diff --git a/addons/Dockerfile b/addons/Dockerfile
index 94d89f5..969988d 100644
--- a/addons/Dockerfile
+++ b/addons/Dockerfile
@@ -25,7 +25,7 @@ RUN \
 && common_install_packages \
 docker \
 shellcheck \
- cas \
+ cosign \
 os-agent \
 && usermod -aG docker vscode
diff --git a/common/install/cas b/common/install/cas
deleted file mode 100644
index fcf5b39..0000000
--- a/common/install/cas
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-
-set -e
-
-ARCH=$(get_arch docker)
-
-CAS_VERSION=$(get_package_version cas)
-
-curl -fLs \
- "https://github.com/codenotary/cas/releases/download/${CAS_VERSION}/cas-${CAS_VERSION}-linux-${ARCH}" \
- --output ./cas
-
-chmod +x ./cas
-mv -f "./cas" "/usr/local/bin/cas"
-rm -f "./cas"
diff --git a/common/install/cosign b/common/install/cosign
new file mode 100644
index 0000000..19848bc
--- /dev/null
+++ b/common/install/cosign
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+ARCH=$(get_arch docker)
+
+COSIGN_VERSION=$(get_package_version cosign)
+
+curl -fLs \
+ "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-${ARCH}" \
+ --output ./cosign
+
+chmod +x ./cosign
+mv -f ./cosign /usr/local/bin/cosign
+rm -f ./cosign
diff --git a/common/install/docker b/common/install/docker
index 9069387..2663e88 100644
--- a/common/install/docker
+++ b/common/install/docker
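Review bot: The cosign binary fetched by the `curl -fLs` line in common/install/cosign is installed with no integrity check, so the tool the rest of this commit relies on for signature verification is itself trusted on nothing more than the TLS connection to GitHub. Pin the expected digest next to the version (versions.json already carries the version) and check it before the `chmod`: `echo "<EXPECTED_SHA256>  ./cosign" | sha256sum -c -` (placeholder; take the value from the checksums published with that release). The closing `rm -f ./cosign` is a no-op carried over from the deleted cas script, since `mv -f` has already moved the file away; `install -m 0755 ./cosign /usr/local/bin/cosign` would replace the chmod/mv/rm trio and match the `install` idiom this commit introduces in common/install/docker.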
@@ -4,15 +4,18 @@ set -e
 apt-get update
 apt-get install -y --no-install-recommends \
- apt-transport-https \
 ca-certificates \
 curl \
- software-properties-common \
- gpg-agent
+ gnupg
-curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
-add-apt-repository "deb https://download.docker.com/linux/debian $(lsb_release -cs) stable"
+echo \
+ "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
+ "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
+ tee /etc/apt/sources.list.d/docker.list > /dev/null
 apt-get update
 apt-get install -y --no-install-recommends \
diff --git a/common/install/versions.json b/common/install/versions.json
index c4a8cb7..4bcc546 100644
--- a/common/install/versions.json
+++ b/common/install/versions.json
@@ -1,5 +1,5 @@
 {
- "cas": "v1.0.2",
+ "cosign": "2.0.2",
 "os-agent": "1.5.1",
- "nvm": "v0.38.0"
+ "nvm": "0.38.0"
 }
diff --git a/common/install/yarn b/common/install/yarn
index 429e731..43a376a 100644
--- a/common/install/yarn
+++ b/common/install/yarn
@@ -20,5 +20,5 @@ apt-get install -y --no-install-recommends \
 nodejs \
 yarn
-curl -o - "https://raw.githubusercontent.com/nvm-sh/nvm/${NVM_VERSION}/install.sh" | bash
+curl -o - "https://raw.githubusercontent.com/nvm-sh/nvm/v${NVM_VERSION}/install.sh" | bash
 rm -rf /var/lib/apt/lists/*
diff --git a/supervisor/Dockerfile b/supervisor/Dockerfile
index 0eb2e6a..dfa2001 100644
--- a/supervisor/Dockerfile
+++ b/supervisor/Dockerfile
@@ -27,7 +27,7 @@ RUN \
 && common_install_packages \
 docker \
 shellcheck \
- cas \
+ cosign \
 os-agent \
 yarn
diff --git a/supervisor/rootfs/usr/bin/supervisor_run b/supervisor/rootfs/usr/bin/supervisor_run
index 4bf496a..d200936 100755
--- a/supervisor/rootfs/usr/bin/supervisor_run
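Review bot: The new `curl -fsSL … | gpg --dearmor -o /etc/apt/keyrings/docker.gpg` line in common/install/docker only surfaces gpg's exit status, so with `set -e` alone (the `set -e` sits above the hunk; whether pipefail is set there is not visible) a failed download leaves an empty or truncated keyring and the script runs on until the later `apt-get update` rejects the repository, which is harder to diagnose than failing at the fetch. Either add `set -o pipefail` beside the existing `set -e`, or fetch to a temporary file with `curl -fsSL -o "$keyfile" …` and run `gpg --dearmor -o /etc/apt/keyrings/docker.gpg "$keyfile"` on it so curl's status is checked on its own. `gpg --dearmor` also prompts (and in batch mode fails) when the output file already exists, so on a re-run `gpg --batch --yes --dearmor` keeps the step idempotent. The `echo … | tee` line reproduces the snippet from Docker's install documentation and its quoting is correct as written.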
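Review bot: The rewritten `curl -o - … | bash` line in common/install/yarn still runs a remote installer without `-f`, so an HTTP error body for a tag that does not exist is fed to bash as script text, and a transport failure leaves bash with empty input and a zero status, which under `set -e` passes silently unless pipefail is set above the hunk (not visible here). Fetching to a file first, `curl -fsSL -o nvm-install.sh "https://raw.githubusercontent.com/nvm-sh/nvm/v${NVM_VERSION}/install.sh"` followed by `bash nvm-install.sh`, makes the download failure explicit and gives a natural place to check a pinned digest, bringing this step closer to the signature verification this commit adds for the builder image. The `v` prefix added to the URL is consistent with the unprefixed `"nvm": "0.38.0"` now stored in versions.json.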
+++ b/supervisor/rootfs/usr/bin/supervisor_run
@@ -11,6 +11,11 @@ trap "stop_docker" ERR
 function build_supervisor() {
 docker pull "ghcr.io/home-assistant/${HA_ARCH}-builder:dev"
+ cosign verify \
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+ --certificate-identity-regexp https://github.com/home-assistant/builder/.* \
+ "ghcr.io/home-assistant/${HA_ARCH}-builder:dev"
+
 docker run --rm \
 --privileged \
 -v /run/docker.sock:/run/docker.sock \
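Review bot: The `--certificate-identity-regexp https://github.com/home-assistant/builder/.*` argument is an unanchored pattern with unescaped dots, so cosign accepts any signing identity that merely contains that text rather than one that begins with it; anchor and escape it, `--certificate-identity-regexp '^https://github\.com/home-assistant/builder/.*$'`, or name the exact workflow with `--certificate-identity` if it is known. The verification also runs against the mutable `:dev` tag after `docker pull` has already resolved it, so the image that was pulled and the one cosign checks can differ if the tag moves in between; resolving the pulled image once with `docker inspect --format '{{index .RepoDigests 0}}' "ghcr.io/home-assistant/${HA_ARCH}-builder:dev"` and passing that digest reference to both `cosign verify` and the following `docker run` (its image argument lies outside the hunk) closes that window. The body of build_supervisor continues past the end of the hunk.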