@@ -168,7 +168,7 @@ runs:
168168 key_url="https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_${ubuntu_version}/Release.key"
169169 sources_url="https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_${ubuntu_version}"
170170 echo "deb ${sources_url}/ /" | sudo tee /etc/apt/sources.list.d/devel-kubic-libcontainers-unstable.list
171- curl -fsSL "${key_url}" | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg > /dev/null
171+ curl -fLsS --retry 5 "${key_url}" | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg > /dev/null
172172 sudo apt-get update
173173 sudo apt-get install -y podman
174174
@@ -197,39 +197,43 @@ runs:
197197 CLI_IMAGE_PUBKEY="/etc/pki/containers/blue-build-cli.pub"
198198 MODULES_IMAGE_PUBKEY="/etc/pki/containers/blue-build-modules.pub"
199199 sudo mkdir -p /etc/pki/containers
200- sudo curl -Lo "${CLI_IMAGE_PUBKEY}" https://raw.githubusercontent.com/blue-build/cli/refs/heads/main/cosign.pub
201- sudo curl -Lo "${MODULES_IMAGE_PUBKEY}" https://raw.githubusercontent.com/blue-build/modules/refs/heads/main/cosign.pub
200+ curl -fLsS --retry 5 https://raw.githubusercontent.com/blue-build/cli/refs/heads/main/cosign.pub | sudo tee "${CLI_IMAGE_PUBKEY}" > /dev/null
201+ curl -fLsS --retry 5 https://raw.githubusercontent.com/blue-build/modules/refs/heads/main/cosign.pub | sudo tee "${MODULES_IMAGE_PUBKEY}" > /dev/null
202202
203- # add cli pubkey
204- jq --arg image_registry "${CLI_IMAGE_REGISTRY}" \
205- --arg image_pubkey "${CLI_IMAGE_PUBKEY}" \
206- '.transports.docker |=
207- { $image_registry: [
208- {
209- "type": "sigstoreSigned",
210- "keyPath": $image_pubkey,
211- "signedIdentity": {
212- "type": "matchRepository"
213- }
203+ # add public keys for BlueBuild CLI and modules to container policy
204+ jq --arg cli_image_registry "${CLI_IMAGE_REGISTRY}" \
205+ --arg cli_image_pubkey "${CLI_IMAGE_PUBKEY}" \
206+ --arg modules_image_registry "${MODULES_IMAGE_REGISTRY}" \
207+ --arg modules_image_pubkey "${MODULES_IMAGE_PUBKEY}" \
208+ '.transports.docker += {
209+ $cli_image_registry: [
210+ {
211+ "type": "sigstoreSigned",
212+ "keyPath": $cli_image_pubkey,
213+ "signedIdentity": {
214+ "type": "matchRepository"
214215 }
215- ] } + .' "${POLICY_FILE}" > POLICY.tmp
216- sudo mv POLICY.tmp "${POLICY_FILE}"
217-
218- # add modules pubkey
219- jq --arg image_registry "${MODULES_IMAGE_REGISTRY}" \
220- --arg image_pubkey "${MODULES_IMAGE_PUBKEY}" \
221- '.transports.docker |=
222- { $image_registry: [
223- {
224- "type": "sigstoreSigned",
225- "keyPath": $image_pubkey,
226- "signedIdentity": {
227- "type": "matchRepository"
228- }
216+ }
217+ ],
218+ $modules_image_registry: [
219+ {
220+ "type": "sigstoreSigned",
221+ "keyPath": $modules_image_pubkey,
222+ "signedIdentity": {
223+ "type": "matchRepository"
229224 }
230- ] } + .' "${POLICY_FILE}" > POLICY.tmp
225+ }
226+ ]
227+ }' "${POLICY_FILE}" > POLICY.tmp
231228 sudo mv POLICY.tmp "${POLICY_FILE}"
232229
230+ # enable sigstore attachments for BlueBuild container verification
231+ sudo cat <<'EOF' > /etc/containers/registries.d/blue-build.yaml
232+ docker:
233+ ghcr.io/blue-build:
234+ use-sigstore-attachments: true
235+ EOF
236+
233237 - name : Determine Vars
234238 id : build_vars
235239 shell : bash
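Review bot: The here-doc at the end of the hunk redirects with `>` into `/etc/containers/registries.d/blue-build.yaml`, and that redirect is opened by the unprivileged shell rather than by `sudo cat`, so on a runner where the rest of this step needs `sudo tee`, `sudo mkdir -p` and `sudo mv` to write under `/etc` it will fail with permission denied and, under the `-e` that `shell: bash` presumably implies, abort the step; write it as `sudo tee /etc/containers/registries.d/blue-build.yaml > /dev/null <<'EOF'`, and consider a preceding `sudo mkdir -p /etc/containers/registries.d` since nothing visible guarantees the directory exists. Separately, the two cosign public keys that the policy is made to trust are fetched from `refs/heads/main`, a mutable ref, so anyone who can push to those branches (or serve that URL) can rotate the trusted key without any change to this action; pinning the fetch to a tag or commit SHA, or checking the downloaded key against a `sha256sum` constant kept in the action, would make the trust root reviewable. The step's `run:` script begins before this hunk, so the variables it relies on (`POLICY_FILE`, the registry names) are not visible here.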
@@ -247,7 +251,7 @@ runs:
247251 REPO_TAG="${CLI_VERSION}"
248252 VERIFY_FLAG="--source-tag"
249253 else
250- REPO_TAG=$(curl -s https://api.github.com/repos/blue-build/cli/tags | jq -r '.[0].name')
254+ REPO_TAG=$(curl -fLsS --retry 5 https://api.github.com/repos/blue-build/cli/tags | jq -r '.[0].name')
251255 CLI_VERSION_TAG="v0.9"
252256 VERIFY_FLAG="--source-tag"
253257 fi