feat: modules useful for vanilla os

modules/apt-get/apt-get.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -euo pipefail
+
+NO_RECOMMENDS=$(echo "${1}" | jq 'try .["no-recommends"]')
+if [[ -z "${NO_RECOMMENDS}" || "${NO_RECOMMENDS}" == "null" ]]; then
+    NO_RECOMMENDS=false
+fi
+
+INSTALL_SUGGESTS=$(echo "${1}" | jq 'try .["install-suggests"]')
+if [[ -z "${INSTALL_SUGGESTS}" || "${INSTALL_SUGGESTS}" == "null" ]]; then
+    INSTALL_SUGGESTS=false
+fi
+
+FIX_MISSING=$(echo "${1}" | jq 'try .["fix-missing"]')
+if [[ -z "${FIX_MISSING}" || "${FIX_MISSING}" == "null" ]]; then
+    FIX_MISSING=false
+fi
+
+FIX_BROKEN=$(echo "${1}" | jq 'try .["fix-broken"]')
+if [[ -z "${FIX_BROKEN}" || "${FIX_BROKEN}" == "null" ]]; then
+    FIX_BROKEN=false
+fi
+
+if [[ ${NO_RECOMMENDS} == true ]]; then
+    APT_ARGS+=("--no-install-recommends")
+fi
+
+if [[ ${INSTALL_SUGGESTS} == true ]]; then
+    APT_ARGS+=("--install-suggests")
+fi
+
+if [[ ${FIX_MISSING} == true ]]; then
+    APT_ARGS+=("--fix-missing")
+fi
+
+if [[ ${FIX_BROKEN} == true ]]; then
+    APT_ARGS+=("--fix-broken")
+fi
+
+# get_yaml_array INSTALL_PKGS '.install[]' "$1"
+
+INSTALL_PKGS=("https://discord.com/api/download?platform=linux&format=deb" "micro")
+
+if [[ ${#INSTALL_PKGS[@]} -gt 0 ]]; then
+  for PKG in "${INSTALL_PKGS[@]}"; do
+      if [[ "${PKG}" =~ ^https?:\/\/.* ]]; then
+        PKG_PATH=$(mktemp --suffix=".deb")
+        wget -O "${PKG_PATH}" "${PKG}"
+        wait
+        PROCESSED_INSTALL_PKGS+=("${PKG_PATH}")
+      else
+        PROCESSED_INSTALL_PKGS+=("${PKG}")
+      fi
+  done
+fi
+
+# shellcheck disable=SC2068
+apt-get install -y ${APT_ARGS[@]} "${PROCESSED_INSTALL_PKGS[@]}"
+
+get_yaml_array REMOVE_PKGS '.remove[]' "$1"
+apt-get remove -y "${REMOVE_PKGS[@]}"
+
+apt-get clean

modules/signing/signing.sh

@@ -3,47 +3,71 @@
 # Tell build process to exit if there are any errors.
 set -euo pipefail
 
-CONTAINER_DIR="/usr/etc/containers"
-MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
-IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
+if grep -q OSTREE /etc/os-release; then
+    echo "Detected OSTREE"
 
-echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
-echo "Registry to write: $IMAGE_REGISTRY"
+    CONTAINER_DIR="/etc/containers"
+    MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
+    IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
 
-if ! [ -d "$CONTAINER_DIR" ]; then
-    mkdir -p "$CONTAINER_DIR"
-fi
+    echo "Setting up container signing in policy.json and cosign.yaml for ${IMAGE_NAME}"
+    echo "Registry to write: ${IMAGE_REGISTRY}"
 
-if ! [ -d $CONTAINER_DIR/registries.d ]; then
-   mkdir -p "$CONTAINER_DIR/registries.d"
-fi
+    if ! [ -d "${CONTAINER_DIR}" ]; then
+        mkdir -p "${CONTAINER_DIR}"
+    fi
 
-if ! [ -d "/usr/etc/pki/containers" ]; then
-    mkdir -p "/usr/etc/pki/containers"
-fi
+    if ! [ -d "${CONTAINER_DIR}/registries.d" ]; then
+        mkdir -p "${CONTAINER_DIR}/registries.d"
+    fi
 
-if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
-    cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json"
-fi
+    if ! [ -d "/etc/pki/containers" ]; then
+        mkdir -p "/etc/pki/containers"
+    fi
 
-if ! [ -f "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" ]; then
-    cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub"
-fi
+    if ! [ -f "/etc/pki/containers/${IMAGE_NAME_FILE}.pub" ]; then
+        echo "ERROR: Cannot find '${IMAGE_NAME_FILE}.pub' image key in '/etc/pki/containers/'"
+        echo "       BlueBuild CLI should have copied it, but it didn't"
+        exit 1
+    fi
 
-POLICY_FILE="$CONTAINER_DIR/policy.json"
+    TEMPLATE_POLICY="${MODULE_DIRECTORY}/signing/policy.json"
+    POLICY_FILE="${CONTAINER_DIR}/policy.json"
 
-yq -i -o=j '.transports.docker |=
-    {"'"$IMAGE_REGISTRY"'/'"$IMAGE_NAME"'": [
+    # If there is no policy.json file, then copy the template policy
+    if ! [ -f "${POLICY_FILE}" ]; then
+        cp "${TEMPLATE_POLICY}" "${POLICY_FILE}"
+    fi
+
+    # If the already existing policy.json file doesn't have 'reject' as default policy,
+    # then signing is effectively disabled & template policy.json should be copied in that case also
+    if [[ "$(jq -r '.default[0].type' "${POLICY_FILE}")" == "insecureAcceptAnything" ]]; then
+        cp "${TEMPLATE_POLICY}" "${POLICY_FILE}"
+    fi
+
+    jq --arg image_registry "${IMAGE_REGISTRY}" \
+    --arg image_name "${IMAGE_NAME}" \
+    --arg image_name_file "${IMAGE_NAME_FILE}" \
+    '.transports.docker |= 
+        { ($image_registry + "/" + $image_name): [
             {
                 "type": "sigstoreSigned",
-                "keyPath": "/usr/etc/pki/containers/'"$IMAGE_NAME_FILE"'.pub",
+                "keyPath": ("/etc/pki/containers/" + $image_name_file + ".pub"),
                 "signedIdentity": {
                     "type": "matchRepository"
                 }
             }
-        ]
-    }
-+ .' "$POLICY_FILE"
+        ] } + .' "${POLICY_FILE}" > "/tmp/POLICY.tmp"
+
+    mv "/tmp/POLICY.tmp" "${POLICY_FILE}"
+
+    mv "${MODULE_DIRECTORY}/signing/registry-config.yaml" "${CONTAINER_DIR}/registries.d/${IMAGE_REGISTRY##*/}-${IMAGE_NAME_FILE}.yaml"
+    sed -i "s ghcr.io/IMAGENAME ${IMAGE_REGISTRY}/${IMAGE_NAME} g" "${CONTAINER_DIR}/registries.d/${IMAGE_REGISTRY##*/}-${IMAGE_NAME_FILE}.yaml"
+
+elif grep -q "Vanilla OS" /etc/os-release; then
+    echo "Detected Vanilla OS"
 
-mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml"
-sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml"
+    USERNAME="${IMAGE_REGISTRY##*/}"
+    jq -r ".name |= \"$USERNAME/$IMAGE_NAME\"" /usr/share/abroot/abroot.json > /usr/share/abroot/abroot_tmp.json
+    mv /usr/share/abroot/abroot_tmp.json /usr/share/abroot/abroot.json
+fi