From c61299af8cf6dc07aa9e72b6f10d1b70fccc2014 Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Thu, 8 Aug 2024 17:49:06 +0100
Subject: [PATCH 1/7] chore: update secureboot enrollment password
---
.github/workflows/build_iso.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_iso.yml b/.github/workflows/build_iso.yml
index 375b983..9d0fa71 100644
--- a/.github/workflows/build_iso.yml
+++ b/.github/workflows/build_iso.yml
@@ -41,7 +41,7 @@ jobs: version: ${{ matrix.fedora_version }} image_tag: ${{ matrix.fedora_version }}-amd64 secure_boot_key_url: 'https://github.com/ublue-os/akmods/raw/main/certs/public_key.der' - enrollment_password: 'ublue-os' + enrollment_password: 'universalblue' iso_name: ${{ matrix.image_name }}-${{ matrix.fedora_version }}.iso - name: Upload ISOs and Checksum to Job Artifacts
From b4d7ffe376dcd229070a7f4029ac2f8909608244 Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Thu, 8 Aug 2024 18:07:28 +0100
Subject: [PATCH 2/7] Rename images to remove "base-"
---
.github/workflows/build.yml | 20 +++++++++++++-------
.github/workflows/build_iso.yml | 2 +-
2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ded1e40..a1ea59f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
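Review bot: The new `enrollment_password: 'universalblue'` is a second copy of a value that the README added later in this series (patch 7/7) also states, and nothing in the workflow ties the two together, so a future edit to either one will leave users typing a password the MOK prompt no longer accepts. Add a comment above the line, `# One-time MOK enrollment password typed at the local console; must match the value documented in README.md (Secure Boot section)`, so the coupling is explicit. The value is user-facing and published in the README, so it is not a secret and does not belong in a repository secret; saying so in the same comment will stop a later reader from "fixing" it. While checking that pairing, note that the README text points at the same `public_key.der` URL as `secure_boot_key_url` here but then runs `sudo mokutil --import secure_boot.der`; unless the download step renames the file, one of the two filenames should change.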
@@ -78,15 +78,21 @@ jobs: done echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT + IMAGE_NAME="cosmic-${{ matrix.flavor }}" + if [[[ "$IMAGE_NAME" == base-* ]]]; then + echo "IMAGE_NAME=${IMAGE_NAME#base-}" >> $GITHUB_ENV + fi + echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV + # Build metadata - name: Image Metadata uses: docker/metadata-action@v5 id: meta with: images: | - cosmic-${{ matrix.flavor }} + ${{ env.IMAGE_NAME }} labels: | - org.opencontainers.image.title=cosmic-${{ matrix.flavor }} + org.opencontainers.image.title=${{ env.IMAGE_NAME }} org.opencontainers.image.version=${{ matrix.version }} org.opencontainers.image.description=${{ env.description }} io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/cosmic/main/README.md
@@ -126,11 +132,11 @@ jobs: with: rechunk: 'ghcr.io/hhd-dev/rechunk:v0.8.1' ref: 'raw-img' - prev-ref: "${{ env.IMAGE_REGISTRY }}/cosmic-${{ matrix.flavor }}:${{ matrix.version }}" + prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.version }}" skip_compression: true version: ${{ matrix.version }} labels: | - org.opencontainers.image.title=cosmic-${{ matrix.flavor }} + org.opencontainers.image.title=${{ env.IMAGE_NAME }} org.opencontainers.image.description=${{ env.description }} io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/cosmic/main/README.md io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
@@ -140,7 +146,7 @@ jobs: IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) sudo rm -rf ${{ steps.rechunk.outputs.output }} for tag in ${{ steps.generate-tags.outputs.alias_tags }}; do - podman tag $IMAGE cosmic-${{ matrix.flavor }}:$tag + podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag done # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
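Review bot: `IMAGE_NAME="cosmic-${{ matrix.flavor }}"` splices a workflow expression straight into the shell script instead of passing it through the step's `env:`; `matrix.flavor` is presumably defined in this workflow file rather than taken from an event payload, so this is hygiene rather than an injection, but the script already reads `$GITHUB_OUTPUT` and `$GITHUB_ENV` from the environment and the same pattern keeps inline expansions out of the shell text. Set `FLAVOR: ${{ matrix.flavor }}` in the step's `env:` (the step header is outside this hunk) and write `IMAGE_NAME="cosmic-${FLAVOR}"`, quoting the redirect target as `>> "$GITHUB_ENV"` while there. The `[[[ … ]]]` test and the `base-` prefix check added here cannot match a name that starts with `cosmic-`; patches 5/7 and 6/7 later in this series correct both, so they are not re-raised here.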
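Review bot: `prev-ref` now resolves to `${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.version }}`, which for the renamed `base` flavors is a tag that has never been published (previous builds were pushed under the `cosmic-base` names), so the first run after merge has no prior image to rechunk against. Whether the rechunk action tolerates a missing previous ref or fails the step is not visible from here; confirm it, and if it fails, point `prev-ref` at the old name for the first release or guard the step. A one-line comment above `prev-ref`, `# previous release under the new name; absent on the first build after the base- rename`, would record the caveat for whoever debugs that run.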
@@ -166,7 +172,7 @@ jobs: id: push with: registry: ${{ steps.registry_case.outputs.lowercase }} - image: cosmic-${{ matrix.flavor }} + image: ${{ env.IMAGE_NAME }} tags: ${{ steps.generate-tags.outputs.alias_tags }} extra-args: | --disable-content-trust
@@ -178,7 +184,7 @@ jobs: - name: Sign container image if: github.event_name != 'pull_request' run: | - cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/cosmic-${{ matrix.flavor }}@${TAGS} + cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS} env: TAGS: ${{ steps.push.outputs.digest }} COSIGN_EXPERIMENTAL: false
diff --git a/.github/workflows/build_iso.yml b/.github/workflows/build_iso.yml
index 9d0fa71..d6cfe53 100644
--- a/.github/workflows/build_iso.yml
+++ b/.github/workflows/build_iso.yml
@@ -24,7 +24,7 @@ jobs: strategy: fail-fast: false matrix: - image_name: [cosmic-silverblue, cosmic-base, cosmic-silverblue-nvidia, cosmic-base-nvidia] + image_name: [cosmic, cosmic-nvidia, cosmic-silverblue,cosmic-silverblue-nvidia] fedora_version: [40] steps:
From 1f3fcf453ed59a4db193ced692fe0d71d6358657 Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Thu, 8 Aug 2024 18:11:13 +0100
Subject: [PATCH 3/7] Properly remove base- from the name
---
.github/workflows/build.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a1ea59f..650c7a7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -80,7 +80,7 @@ jobs: IMAGE_NAME="cosmic-${{ matrix.flavor }}" if [[[ "$IMAGE_NAME" == base-* ]]]; then - echo "IMAGE_NAME=${IMAGE_NAME#base-}" >> $GITHUB_ENV + echo "IMAGE_NAME=${IMAGE_NAME//base-/}" >> $GITHUB_ENV fi echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
From 6f877f1eb87001a422da9e711efe9492827b29a4 Mon Sep 17 00:00:00 2001
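Review bot: The `cosign sign` line in the second hunk on this line still assembles the image reference from inline `${{ }}` expansions even though the digest is already passed through `env: TAGS`; values written to `$GITHUB_ENV` in an earlier step are exported as environment variables to later steps, so `IMAGE_NAME` is already available to this script as `$IMAGE_NAME` without any expression. Add `REGISTRY: ${{ steps.registry_case.outputs.lowercase }}` next to `TAGS` and change the command to `cosign sign -y --key env://COSIGN_PRIVATE_KEY "${REGISTRY}/${IMAGE_NAME}@${TAGS}"`. Signing by digest rather than by tag is the right choice and should stay as is.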
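Review bot: The new `image_name` flow sequence is missing the space after the comma in `cosmic-silverblue,cosmic-silverblue-nvidia`; YAML parsers still split it into two items because `,` is a flow indicator, but it reads as one and yamllint's `commas` rule flags it. Since each entry is a distinct build target, write it as a block sequence (one `- cosmic…` line per image) so additions diff cleanly, or at minimum `cosmic-silverblue, cosmic-silverblue-nvidia`. The README in patch 7/7 also lists a `cosmic-kinoite` variant that has no ISO entry here; that may be intentional, but it is worth confirming rather than leaving readers to guess.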
From: Robert Sturla
Date: Thu, 8 Aug 2024 18:16:05 +0100
Subject: [PATCH 4/7] Actually change image names
---
.github/workflows/build.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 650c7a7..7f990ee 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -80,7 +80,7 @@ jobs: IMAGE_NAME="cosmic-${{ matrix.flavor }}" if [[[ "$IMAGE_NAME" == base-* ]]]; then - echo "IMAGE_NAME=${IMAGE_NAME//base-/}" >> $GITHUB_ENV + IMAGE_NAME="${IMAGE_NAME//base-/}" fi echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
From d438dfa5b5197c608714351b755843db23ace397 Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Thu, 8 Aug 2024 18:19:24 +0100
Subject: [PATCH 5/7] Remove hyphen from before base
---
.github/workflows/build.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7f990ee..5f836c5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -79,8 +79,8 @@ jobs: echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT IMAGE_NAME="cosmic-${{ matrix.flavor }}" - if [[[ "$IMAGE_NAME" == base-* ]]]; then - IMAGE_NAME="${IMAGE_NAME//base-/}" + if [[[ "$IMAGE_NAME" == -base* ]]]; then + IMAGE_NAME="${IMAGE_NAME//-base/}" fi echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
From 56cfad560e09a00cd41c829d7ee5e3d2f8db92cc Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Thu, 8 Aug 2024 18:24:24 +0100
Subject: [PATCH 6/7] Remove duplicate checkout Correctly check for base string in image name
---
.github/workflows/build.yml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5f836c5..3c83178 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -43,8 +43,6 @@ jobs: uses: ublue-os/remove-unwanted-software@v7 with: remove-android: 'true' - - name: Checkout - uses: actions/checkout@v2 - name: Checkout Push to Registry action uses: actions/checkout@v4
@@ -79,7 +77,7 @@ jobs: echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT IMAGE_NAME="cosmic-${{ matrix.flavor }}" - if [[[ "$IMAGE_NAME" == -base* ]]]; then + if [[ "$IMAGE_NAME" == *-base* ]]; then IMAGE_NAME="${IMAGE_NAME//-base/}" fi echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
From 9d55ceeedc8dec0c0e92331bcf43461af2319e21 Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Thu, 8 Aug 2024 18:29:36 +0100
Subject: [PATCH 7/7] Update README with SecureBoot information and remove outdated selinux info
---
README.md | 33 +++++++++++++++++++++++++--------
1 file changed, 25 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 7d7dff6..5589a45 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ > NOTES: > These images are not associated with System76! If you have issues, please understand they might be COSMIC related, OR they might be related to this image. -> The COSMIC Desktop Environment is still PRE ALPHA. Do not daily drive this image on your main workstation unless you know what you're doing. +> The COSMIC Desktop Environment is still ALPHA. Do not daily drive this image on your main workstation unless you know what you're doing. Like Fedora? Want to try the latest from the work in progress Cosmic Desktop Environment? Want to help find bugs and/or contribute to Cosmic development, but don't want to work in a VM or install Pop!_OS? None of the above things but something else??!?
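Review bot: With `*-base*` as the test in the second hunk on this line, the `if` guard is redundant: `${IMAGE_NAME//-base/}` is a no-op when the substring is absent, so the three lines can collapse to the single `IMAGE_NAME="${IMAGE_NAME//-base/}"`. The glob also matches any flavor that merely contains `-base` (a hypothetical `-based` suffix would be mangled) and `//` strips every occurrence; if only the `base` and `base-nvidia` flavors are meant, a comment such as `# base -> cosmic, base-nvidia -> cosmic-nvidia` above the assignment pins that intent for the next person who adds a flavor.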
@@ -13,15 +13,9 @@ Go ahead and try one of the ostree images I've created here! Install a Fedora Atomic Desktop, like [Fedora Silverblue](https://fedoraproject.org/atomic-desktops/silverblue/). -#### Warning -This image requires disabling SELinux. **This is NOT recommended for production** and is a temporary situation until this work is finished in upstream Fedora. - - sudo setenforce 0 && getenforce - -You can view the SELinux config in `/etc/selinux/config` #### Variants -- `cosmic-base`: Just the COSMIC Desktop +- `cosmic`: Just the COSMIC Desktop - `cosmic-silverblue`: Recommended, Fedora Silverblue with COSMIC Desktop added - `cosmic-kinoite`: Fedora Kinoite with COSMIC Desktop addded
@@ -35,6 +29,29 @@ Rebase to the signed image rpm-ostree rebase --reboot ostree-image-signed:docker://ghcr.io/ublue-os/VARIANT:40-amd64 + +### Secure Boot + +Secure Boot is supported by default on our systems, providing an additional layer of security. After the first installation, you will be prompted to enroll the secure boot key in the BIOS. + +Enter the password `universalblue` +when prompted to enroll our key. + +If this step is not completed during the initial setup, you can manually enroll the key by running the following command in the terminal: + +` +ujust enroll-secure-boot-key +` + +Secure boot is supported with our custom key. The pub key can be found in the root of the akmods repository [here](https://github.com/ublue-os/akmods/raw/main/certs/public_key.der). +If you'd like to enroll this key prior to installation or rebase, download the key and run the following: + +```bash +sudo mokutil --timeout -1 +sudo mokutil --import secure_boot.der +``` + + ### Enabling the display manager Log in with your username and password, then run: