diff --git a/.vscode/settings.json b/.vscode/settings.json
index 8e97809d..2625bca7 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,5 +1,5 @@
 {
   "files.associations": {
-    "Makefile.*": "makefile"
+    "Makefile.inputs": "makefile"
   }
 }
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 7886947a..25ee23a6 100644
--- a/Makefile
+++ b/Makefile
@@ -30,7 +30,7 @@ _LORAX_ARGS :=
 _LORAX_TEMPLATES := $(call get_templates,install)
 _REPO_FILES := $(subst /etc/yum.repos.d,repos,$(REPOS))
 _TEMP_DIR := $(shell mktemp -d)
-_TEMPLATE_VARS := ARCH IMAGE_NAME IMAGE_REPO _IMAGE_REPO_DOUBLE_ESCAPED _IMAGE_REPO_ESCAPED IMAGE_TAG REPOS _RHEL VARIANT VERSION WEB_UI
+_TEMPLATE_VARS := ARCH IMAGE_NAME IMAGE_REPO _IMAGE_REPO_DOUBLE_ESCAPED _IMAGE_REPO_ESCAPED IMAGE_SIGNED IMAGE_TAG REPOS _RHEL VARIANT VERSION WEB_UI
 _VOLID := $(firstword $(subst -, ,$(IMAGE_NAME)))-$(ARCH)-$(IMAGE_TAG)
 
 ifeq ($(findstring redhat.repo,$(REPOS)),redhat.repo)
diff --git a/Makefile.inputs b/Makefile.inputs
index ad4f333e..51804c30 100644
--- a/Makefile.inputs
+++ b/Makefile.inputs
@@ -7,6 +7,7 @@ export EXTRA_BOOT_PARAMS :=
 export IMAGE_NAME := base
 export IMAGE_REPO := quay.io/fedora-ostree-desktops
 export IMAGE_TAG = $(VERSION)
+export IMAGE_SIGNED := true
 REPOS := $(subst :,\:,$(wildcard /etc/yum.repos.d/*.repo))
 export ROOTFS_SIZE := 4
 export VARIANT := Server
@@ -21,4 +22,4 @@ export FLATPAK_DIR :=
 # Secure boot
 export ENROLLMENT_PASSWORD :=
 export SECURE_BOOT_KEY_URL :=
-export ISO_NAME := build/deploy.iso
\ No newline at end of file
+export ISO_NAME := build/deploy.iso
diff --git a/README.md b/README.md
index 974e8c8c..0124d581 100644
--- a/README.md
+++ b/README.md
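Review bot: `IMAGE_SIGNED` is added to `_TEMPLATE_VARS` and defaulted to `true` in Makefile.inputs, but nothing validates the value before it reaches the lorax template, where it is compared as an exact string and anything other than `true` selects the unverified-image path; the same free-form value also arrives from the `image_signed` input added in action.yml. A parse-time guard next to the existing `ifeq` block would reject `True`, `yes` or an empty override before an ISO is produced: `ifeq ($(filter true false,$(IMAGE_SIGNED)),)` / `$(error IMAGE_SIGNED must be 'true' or 'false', got '$(IMAGE_SIGNED)')` / `endif`. A one-line comment on the Makefile.inputs default, `# Set to false only for unsigned images; disables signature-policy enforcement on the installed system`, would make the trade-off visible where users edit it.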
@@ -55,6 +55,7 @@ The following variables can be used to customize the created ISO.
 | flatpak_remote_url | URL of the flatpakrepo file | | :white_check_mark: | :white_check_mark: |
 | image_name | Name of the source container image | base | :white_check_mark: | :white_check_mark: |
 | image_repo | Repository containing the source container image | quay.io/fedora-ostree-desktops | :white_check_mark: | :white_check_mark: |
+| image_signed | Whether the container image is signed. The policy to test the signing must be configured inside the container image | true | :white_check_mark: | :white_check_mark: |
 | image_tag | Tag of the source container image | *VERSION* | :white_check_mark: | :white_check_mark: |
 | iso_name | Name of the ISO you wish to output when completed | build/deploy.iso | :white_check_mark: | :white_check_mark: |
 | make_target | Overrides the default make target | *ISO_NAME*-Checksum | :white_check_mark: | :x: |
diff --git a/action.yml b/action.yml
index 0a6a436d..e3255273 100644
--- a/action.yml
+++ b/action.yml
@@ -59,6 +59,10 @@ inputs:
     description: Repository containing the source container image
     required: true
     default: quay.io/fedora-ostree-desktops
+  image_signed:
+    description: Whether the container image is signed. The policy to test the signing must be configured inside the container image
+    required: false
+    default: "true"
   image_tag:
     description: Tag of the source container image. Defaults to the installer version
     required: false
@@ -209,6 +213,7 @@ runs:
           FLATPAK_DIR="${{ steps.flatpak_dependencies.outputs.flatpak_dir && format('/github/workspace/{0}', steps.flatpak_dependencies.outputs.flatpak_dir) || '' }}" \
           IMAGE_NAME="${{ inputs.image_name }}" \
           IMAGE_REPO="${{ inputs.image_repo }}" \
+          IMAGE_SIGNED="${{ inputs.image_signed }}" \
           IMAGE_TAG="${{ inputs.image_tag || inputs.version }}" \
           ISO_NAME=/github/workspace/${{ inputs.iso_name }} \
           ${{ inputs.repos && format('REPOS="{0}"', inputs.repos) || '' }} \
diff --git a/lorax_templates/scripts/post/install_configure_upgrades b/lorax_templates/scripts/post/install_configure_upgrades
index f474d939..20ca2ae4 100644
--- a/lorax_templates/scripts/post/install_configure_upgrades
+++ b/lorax_templates/scripts/post/install_configure_upgrades
@@ -1,7 +1,18 @@
-<%page args="image_repo, _image_repo_double_escaped, image_name, image_tag, _rhel, version"/>
+<%page args="image_repo, _image_repo_double_escaped, image_name, image_signed, image_tag, _rhel, version"/>
+
 if (which bootc &> /dev/null) && [ ${_rhel} == 'false' && ${version} -ge 39 ]
 then
-    bootc switch --mutate-in-place --enforce-container-sigpolicy --transport registry ${image_repo}/${image_name}:${image_tag}
+    if [ ${image_signed} == 'true' ]
+    then
+        bootc switch --mutate-in-place --enforce-container-sigpolicy --transport registry ${image_repo}/${image_name}:${image_tag}
+    else
+        bootc switch --mutate-in-place --transport registry ${image_repo}/${image_name}:${image_tag}
+    fi
 else
-    sed -i 's/container-image-reference=.*/container-image-reference=ostree-image-signed:docker:\/\/${_image_repo_double_escaped}\/${image_name}:${image_tag}/' /ostree/deploy/default/deploy/*.origin
+    if [ ${image_signed} == 'true' ]
+    then
+        sed -i 's/container-image-reference=.*/container-image-reference=ostree-image-signed:docker:\/\/${_image_repo_double_escaped}\/${image_name}:${image_tag}/' /ostree/deploy/default/deploy/*.origin
+    else
+        sed -i 's/container-image-reference=.*/container-image-reference=ostree-unverified-image:docker:\/\/${_image_repo_double_escaped}\/${image_name}:${image_tag}/' /ostree/deploy/default/deploy/*.origin
+    fi
 fi
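Review bot: Both new tests, `if [ ${image_signed} == 'true' ]`, expand the variable unquoted and make signature enforcement the branch that needs an exact match, so an empty value produces a `[` syntax error and, like any value other than `true`, falls through to the `else` branch that runs `bootc switch` without `--enforce-container-sigpolicy` or writes `ostree-unverified-image` into the origin file. Quoting the expansion and inverting the sense so that only an explicit opt-out disables enforcement, `if [ "${image_signed}" != 'false' ]`, keeps the unsigned path available while making a malformed or missing value fail safe. The condition is duplicated in the bootc and sed branches, so evaluating it once into a shell variable would keep the two from drifting apart, and an `echo` in the unsigned branches stating that the image reference is being installed without signature verification would leave a trace in the install log.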