ci(bluebuild): add cosign keypair signing infra
Some checks failed
Build veilor-os OCI (BlueBuild) / Build + push OCI (push) Failing after 3m18s

Generated a cosign keypair for v0.7 OCI signing.
- bluebuild/cosign.pub committed alongside the recipe
- cosign.key stored on operator workstation only (chmod 600)
- COSIGN_PRIVATE_KEY Forgejo Actions secret set to the same key
- Workflow stages the secret to bluebuild/cosign.key at build time
  (chmod 600), where the BlueBuild signing module picks it up
- .gitignore guards against any cosign.key accidental commit
- Restored the type:signing module in recipe.yml

The 'stage-keys' COPY step in BlueBuild's generated containerfile
fails without cosign.pub adjacent to recipe.yml even when
type:signing is removed; re-add the module + provide real keys.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
claude-veilor-bot 2026-05-06 17:48:58 +01:00
parent 92653cca50
commit 17c678e515
4 changed files with 26 additions and 6 deletions


@ -113,6 +113,22 @@ jobs:
fi fi
podman pull ghcr.io/secureblue/kinoite-main-hardened:latest podman pull ghcr.io/secureblue/kinoite-main-hardened:latest
- name: Stage cosign private key for signing module
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
run: |
set -euo pipefail
if [ -z "${COSIGN_PRIVATE_KEY:-}" ]; then
echo "[ERR] COSIGN_PRIVATE_KEY secret missing"
exit 1
fi
# bluebuild signing module reads from this env var when
# building the cosign.key bind stage. Also write to bluebuild/
# so it sits next to cosign.pub for local reproducible runs.
mkdir -p bluebuild
printf '%s' "$COSIGN_PRIVATE_KEY" > bluebuild/cosign.key
chmod 600 bluebuild/cosign.key
- name: Build OCI image with BlueBuild CLI container - name: Build OCI image with BlueBuild CLI container
id: bluebuild id: bluebuild
# blue-build/github-action requires docker buildx which podman # blue-build/github-action requires docker buildx which podman
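Review bot: the comment "# bluebuild signing module reads from this env var when building the cosign.key bind stage" contradicts what the step actually does, which is to hand the key over as a file via `printf '%s' "$COSIGN_PRIVATE_KEY" > bluebuild/cosign.key`; reword it to say the module reads the staged file. Two follow-ups on the same step: nothing deletes bluebuild/cosign.key once the build finishes, so add a cleanup step with `if: always()` that removes it so the private key does not outlive the job in the runner workspace; and because the file is written into the build context next to cosign.pub, confirm that the generated containerfile's stage-keys COPY only feeds the signing bind stage and does not carry the key into a layer of the pushed image. The check this commit triggered is reported as failing after 3m18s, so that step's log is the first thing to read before the next iteration.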

1
.gitignore vendored

@ -16,3 +16,4 @@ test/veilor-vm.nvram*
test/auto-install-vm.qcow2 test/auto-install-vm.qcow2
test/auto-install-vm.nvram* test/auto-install-vm.nvram*
.claude/worktrees/ .claude/worktrees/
**/cosign.key
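Review bot: `**/cosign.key` stops an accidental `git add` of the private key, which is the right guard for the workstation copy, but .gitignore has no effect on what podman sends as the container build context, so the key the workflow stages at bluebuild/cosign.key is still visible to every stage of the generated containerfile. That is intended here, since the signing module reads it from that path, so state it in a short comment next to the pattern (or in the commit message) so a later change that adds a `.containerignore` does not silently break signing, and so nobody reads this line as protection against the key reaching the image.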

4
bluebuild/cosign.pub Normal file

@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5xQcyP7FHNSiG7+VLsN2ViWlvvIB
FYmu2XmPah7/VBlmuQ88H0ZbqCqqnS2u9x5+P1OMaMK+//k89V0Blrx65Q==
-----END PUBLIC KEY-----
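Review bot: committing the public half is correct, and the SPKI prefix shows it is the ECDSA P-256 key type cosign generates by default, so the stock cosign CLI can verify with it; what is missing is any note telling image consumers how. Add a line to the project README or a comment in recipe.yml with the verification command, e.g. `cosign verify --key bluebuild/cosign.pub <image-ref>`, and record the key's fingerprint there so a silent replacement of cosign.pub in a later commit stands out in review rather than looking like a routine rotation.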


@ -149,9 +149,8 @@ modules:
- veilor-postinstall.service - veilor-postinstall.service
- veilor-doctor.timer - veilor-doctor.timer
# ── 10. signing — DEFERRED ────────────────────────────────────── # ── 10. signing config ──────────────────────────────────────────
# The BlueBuild `type: signing` module expects a cosign.pub + # cosign.pub committed alongside this recipe; cosign.key kept off
# cosign.key pair next to the recipe. Generate + ship those in a # repo and provided to CI as Forgejo secret COSIGN_PRIVATE_KEY.
# follow-up commit once the operator has rotated the key offline # The action exports it to /tmp at build time.
# and stashed cosign.key as a Forgejo Actions secret. Skip for the - type: signing
# first green build.
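Review bot: the new comment "# The action exports it to /tmp at build time." does not match the workflow step in this same commit, which writes the secret to bluebuild/cosign.key (chmod 600) next to the recipe; update the comment to the real path so the next person debugging the signing module is not sent to /tmp. Since the commit message says the stage-keys COPY fails whenever cosign.pub is absent even with the module removed, the restored `- type: signing` entry should also carry a one-line note that cosign.pub is required by the generated containerfile regardless of whether the module is listed.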