ci(bluebuild): add cosign keypair signing infra

Generated a cosign keypair for v0.7 OCI signing. - bluebuild/cosign.pub committed alongside the recipe - cosign.key stored on operator workstation only (chmod 600) - COSIGN_PRIVATE_KEY Forgejo Actions secret set to the same key - Workflow stages the secret to bluebuild/cosign.key at build time (chmod 600), where the BlueBuild signing module picks it up - .gitignore guards against any cosign.key accidental commit - Restored the type:signing module in recipe.yml The 'stage-keys' COPY step in BlueBuild's generated containerfile fails without cosign.pub adjacent to recipe.yml even when type:signing is removed; re-add the module + provide real keys. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-06 17:48:58 +01:00 · 2026-05-06 17:48:58 +01:00 · 17c678e515
commit 17c678e515
parent 92653cca50
4 changed files with 26 additions and 6 deletions
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@ -113,6 +113,22 @@ jobs:
          fi
          podman pull ghcr.io/secureblue/kinoite-main-hardened:latest

+      - name: Stage cosign private key for signing module
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        run: |
+          set -euo pipefail
+          if [ -z "${COSIGN_PRIVATE_KEY:-}" ]; then
+            echo "[ERR] COSIGN_PRIVATE_KEY secret missing"
+            exit 1
+          fi
+          # bluebuild signing module reads from this env var when
+          # building the cosign.key bind stage. Also write to bluebuild/
+          # so it sits next to cosign.pub for local reproducible runs.
+          mkdir -p bluebuild
+          printf '%s' "$COSIGN_PRIVATE_KEY" > bluebuild/cosign.key
+          chmod 600 bluebuild/cosign.key
+
      - name: Build OCI image with BlueBuild CLI container
        id: bluebuild
        # blue-build/github-action requires docker buildx which podman
--- a/.gitignore
+++ b/.gitignore
@ -16,3 +16,4 @@ test/veilor-vm.nvram*
 test/auto-install-vm.qcow2
 test/auto-install-vm.nvram*
 .claude/worktrees/
+**/cosign.key
--- a/bluebuild/cosign.pub
+++ b/bluebuild/cosign.pub
@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5xQcyP7FHNSiG7+VLsN2ViWlvvIB
+FYmu2XmPah7/VBlmuQ88H0ZbqCqqnS2u9x5+P1OMaMK+//k89V0Blrx65Q==
+-----END PUBLIC KEY-----
--- a/bluebuild/recipe.yml
+++ b/bluebuild/recipe.yml
@ -149,9 +149,8 @@ modules:
        - veilor-postinstall.service
        - veilor-doctor.timer

-  # ── 10. signing — DEFERRED ──────────────────────────────────────
-  # The BlueBuild `type: signing` module expects a cosign.pub +
-  # cosign.key pair next to the recipe. Generate + ship those in a
-  # follow-up commit once the operator has rotated the key offline
-  # and stashed cosign.key as a Forgejo Actions secret. Skip for the
-  # first green build.
+  # ── 10. signing config ──────────────────────────────────────────
+  # cosign.pub committed alongside this recipe; cosign.key kept off
+  # repo and provided to CI as Forgejo secret COSIGN_PRIVATE_KEY.
+  # The action exports it to /tmp at build time.
+  - type: signing