apko: build base image with pinned packages

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2024-09-20 00:06:21 +00:00 · 2023-01-26 18:28:22 +01:00 · 2023-01-26 18:28:22 +01:00 · d095f08cd4
commit d095f08cd4
parent 32a540bff4
6 changed files with 100 additions and 19 deletions
--- a/.github/actions/build_apko/action.yml
+++ b/.github/actions/build_apko/action.yml
@ -59,6 +59,13 @@ runs:
        inputs.cosignPassword != ''
      uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1

+    - name: Download apk repository
+      shell: bash
+      env:
+        DOCKER_BUILDKIT: "1"
+      run: |
+        docker build -o . -f hack/package-hasher/Containerfile.apk.downloader .
+
    - name: Build apko images and sign them
      shell: bash
      env:
--- a/apko/alpine-base-user-65532.yaml
+++ b/apko/alpine-base-user-65532.yaml
@ -1,8 +1,10 @@
 contents:
+  keyring:
+    - index-signing-key.rsa.pub
  repositories:
-    - https://dl-cdn.alpinelinux.org/alpine/v3.17/main
+    - "@local repository-apk"
  packages:
-    - alpine-base
+    - alpine-base@local

 entrypoint:
  command: /bin/sh -l
@ -22,4 +24,3 @@ environment:

 archs:
  - amd64
-  - 386
--- a/apko/alpine-base.yaml
+++ b/apko/alpine-base.yaml
@ -1,8 +1,10 @@
 contents:
+  keyring:
+    - index-signing-key.rsa.pub
  repositories:
-    - https://dl-cdn.alpinelinux.org/alpine/v3.17/main
+    - "@local repository-apk"
  packages:
-    - alpine-base
+    - alpine-base@local

 entrypoint:
  command: /bin/sh -l
@ -12,4 +14,3 @@ environment:

 archs:
  - amd64
-  - 386
--- a/apko/alpine-libcryptsetup.yaml
+++ b/apko/alpine-libcryptsetup.yaml
@ -1,16 +1,15 @@
 contents:
+  keyring:
+    - index-signing-key.rsa.pub
  repositories:
-    - https://dl-cdn.alpinelinux.org/alpine/v3.17/main
-    - https://dl-cdn.alpinelinux.org/alpine/v3.17/community
+    - "@local repository-apk"
  packages:
-    - alpine-base
-    - cryptsetup-dev
-    - bash
-    - gcompat
+    - alpine-base@local
+    - cryptsetup-dev@local
+    - gcompat@local

 environment:
  PATH: /usr/sbin:/sbin:/usr/bin:/bin

 archs:
  - amd64
-  - 386
--- a/apko/alpine-qemu-metadata-api.yaml
+++ b/apko/alpine-qemu-metadata-api.yaml
@ -1,14 +1,14 @@
 contents:
+  keyring:
+    - index-signing-key.rsa.pub
  repositories:
-    - https://dl-cdn.alpinelinux.org/alpine/v3.17/main
-    - https://dl-cdn.alpinelinux.org/alpine/v3.17/community
+    - "@local repository-apk"
  packages:
-    - alpine-base
-    - libvirt-dev
-    - bash
+    - alpine-base@local
+    - libvirt-dev@local
+
 environment:
  PATH: /usr/sbin:/sbin:/usr/bin:/bin

 archs:
  - amd64
-  - 386
--- a/hack/package-hasher/Containerfile.apk.downloader
+++ b/hack/package-hasher/Containerfile.apk.downloader
@ -0,0 +1,73 @@
+# syntax=docker/dockerfile:1.5-labs
+FROM alpine:3.17.1@sha256:93d5a28ff72d288d69b5997b8ba47396d2cbb62a72b5d87cd3351094b5d578a0 as builder
+
+#
+# Install dependencies
+#
+
+ADD --checksum=sha256:11968a8b706095a081ac30168849b351b0263a6df5c224119aa914d7e5afb0c1 \
+    https://github.com/reproducible-containers/repro-get/releases/download/v0.3.0/repro-get-v0.3.0.linux-amd64 \
+    /usr/bin/repro-get
+RUN chmod +x /usr/bin/repro-get
+
+ADD --checksum=sha256:45ae2e1f566cdc26dd9ddf0ca37a494d3fa7db29946094ae2f0d91e16def827d \
+    https://github.com/oras-project/oras/releases/download/v0.16.0/oras_0.16.0_linux_amd64.tar.gz \
+    /tmp/oras.tar.gz
+RUN tar -C /usr/bin -xzf /tmp/oras.tar.gz oras
+RUN chmod +x /usr/bin/oras
+
+COPY SHA256SUMS-apk-amd64 /SHA256SUMS-apk-amd64
+
+# TODO(katexochen): reenable when bug is fixed upstream,
+# see https://github.com/reproducible-containers/repro-get/issues/29
+
+# RUN repro-get \
+#     --provider=oci://ghcr.io/katexochen/apk-repo-test \
+#     --cache ./cache \
+#     --distro alpine \
+#     download /SHA256SUMS-apk-amd64
+
+# RUN repro-get \
+#     --cache ./cache \
+#     --distro alpine \
+#     cache export repository-apk
+
+
+WORKDIR /workspace/repository-apk/x86_64
+
+# Pull our pinned packages from the registry
+RUN oras pull ghcr.io/edgelesssys/constellation/packages-apk:latest
+
+# Need to remove the repository prefix from the hashes file
+RUN sed -i -E 's%v[0-9].[0-9]+\/(main|community)\/x86_64/%%' /SHA256SUMS-apk-amd64
+
+# Validate package hashes
+RUN sha256sum -c /SHA256SUMS-apk-amd64
+
+# Create an apk index from the packages
+RUN apk index \
+    --rewrite-arch x86_64 \
+    -o APKINDEX.tar.gz \
+    *.apk
+
+#
+# We need package abuild to sign out index.
+# This is not a security mesaure. It is just a requirement of apko.
+# We installe the pinned abuild package from our registry, create
+# a new keypair and sign the index.
+#
+
+RUN echo "/workspace/repository-apk" > /etc/apk/repositories
+RUN apk update --allow-untrusted && apk add --allow-untrusted abuild
+RUN abuild-keygen -a -n
+
+RUN mv /root/.abuild/*.rsa /root/.abuild/index-signing-key.rsa
+RUN mv /root/.abuild/*.rsa.pub /root/.abuild/index-signing-key.rsa.pub
+RUN echo 'PACKAGER_PRIVKEY="/root/.abuild/index-signing-key.rsa"' > /root/.abuild/abuild.conf
+
+RUN abuild-sign APKINDEX.tar.gz
+
+FROM scratch as output
+
+COPY --from=builder /workspace/repository-apk repository-apk
+COPY --from=builder /root/.abuild/*.rsa.pub index-signing-key.rsa.pub