Replace cas with cosign (#44)

* Replace cas with cosign * try fix docker * Fix LN * fix v2 * use according docker * adjust more * verify
home-assistant · Jun 26, 2023 · 636f90b · 636f90b
1 parent 6850729
commit 636f90b
Show file tree

Hide file tree

Showing 8 changed files with 33 additions and 25 deletions.
diff --git a/addons/Dockerfile b/addons/Dockerfile
@@ -25,7 +25,7 @@ RUN \
     && common_install_packages \
         docker \
         shellcheck \
-        cas \
+        cosign \
         os-agent \
     && usermod -aG docker vscode
 

diff --git a/common/install/cas b/common/install/cas
diff --git a/common/install/cosign b/common/install/cosign
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+ARCH=$(get_arch docker)
+
+COSIGN_VERSION=$(get_package_version cosign)
+
+curl -fLs \
+    "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-${ARCH}" \
+    --output ./cosign
+
+chmod +x ./cosign
+mv -f ./cosign /usr/local/bin/cosign
+rm -f ./cosign
diff --git a/common/install/docker b/common/install/docker
@@ -4,15 +4,18 @@ set -e
 
 apt-get update
 apt-get install -y --no-install-recommends \
-    apt-transport-https \
     ca-certificates \
     curl \
-    software-properties-common \
-    gpg-agent
+    gnupg
 
-curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
 
-add-apt-repository "deb https://download.docker.com/linux/debian $(lsb_release -cs) stable"
+echo \
+  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
+  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
+  tee /etc/apt/sources.list.d/docker.list > /dev/null
 
 apt-get update 
 apt-get install -y --no-install-recommends \

diff --git a/common/install/versions.json b/common/install/versions.json
@@ -1,5 +1,5 @@
 {
-    "cas": "v1.0.2",
+    "cosign": "2.0.2",
     "os-agent": "1.5.1",
-    "nvm": "v0.38.0"
+    "nvm": "0.38.0"
 }
diff --git a/common/install/yarn b/common/install/yarn
@@ -20,5 +20,5 @@ apt-get install -y --no-install-recommends \
     nodejs \
     yarn
 
-curl -o - "https://raw.githubusercontent.com/nvm-sh/nvm/${NVM_VERSION}/install.sh" | bash 
+curl -o - "https://raw.githubusercontent.com/nvm-sh/nvm/v${NVM_VERSION}/install.sh" | bash 
 rm -rf /var/lib/apt/lists/*
diff --git a/supervisor/Dockerfile b/supervisor/Dockerfile
@@ -27,7 +27,7 @@ RUN \
     && common_install_packages \
         docker \
         shellcheck \
-        cas \
+        cosign \
         os-agent \
         yarn
 

diff --git a/supervisor/rootfs/usr/bin/supervisor_run b/supervisor/rootfs/usr/bin/supervisor_run
@@ -11,6 +11,11 @@ trap "stop_docker" ERR
 
 function build_supervisor() {
     docker pull "ghcr.io/home-assistant/${HA_ARCH}-builder:dev"
+    cosign verify \
+          --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+          --certificate-identity-regexp https://github.com/home-assistant/builder/.* \
+          "ghcr.io/home-assistant/${HA_ARCH}-builder:dev"
+
     docker run --rm \
         --privileged \
         -v /run/docker.sock:/run/docker.sock \