From 5c4144d38a2a61e44ca704ffdf2d50bbcb9ff7ed Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Wed, 3 Jul 2024 00:56:06 +0100
Subject: [PATCH] chore: add fix-key-and-update.sh script to resolve cosign pub key issues (#298)
* chore: add fix-key-and-update.sh script to resolve cosign pub key issues
* Remove x flag from script since we have echo commands
* Keep the backup file in place
---
scripts/fix-key-and-update.sh | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100755 scripts/fix-key-and-update.sh
diff --git a/scripts/fix-key-and-update.sh b/scripts/fix-key-and-update.sh
new file mode 100755
index 00000000..267e1d94
--- /dev/null
+++ b/scripts/fix-key-and-update.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/bash
+#
+# This is a tool to provide easy change to the new Universal Blue image signing key, updated July 2, 2024.
+#
+# Note: this is required for upgrades to images published after July 1, 2024, and will prevent downgrading
+# to images published before July 2, 2024.
+#
+set -eu
+
+# Require root privileges
+if [ "$EUID" -ne 0 ]; then
+ echo "Please run as root"
+ exit 1
+fi
+
+# Fetch the new public key from ublue-os's github repo, updating the local copy.
+echo "Fetching the new public key from ublue-os's github repo..."
+curl https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub > /etc/pki/containers/ublue-os.pub
+
+# Ensure the path to the public key matches the local copy location.
+echo "Updating the path to the public key in the container policy..."
+sed -i.bak "s#/usr/etc/pki/containers/ublue-os.pub#/etc/pki/containers/ublue-os.pub#" /etc/containers/policy.json
+
+# Update system, respecting new public signing key.
+echo "Updating the system..."
+rpm-ostree update
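Review bot: The `curl … > /etc/pki/containers/ublue-os.pub` line overwrites the image-signing trust anchor in place with whatever the request returns. The redirection truncates the existing key before curl starts, and without `--fail` an HTTP error body is saved as the key with exit status 0, so the script goes on to edit policy.json. The key also comes from the mutable `main` branch and is authenticated only by TLS, so a script that runs as root installs whatever is served at that URL at that moment. I would download to a temporary file, check it against a SHA-256 fingerprint carried in the script or published out of band, and only then rename it over the old key, as sketched below with a placeholder for the hash. Separately, `sed -i.bak` replaces the backup on every run, so a second run leaves a policy.json.bak that is no longer the original.

```shell
# … unchanged: shebang, set -eu, root check …
readonly KEY_URL="https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub"
readonly KEY_PATH="/etc/pki/containers/ublue-os.pub"
# Placeholder: SHA-256 of the new cosign.pub, obtained out of band.
readonly KEY_SHA256="<EXPECTED_SHA256_OF_COSIGN_PUB>"

# Temp file in the same directory so the final mv is an atomic rename.
tmp_key="$(mktemp "${KEY_PATH}.XXXXXX")"
trap 'rm -f -- "$tmp_key"' EXIT

echo "Fetching the new public key from ublue-os's github repo..."
curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
  --output "$tmp_key" "$KEY_URL"

# Abort (set -e) before touching the live key if the download is not the expected key.
printf '%s  %s\n' "$KEY_SHA256" "$tmp_key" | sha256sum --check --status
chmod 0644 "$tmp_key"
mv -f -- "$tmp_key" "$KEY_PATH"
# … unchanged: sed on policy.json, rpm-ostree update …
```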