From d095f08cd4290ded078cf8da11382deb225f8e09 Mon Sep 17 00:00:00 2001
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Thu, 26 Jan 2023 18:28:22 +0100
Subject: [PATCH] apko: build base image with pinned packages

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
 .github/actions/build_apko/action.yml | 7 ++
 apko/alpine-base-user-65532.yaml | 7 +-
 apko/alpine-base.yaml | 7 +-
 apko/alpine-libcryptsetup.yaml | 13 ++--
 apko/alpine-qemu-metadata-api.yaml | 12 +--
 .../Containerfile.apk.downloader | 73 +++++++++++++++++++
 6 files changed, 100 insertions(+), 19 deletions(-)
 create mode 100644 hack/package-hasher/Containerfile.apk.downloader

diff --git a/.github/actions/build_apko/action.yml b/.github/actions/build_apko/action.yml
index f85271ff3..2e9f0d786 100644
--- a/.github/actions/build_apko/action.yml
+++ b/.github/actions/build_apko/action.yml
@@ -59,6 +59,13 @@ runs:
 inputs.cosignPassword != ''
 uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
+ - name: Download apk repository
+ shell: bash
+ env:
+ DOCKER_BUILDKIT: "1"
+ run: |
+ docker build -o . -f hack/package-hasher/Containerfile.apk.downloader .
+
 - name: Build apko images and sign them
 shell: bash
 env:
diff --git a/apko/alpine-base-user-65532.yaml b/apko/alpine-base-user-65532.yaml
index 5aaecee1e..4e4c12030 100644
--- a/apko/alpine-base-user-65532.yaml
+++ b/apko/alpine-base-user-65532.yaml
@@ -1,8 +1,10 @@
 contents:
+ keyring:
+ - index-signing-key.rsa.pub
 repositories:
- - https://dl-cdn.alpinelinux.org/alpine/v3.17/main
+ - "@local repository-apk"
 packages:
- - alpine-base
+ - alpine-base@local
 entrypoint:
 command: /bin/sh -l
@@ -22,4 +24,3 @@ environment:
 archs:
 - amd64
- - 386
diff --git a/apko/alpine-base.yaml b/apko/alpine-base.yaml
index 2913d727c..a6a5af444 100644
--- a/apko/alpine-base.yaml
+++ b/apko/alpine-base.yaml
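Review bot: The new `keyring` entry `index-signing-key.rsa.pub` refers to a key that hack/package-hasher/Containerfile.apk.downloader generates afresh on every build (`abuild-keygen -a -n`), so the signature apko verifies here only binds the index to the build that produced it, not to any persistent trust anchor; the integrity of the packages rests on the `sha256sum -c /SHA256SUMS-apk-amd64` step in that Containerfile. That is acceptable, but the entry is easy to misread as a signed-repository guarantee. A comment above the keyring entry would prevent that, e.g. `# Ephemeral key generated per build by hack/package-hasher/Containerfile.apk.downloader; package integrity is pinned via SHA256SUMS-apk-amd64, not by this signature.` The same applies to the keyring entries added in apko/alpine-base.yaml, apko/alpine-libcryptsetup.yaml and apko/alpine-qemu-metadata-api.yaml.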
@@ -1,8 +1,10 @@
 contents:
+ keyring:
+ - index-signing-key.rsa.pub
 repositories:
- - https://dl-cdn.alpinelinux.org/alpine/v3.17/main
+ - "@local repository-apk"
 packages:
- - alpine-base
+ - alpine-base@local
 entrypoint:
 command: /bin/sh -l
@@ -12,4 +14,3 @@ environment:
 archs:
 - amd64
- - 386
diff --git a/apko/alpine-libcryptsetup.yaml b/apko/alpine-libcryptsetup.yaml
index 22d81d910..9f9cbdc5a 100644
--- a/apko/alpine-libcryptsetup.yaml
+++ b/apko/alpine-libcryptsetup.yaml
@@ -1,16 +1,15 @@
 contents:
+ keyring:
+ - index-signing-key.rsa.pub
 repositories:
- - https://dl-cdn.alpinelinux.org/alpine/v3.17/main
- - https://dl-cdn.alpinelinux.org/alpine/v3.17/community
+ - "@local repository-apk"
 packages:
- - alpine-base
- - cryptsetup-dev
- - bash
- - gcompat
+ - alpine-base@local
+ - cryptsetup-dev@local
+ - gcompat@local
 environment:
 PATH: /usr/sbin:/sbin:/usr/bin:/bin
 archs:
 - amd64
- - 386
diff --git a/apko/alpine-qemu-metadata-api.yaml b/apko/alpine-qemu-metadata-api.yaml
index 2260fc6f6..36dc08e75 100644
--- a/apko/alpine-qemu-metadata-api.yaml
+++ b/apko/alpine-qemu-metadata-api.yaml
@@ -1,14 +1,14 @@
 contents:
+ keyring:
+ - index-signing-key.rsa.pub
 repositories:
- - https://dl-cdn.alpinelinux.org/alpine/v3.17/main
- - https://dl-cdn.alpinelinux.org/alpine/v3.17/community
+ - "@local repository-apk"
 packages:
- - alpine-base
- - libvirt-dev
- - bash
+ - alpine-base@local
+ - libvirt-dev@local
+
 environment:
 PATH: /usr/sbin:/sbin:/usr/bin:/bin
 archs:
 - amd64
- - 386
diff --git a/hack/package-hasher/Containerfile.apk.downloader b/hack/package-hasher/Containerfile.apk.downloader
new file mode 100644
index 000000000..4724f3e47
--- /dev/null
+++ b/hack/package-hasher/Containerfile.apk.downloader
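Review bot: The rewritten package list in apko/alpine-libcryptsetup.yaml drops the `bash` entry without a `bash@local` replacement, and apko/alpine-qemu-metadata-api.yaml does the same, while the commit message only describes pinning packages. Any consumer that runs a script with a `#!/bin/bash` shebang or execs `bash` from these images would now fail on a missing interpreter; either confirm nothing depends on it and state that in the commit message, or add `- bash@local` to both lists. The `386` arch removal in the trailing hunks is likewise not mentioned; one sentence in the description would let reviewers separate intentional scope changes from the pinning work.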
@@ -0,0 +1,73 @@
+# syntax=docker/dockerfile:1.5-labs
+FROM alpine:3.17.1@sha256:93d5a28ff72d288d69b5997b8ba47396d2cbb62a72b5d87cd3351094b5d578a0 as builder
+
+#
+# Install dependencies
+#
+
+ADD --checksum=sha256:11968a8b706095a081ac30168849b351b0263a6df5c224119aa914d7e5afb0c1 \
+ https://github.com/reproducible-containers/repro-get/releases/download/v0.3.0/repro-get-v0.3.0.linux-amd64 \
+ /usr/bin/repro-get
+RUN chmod +x /usr/bin/repro-get
+
+ADD --checksum=sha256:45ae2e1f566cdc26dd9ddf0ca37a494d3fa7db29946094ae2f0d91e16def827d \
+ https://github.com/oras-project/oras/releases/download/v0.16.0/oras_0.16.0_linux_amd64.tar.gz \
+ /tmp/oras.tar.gz
+RUN tar -C /usr/bin -xzf /tmp/oras.tar.gz oras
+RUN chmod +x /usr/bin/oras
+
+COPY SHA256SUMS-apk-amd64 /SHA256SUMS-apk-amd64
+
+# TODO(katexochen): reenable when bug is fixed upstream,
+# see https://github.com/reproducible-containers/repro-get/issues/29
+
+# RUN repro-get \
+# --provider=oci://ghcr.io/katexochen/apk-repo-test \
+# --cache ./cache \
+# --distro alpine \
+# download /SHA256SUMS-apk-amd64
+
+# RUN repro-get \
+# --cache ./cache \
+# --distro alpine \
+# cache export repository-apk
+
+
+WORKDIR /workspace/repository-apk/x86_64
+
+# Pull our pinned packages from the registry
+RUN oras pull ghcr.io/edgelesssys/constellation/packages-apk:latest
+
+# Need to remove the repository prefix from the hashes file
+RUN sed -i -E 's%v[0-9].[0-9]+\/(main|community)\/x86_64/%%' /SHA256SUMS-apk-amd64
+
+# Validate package hashes
+RUN sha256sum -c /SHA256SUMS-apk-amd64
+
+# Create an apk index from the packages
+RUN apk index \
+ --rewrite-arch x86_64 \
+ -o APKINDEX.tar.gz \
+ *.apk
+
+#
+# We need package abuild to sign out index.
+# This is not a security mesaure. It is just a requirement of apko.
+# We installe the pinned abuild package from our registry, create
+# a new keypair and sign the index.
+#
+
+RUN echo "/workspace/repository-apk" > /etc/apk/repositories
+RUN apk update --allow-untrusted && apk add --allow-untrusted abuild
+RUN abuild-keygen -a -n
+
+RUN mv /root/.abuild/*.rsa /root/.abuild/index-signing-key.rsa
+RUN mv /root/.abuild/*.rsa.pub /root/.abuild/index-signing-key.rsa.pub
+RUN echo 'PACKAGER_PRIVKEY="/root/.abuild/index-signing-key.rsa"' > /root/.abuild/abuild.conf
+
+RUN abuild-sign APKINDEX.tar.gz
+
+FROM scratch as output
+
+COPY --from=builder /workspace/repository-apk repository-apk
+COPY --from=builder /root/.abuild/*.rsa.pub index-signing-key.rsa.pub
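Review bot: `RUN sha256sum -c /SHA256SUMS-apk-amd64` only checks the files that are listed, so any extra `.apk` that `oras pull ghcr.io/edgelesssys/constellation/packages-apk:latest` happens to deliver is never verified, yet `apk index ... *.apk` indexes it and `abuild-sign APKINDEX.tar.gz` signs it; the package set is therefore decided by the mutable `:latest` tag rather than by the checksum file. Add a completeness check right after the verification, for example `RUN [ "$(ls -1 *.apk | wc -l)" -eq "$(wc -l < /SHA256SUMS-apk-amd64)" ]` (valid if the file holds one entry per package and no blank lines, which the `sed` above appears to preserve), and prefer pulling by digest, `ghcr.io/edgelesssys/constellation/packages-apk@sha256:<DIGEST-PLACEHOLDER>`, so a moved tag cannot change a build. The comment block above the abuild steps reads `sign out index`, `mesaure` and `installe`; `sign our index`, `measure` and `install` are meant. The stage names use lowercase `as builder` / `as output`; `AS` is the conventional casing.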