mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
b49ca67add
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
74 lines
2.4 KiB
Plaintext
74 lines
2.4 KiB
Plaintext
# syntax=docker/dockerfile:1.5-labs
|
|
FROM alpine:3.17.3@sha256:b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d as builder
|
|
|
|
#
|
|
# Install dependencies
|
|
#
|
|
|
|
ADD --checksum=sha256:11968a8b706095a081ac30168849b351b0263a6df5c224119aa914d7e5afb0c1 \
|
|
https://github.com/reproducible-containers/repro-get/releases/download/v0.3.0/repro-get-v0.3.0.linux-amd64 \
|
|
/usr/bin/repro-get
|
|
RUN chmod +x /usr/bin/repro-get
|
|
|
|
ADD --checksum=sha256:45ae2e1f566cdc26dd9ddf0ca37a494d3fa7db29946094ae2f0d91e16def827d \
|
|
https://github.com/oras-project/oras/releases/download/v0.16.0/oras_0.16.0_linux_amd64.tar.gz \
|
|
/tmp/oras.tar.gz
|
|
RUN tar -C /usr/bin -xzf /tmp/oras.tar.gz oras
|
|
RUN chmod +x /usr/bin/oras
|
|
|
|
COPY SHA256SUMS-apk-amd64 /SHA256SUMS-apk-amd64
|
|
|
|
# TODO(katexochen): reenable when bug is fixed upstream,
|
|
# see https://github.com/reproducible-containers/repro-get/issues/29
|
|
|
|
# RUN repro-get \
|
|
# --provider=oci://ghcr.io/katexochen/apk-repo-test \
|
|
# --cache ./cache \
|
|
# --distro alpine \
|
|
# download /SHA256SUMS-apk-amd64
|
|
|
|
# RUN repro-get \
|
|
# --cache ./cache \
|
|
# --distro alpine \
|
|
# cache export repository-apk
|
|
|
|
|
|
WORKDIR /workspace/repository-apk/x86_64
|
|
|
|
# Pull our pinned packages from the registry
|
|
RUN oras pull ghcr.io/edgelesssys/constellation/packages-apk:latest
|
|
|
|
# Need to remove the repository prefix from the hashes file
|
|
RUN sed -i -E 's%v[0-9].[0-9]+\/(main|community)\/x86_64/%%' /SHA256SUMS-apk-amd64
|
|
|
|
# Validate package hashes
|
|
RUN sha256sum -c /SHA256SUMS-apk-amd64
|
|
|
|
# Create an apk index from the packages
|
|
RUN apk index \
|
|
--rewrite-arch x86_64 \
|
|
-o APKINDEX.tar.gz \
|
|
*.apk
|
|
|
|
#
|
|
# We need package abuild to sign out index.
|
|
# This is not a security mesaure. It is just a requirement of apko.
|
|
# We installe the pinned abuild package from our registry, create
|
|
# a new keypair and sign the index.
|
|
#
|
|
|
|
RUN echo "/workspace/repository-apk" > /etc/apk/repositories
|
|
RUN apk update --allow-untrusted && apk add --allow-untrusted abuild
|
|
RUN abuild-keygen -a -n
|
|
|
|
RUN mv /root/.abuild/*.rsa /root/.abuild/index-signing-key.rsa
|
|
RUN mv /root/.abuild/*.rsa.pub /root/.abuild/index-signing-key.rsa.pub
|
|
RUN echo 'PACKAGER_PRIVKEY="/root/.abuild/index-signing-key.rsa"' > /root/.abuild/abuild.conf
|
|
|
|
RUN abuild-sign APKINDEX.tar.gz
|
|
|
|
FROM scratch as output
|
|
|
|
COPY --from=builder /workspace/repository-apk repository-apk
|
|
COPY --from=builder /root/.abuild/*.rsa.pub index-signing-key.rsa.pub
|