feat: sign keyless

tidy up
ii · Feb 20, 2024 · 6b43543 · 6b43543
1 parent e1f3bb4
commit 6b43543
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 16 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -139,11 +139,10 @@ jobs:
       - name: Sign container image
         if: github.event_name != 'pull_request'
         run: |
-          cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
+          cosign sign -y ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
         env:
           TAGS: ${{ steps.push.outputs.digest }}
-          COSIGN_EXPERIMENTAL: false
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_YES: true
 
       - name: Echo outputs
         if: github.event_name != 'pull_request'

diff --git a/Containerfile b/Containerfile
@@ -1,7 +1,6 @@
 ARG VERSION="${VERSION:-latest}"
 FROM ghcr.io/ublue-os/silverblue-main:${VERSION}
 COPY files /
-COPY cosign.pub /usr/etc/pki/containers/ii.pub
 RUN sed -i -e '0,/enabled=0/s//enabled=1/' /etc/yum.repos.d/fedora-updates-testing.repo && \
   rpm-ostree install \
     vim \

diff --git a/README.md b/README.md
@@ -17,15 +17,9 @@ rpm-ostree reset
 
 rebase to the image
 ```shell
-rpm-ostree rebase ostree-unverified-registry:ghcr.io/ii/image:latest
-```
-(as root)
-and reboot
-
-then rebase to the signed version
-```shell
 rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ii/image:latest
 ```
+(as root)
 
 ## Making changes
 

diff --git a/cosign.pub b/cosign.pub
diff --git a/files/usr/etc/containers/policy.json b/files/usr/etc/containers/policy.json
@@ -23,7 +23,12 @@
             "ghcr.io/ii": [
                 {
                     "type": "sigstoreSigned",
-                    "keyPath": "/usr/etc/pki/containers/ii.pub",
+                    "fulcio": {
+                        "caData": "-----BEGIN CERTIFICATE-----\nMIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\nMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl\nLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7\nXeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex\nX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j\nYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY\nwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ\nKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM\nWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9\nTNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ\n-----END CERTIFICATE-----",
+                        "oidcIssuer": "https://token.actions.githubusercontent.com",
+                        "subjectEmail": "https://github.com/ii/image/.github/workflows/build.yml@refs/heads/main"
+                    },
+                    "rekorPublicKeyData": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwr\nkBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw==\n-----END PUBLIC KEY-----",
                     "signedIdentity": {
                         "type": "matchRepository"
                     }