chore: add fix-key-and-update.sh script to resolve cosign pub key iss…

…ues (#298) * chore: add fix-key-and-update.sh script to resolve cosign pub key issues * Remove x flag from script since we have echo commands * Keep the backup file in place
ublue-os · Jul 2, 2024 · 5c4144d · 5c4144d
1 parent 04ee659
commit 5c4144d
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/scripts/fix-key-and-update.sh b/scripts/fix-key-and-update.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/bash
+#
+# This is a tool to provide easy change to the new Universal Blue image signing key, updated July 2, 2024.
+#
+# Note: this is required for upgrades to images published after July 1, 2024, and will prevent downgrading
+# to images published before July 2, 2024.
+#
+set -eu
+
+# Require root privileges
+if [ "$EUID" -ne 0 ]; then
+  echo "Please run as root"
+  exit 1
+fi
+
+# Fetch the new public key from ublue-os's github repo, updating the local copy.
+echo "Fetching the new public key from ublue-os's github repo..."
+curl https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub > /etc/pki/containers/ublue-os.pub
+
+# Ensure the path to the public key matches the local copy location.
+echo "Updating the path to the public key in the container policy..."
+sed -i.bak "s#/usr/etc/pki/containers/ublue-os.pub#/etc/pki/containers/ublue-os.pub#" /etc/containers/policy.json
+
+# Update system, respecting new public signing key.
+echo "Updating the system..."
+rpm-ostree update