Initial creation with proper signing setup

mtalexan · mtalexan · commit 0f21dbc929f9 · 2025-06-29T20:57:23.000-06:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -5,7 +5,7 @@ on:
     branches:
       - main
   schedule:
-    - cron: '05 10 * * *'  # 10:05am UTC everyday
+    - cron: '12 06 * * *'  # 06:12am UTC everyday
   push:
     branches:
       - main
@@ -14,7 +14,7 @@ on:
   workflow_dispatch:
 
 env:
-  IMAGE_DESC: "My Customized Universal Blue Image"
+  IMAGE_DESC: "Universal Blue Image for MSI EVO 13"
   IMAGE_KEYWORDS: "bootc,ublue,universal-blue"
   IMAGE_LOGO_URL: "https://avatars.githubusercontent.com/u/120078124?s=200&v=4"  # Put your own image here for a fancy profile on https://artifacthub.io/!
   IMAGE_NAME: "${{ github.event.repository.name }}"  # output image name, usually same as repo name
diff --git a/Containerfile b/Containerfile
@@ -1,9 +1,10 @@
 # Allow build scripts to be referenced without being copied into the final image
 FROM scratch AS ctx
-COPY build_files /
+# Modified: It's idiotic to not include all the files in the build context
+COPY / /
 
 # Base Image
-FROM ghcr.io/ublue-os/bazzite:stable
+FROM ghcr.io/ublue-os/aurora-dx:stable-daily
 
 ## Other possible base images include:
 # FROM ghcr.io/ublue-os/bazzite:latest
@@ -22,7 +23,7 @@ RUN --mount=type=bind,from=ctx,source=/,target=/ctx \
     --mount=type=cache,dst=/var/cache \
     --mount=type=cache,dst=/var/log \
     --mount=type=tmpfs,dst=/tmp \
-    /ctx/build.sh && \
+    /ctx/build_files/build.sh && \
     ostree container commit
     
 ### LINTING
diff --git a/README.md b/README.md
@@ -2,42 +2,15 @@
 
 # Purpose
 
-This repository is meant to be a template for building your own custom [bootc](https://github.com/bootc-dev/bootc) image. This template is the recommended way to make customizations to any image published by the Universal Blue Project:
-- Products: [Aurora](https://getaurora.dev/), [Bazzite](https://bazzite.gg/), [Bluefin](https://projectbluefin.io/), [uCore](https://projectucore.io/)
-- Base images: [main](https://github.com/ublue-os/main/) - the product images build on these and may be a better starting point depending on what you want. 
+Files and GitHub Actions for generating an Ostree bootc image derived from a Universal Blue OS image.  
 
-or any other base image if you want to start from scratch:
-
-- Fedora: `quay.io/fedora/fedora-bootc:41`
-- CentOS Stream 10: `quay.io/centos-bootc/centos-bootc:stream10`
-
-This template includes a Containerfile and a Github workflow for building the container image, signing, and proper metadata to be listed on [artifacthub](https://artifacthub.io/). As soon as the workflow is enabled in your repository, it will build the container image and push it to the Github Container Registry.
-
-# Prerequisites
-
-Working knowledge in the following topics:
-
-- Containers
-  - https://www.youtube.com/watch?v=SnSH8Ht3MIc
-  - https://www.mankier.com/5/Containerfile
-- bootc
-  - https://bootc-dev.github.io/bootc/
-- Fedora Silverblue (and other Fedora Atomic variants)
-  - https://docs.fedoraproject.org/en-US/fedora-silverblue/
-- Github Workflows
-  - https://docs.github.com/en/actions/using-workflows
-
-# Video Tutorial
-
-TesterTech has made a tutorial video, check it out: 
-
-[![Video Tutorial](https://img.youtube.com/vi/IxBl11Zmq5w/0.jpg)](https://www.youtube.com/watch?v=IxBl11Zmq5wE)
+As of Fedora 42, it's no longer possible to perform hot-fix changes to the rootfs, which limits certain workarounds, and this is the only alternative.
 
 # How to Use
 
-## Template
+## build.sh
 
-Select `Use this Template` and create a new repository from it. To enable the workflows, you may need to go the `Actions` tab of the new repository and click to enable workflows.
+Called by the `Containerfile` to do the actual work. 
 
 ## Containerfile
 
diff --git a/build_files/build.sh b/build_files/build.sh
@@ -2,16 +2,34 @@
 
 set -ouex pipefail
 
+# recursively copy everything from system_config/ in the build context to the root of the repo.
+rsync -rvK /ctx/system_config /
+
 ### Install packages
 
 # Packages can be installed from any enabled yum repo on the image.
 # RPMfusion repos are available by default in ublue main images
 # List of rpmfusion packages can be found here:
 # https://mirrors.rpmfusion.org/mirrorlist?path=free/fedora/updates/39/x86_64/repoview/index.html&protocol=https&redirect=1
 
-# this installs a package from fedora repos
-dnf5 install -y tmux 
+# Install KDE extras
+dnf5 install -y \
+    imsettings-plasma \
+    kclock-plasma-applet \
+    marble-plasma \
+    plasma-discover-offline-updates \
+    plasma-discover-rpm-ostree \
+    plasma-discover-snap
+    
+# Need java for the cloudflare-warp to work
+dnf5 install -y \
+    java-11-openjdk \
+    cloudflare-warp
 
+# tio for serial
+dnf5 install -y \
+    tio
+    
 # Use a COPR Example:
 #
 # dnf5 -y copr enable ublue-os/staging
@@ -21,4 +39,11 @@ dnf5 install -y tmux
 
 #### Example for enabling a System Unit File
 
-systemctl enable podman.socket
+#systemctl enable podman.socket
+
+# Add the nix mountpoint
+install -d -m 0755 /nix
+
+
+# Adds the cosign.pub as the signing key for verifying bootc images pulled from this repo.
+/ctx/build_files/signing.sh
diff --git a/build_files/signing.sh b/build_files/signing.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/bash
+#
+# Based on https://github.com/bsherman/bos/blob/main/signing.sh
+#
+# Sets up the system container registry config in the image to use the cosign.pub
+# key from the root of the repo/build context as the signature verification key
+# of any images pulled from the GitHub docker registry for this repo.
+
+set -exou pipefail
+
+# these need to match your GitHub username and the name of this repo
+readonly github_username="mtalexan"
+readonly github_reponame="ublueos-msi-evo13"
+
+# Signing
+mkdir -p /etc/containers
+mkdir -p /etc/pki/containers
+mkdir -p /etc/containers/registries.d/
+
+if [ -f /usr/etc/containers/policy.json ]; then
+    cp /usr/etc/containers/policy.json /etc/containers/policy.json
+fi
+
+cat <<<"$(jq '.transports.docker |=. + {
+   "ghcr.io/${github_username}/${github_reponame}": [
+    {
+        "type": "sigstoreSigned",
+        "keyPath": "/etc/pki/containers/${github_username}-${github_reponame}.pub",
+        "signedIdentity": {
+            "type": "matchRepository"
+        }
+    }
+]}' <"/etc/containers/policy.json")" >"/tmp/policy.json"
+cp /tmp/policy.json /etc/containers/policy.json
+cp /ctx/cosign.pub /etc/pki/containers/${github_username}-${github_reponame}.pub
+tee /etc/containers/registries.d/${github_username}-${github_reponame}.yaml <<EOF
+docker:
+  ghcr.io/${github_username}/${github_reponame}:
+    use-sigstore-attachments: true
+EOF
+
+mkdir -p /usr/etc/containers/
+cp /etc/containers/policy.json /usr/etc/containers/policy.json
diff --git a/cosign.pub b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbM1TZ7myGjXpTpcLTY9h0IqbcNPj
+a/26+7idLw68isANmtvijsDyvr7NcClthexlXB7Usz5WRHZ/iv3llR0aBw==
+-----END PUBLIC KEY-----
diff --git a/system_config/etc/yum.repos.d/cloudflare-warp.repo b/system_config/etc/yum.repos.d/cloudflare-warp.repo
@@ -0,0 +1,7 @@
+[cloudflare-warp-stable]
+name=cloudflare-warp-stable
+baseurl=https://pkg.cloudflareclient.com/rpm
+enabled=1
+type=rpm
+gpgcheck=1
+gpgkey=https://pkg.cloudflareclient.com/pubkey.gpg
