verify_build: New role

See: containers/image#2235
j1mc · Jan 28, 2024 · 2188295 · 2188295
1 parent 89a494f
commit 2188295
Show file tree

Hide file tree

Showing 7 changed files with 188 additions and 0 deletions.
diff --git a/ansible-silverblue/roles/verify_build/README.md b/ansible-silverblue/roles/verify_build/README.md
@@ -0,0 +1,46 @@
+verify_build
+============
+
+Installs necessary public key and related files to verify the resulting OCI container image. This
+will allow us to transition from using `ostree-unverified-registry` to `ostree-image-signed`
+knowing that the image has been signed with the prescribed key.
+
+Requirements
+------------
+
+Uses the following modules:
+
+  * [ansible.builtin.file](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/file_module.html)
+  * [ansible.builtin.copy](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html)
+
+Role Variables
+--------------
+
+None
+
+Dependencies
+------------
+
+This role requires creation of a [Sigstore Cosign key](https://docs.sigstore.dev/key_management/signing_with_self-managed_keys/).
+
+Example Adhoc Run
+-----------------
+
+`ansible-playbook -i hosts -l this_host -K roles/verify_build/playbook.yml`
+
+Example Playbook
+----------------
+
+    - hosts: all
+      roles:
+         - { role: verify_build }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+  * Jim Campbell (jwcampbell@gmail.com)
diff --git a/ansible-silverblue/roles/verify_build/files/j1mc-cosign.pub b/ansible-silverblue/roles/verify_build/files/j1mc-cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMZNJmj3MTowdPApZp7MkiqC4jEkz
+Rpa8c7+cf3go+AHLxd36AOPgSLtsQqEgN7YfpTLtI7zzmNzVWSXBxxYs/A==
+-----END PUBLIC KEY-----
diff --git a/ansible-silverblue/roles/verify_build/files/j1mc.yaml b/ansible-silverblue/roles/verify_build/files/j1mc.yaml
@@ -0,0 +1,3 @@
+docker:
+  ghcr.io/j1mc:
+    use-sigstore-attachments: true
diff --git a/ansible-silverblue/roles/verify_build/files/policy.json b/ansible-silverblue/roles/verify_build/files/policy.json
@@ -0,0 +1,95 @@
+{
+    "default": [
+        {
+            "type": "reject"
+        }
+    ],
+    "transports": {
+        "docker": {
+            "registry.access.redhat.com": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+                }
+            ],
+            "registry.redhat.io": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+                }
+            ],
+            "ghcr.io/j1mc": [
+                {
+                    "type": "sigstoreSigned",
+                    "keyPath": "/usr/etc/pki/containers/j1mc-cosign.pub",
+                    "signedIdentity": {
+                        "type": "matchRepository"
+                    }
+                }
+            ],
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "docker-daemon": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "atomic": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "containers-storage": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "dir": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "oci": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "oci-archive": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "docker-archive": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "tarball": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        }
+    }
+}
diff --git a/ansible-silverblue/roles/verify_build/meta/main.yml b/ansible-silverblue/roles/verify_build/meta/main.yml
@@ -0,0 +1,12 @@
+galaxy_info:
+  author: Jim Campbell
+  description: Installs files and keys needed to validate the signed image
+  company: None
+
+  license: BSD
+
+  min_ansible_version: 5.1 
+
+  galaxy_tags: []
+
+dependencies: []
diff --git a/ansible-silverblue/roles/verify_build/tasks/main.yml b/ansible-silverblue/roles/verify_build/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+# tasks file for verify_build
+
+- name: Ensure necessary directories are present
+  ansible.builtin.file:
+    path: {{ item }}
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+  loop:
+    - /usr/etc/pki/containers/
+    - /usr/etc/containers/registries.d/
+
+- name: Copy public key and key-verification yaml file to appropriate directories
+  ansible.builtin.copy:
+    src: files/{{ item.name }}
+    dest: {{ item.path }}
+    owner: root
+    group: root
+    mode: 0644
+  loop:
+    - {name: 'j1mc-cosign.pub', path: '/usr/etc/pki/containers/j1mc-cosign.pub'}
+    - {name: 'j1mc.yaml', path: '/usr/etc/containers/registries.d/j1mc.yaml'}
diff --git a/ansible-silverblue/roles/verify_build/verify_build.yml b/ansible-silverblue/roles/verify_build/verify_build.yml
@@ -0,0 +1,4 @@
+---
+- hosts: all
+  roles:
+    - { role: verify_build }