From e6b8cd999e6004a1799da9a0b21e492b23b1b3ac Mon Sep 17 00:00:00 2001
From: RJ Trujillo
Date: Sun, 27 Aug 2023 10:06:57 -0600
Subject: [PATCH 1/6] feat(just): Add script that signs the current image
---
 .../usr/share/ublue-os/just/custom.just | 28 +++++++++++++++++--
 .../usr/share/ublue-os/just/custom.just | 27 +++++++++++++++++-
 2 files changed, 52 insertions(+), 3 deletions(-)
diff --git a/system_files/deck/shared/usr/share/ublue-os/just/custom.just b/system_files/deck/shared/usr/share/ublue-os/just/custom.just
index b9ef13ca..770b8cdd 100644
--- a/system_files/deck/shared/usr/share/ublue-os/just/custom.just
+++ b/system_files/deck/shared/usr/share/ublue-os/just/custom.just
@@ -31,8 +31,6 @@ configure-waydroid:
 deactivate
 rm -rf ~/waydroid_script
-
-
 get-decky:
 #!/usr/bin/env bash
 export HOME=$(getent passwd ${SUDO_USER:-$USER} | cut -d: -f6)
@@ -284,3 +282,29 @@ _toggle_wayland:
 else
 sudo sed -i 's/false/true/g' /etc/default/desktop-wayland
 fi
+
+sign-image:
+ rpm-ostree rebase ostree-image-signed:$(just --unstable _get-image)
+
+_get-image:
+ #!/usr/bin/env python
+ from json import loads
+ from subprocess import PIPE, run
+
+ """Pull deployment status via rpm-ostree"""
+ status = "rpm-ostree status --json"
+ out = run(status, shell=True, stdout=PIPE).stdout
+
+ """Parse current image"""
+ deployments = loads(out)["deployments"][0]
+ current_image = deployments["container-image-reference"].split(":", 1)
+
+ """Dissect current image to form URL to latest image"""
+ protocol = "docker://"
+ url = current_image[1]
+
+ """Add protocol if URL doesn't contain it"""
+ if protocol not in url:
+ url = protocol + url
+
+ print(url)
diff --git a/system_files/desktop/shared/usr/share/ublue-os/just/custom.just b/system_files/desktop/shared/usr/share/ublue-os/just/custom.just
index ca7fe108..f7d46af6 100644
--- a/system_files/desktop/shared/usr/share/ublue-os/just/custom.just
+++ b/system_files/desktop/shared/usr/share/ublue-os/just/custom.just
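Review bot: `run(status, shell=True, stdout=PIPE)` in the new `_get-image` recipe never checks rpm-ostree's exit status, so a failed status query surfaces as a JSON decode error on empty output rather than as the real failure; `out = run(["rpm-ostree", "status", "--json"], stdout=PIPE, check=True).stdout` stops at the source and drops the unneeded `shell=True`. `loads(out)["deployments"][0]` takes the first listed deployment, which is presumably the booted one only when nothing is staged — the `booted` field of each entry would pin it; verify against rpm-ostree's JSON. The triple-quoted strings used as section headings are expression statements rather than comments; `# Pull deployment status via rpm-ostree` is the plain form. The desktop copy in the `unhide-grub` hunk of the second file has the same shape.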
@@ -35,7 +35,6 @@ configure-waydroid:
 deactivate
 rm -rf ~/waydroid_script
-
 install-corectrl:
 echo 'Installing CoreCtrl...'
 rpm-ostree install corectrl
@@ -192,3 +191,29 @@ unhide-grub:
 else
 sudo grub2-mkconfig -o /boot/grub2/grub.cfg
 fi
+
+sign-image:
+ rpm-ostree rebase ostree-image-signed:$(just --unstable _get-image)
+
+_get-image:
+ #!/usr/bin/env python
+ from json import loads
+ from subprocess import PIPE, run
+
+ """Pull deployment status via rpm-ostree"""
+ status = "rpm-ostree status --json"
+ out = run(status, shell=True, stdout=PIPE).stdout
+
+ """Parse current image"""
+ deployments = loads(out)["deployments"][0]
+ current_image = deployments["container-image-reference"].split(":", 1)
+
+ """Dissect current image to form URL to latest image"""
+ protocol = "docker://"
+ url = current_image[1]
+
+ """Add protocol if URL doesn't contain it"""
+ if protocol not in url:
+ url = protocol + url
+
+ print(url)
From 3729cf63725fd469523413b3019edef2b651d04f Mon Sep 17 00:00:00 2001
From: RJ Trujillo
Date: Sun, 27 Aug 2023 10:15:02 -0600
Subject: [PATCH 2/6] feat(yafti): Sign Bazzite during installation
---
 .../deck/shared/usr/share/ublue-os/firstboot/yafti.yml | 8 ++++++++
 .../desktop/shared/usr/share/ublue-os/firstboot/yafti.yml | 8 ++++++++
 2 files changed, 16 insertions(+)
diff --git a/system_files/deck/shared/usr/share/ublue-os/firstboot/yafti.yml b/system_files/deck/shared/usr/share/ublue-os/firstboot/yafti.yml
index df24ab07..da31126c 100644
--- a/system_files/deck/shared/usr/share/ublue-os/firstboot/yafti.yml
+++ b/system_files/deck/shared/usr/share/ublue-os/firstboot/yafti.yml
@@ -203,6 +203,14 @@ screens:
 run: just --unstable enable-vgui2-theme
 description: |
 Optionally apply a Valve-inspired theme to GNOME via Gradience. Note that custom themes are not officially supported by GNOME and some applications can break. Please avoid reporting issues to application developers until you've tested against the default theme.
+ sign-image:
+ source: yafti.screen.consent
+ values:
+ title: Sign Bazzite
+ description: |
+ This will sign your current install of Bazzite. Note that this may take awhile.
+ actions:
+ - run: just --unstable sign-image
 final-screen:
 source: yafti.screen.title
 values:
diff --git a/system_files/desktop/shared/usr/share/ublue-os/firstboot/yafti.yml b/system_files/desktop/shared/usr/share/ublue-os/firstboot/yafti.yml
index 9f9e9ac3..7b81a7a1 100644
--- a/system_files/desktop/shared/usr/share/ublue-os/firstboot/yafti.yml
+++ b/system_files/desktop/shared/usr/share/ublue-os/firstboot/yafti.yml
@@ -208,6 +208,14 @@ screens:
 run: just --unstable enable-vgui2-theme
 description: |
 Optionally apply a Valve-inspired theme to GNOME via Gradience. Note that custom themes are not officially supported by GNOME and some applications can break. Please avoid reporting issues to application developers until you've tested against the default theme.
+ sign-image:
+ source: yafti.screen.consent
+ values:
+ title: Sign Bazzite
+ description: |
+ This will sign your current install of Bazzite. Note that this may take awhile.
+ actions:
+ - run: just --unstable sign-image
 final-screen:
 source: yafti.screen.title
 values:
From 2916d9a7999b8a81a88dc401066c7b4a230fb64f Mon Sep 17 00:00:00 2001
From: RJ Trujillo
Date: Sun, 27 Aug 2023 10:25:15 -0600
Subject: [PATCH 3/6] fix(yafti): Don't sign image if its already been signed
---
 system_files/deck/shared/usr/share/ublue-os/firstboot/yafti.yml | 2 ++
 .../desktop/shared/usr/share/ublue-os/firstboot/yafti.yml | 2 ++
 2 files changed, 4 insertions(+)
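Review bot: The `description` added under `sign-image` tells the user this step will "sign" their install, but the action it runs, `just --unstable sign-image`, performs an `rpm-ostree rebase` onto an `ostree-image-signed:` reference — it switches the deployment to a reference whose image signature rpm-ostree checks; nothing is signed on the device. Wording such as `This will switch your install to the signed Bazzite image reference so that rpm-ostree verifies image signatures. Note that this may take awhile.` describes what the user is actually consenting to. The desktop `yafti.yml` hunk in this patch carries the same text.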
diff --git a/system_files/deck/shared/usr/share/ublue-os/firstboot/yafti.yml b/system_files/deck/shared/usr/share/ublue-os/firstboot/yafti.yml
index da31126c..b22c6038 100644
--- a/system_files/deck/shared/usr/share/ublue-os/firstboot/yafti.yml
+++ b/system_files/deck/shared/usr/share/ublue-os/firstboot/yafti.yml
@@ -205,6 +205,8 @@ screens:
 Optionally apply a Valve-inspired theme to GNOME via Gradience. Note that custom themes are not officially supported by GNOME and some applications can break. Please avoid reporting issues to application developers until you've tested against the default theme.
 sign-image:
 source: yafti.screen.consent
+ condition:
+ run: grep -qvz "signed" <<< $(rpm-ostree status)
 values:
 title: Sign Bazzite
 description: |
diff --git a/system_files/desktop/shared/usr/share/ublue-os/firstboot/yafti.yml b/system_files/desktop/shared/usr/share/ublue-os/firstboot/yafti.yml
index 7b81a7a1..d1db6942 100644
--- a/system_files/desktop/shared/usr/share/ublue-os/firstboot/yafti.yml
+++ b/system_files/desktop/shared/usr/share/ublue-os/firstboot/yafti.yml
@@ -210,6 +210,8 @@ screens:
 Optionally apply a Valve-inspired theme to GNOME via Gradience. Note that custom themes are not officially supported by GNOME and some applications can break. Please avoid reporting issues to application developers until you've tested against the default theme.
 sign-image:
 source: yafti.screen.consent
+ condition:
+ run: grep -qvz "signed" <<< $(rpm-ostree status)
 values:
 title: Sign Bazzite
 description: |
From 603fc0d5fc16aa5565636e2e3a988883aeffb3fc Mon Sep 17 00:00:00 2001
From: RJ Trujillo
Date: Sun, 27 Aug 2023 15:06:13 -0600
Subject: [PATCH 4/6] chore: Add vendor to image identifiers
---
 Containerfile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/Containerfile b/Containerfile
index 5a8a883c..48083b1e 100644
--- a/Containerfile
+++ b/Containerfile
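Review bot: `grep -qvz "signed" <<< $(rpm-ostree status)` succeeds only when the word `signed` appears nowhere in the whole status output, so any other deployment listed there — a staged or rollback one already on a signed reference — hides the screen while the booted deployment is still unsigned, and the bare word is looser than the reference scheme it stands for. Keying the check on the booted deployment and the exact scheme, `run: '! rpm-ostree status --booted | grep -q ostree-image-signed'`, decides on the deployment that matters (the leading `!` needs quoting in YAML, where it would otherwise start a tag). The here-string also presumes yafti runs the condition under bash, which I could not confirm from the page. The desktop `yafti.yml` hunk in this patch carries the same condition.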
@@ -7,6 +7,7 @@ ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-38}"
 FROM ${BASE_IMAGE}:${FEDORA_MAJOR_VERSION} AS bazzite
 ARG IMAGE_NAME="${IMAGE_NAME}"
+ARG IMAGE_VENDOR="ublue-os"
 ARG BASE_IMAGE_NAME="${BASE_IMAGE_NAME}"
 ARG IMAGE_FLAVOR="${IMAGE_FLAVOR}"
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION}"
@@ -193,7 +194,7 @@ RUN rm /usr/share/applications/shredder.desktop && \
 systemctl disable waydroid-container.service && \
 rm /usr/share/wayland-sessions/weston.desktop \
 ; fi && \
- echo -e "IMAGE_NAME=${IMAGE_NAME}\nBASE_IMAGE_NAME=${BASE_IMAGE_NAME}\nIMAGE_FLAVOR=${IMAGE_FLAVOR}\nFEDORA_MAJOR_VERSION=${FEDORA_MAJOR_VERSION}" >> /etc/default/bazzite && \
+ echo -e "IMAGE_NAME=${IMAGE_NAME}\nIMAGE_VENDOR=${IMAGE_VENDOR}\nBASE_IMAGE_NAME=${BASE_IMAGE_NAME}\nIMAGE_FLAVOR=${IMAGE_FLAVOR}\nFEDORA_MAJOR_VERSION=${FEDORA_MAJOR_VERSION}" >> /etc/default/bazzite && \
 rm -rf \
 /tmp/* \
 /var/* && \
@@ -205,6 +206,7 @@ RUN rm /usr/share/applications/shredder.desktop && \
 FROM bazzite as bazzite-deck
 ARG IMAGE_NAME="${IMAGE_NAME}"
+ARG IMAGE_VENDOR="ublue-os"
 ARG BASE_IMAGE_NAME="${BASE_IMAGE_NAME}"
 ARG IMAGE_FLAVOR="${IMAGE_FLAVOR}"
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION}"
@@ -352,7 +354,7 @@ RUN rm /usr/share/applications/wine*.desktop && \
 systemctl --global disable ublue-update.timer && \
 rm -f /usr/etc/sddm.conf && \
 rm -f /etc/default/bazzite && \
- echo -e "IMAGE_NAME=${IMAGE_NAME}\nBASE_IMAGE_NAME=${BASE_IMAGE_NAME}\nIMAGE_FLAVOR=${IMAGE_FLAVOR}\nFEDORA_MAJOR_VERSION=${FEDORA_MAJOR_VERSION}" >> /etc/default/bazzite && \
+ echo -e "IMAGE_NAME=${IMAGE_NAME}\nIMAGE_VENDOR=${IMAGE_VENDOR}\nBASE_IMAGE_NAME=${BASE_IMAGE_NAME}\nIMAGE_FLAVOR=${IMAGE_FLAVOR}\nFEDORA_MAJOR_VERSION=${FEDORA_MAJOR_VERSION}" >> /etc/default/bazzite && \
 rm -rf \
 /tmp/* \
 /var/* && \
From 58238666ba4b95b6f92ebd09f909c3c8cd3febba Mon Sep 17 00:00:00 2001
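Review bot: `ARG IMAGE_VENDOR="ublue-os"` carries a literal default inside both the `bazzite` and `bazzite-deck` stages, whereas the neighbouring `ARG IMAGE_NAME="${IMAGE_NAME}"` lines take their value from the global scope declared above the first `FROM` (the hunk context shows `ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-38}"` there), so the vendor default now lives in two places that must be kept in sync. Since this string ends up in `/etc/default/bazzite` and the next patch in this series uses it to build the registry path of the signed rebase target, I would declare it once before `FROM` as `ARG IMAGE_VENDOR="${IMAGE_VENDOR:-ublue-os}"` and redeclare it in each stage as `ARG IMAGE_VENDOR="${IMAGE_VENDOR}"`, matching the sibling lines. The `RUN` chains in the second and fourth hunks start and end outside the hunks.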
From: RJ Trujillo
Date: Sun, 27 Aug 2023 15:16:12 -0600
Subject: [PATCH 5/6] feat(just): Use image identifiers for signing
Allows us to sign images built with Lorax
---
 .../usr/share/ublue-os/just/custom.just | 27 +++----------------
 .../usr/share/ublue-os/just/custom.just | 27 +++----------------
 2 files changed, 6 insertions(+), 48 deletions(-)
diff --git a/system_files/deck/shared/usr/share/ublue-os/just/custom.just b/system_files/deck/shared/usr/share/ublue-os/just/custom.just
index 770b8cdd..2a610036 100644
--- a/system_files/deck/shared/usr/share/ublue-os/just/custom.just
+++ b/system_files/deck/shared/usr/share/ublue-os/just/custom.just
@@ -284,27 +284,6 @@ _toggle_wayland:
 fi
 sign-image:
- rpm-ostree rebase ostree-image-signed:$(just --unstable _get-image)
-
-_get-image:
- #!/usr/bin/env python
- from json import loads
- from subprocess import PIPE, run
-
- """Pull deployment status via rpm-ostree"""
- status = "rpm-ostree status --json"
- out = run(status, shell=True, stdout=PIPE).stdout
-
- """Parse current image"""
- deployments = loads(out)["deployments"][0]
- current_image = deployments["container-image-reference"].split(":", 1)
-
- """Dissect current image to form URL to latest image"""
- protocol = "docker://"
- url = current_image[1]
-
- """Add protocol if URL doesn't contain it"""
- if protocol not in url:
- url = protocol + url
-
- print(url)
+ #!/usr/bin/env bash
+ source /etc/default/bazzite
+ rpm-ostree rebase ostree-image-signed:docker://ghcr.io/${IMAGE_VENDOR}/${IMAGE_NAME}:${FEDORA_MAJOR_VERSION}
diff --git a/system_files/desktop/shared/usr/share/ublue-os/just/custom.just b/system_files/desktop/shared/usr/share/ublue-os/just/custom.just
index f7d46af6..cdb76af8 100644
--- a/system_files/desktop/shared/usr/share/ublue-os/just/custom.just
+++ b/system_files/desktop/shared/usr/share/ublue-os/just/custom.just
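Review bot: The rewritten `sign-image` recipe runs without `set -euo pipefail`, so if `/etc/default/bazzite` is absent or lacks one of the three variables (the Containerfile's `bazzite-deck` stage removes and re-creates that file), `source` reports an error but the script carries on and rpm-ostree is asked to rebase onto `ostree-image-signed:docker://ghcr.io//:`; adding `set -euo pipefail` after the shebang aborts in both cases before rpm-ostree runs. `source` also executes that file as shell, so the build-time `echo -e` that writes it is what keeps the identifiers from being interpreted — a comment such as `# /etc/default/bazzite is generated by the Containerfile and is sourced as shell` would record that dependency. The registry host `ghcr.io` is hard-coded while vendor and image name come from the file; fine if intended, but worth a word. The desktop hunk below is identical.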
@@ -193,27 +193,6 @@ unhide-grub:
 fi
 sign-image:
- rpm-ostree rebase ostree-image-signed:$(just --unstable _get-image)
-
-_get-image:
- #!/usr/bin/env python
- from json import loads
- from subprocess import PIPE, run
-
- """Pull deployment status via rpm-ostree"""
- status = "rpm-ostree status --json"
- out = run(status, shell=True, stdout=PIPE).stdout
-
- """Parse current image"""
- deployments = loads(out)["deployments"][0]
- current_image = deployments["container-image-reference"].split(":", 1)
-
- """Dissect current image to form URL to latest image"""
- protocol = "docker://"
- url = current_image[1]
-
- """Add protocol if URL doesn't contain it"""
- if protocol not in url:
- url = protocol + url
-
- print(url)
+ #!/usr/bin/env bash
+ source /etc/default/bazzite
+ rpm-ostree rebase ostree-image-signed:docker://ghcr.io/${IMAGE_VENDOR}/${IMAGE_NAME}:${FEDORA_MAJOR_VERSION}
From 038702d525fba59a0aeb9045c912ee52aff35822 Mon Sep 17 00:00:00 2001
From: RJ Trujillo
Date: Sun, 27 Aug 2023 21:33:30 -0600
Subject: [PATCH 6/6] chore(yafti): Make image signing the first thing users encounter
If a user installs an image using Lorax, this is absolutely mandatory to have a functional system
---
 .../usr/share/ublue-os/firstboot/yafti.yml | 20 +++++++++----------
 .../usr/share/ublue-os/firstboot/yafti.yml | 20 +++++++++----------
 2 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/system_files/deck/shared/usr/share/ublue-os/firstboot/yafti.yml b/system_files/deck/shared/usr/share/ublue-os/firstboot/yafti.yml
index b22c6038..657f57dd 100644
--- a/system_files/deck/shared/usr/share/ublue-os/firstboot/yafti.yml
+++ b/system_files/deck/shared/usr/share/ublue-os/firstboot/yafti.yml
@@ -10,6 +10,16 @@ screens:
 icon: "/usr/share/ublue-os/bazzite/logo.svg"
 description: |
 Configure your system to get started. Completion of this process is required for Game mode to function.
+ sign-image:
+ source: yafti.screen.consent
+ condition:
+ run: grep -qvz "signed" <<< $(rpm-ostree status)
+ values:
+ title: Sign Bazzite
+ description: |
+ This will sign your current install of Bazzite. Note that this may take awhile.
+ actions:
+ - run: just --unstable sign-image
 configure-bazzite:
 source: yafti.screen.package
 values:
@@ -203,16 +213,6 @@ screens:
 run: just --unstable enable-vgui2-theme
 description: |
 Optionally apply a Valve-inspired theme to GNOME via Gradience. Note that custom themes are not officially supported by GNOME and some applications can break. Please avoid reporting issues to application developers until you've tested against the default theme.
- sign-image:
- source: yafti.screen.consent
- condition:
- run: grep -qvz "signed" <<< $(rpm-ostree status)
- values:
- title: Sign Bazzite
- description: |
- This will sign your current install of Bazzite. Note that this may take awhile.
- actions:
- - run: just --unstable sign-image
 final-screen:
 source: yafti.screen.title
 values:
diff --git a/system_files/desktop/shared/usr/share/ublue-os/firstboot/yafti.yml b/system_files/desktop/shared/usr/share/ublue-os/firstboot/yafti.yml
index d1db6942..573bde44 100644
--- a/system_files/desktop/shared/usr/share/ublue-os/firstboot/yafti.yml
+++ b/system_files/desktop/shared/usr/share/ublue-os/firstboot/yafti.yml
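Review bot: Moving `sign-image` to the first screen makes it the step the commit message calls mandatory for installs made with Lorax, yet the moved `description` still only says the step signs the install and may take a while, so a user who declines on the consent screen is told nothing about what the commit message says they lose. I would add a sentence to the description along the lines of `If you installed Bazzite with Lorax, this step is required for your system to work correctly.` — that consequence is stated only in the commit message, not elsewhere on the page, so confirm it before wording it. The same pair of hunks appears in the desktop `yafti.yml` below.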
@@ -10,6 +10,16 @@ screens:
 icon: "/usr/share/ublue-os/bazzite/logo.svg"
 description: |
 Configure your system to get started
+ sign-image:
+ source: yafti.screen.consent
+ condition:
+ run: grep -qvz "signed" <<< $(rpm-ostree status)
+ values:
+ title: Sign Bazzite
+ description: |
+ This will sign your current install of Bazzite. Note that this may take awhile.
+ actions:
+ - run: just --unstable sign-image
 configure-bazzite-arch:
 source: yafti.screen.package
 values:
@@ -208,16 +218,6 @@ screens:
 run: just --unstable enable-vgui2-theme
 description: |
 Optionally apply a Valve-inspired theme to GNOME via Gradience. Note that custom themes are not officially supported by GNOME and some applications can break. Please avoid reporting issues to application developers until you've tested against the default theme.
- sign-image:
- source: yafti.screen.consent
- condition:
- run: grep -qvz "signed" <<< $(rpm-ostree status)
- values:
- title: Sign Bazzite
- description: |
- This will sign your current install of Bazzite. Note that this may take awhile.
- actions:
- - run: just --unstable sign-image
 final-screen:
 source: yafti.screen.title
 values: