Add support for unsigned container images (#118)

2025-12-25 02:47:56 +01:00 · 2024-05-10 19:59:44 -04:00 · 2024-05-10 19:59:44 -04:00 · e0e4de8f9a
commit e0e4de8f9a
parent 383427c619
6 changed files with 24 additions and 6 deletions
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,5 +1,5 @@
 {
    "files.associations": {
-        "Makefile.*": "makefile"
+        "Makefile.inputs": "makefile"
    }
 }
--- a/2
+++ b/2
@ -30,7 +30,7 @@ _LORAX_ARGS                :=
 _LORAX_TEMPLATES           := $(call get_templates,install)
 _REPO_FILES                := $(subst /etc/yum.repos.d,repos,$(REPOS))
 _TEMP_DIR                  := $(shell mktemp -d)
-_TEMPLATE_VARS             := ARCH IMAGE_NAME IMAGE_REPO _IMAGE_REPO_DOUBLE_ESCAPED _IMAGE_REPO_ESCAPED IMAGE_TAG REPOS _RHEL VARIANT VERSION WEB_UI
+_TEMPLATE_VARS             := ARCH IMAGE_NAME IMAGE_REPO _IMAGE_REPO_DOUBLE_ESCAPED _IMAGE_REPO_ESCAPED IMAGE_SIGNED IMAGE_TAG REPOS _RHEL VARIANT VERSION WEB_UI
 _VOLID                     := $(firstword $(subst -, ,$(IMAGE_NAME)))-$(ARCH)-$(IMAGE_TAG)

 ifeq ($(findstring redhat.repo,$(REPOS)),redhat.repo)
--- a/Makefile.inputs
+++ b/Makefile.inputs
@ -7,6 +7,7 @@ export EXTRA_BOOT_PARAMS       :=
 export IMAGE_NAME              := base
 export IMAGE_REPO              := quay.io/fedora-ostree-desktops
 export IMAGE_TAG                = $(VERSION)
+export IMAGE_SIGNED            := true
       REPOS                   := $(subst :,\:,$(wildcard /etc/yum.repos.d/*.repo))
 export ROOTFS_SIZE             := 4
 export VARIANT                 := Server
@ -21,4 +22,4 @@ export FLATPAK_DIR             :=
 # Secure boot
 export ENROLLMENT_PASSWORD     :=
 export SECURE_BOOT_KEY_URL     :=
-export ISO_NAME                := build/deploy.iso
+export ISO_NAME                := build/deploy.iso
--- a/README.md
+++ b/README.md
@ -55,6 +55,7 @@ The following variables can be used to customize the created ISO.
 | flatpak_remote_url      | URL of the flatpakrepo file                                                  | <https://flathub.org/repo/flathub.flatpakrepo> | :white_check_mark: | :white_check_mark: |
 | image_name              | Name of the source container image                                           | base                                         | :white_check_mark: | :white_check_mark: |
 | image_repo              | Repository containing the source container image                             | quay.io/fedora-ostree-desktops               | :white_check_mark: | :white_check_mark: |
+| image_signed            | Whether the container image is signed. The policy to test the signing must be configured inside the container image | true  | :white_check_mark: | :white_check_mark: |
 | image_tag               | Tag of the source container image                                            | *VERSION*                                    | :white_check_mark: | :white_check_mark: |
 | iso_name                | Name of the ISO you wish to output when completed                            | build/deploy.iso                             | :white_check_mark: | :white_check_mark: |
 | make_target             | Overrides the default make target                                            | *ISO_NAME*-Checksum                          | :white_check_mark: | :x:                |
--- a/action.yml
+++ b/action.yml
@ -59,6 +59,10 @@ inputs:
    description: Repository containing the source container image
    required: true
    default: quay.io/fedora-ostree-desktops
+  image_signed:
+    description: Whether the container image is signed. The policy to test the signing must be configured inside the container image
+    required: false
+    default: "true"
  image_tag:
    description: Tag of the source container image. Defaults to the installer version
    required: false
@ -209,6 +213,7 @@ runs:
          FLATPAK_DIR="${{ steps.flatpak_dependencies.outputs.flatpak_dir && format('/github/workspace/{0}', steps.flatpak_dependencies.outputs.flatpak_dir) || '' }}" \
          IMAGE_NAME="${{ inputs.image_name }}" \
          IMAGE_REPO="${{ inputs.image_repo }}" \
+          IMAGE_SIGNED="${{ inputs.image_signed }}" \
          IMAGE_TAG="${{ inputs.image_tag || inputs.version }}" \
          ISO_NAME=/github/workspace/${{ inputs.iso_name }} \
          ${{ inputs.repos && format('REPOS="{0}"', inputs.repos) || '' }} \
--- a/lorax_templates/scripts/post/install_configure_upgrades
+++ b/lorax_templates/scripts/post/install_configure_upgrades
@ -1,7 +1,18 @@
-<%page args="image_repo, _image_repo_double_escaped, image_name, image_tag, _rhel, version"/>
+<%page args="image_repo, _image_repo_double_escaped, image_name, image_signed, image_tag, _rhel, version"/>
+
 if (which bootc &> /dev/null) && [ ${_rhel} == 'false' && ${version} -ge 39 ]
 then
-  bootc switch --mutate-in-place --enforce-container-sigpolicy --transport registry ${image_repo}/${image_name}:${image_tag}
+  if [ ${image_signed} == 'true' ]
+  then
+    bootc switch --mutate-in-place --enforce-container-sigpolicy --transport registry ${image_repo}/${image_name}:${image_tag}
+  else
+    bootc switch --mutate-in-place --transport registry ${image_repo}/${image_name}:${image_tag}
+  fi
 else
-  sed -i 's/container-image-reference=.*/container-image-reference=ostree-image-signed:docker:\/\/${_image_repo_double_escaped}\/${image_name}:${image_tag}/' /ostree/deploy/default/deploy/*.origin
+  if [ ${image_signed} == 'true' ]
+  then
+    sed -i 's/container-image-reference=.*/container-image-reference=ostree-image-signed:docker:\/\/${_image_repo_double_escaped}\/${image_name}:${image_tag}/' /ostree/deploy/default/deploy/*.origin
+  else
+    sed -i 's/container-image-reference=.*/container-image-reference=ostree-unverified-image:docker:\/\/${_image_repo_double_escaped}\/${image_name}:${image_tag}/' /ostree/deploy/default/deploy/*.origin
+  fi
 fi