diff --git a/Makefile.inputs b/Makefile.inputs
index ad4f333..c08835c 100644
--- a/Makefile.inputs
+++ b/Makefile.inputs
@@ -7,6 +7,7 @@ export EXTRA_BOOT_PARAMS :=
 export IMAGE_NAME := base
 export IMAGE_REPO := quay.io/fedora-ostree-desktops
 export IMAGE_TAG = $(VERSION)
+export IMAGE_SIGNED := false
 REPOS := $(subst :,\:,$(wildcard /etc/yum.repos.d/*.repo))
 export ROOTFS_SIZE := 4
 export VARIANT := Server
diff --git a/README.md b/README.md
index 974e8c8..ce8dc46 100644
--- a/README.md
+++ b/README.md
@@ -55,6 +55,7 @@ The following variables can be used to customize the created ISO.
 | flatpak_remote_url | URL of the flatpakrepo file | | :white_check_mark: | :white_check_mark: |
 | image_name | Name of the source container image | base | :white_check_mark: | :white_check_mark: |
 | image_repo | Repository containing the source container image | quay.io/fedora-ostree-desktops | :white_check_mark: | :white_check_mark: |
+| image_signed | Whether the container image is signed. The policy to test the signing must be configured inside the container image | false | :white_check_mark: | :white_check_mark: |
 | image_tag | Tag of the source container image | *VERSION* | :white_check_mark: | :white_check_mark: |
 | iso_name | Name of the ISO you wish to output when completed | build/deploy.iso | :white_check_mark: | :white_check_mark: |
 | make_target | Overrides the default make target | *ISO_NAME*-Checksum | :white_check_mark: | :x: |
diff --git a/action.yml b/action.yml
index 0a6a436..e325527 100644
--- a/action.yml
+++ b/action.yml
@@ -59,6 +59,10 @@ inputs:
 description: Repository containing the source container image
 required: true
 default: quay.io/fedora-ostree-desktops
+ image_signed:
+ description: Whether the container image is signed. The policy to test the signing must be configured inside the container image
+ required: false
+ default: "true"
 image_tag:
 description: Tag of the source container image. Defaults to the installer version
 required: false
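Review bot: `export IMAGE_SIGNED := false` makes the unverified path the default for Makefile users, while the `action.yml` hunk in this commit defaults the same input to `"true"` and the README row documents `false`. Judging by the unchanged `sed` line in `install_configure_upgrades`, the installer previously always wrote `ostree-image-signed`, so a plain `make` run would now silently stop requesting signature verification in the installed system's image reference. Defaulting to `export IMAGE_SIGNED := true` here, and updating the README row to match, keeps verification on unless a caller explicitly opts out.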
@@ -209,6 +213,7 @@ runs:
 FLATPAK_DIR="${{ steps.flatpak_dependencies.outputs.flatpak_dir && format('/github/workspace/{0}', steps.flatpak_dependencies.outputs.flatpak_dir) || '' }}" \
 IMAGE_NAME="${{ inputs.image_name }}" \
 IMAGE_REPO="${{ inputs.image_repo }}" \
+ IMAGE_SIGNED="${{ inputs.image_signed }}" \
 IMAGE_TAG="${{ inputs.image_tag || inputs.version }}" \
 ISO_NAME=/github/workspace/${{ inputs.iso_name }} \
 ${{ inputs.repos && format('REPOS="{0}"', inputs.repos) || '' }} \
diff --git a/lorax_templates/scripts/post/install_configure_upgrades b/lorax_templates/scripts/post/install_configure_upgrades
index f474d93..ad61dc0 100644
--- a/lorax_templates/scripts/post/install_configure_upgrades
+++ b/lorax_templates/scripts/post/install_configure_upgrades
@@ -1,7 +1,16 @@
-<%page args="image_repo, _image_repo_double_escaped, image_name, image_tag, _rhel, version"/>
+<%page args="image_repo, _image_repo_double_escaped, image_name, image_signed, image_tag, _rhel, version"/>
+
 if (which bootc &> /dev/null) && [ ${_rhel} == 'false' && ${version} -ge 39 ]
 then
+% if image_signed == 'true':
 bootc switch --mutate-in-place --enforce-container-sigpolicy --transport registry ${image_repo}/${image_name}:${image_tag}
+% else:
+ bootc switch --mutate-in-place --enforce-container-sigpolicy --transport registry ${image_repo}/${image_name}:${image_tag}
+% endif
 else
+% if image_signed == 'true':
 sed -i 's/container-image-reference=.*/container-image-reference=ostree-image-signed:docker:\/\/${_image_repo_double_escaped}\/${image_name}:${image_tag}/' /ostree/deploy/default/deploy/*.origin
+% else:
+ sed -i 's/container-image-reference=.*/container-image-reference=ostree-unverified-image:docker:\/\/${_image_repo_double_escaped}\/${image_name}:${image_tag}/' /ostree/deploy/default/deploy/*.origin
+% endif
 fi
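Review bot: `IMAGE_SIGNED="${{ inputs.image_signed }}"` is expanded into the command text before the shell runs, so the value is not constrained to `true` or `false` and any quoting or substitution characters in it become part of the script; the neighbouring inputs follow the same pattern. The step begins and ends outside this hunk, so this is inferred, but if it is a `run:` script the usual hardening is to pass the input through the step's `env:` (`IMAGE_SIGNED: ${{ inputs.image_signed }}`) and reference `"$IMAGE_SIGNED"` in the command. A short check that rejects anything other than `true`/`false` before the build would also keep a typo from silently selecting the unverified image reference.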
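Review bot: In the bootc path the `% else:` branch repeats the `% if` command verbatim, so `--enforce-container-sigpolicy` is still passed when `image_signed` is not `'true'` and the new option only takes effect in the `sed` path. If unsigned images are meant to work with bootc, the else branch presumably should read `bootc switch --mutate-in-place --transport registry ${image_repo}/${image_name}:${image_tag}`; if enforcement is intended in both cases, the conditional can be dropped. The test is an exact string match, so `True`, `1` or an empty value all fall through to `ostree-unverified-image`; writing the unverified branch as `% if image_signed == 'false':` and treating every other value as signed would fail closed. Separately, the unchanged `[ ... && ... ]` test on the first context line looks malformed for `[`, so it is worth confirming which branch actually runs.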