diff --git a/modules/apt-get/apt-get.sh b/modules/apt-get/apt-get.sh
new file mode 100644
index 00000000..825d89b3
--- /dev/null
+++ b/modules/apt-get/apt-get.sh
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -euo pipefail
+
+NO_RECOMMENDS=$(echo "${1}" | jq 'try .["no-recommends"]')
+if [[ -z "${NO_RECOMMENDS}" || "${NO_RECOMMENDS}" == "null" ]]; then
+NO_RECOMMENDS=false
+fi
+
+INSTALL_SUGGESTS=$(echo "${1}" | jq 'try .["install-suggests"]')
+if [[ -z "${INSTALL_SUGGESTS}" || "${INSTALL_SUGGESTS}" == "null" ]]; then
+INSTALL_SUGGESTS=false
+fi
+
+FIX_MISSING=$(echo "${1}" | jq 'try .["fix-missing"]')
+if [[ -z "${FIX_MISSING}" || "${FIX_MISSING}" == "null" ]]; then
+FIX_MISSING=false
+fi
+
+FIX_BROKEN=$(echo "${1}" | jq 'try .["fix-broken"]')
+if [[ -z "${FIX_BROKEN}" || "${FIX_BROKEN}" == "null" ]]; then
+FIX_BROKEN=false
+fi
+
+if [[ ${NO_RECOMMENDS} == true ]]; then
+APT_ARGS+=("--no-install-recommends")
+fi
+
+if [[ ${INSTALL_SUGGESTS} == true ]]; then
+APT_ARGS+=("--install-suggests")
+fi
+
+if [[ ${FIX_MISSING} == true ]]; then
+APT_ARGS+=("--fix-missing")
+fi
+
+if [[ ${FIX_BROKEN} == true ]]; then
+APT_ARGS+=("--fix-broken")
+fi
+
+# get_yaml_array INSTALL_PKGS '.install[]' "$1"
+
+INSTALL_PKGS=("https://discord.com/api/download?platform=linux&format=deb" "micro")
+
+if [[ ${#INSTALL_PKGS[@]} -gt 0 ]]; then
+for PKG in "${INSTALL_PKGS[@]}"; do
+if [[ "${PKG}" =~ ^https?:\/\/.* ]]; then
+PKG_PATH=$(mktemp --suffix=".deb")
+wget -O "${PKG_PATH}" "${PKG}"
+wait
+PROCESSED_INSTALL_PKGS+=("${PKG_PATH}")
+else
+PROCESSED_INSTALL_PKGS+=("${PKG}")
+fi
+done
+fi
+
+# shellcheck disable=SC2068
+apt-get install -y ${APT_ARGS[@]} "${PROCESSED_INSTALL_PKGS[@]}"
+
+get_yaml_array REMOVE_PKGS '.remove[]' "$1"
+apt-get remove -y "${REMOVE_PKGS[@]}"
+
+apt-get clean
diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
index 42081bc6..de23a759 100644
--- a/modules/signing/signing.sh
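Review bot: `INSTALL_PKGS` is hard-coded to a Discord download URL plus `micro` while the `get_yaml_array INSTALL_PKGS '.install[]' "$1"` line directly above it is commented out, so every image built with this module fetches and installs Discord as root and ignores the recipe's `install` list; this looks like leftover test code and should be reverted to `get_yaml_array INSTALL_PKGS '.install[]' "$1"` before merge. In the URL branch the `=~ ^https?:\/\/.*` match also accepts plain `http://`, and a local `.deb` path passed to `apt-get install` is not covered by apt's repository signature checks, so the downloaded file is installed with no integrity verification at all; at minimum require `^https://`, and ideally let the recipe carry a per-URL checksum that the module verifies with `sha256sum -c` before the install. The bare `wait` after `wget` does nothing because wget is not backgrounded, and the `mktemp` files are never cleaned up; a comment such as `# NOTE: local .deb files bypass apt signature verification` would at least make the trust boundary explicit if checksums are deferred.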
+++ b/modules/signing/signing.sh 
@@ -3,47 +3,71 @@ # Tell build process to exit if there are any errors. set -euo pipefail -CONTAINER_DIR="/usr/etc/containers" -MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}" -IMAGE_NAME_FILE="${IMAGE_NAME//\//_}" +if grep -q OSTREE /etc/os-release; then + echo "Detected OSTREE" -echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME" -echo "Registry to write: $IMAGE_REGISTRY" + CONTAINER_DIR="/etc/containers" + MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}" + IMAGE_NAME_FILE="${IMAGE_NAME//\//_}" -if ! [ -d "$CONTAINER_DIR" ]; then - mkdir -p "$CONTAINER_DIR" -fi + echo "Setting up container signing in policy.json and cosign.yaml for ${IMAGE_NAME}" + echo "Registry to write: ${IMAGE_REGISTRY}" -if ! [ -d $CONTAINER_DIR/registries.d ]; then - mkdir -p "$CONTAINER_DIR/registries.d" -fi + if ! [ -d "${CONTAINER_DIR}" ]; then + mkdir -p "${CONTAINER_DIR}" + fi -if ! [ -d "/usr/etc/pki/containers" ]; then - mkdir -p "/usr/etc/pki/containers" -fi + if ! [ -d "${CONTAINER_DIR}/registries.d" ]; then + mkdir -p "${CONTAINER_DIR}/registries.d" + fi -if ! [ -f "$CONTAINER_DIR/policy.json" ]; then - cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json" -fi + if ! [ -d "/etc/pki/containers" ]; then + mkdir -p "/etc/pki/containers" + fi -if ! [ -f "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" ]; then - cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" -fi + if ! [ -f "/etc/pki/containers/${IMAGE_NAME_FILE}.pub" ]; then + echo "ERROR: Cannot find '${IMAGE_NAME_FILE}.pub' image key in '/etc/pki/containers/'" + echo " BlueBuild CLI should have copied it, but it didn't" + exit 1 + fi -POLICY_FILE="$CONTAINER_DIR/policy.json" + TEMPLATE_POLICY="${MODULE_DIRECTORY}/signing/policy.json" + POLICY_FILE="${CONTAINER_DIR}/policy.json" -yq -i -o=j '.transports.docker |= - {"'"$IMAGE_REGISTRY"'/'"$IMAGE_NAME"'": [ + # If there is no policy.json file, then copy the template policy + if ! 
[ -f "${POLICY_FILE}" ]; then + cp "${TEMPLATE_POLICY}" "${POLICY_FILE}" + fi + + # If the already existing policy.json file doesn't have 'reject' as default policy, + # then signing is effectively disabled & template policy.json should be copied in that case also + if [[ "$(jq -r '.default[0].type' "${POLICY_FILE}")" == "insecureAcceptAnything" ]]; then + cp "${TEMPLATE_POLICY}" "${POLICY_FILE}" + fi + + jq --arg image_registry "${IMAGE_REGISTRY}" \ + --arg image_name "${IMAGE_NAME}" \ + --arg image_name_file "${IMAGE_NAME_FILE}" \ + '.transports.docker |= + { ($image_registry + "/" + $image_name): [ { "type": "sigstoreSigned", - "keyPath": "/usr/etc/pki/containers/'"$IMAGE_NAME_FILE"'.pub", + "keyPath": ("/etc/pki/containers/" + $image_name_file + ".pub"), "signedIdentity": { "type": "matchRepository" } } - ] - } -+ .' "$POLICY_FILE" + ] } + .' "${POLICY_FILE}" > "/tmp/POLICY.tmp" + + mv "/tmp/POLICY.tmp" "${POLICY_FILE}" + + mv "${MODULE_DIRECTORY}/signing/registry-config.yaml" "${CONTAINER_DIR}/registries.d/${IMAGE_REGISTRY##*/}-${IMAGE_NAME_FILE}.yaml" + sed -i "s ghcr.io/IMAGENAME ${IMAGE_REGISTRY}/${IMAGE_NAME} g" "${CONTAINER_DIR}/registries.d/${IMAGE_REGISTRY##*/}-${IMAGE_NAME_FILE}.yaml" + +elif grep -q "Vanilla OS" /etc/os-release; then + echo "Detected Vanilla OS" -mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml" -sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml" + USERNAME="${IMAGE_REGISTRY##*/}" + jq -r ".name |= \"$USERNAME/$IMAGE_NAME\"" /usr/share/abroot/abroot.json > /usr/share/abroot/abroot_tmp.json + mv /usr/share/abroot/abroot_tmp.json /usr/share/abroot/abroot.json +fi \ No newline at end of file
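Review bot: In the Vanilla OS branch, `jq -r ".name |= \"$USERNAME/$IMAGE_NAME\""` splices shell variables straight into the jq program, so a `"` or `\` in `IMAGE_NAME` breaks or alters the filter; the OSTREE branch in the same hunk already passes its values with `--arg`, and this line should do the same: `jq --arg name "${USERNAME}/${IMAGE_NAME}" '.name |= $name' /usr/share/abroot/abroot.json > /usr/share/abroot/abroot_tmp.json`. The `if`/`elif` has no `else`, so on a base that matches neither `OSTREE` nor `Vanilla OS` in `/etc/os-release` the script exits 0 without writing any policy, and the build succeeds with signature verification silently unconfigured; an `else` branch with `echo "ERROR: unsupported base image, cannot configure signing" >&2` and `exit 1` would make that visible. The OSTREE branch also writes the rewritten policy to the fixed path `/tmp/POLICY.tmp` before moving it into place; using `mktemp` there would avoid the predictable name and match the apt-get module added in this same commit.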