diff --git a/ansible-silverblue/roles/verify_build/README.md b/ansible-silverblue/roles/verify_build/README.md
new file mode 100644
index 0000000..b5f90dd
--- /dev/null
+++ b/ansible-silverblue/roles/verify_build/README.md
@@ -0,0 +1,46 @@
+verify_build
+============
+
+Installs necessary public key and related files to verify the resulting OCI container image. This
+will allow us to transition from using `ostree-unverified-registry` to `ostree-image-signed`
+knowing that the image has been signed with the prescribed key.
+
+Requirements
+------------
+
+Uses the following modules:
+
+ * [ansible.builtin.file](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/file_module.html)
+ * [ansible.builtin.copy](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html)
+
+Role Variables
+--------------
+
+None
+
+Dependencies
+------------
+
+This role requires creation of a [Sigstore Cosign key](https://docs.sigstore.dev/key_management/signing_with_self-managed_keys/).
+
+Example Adhoc Run
+-----------------
+
+`ansible-playbook -i hosts -l this_host -K roles/verify_build/playbook.yml`
+
+Example Playbook
+----------------
+
+ - hosts: all
+ roles:
+ - { role: verify_build }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+ * Jim Campbell (jwcampbell@gmail.com)
diff --git a/ansible-silverblue/roles/verify_build/files/j1mc-cosign.pub b/ansible-silverblue/roles/verify_build/files/j1mc-cosign.pub
new file mode 100644
index 0000000..348ccce
--- /dev/null
+++ b/ansible-silverblue/roles/verify_build/files/j1mc-cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMZNJmj3MTowdPApZp7MkiqC4jEkz
+Rpa8c7+cf3go+AHLxd36AOPgSLtsQqEgN7YfpTLtI7zzmNzVWSXBxxYs/A==
+-----END PUBLIC KEY-----
diff --git a/ansible-silverblue/roles/verify_build/files/j1mc.yaml b/ansible-silverblue/roles/verify_build/files/j1mc.yaml
new file mode 100644
index 0000000..1097247
--- /dev/null
+++ b/ansible-silverblue/roles/verify_build/files/j1mc.yaml
@@ -0,0 +1,3 @@
+docker:
+ ghcr.io/j1mc:
+ use-sigstore-attachments: true
diff --git a/ansible-silverblue/roles/verify_build/files/policy.json b/ansible-silverblue/roles/verify_build/files/policy.json
new file mode 100644
index 0000000..ecc7a2e
--- /dev/null
+++ b/ansible-silverblue/roles/verify_build/files/policy.json
@@ -0,0 +1,95 @@
+{
+ "default": [
+ {
+ "type": "reject"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "registry.access.redhat.com": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "registry.redhat.io": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "ghcr.io/j1mc": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/usr/etc/pki/containers/j1mc-cosign.pub",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "atomic": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "containers-storage": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "dir": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci-archive": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-archive": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "tarball": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
diff --git a/ansible-silverblue/roles/verify_build/meta/main.yml b/ansible-silverblue/roles/verify_build/meta/main.yml
new file mode 100644
index 0000000..53388b9
--- /dev/null
+++ b/ansible-silverblue/roles/verify_build/meta/main.yml
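Review bot: The catch-all `""` entry under `transports.docker` is `insecureAcceptAnything`, so the top-level `default: reject` never applies to an image pulled over the docker transport from any registry other than the three named ones — those images are accepted with no signature check at all. If the goal stated in the role (only trust images signed with the prescribed key) is meant to hold, drop that entry or change it to `{ "type": "reject" }` so unlisted registries fall through to the default, and decide deliberately whether the permissive `""` entries for `docker-daemon` and the local transports are wanted. The `ghcr.io/j1mc` entry itself reads correctly: `sigstoreSigned` with `signedIdentity.type: matchRepository` ties the signature to the repository the image was pulled from, and its `keyPath` matches the destination the role's copy task writes the public key to.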
@@ -0,0 +1,12 @@
+galaxy_info:
+ author: Jim Campbell
+ description: Installs files and keys needed to validate the signed image
+ company: None
+
+ license: BSD
+
+ min_ansible_version: 5.1
+
+ galaxy_tags: []
+
+dependencies: []
diff --git a/ansible-silverblue/roles/verify_build/tasks/main.yml b/ansible-silverblue/roles/verify_build/tasks/main.yml
new file mode 100644
index 0000000..bff96fe
--- /dev/null
+++ b/ansible-silverblue/roles/verify_build/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+# tasks file for verify_build
+
+- name: Ensure necessary directories are present
+ ansible.builtin.file:
+ path: {{ item }}
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+ loop:
+ - /usr/etc/pki/containers/
+ - /usr/etc/containers/registries.d/
+
+- name: Copy public key and key-verification yaml file to appropriate directories
+ ansible.builtin.copy:
+ src: files/{{ item.name }}
+ dest: {{ item.path }}
+ owner: root
+ group: root
+ mode: 0644
+ loop:
+ - {name: 'j1mc-cosign.pub', path: '/usr/etc/pki/containers/j1mc-cosign.pub'}
+ - {name: 'j1mc.yaml', path: '/usr/etc/containers/registries.d/j1mc.yaml'}
diff --git a/ansible-silverblue/roles/verify_build/verify_build.yml b/ansible-silverblue/roles/verify_build/verify_build.yml
new file mode 100644
index 0000000..354c104
--- /dev/null
+++ b/ansible-silverblue/roles/verify_build/verify_build.yml
@@ -0,0 +1,4 @@
+---
+- hosts: all
+ roles:
+ - { role: verify_build }
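Review bot: `path: {{ item }}` and `dest: {{ item.path }}` in tasks/main.yml are unquoted Jinja expressions; YAML reads a value starting with `{{` as a flow mapping, so Ansible rejects the task at parse time — write them as `path: "{{ item }}"` and `dest: "{{ item.path }}"` (the `src: files/{{ item.name }}` line escapes this only because it does not begin with the braces). Separately, `files/policy.json` is added by this commit but neither task installs it: the copy loop covers only `j1mc-cosign.pub` and `j1mc.yaml`, so the `sigstoreSigned` requirement for `ghcr.io/j1mc` never reaches the target unless the policy is deployed by some other means; add a loop item for it, with a destination under the containers configuration tree the rest of the role uses (presumably `/usr/etc/containers/`), plus that directory in the first task. The bare octal `mode: 0755` and `mode: 0644` values work but trigger Ansible's unquoted-octal warning; `mode: '0755'` and `mode: '0644'` are the documented form.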