samhclark · samhclark · Nov 8, 2024 · Sep 29, 2024
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -21,7 +21,7 @@ jobs:
       image_name: custom-silverblue
       tags: |
         ${{ github.sha }}
-        40
+        41
     secrets:
       cosign_password: ${{ secrets.COSIGN_PASSWORD }}
-      cosign_private_key: ${{ secrets.COSIGN_PRIVATE_KEY }}
+      cosign_private_key: ${{ secrets.COSIGN_PRIVATE_KEY }}
diff --git a/Containerfile b/Containerfile
@@ -1,8 +1,7 @@
-ARG silverblue_version=40
+ARG silverblue_version=41
 FROM quay.io/fedora-ostree-desktops/silverblue:${silverblue_version}
 
-COPY cosign.pub /etc/pki/cosign/cosign.pub
-COPY overlay-root/etc/ /etc/
+COPY overlay-root/ /
 
 RUN mkdir -p /var/opt \
     && mkdir -p /usr/lib/opt/google \

diff --git a/README.md b/README.md
@@ -2,6 +2,41 @@
 
 Following Jorge Castro's lead and making my own spin on Silverblue
 
+## Rebasing onto this image
+
+This bootstrapping process helps get the public keys onto your machine 
+and makes sure everything is configured right. 
+
+From another Silverblue based image, first, rebase onto the _unverified_ image.
+
+```
+rpm-ostree rebase ostree-unverified-registry:ghcr.io/samhclark/custom-silverblue:41
+```
+
+Optional: Manually verify that the image you just rebased onto is signed.
+
+```
+$ wget -O - https://raw.githubusercontent.com/samhclark/custom-silverblue/refs/heads/main/overlay-root/usr/etc/pki/cosign/cosign.pub \
+    | cosign verify --key /dev/stdin ghcr.io/samhclark/custom-silverblue@$( \
+        rpm-ostree status \
+        | head -n 7 \
+        | grep -o 'sha256:[a-f0-9]\{64\}' \
+    )
+```
+
+If the above command fails (returns with a non-zero exit code), then you should abort the rebase
+
+```
+rpm-ostree cleanup --pending
+```
+
+Assuming it succeeded, then reboot: `systemctl reboot`.
+After that, rebase onto the signed image. 
+
+```
+rpm-ostree rebase ostree-image-signed:docker://ghcr.io/samhclark/custom-silverblue:41
+```
+
 ## Google Linux Signing Keys
 
 Google does something weird with their keys for signing RPMs.

diff --git a/overlay-root/usr/etc/containers/policy.json b/overlay-root/usr/etc/containers/policy.json
@@ -0,0 +1,86 @@
+{
+    "default": [
+        {
+            "type": "reject"
+        }
+    ],
+    "transports": {
+        "docker": {
+            "ghcr.io/samhclark/custom-silverblue:40": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ],
+            "ghcr.io/samhclark": [
+                {
+                    "type": "sigstoreSigned",
+                    "keyPath": "/etc/pki/cosign/cosign.pub",
+                    "signedIdentity": {
+                        "type": "matchRepository"
+                    }
+                }
+            ],
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "docker-daemon": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "atomic": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "containers-storage": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "dir": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "oci": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "oci-archive": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "docker-archive": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "tarball": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        }
+    }
+}
diff --git a/overlay-root/usr/etc/containers/registries.d/50-docker.yaml b/overlay-root/usr/etc/containers/registries.d/50-docker.yaml
@@ -0,0 +1,3 @@
+docker:
+  ghcr.io/samhclark:
+    use-sigstore-attachments: true
diff --git a/cosign.pub → overlay-root/usr/etc/pki/cosign/cosign.pub b/cosign.pub → overlay-root/usr/etc/pki/cosign/cosign.pub
diff --git a/packages.json b/packages.json
@@ -86,10 +86,6 @@
         "name": "gnome-software-rpm-ostree",
         "_comment": "Don't want to manage rom-ostree software from a GUI in the OS"
       },
-      {
-        "name": "gnome-terminal-nautilus",
-        "_comment": "Don't want Gnome Terminal in the file browser"
-      },
       {
         "name": "gnome-tour",
         "_comment": "Don't want the tour"
@@ -108,4 +104,4 @@
       }
     ]
   }
-
+