From 3e6d9f4eacf4ba6650b7087290beb66959dad870 Mon Sep 17 00:00:00 2001
From: xyny
Date: Wed, 7 Aug 2024 13:23:47 +0300
Subject: [PATCH 1/8] feat: initial apt module draft
---
 modules/apt-get/apt-get.sh | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 modules/apt-get/apt-get.sh
diff --git a/modules/apt-get/apt-get.sh b/modules/apt-get/apt-get.sh
new file mode 100644
index 00000000..e4639fd1
--- /dev/null
+++ b/modules/apt-get/apt-get.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -euo pipefail
+
+get_yaml_array INSTALL_PKGS '.install[]' "$1"
+
+apt-get install -y "${INSTALL_PKGS[@]}"
+apt-get clean
\ No newline at end of file
From 231e699a9002dfb94b8b12e164979a96e9dda94c Mon Sep 17 00:00:00 2001
From: xyny
Date: Sun, 11 Aug 2024 12:56:35 +0300
Subject: [PATCH 2/8] feat(signing): add OS detection, change abroot.json on vanilla
---
 modules/signing/signing.sh | 95 +++++++++++++++++++++-----------------
 1 file changed, 52 insertions(+), 43 deletions(-)
diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
index 42081bc6..fbaa7356 100644
--- a/modules/signing/signing.sh
+++ b/modules/signing/signing.sh
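Review bot: `apt-get install -y "${INSTALL_PKGS[@]}"` runs with no preceding `apt-get update`, so unless the base image already ships current package lists (not visible here) the resolver works from stale or absent indexes and the build either fails or installs outdated versions; add `apt-get update` before the install line. With `set -u`, an empty `.install` list makes `"${INSTALL_PKGS[@]}"` an unbound-variable error on bash older than 4.4, so either guard with `if [[ ${#INSTALL_PKGS[@]} -gt 0 ]]; then … fi` or state that the key is mandatory. `get_yaml_array` is not defined in this file; presumably the build harness provides it, which a one-line comment above the call such as `# get_yaml_array is provided by the BlueBuild module environment` should say.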
@@ -3,47 +3,56 @@ # Tell build process to exit if there are any errors. set -euo pipefail -CONTAINER_DIR="/usr/etc/containers" -MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}" -IMAGE_NAME_FILE="${IMAGE_NAME//\//_}" - -echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME" -echo "Registry to write: $IMAGE_REGISTRY" - -if ! [ -d "$CONTAINER_DIR" ]; then - mkdir -p "$CONTAINER_DIR" -fi - -if ! [ -d $CONTAINER_DIR/registries.d ]; then - mkdir -p "$CONTAINER_DIR/registries.d" -fi - -if ! [ -d "/usr/etc/pki/containers" ]; then - mkdir -p "/usr/etc/pki/containers" -fi - -if ! [ -f "$CONTAINER_DIR/policy.json" ]; then - cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json" -fi - -if ! [ -f "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" ]; then - cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" -fi - -POLICY_FILE="$CONTAINER_DIR/policy.json" - -yq -i -o=j '.transports.docker |= - {"'"$IMAGE_REGISTRY"'/'"$IMAGE_NAME"'": [ - { - "type": "sigstoreSigned", - "keyPath": "/usr/etc/pki/containers/'"$IMAGE_NAME_FILE"'.pub", - "signedIdentity": { - "type": "matchRepository" +if grep -q OSTREE /etc/os-release; then + echo "Detected OSTREE" + + CONTAINER_DIR="/usr/etc/containers" + MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}" + IMAGE_NAME_FILE="${IMAGE_NAME//\//_}" + + echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME" + echo "Registry to write: $IMAGE_REGISTRY" + + if ! [ -d "$CONTAINER_DIR" ]; then + mkdir -p "$CONTAINER_DIR" + fi + + if ! [ -d $CONTAINER_DIR/registries.d ]; then + mkdir -p "$CONTAINER_DIR/registries.d" + fi + + if ! [ -d "/usr/etc/pki/containers" ]; then + mkdir -p "/usr/etc/pki/containers" + fi + + if ! [ -f "$CONTAINER_DIR/policy.json" ]; then + cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json" + fi + + if ! 
[ -f "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" ]; then + cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" + fi + + POLICY_FILE="$CONTAINER_DIR/policy.json" + + yq -i -o=j '.transports.docker |= + {"'"$IMAGE_REGISTRY"'/'"$IMAGE_NAME"'": [ + { + "type": "sigstoreSigned", + "keyPath": "/usr/etc/pki/containers/'"$IMAGE_NAME_FILE"'.pub", + "signedIdentity": { + "type": "matchRepository" + } } - } - ] - } -+ .' "$POLICY_FILE" - -mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml" -sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml" + ] + } + + .' "$POLICY_FILE" + + mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml" + sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml" +elif grep -q "Vanilla OS" /etc/os-release; then + echo "Detected Vanilla OS" + USERNAME="${IMAGE_REGISTRY##*/}" + jq -r ".name |= \"$USERNAME/$IMAGE_NAME\"" /usr/share/abroot/abroot.json > /usr/share/abroot/abroot_tmp.json + mv /usr/share/abroot/abroot_tmp.json /usr/share/abroot/abroot.json +fi \ No newline at end of file From a3e539890eb3cb4b7041aa3544407538ef47d8f7 Mon Sep 17 00:00:00 2001 From: xyny Date: Sun, 11 Aug 2024 16:56:42 +0300 Subject: [PATCH 3/8] feat(apt-get): support removing packages --- modules/apt-get/apt-get.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/modules/apt-get/apt-get.sh b/modules/apt-get/apt-get.sh index e4639fd1..162dba71 100644 --- a/modules/apt-get/apt-get.sh +++ b/modules/apt-get/apt-get.sh @@ -4,6 +4,9 @@ set -euo pipefail get_yaml_array INSTALL_PKGS '.install[]' "$1" - apt-get install -y "${INSTALL_PKGS[@]}" -apt-get clean \ No newline at end of file + +get_yaml_array REMOVE_PKGS '.remove[]' "$1" +apt-get remove -y "${REMOVE_PKGS[@]}" + +apt-get clean 
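Review bot: The new `if … elif … fi` has no `else`, so on a base image whose /etc/os-release matches neither pattern the signing module exits 0 having configured nothing — a silent downgrade for a module whose whole job is to enforce signature policy; add `else` / `echo "ERROR: unsupported OS, signing not configured" >&2` / `exit 1`. In the Vanilla OS branch, `jq -r ".name |= \"$USERNAME/$IMAGE_NAME\""` splices shell variables into the jq program text, so a registry or image name containing a quote or backslash breaks the filter or can rewrite other fields; pass them as data with `jq --arg name "${USERNAME}/${IMAGE_NAME}" '.name = $name'`. The OSTREE branch's `yq` call does the same interpolation, but those lines are carried over unchanged from the old code.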
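Review bot: `apt-get remove -y "${REMOVE_PKGS[@]}"` is executed unconditionally, so a recipe without a `.remove` key trips `set -u` on bash older than 4.4 and on newer bash still spawns a pointless apt-get run; wrap it in `if [[ ${#REMOVE_PKGS[@]} -gt 0 ]]; then … fi`. Because `-y` also lets apt drop anything that depends on the listed packages without confirmation, a removal in an image recipe can take out more than the author named; a comment above the call stating that reverse dependencies are removed too, or a preceding `apt-get -s remove` dry run in the build log, would make that visible.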
From d6122821b34303933a390b1dd6442a7c7c7dbb8a Mon Sep 17 00:00:00 2001
From: xyny
Date: Sun, 11 Aug 2024 17:07:25 +0300
Subject: [PATCH 4/8] feat(apt-get): support adding same cli args as vib
---
 modules/apt-get/apt-get.sh | 41 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/modules/apt-get/apt-get.sh b/modules/apt-get/apt-get.sh
index 162dba71..7ad00cf2 100644
--- a/modules/apt-get/apt-get.sh
+++ b/modules/apt-get/apt-get.sh
@@ -3,8 +3,47 @@
 # Tell build process to exit if there are any errors.
 set -euo pipefail
 
+NO_RECOMMENDS=$(echo "${1}" | yq -I=0 ".no-recommends")
+if [[ -z "${NO_RECOMMENDS}" || "${NO_RECOMMENDS}" == "null" ]]; then
+ NO_RECOMMENDS=false
+fi
+
+INSTALL_SUGGESTS=$(echo "${1}" | yq -I=0 ".install-suggests")
+if [[ -z "${INSTALL_SUGGESTS}" || "${INSTALL_SUGGESTS}" == "null" ]]; then
+ INSTALL_SUGGESTS=false
+fi
+
+FIX_MISSING=$(echo "${1}" | yq -I=0 ".fix-missing")
+if [[ -z "${FIX_MISSING}" || "${FIX_MISSING}" == "null" ]]; then
+ FIX_MISSING=false
+fi
+
+FIX_BROKEN=$(echo "${1}" | yq -I=0 ".fix-broken")
+if [[ -z "${FIX_BROKEN}" || "${FIX_BROKEN}" == "null" ]]; then
+ FIX_BROKEN=false
+fi
+
+APT_ARGS=()
+
+if [[ ${NO_RECOMMENDS} == true ]]; then
+ APT_ARGS+=("--no-install-recommends")
+fi
+
+if [[ ${INSTALL_SUGGESTS} == true ]]; then
+ APT_ARGS+=("--install-suggests")
+fi
+
+if [[ ${FIX_MISSING} == true ]]; then
+ APT_ARGS+=("--fix-missing")
+fi
+
+if [[ ${FIX_BROKEN} == true ]]; then
+ APT_ARGS+=("--fix-broken")
+fi
+
 get_yaml_array INSTALL_PKGS '.install[]' "$1"
-apt-get install -y "${INSTALL_PKGS[@]}"
+# shellcheck disable=SC2068
+apt-get install -y ${APT_ARGS[@]} "${INSTALL_PKGS[@]}"
 
 get_yaml_array REMOVE_PKGS '.remove[]' "$1"
 apt-get remove -y "${REMOVE_PKGS[@]}"
From dffe3b15445e2a4d676d9492b12dc262c962d7a9 Mon Sep 17 00:00:00 2001
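Review bot: `# shellcheck disable=SC2068` suppresses a warning that is pointing at a real problem: `${APT_ARGS[@]}` is an array, so the quoted form `apt-get install -y "${APT_ARGS[@]}" "${INSTALL_PKGS[@]}"` is the correct call and needs no suppression (on bash 4.4 and later an empty array expands to nothing even under `set -u`, which the script already relies on for `INSTALL_PKGS`). Unquoted, any future flag value containing whitespace or a glob character would be split or expanded before reaching apt-get. The four flag stanzas differ only in the key name; reading them through one small helper would keep the null/empty handling in a single place, and since the keys contain hyphens it is worth confirming that `yq` parses `.fix-missing` as a single key rather than as a subtraction.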
From: xyny
Date: Sun, 11 Aug 2024 17:46:22 +0300
Subject: [PATCH 5/8] feat(apt-get): support installing .deb packages from URL
---
 modules/apt-get/apt-get.sh | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/modules/apt-get/apt-get.sh b/modules/apt-get/apt-get.sh
index 7ad00cf2..6f7f9f6a 100644
--- a/modules/apt-get/apt-get.sh
+++ b/modules/apt-get/apt-get.sh
@@ -23,8 +23,6 @@ if [[ -z "${FIX_BROKEN}" || "${FIX_BROKEN}" == "null" ]]; then
 FIX_BROKEN=false
 fi
 
-APT_ARGS=()
-
 if [[ ${NO_RECOMMENDS} == true ]]; then
 APT_ARGS+=("--no-install-recommends")
 fi
@@ -41,9 +39,25 @@ if [[ ${FIX_BROKEN} == true ]]; then
 APT_ARGS+=("--fix-broken")
 fi
 
-get_yaml_array INSTALL_PKGS '.install[]' "$1"
+# get_yaml_array INSTALL_PKGS '.install[]' "$1"
+
+INSTALL_PKGS=("https://discord.com/api/download?platform=linux&format=deb" "micro")
+
+if [[ ${#INSTALL_PKGS[@]} -gt 0 ]]; then
+ for PKG in "${INSTALL_PKGS[@]}"; do
+ if [[ "${PKG}" =~ ^https?:\/\/.* ]]; then
+ PKG_PATH=$(mktemp --suffix=".deb")
+ wget -o "${PKG_PATH}" "${PKG}"
+ wait
+ PROCESSED_INSTALL_PKGS+=("${PKG_PATH}")
+ else
+ PROCESSED_INSTALL_PKGS+=("${PKG}")
+ fi
+ done
+fi
+
 # shellcheck disable=SC2068
-apt-get install -y ${APT_ARGS[@]} "${INSTALL_PKGS[@]}"
+apt-get install -y ${APT_ARGS[@]} "${PROCESSED_INSTALL_PKGS[@]}"
 
 get_yaml_array REMOVE_PKGS '.remove[]' "$1"
 apt-get remove -y "${REMOVE_PKGS[@]}"
From 9678675d32d135bfb48894b86e60dfc97c6b0cb0 Mon Sep 17 00:00:00 2001
From: xyny
Date: Sun, 11 Aug 2024 17:56:21 +0300
Subject: [PATCH 6/8] fix(apt-get): use -O with wget isntead of -o
---
 modules/apt-get/apt-get.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/apt-get/apt-get.sh b/modules/apt-get/apt-get.sh
index 6f7f9f6a..738ce8ab 100644
--- a/modules/apt-get/apt-get.sh
+++ b/modules/apt-get/apt-get.sh
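Review bot: `INSTALL_PKGS=("https://discord.com/api/download?platform=linux&format=deb" "micro")` replaces the config-driven list (the `get_yaml_array` call directly above it is commented out), so every build of this module ignores the recipe and installs Discord from a live URL; this reads as debugging residue and should be reverted to `get_yaml_array INSTALL_PKGS '.install[]' "$1"` before merge. Even with that fixed, a `.deb` fetched from a URL is handed to `apt-get install` with no integrity check: nothing pins the download, plain `http://` is accepted by the `^https?://` regex, and whatever the server returns is installed as root into the image, so require `https://` only and have the recipe carry an expected sha256 that is verified with `sha256sum -c` before the path is appended to `PROCESSED_INSTALL_PKGS`. `PROCESSED_INSTALL_PKGS` is never initialised, so with an empty list its expansion on the `apt-get install` line is an unbound-variable error under `set -u` on bash older than 4.4; start the block with `PROCESSED_INSTALL_PKGS=()`. The `wait` after `wget` is a no-op since nothing is backgrounded, and the mktemp files are never removed.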
@@ -47,7 +47,7 @@ if [[ ${#INSTALL_PKGS[@]} -gt 0 ]]; then
 for PKG in "${INSTALL_PKGS[@]}"; do
 if [[ "${PKG}" =~ ^https?:\/\/.* ]]; then
 PKG_PATH=$(mktemp --suffix=".deb")
- wget -o "${PKG_PATH}" "${PKG}"
+ wget -O "${PKG_PATH}" "${PKG}"
 wait
 PROCESSED_INSTALL_PKGS+=("${PKG_PATH}")
 else
From c86fc62b7dca829f119056f122aebcdc4e54a218 Mon Sep 17 00:00:00 2001
From: xyny
Date: Mon, 30 Jun 2025 13:31:25 +0300
Subject: [PATCH 7/8] fix: stop using yq & update signing module
---
 modules/apt-get/apt-get.sh | 8 ++---
 modules/signing/signing.sh | 69 +++++++++++++++++++++++---------------
 2 files changed, 46 insertions(+), 31 deletions(-)
diff --git a/modules/apt-get/apt-get.sh b/modules/apt-get/apt-get.sh
index 738ce8ab..d20cba4e 100644
--- a/modules/apt-get/apt-get.sh
+++ b/modules/apt-get/apt-get.sh
@@ -3,22 +3,22 @@
 # Tell build process to exit if there are any errors.
 set -euo pipefail
 
-NO_RECOMMENDS=$(echo "${1}" | yq -I=0 ".no-recommends")
+NO_RECOMMENDS=$(echo "${1}" | jq "try .no-recommends")
 if [[ -z "${NO_RECOMMENDS}" || "${NO_RECOMMENDS}" == "null" ]]; then
 NO_RECOMMENDS=false
 fi
 
-INSTALL_SUGGESTS=$(echo "${1}" | yq -I=0 ".install-suggests")
+INSTALL_SUGGESTS=$(echo "${1}" | jq "try .install-suggests")
 if [[ -z "${INSTALL_SUGGESTS}" || "${INSTALL_SUGGESTS}" == "null" ]]; then
 INSTALL_SUGGESTS=false
 fi
 
-FIX_MISSING=$(echo "${1}" | yq -I=0 ".fix-missing")
+FIX_MISSING=$(echo "${1}" | jq "try .fix-missing")
 if [[ -z "${FIX_MISSING}" || "${FIX_MISSING}" == "null" ]]; then
 FIX_MISSING=false
 fi
 
-FIX_BROKEN=$(echo "${1}" | yq -I=0 ".fix-broken")
+FIX_BROKEN=$(echo "${1}" | jq "try .fix-broken")
 if [[ -z "${FIX_BROKEN}" || "${FIX_BROKEN}" == "null" ]]; then
 FIX_BROKEN=false
 fi
diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
index fbaa7356..de23a759 100644
--- a/modules/signing/signing.sh
+++ b/modules/signing/signing.sh
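Review bot: With `-O` the download now lands in the mktemp path, but the `wait` on the following line is still dead code (wget is not backgrounded) and nothing verifies what was fetched before `apt-get install` consumes it; a `sha256sum -c` against a recipe-supplied digest belongs directly after the `wget` line, and the download should fail closed on anything but `https://`. The enclosing `for` loop starts and ends outside this hunk.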
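Review bot: `echo "${1}" | jq …` feeds the module config through `echo`, which can mangle a config whose first token looks like an option (`-n`, `-e`) or that contains backslash escapes when `xpg_echo` is set; prefer `jq 'try …' <<<"${1}"` or `printf '%s' "${1}" | jq …` on each of the four stanzas. Note also that jq's `try` only catches runtime errors, not a filter that fails to compile, so a malformed program still aborts the build through `set -e`; that is the right fail-closed behaviour, but it is worth a one-line comment above the first stanza so the next reader does not assume `try` makes the read infallible.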
@@ -6,52 +6,67 @@ set -euo pipefail if grep -q OSTREE /etc/os-release; then echo "Detected OSTREE" - CONTAINER_DIR="/usr/etc/containers" + CONTAINER_DIR="/etc/containers" MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}" IMAGE_NAME_FILE="${IMAGE_NAME//\//_}" - echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME" - echo "Registry to write: $IMAGE_REGISTRY" + echo "Setting up container signing in policy.json and cosign.yaml for ${IMAGE_NAME}" + echo "Registry to write: ${IMAGE_REGISTRY}" - if ! [ -d "$CONTAINER_DIR" ]; then - mkdir -p "$CONTAINER_DIR" + if ! [ -d "${CONTAINER_DIR}" ]; then + mkdir -p "${CONTAINER_DIR}" fi - if ! [ -d $CONTAINER_DIR/registries.d ]; then - mkdir -p "$CONTAINER_DIR/registries.d" + if ! [ -d "${CONTAINER_DIR}/registries.d" ]; then + mkdir -p "${CONTAINER_DIR}/registries.d" fi - if ! [ -d "/usr/etc/pki/containers" ]; then - mkdir -p "/usr/etc/pki/containers" + if ! [ -d "/etc/pki/containers" ]; then + mkdir -p "/etc/pki/containers" fi - if ! [ -f "$CONTAINER_DIR/policy.json" ]; then - cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json" + if ! [ -f "/etc/pki/containers/${IMAGE_NAME_FILE}.pub" ]; then + echo "ERROR: Cannot find '${IMAGE_NAME_FILE}.pub' image key in '/etc/pki/containers/'" + echo " BlueBuild CLI should have copied it, but it didn't" + exit 1 fi - if ! [ -f "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" ]; then - cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" + TEMPLATE_POLICY="${MODULE_DIRECTORY}/signing/policy.json" + POLICY_FILE="${CONTAINER_DIR}/policy.json" + + # If there is no policy.json file, then copy the template policy + if ! 
[ -f "${POLICY_FILE}" ]; then + cp "${TEMPLATE_POLICY}" "${POLICY_FILE}" fi - POLICY_FILE="$CONTAINER_DIR/policy.json" + # If the already existing policy.json file doesn't have 'reject' as default policy, + # then signing is effectively disabled & template policy.json should be copied in that case also + if [[ "$(jq -r '.default[0].type' "${POLICY_FILE}")" == "insecureAcceptAnything" ]]; then + cp "${TEMPLATE_POLICY}" "${POLICY_FILE}" + fi - yq -i -o=j '.transports.docker |= - {"'"$IMAGE_REGISTRY"'/'"$IMAGE_NAME"'": [ - { - "type": "sigstoreSigned", - "keyPath": "/usr/etc/pki/containers/'"$IMAGE_NAME_FILE"'.pub", - "signedIdentity": { - "type": "matchRepository" - } + jq --arg image_registry "${IMAGE_REGISTRY}" \ + --arg image_name "${IMAGE_NAME}" \ + --arg image_name_file "${IMAGE_NAME_FILE}" \ + '.transports.docker |= + { ($image_registry + "/" + $image_name): [ + { + "type": "sigstoreSigned", + "keyPath": ("/etc/pki/containers/" + $image_name_file + ".pub"), + "signedIdentity": { + "type": "matchRepository" } - ] - } - + .' "$POLICY_FILE" + } + ] } + .' "${POLICY_FILE}" > "/tmp/POLICY.tmp" + + mv "/tmp/POLICY.tmp" "${POLICY_FILE}" + + mv "${MODULE_DIRECTORY}/signing/registry-config.yaml" "${CONTAINER_DIR}/registries.d/${IMAGE_REGISTRY##*/}-${IMAGE_NAME_FILE}.yaml" + sed -i "s ghcr.io/IMAGENAME ${IMAGE_REGISTRY}/${IMAGE_NAME} g" "${CONTAINER_DIR}/registries.d/${IMAGE_REGISTRY##*/}-${IMAGE_NAME_FILE}.yaml" - mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml" - sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml" elif grep -q "Vanilla OS" /etc/os-release; then echo "Detected Vanilla OS" + USERNAME="${IMAGE_REGISTRY##*/}" jq -r ".name |= \"$USERNAME/$IMAGE_NAME\"" /usr/share/abroot/abroot.json > /usr/share/abroot/abroot_tmp.json mv /usr/share/abroot/abroot_tmp.json /usr/share/abroot/abroot.json From ce2c831576b82c14b659b4bb4a1dd07971b21fab Mon Sep 17 00:00:00 2001 
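Review bot: `> "/tmp/POLICY.tmp"` followed by `mv "/tmp/POLICY.tmp" "${POLICY_FILE}"` writes the file that becomes the container signature policy through a fixed, predictable path in /tmp; inside a build container the exposure is limited, but a pre-existing file or symlink at that path would be followed and overwritten, so use `POLICY_TMP=$(mktemp)` and `mv "${POLICY_TMP}" "${POLICY_FILE}"` instead. The OSTREE branch now passes registry and image name to jq with `--arg`, but the unchanged Vanilla OS line `jq -r ".name |= \"$USERNAME/$IMAGE_NAME\""` still splices them into the jq program; for consistency use `jq --arg name "${USERNAME}/${IMAGE_NAME}" '.name = $name'`. The `sed -i "s ghcr.io/IMAGENAME ${IMAGE_REGISTRY}/${IMAGE_NAME} g"` uses a space as delimiter and inserts the values unescaped, so an `&`, a space or a `\` in either variable would corrupt the registries.d file; since the same values are already available to jq, consider rendering that YAML from a template with `--arg` as well.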
From: xyny
Date: Mon, 30 Jun 2025 13:39:23 +0300
Subject: [PATCH 8/8] fix: more robust jq syntax
---
 modules/apt-get/apt-get.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/apt-get/apt-get.sh b/modules/apt-get/apt-get.sh
index d20cba4e..825d89b3 100644
--- a/modules/apt-get/apt-get.sh
+++ b/modules/apt-get/apt-get.sh
@@ -3,22 +3,22 @@
 # Tell build process to exit if there are any errors.
 set -euo pipefail
 
-NO_RECOMMENDS=$(echo "${1}" | jq "try .no-recommends")
+NO_RECOMMENDS=$(echo "${1}" | jq 'try .["no-recommends"]')
 if [[ -z "${NO_RECOMMENDS}" || "${NO_RECOMMENDS}" == "null" ]]; then
 NO_RECOMMENDS=false
 fi
 
-INSTALL_SUGGESTS=$(echo "${1}" | jq "try .install-suggests")
+INSTALL_SUGGESTS=$(echo "${1}" | jq 'try .["install-suggests"]')
 if [[ -z "${INSTALL_SUGGESTS}" || "${INSTALL_SUGGESTS}" == "null" ]]; then
 INSTALL_SUGGESTS=false
 fi
 
-FIX_MISSING=$(echo "${1}" | jq "try .fix-missing")
+FIX_MISSING=$(echo "${1}" | jq 'try .["fix-missing"]')
 if [[ -z "${FIX_MISSING}" || "${FIX_MISSING}" == "null" ]]; then
 FIX_MISSING=false
 fi
 
-FIX_BROKEN=$(echo "${1}" | jq "try .fix-broken")
+FIX_BROKEN=$(echo "${1}" | jq 'try .["fix-broken"]')
 if [[ -z "${FIX_BROKEN}" || "${FIX_BROKEN}" == "null" ]]; then
 FIX_BROKEN=false
 fi
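Review bot: The bracket form fixes the hyphenated keys, but the four stanzas remain copy-pasted and each still decides "unset" by string-comparing jq's output in shell; a helper such as `read_flag() { jq -r --arg k "$1" 'try (.[$k] // false)' <<<"$2"; }` used as `NO_RECOMMENDS=$(read_flag no-recommends "${1}")` lets jq supply the default, drops the `echo` pipe, and keeps the key name out of the program text. Because these values only become apt-get flags through the fixed `== true` comparisons further down the file (outside this hunk), no recipe-supplied text reaches the command line, which is worth stating above the first stanza, e.g. `# Flags are booleans only; their values are never passed to apt-get verbatim.`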