chore: add upstream signature validation (secureblue#859)

nihil-admirari · Feb 18, 2025 · 605c8cf · 605c8cf
1 parent dddf4b6
commit 605c8cf
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 1 deletion.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -66,6 +66,14 @@ jobs:
           BASE_IMAGE=$(grep '^base-image:' ./recipes/${{ matrix.recipe }} | sed 's/^base-image: //')
           echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV
 
+      - name: Verify base image
+        if: ${{ ! contains(env.IMAGE_NAME, 'wayblue') }}
+        uses: EyeCantCU/cosign-action/verify@58722a084c82190b57863002d494c91eabbe9e79 # v0.3.0
+        with:
+          containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
+          registry: 'quay.io/fedora-ostree-desktops'
+          pubkey: 'https://gitlab.com/fedora/ostree/ci-test/-/raw/main/quay.io-fedora-ostree-desktops.pub'
+
       - name: Verify base image
         if: ${{ contains(env.IMAGE_NAME, 'wayblue') }}
         uses: EyeCantCU/cosign-action/verify@58722a084c82190b57863002d494c91eabbe9e79 # v0.3.0
@@ -77,7 +85,7 @@ jobs:
       - name: Build secureblue
         uses: blue-build/github-action@4d8b4df657ec923574611eec6fd7e959416c47f0 # v1.8.1
         with:          
-          cli_version: v0.9.7
+          cli_version: v0.9.8
           recipe: ${{ matrix.recipe }}
           cosign_private_key: ${{ secrets.SIGNING_SECRET }}
           registry_token: ${{ github.token }}

diff --git a/files/system/etc/containers/registries.d/quay.io-fedora-ostree-desktops.yaml b/files/system/etc/containers/registries.d/quay.io-fedora-ostree-desktops.yaml
@@ -0,0 +1,3 @@
+docker:
+  quay.io/fedora-ostree-desktops:
+    use-sigstore-attachments: true
diff --git a/files/system/etc/pki/containers/quay.io-fedora-ostree-desktops.pub b/files/system/etc/pki/containers/quay.io-fedora-ostree-desktops.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoyz2L+WsK8aLrK+j5D/rNNZojlg4
+KMcGKGooo4ds3MIkqYMuClwkSUa1mmoT4sF5eMAGRvHZZejUQ/uShKUsNg==
+-----END PUBLIC KEY-----
diff --git a/modules/secureblue-signing/policy.json b/modules/secureblue-signing/policy.json
@@ -65,6 +65,15 @@
                   }
               }
           ],
+          "quay.io/fedora-ostree-desktops": [
+              {
+                  "type": "sigstoreSigned",
+                  "keyPath": "/usr/etc/pki/containers/quay.io-fedora-ostree-desktops.pub",
+                  "signedIdentity": {
+                      "type": "matchRepository"
+                  }
+              }
+          ],
           "ghcr.io/ublue-os": [
               {
                   "type": "sigstoreSigned",