chore: update secureboot enrolment password #60

Merged
merged 7 commits into from
Aug 8, 2024
22 changes: 13 additions & 9 deletions .github/workflows/build.yml
Expand Up @@ -43,8 +43,6 @@ jobs:
uses: ublue-os/remove-unwanted-software@v7
with:
remove-android: 'true'
- name: Checkout
uses: actions/checkout@v2

- name: Checkout Push to Registry action
uses: actions/checkout@v4
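Review bot: With the plain `Checkout` step removed, the only checkout left in this hunk is `Checkout Push to Registry action`, and its `with:` block is outside the visible context, so confirm the build still gets this repository's sources from it. Separately, `ublue-os/remove-unwanted-software@v7` and `actions/checkout@v4` are mutable tags in a workflow that later signs images with `COSIGN_PRIVATE_KEY`; pinning each action to a full commit SHA, with the tag kept as a trailing comment, would close that gap.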
Expand Down Expand Up @@ -78,15 +76,21 @@ jobs:
done
echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT

IMAGE_NAME="cosmic-${{ matrix.flavor }}"
if [[ "$IMAGE_NAME" == *-base* ]]; then
IMAGE_NAME="${IMAGE_NAME//-base/}"
fi
echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV

# Build metadata
- name: Image Metadata
uses: docker/metadata-action@v5
id: meta
with:
images: |
cosmic-${{ matrix.flavor }}
${{ env.IMAGE_NAME }}
labels: |
org.opencontainers.image.title=cosmic-${{ matrix.flavor }}
org.opencontainers.image.title=${{ env.IMAGE_NAME }}
org.opencontainers.image.version=${{ matrix.version }}
org.opencontainers.image.description=${{ env.description }}
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/cosmic/main/README.md
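Review bot: The `IMAGE_NAME` derivation appended to this run script has no comment saying that `-base` flavors are now published under the bare `cosmic` name, and `${IMAGE_NAME//-base/}` strips every `-base` occurrence where `${IMAGE_NAME/-base/}` would strip one. Add a one-line comment stating the intended mapping, quote the redirect target as `>> "$GITHUB_ENV"`, and consider passing `${{ matrix.flavor }}` in through the step's `env:` instead of expanding it inside the script text.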
Expand Down Expand Up @@ -126,11 +130,11 @@ jobs:
with:
rechunk: 'ghcr.io/hhd-dev/rechunk:v0.8.1'
ref: 'raw-img'
prev-ref: "${{ env.IMAGE_REGISTRY }}/cosmic-${{ matrix.flavor }}:${{ matrix.version }}"
prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.version }}"
skip_compression: true
version: ${{ matrix.version }}
labels: |
org.opencontainers.image.title=cosmic-${{ matrix.flavor }}
org.opencontainers.image.title=${{ env.IMAGE_NAME }}
org.opencontainers.image.description=${{ env.description }}
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/cosmic/main/README.md
io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
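Review bot: `prev-ref` now resolves through `${{ env.IMAGE_NAME }}`, which for the former `-base` flavors is a name that may have no earlier image in the registry on the first run after this rename. Confirm the rechunk step tolerates a previous reference that does not exist yet, or seed it once from the old `cosmic-${{ matrix.flavor }}` name.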
Expand All @@ -140,7 +144,7 @@ jobs:
IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }})
sudo rm -rf ${{ steps.rechunk.outputs.output }}
for tag in ${{ steps.generate-tags.outputs.alias_tags }}; do
podman tag $IMAGE cosmic-${{ matrix.flavor }}:$tag
podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag
done

# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
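Review bot: In the `podman tag` line, `${{ env.IMAGE_NAME }}` is expanded into the script text even though the value was written to `$GITHUB_ENV` earlier and is already available to the shell. Using the shell variable with quoting, `podman tag "$IMAGE" "${IMAGE_NAME}:${tag}"`, keeps the script independent of expression expansion and safe against word splitting.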
Expand All @@ -166,7 +170,7 @@ jobs:
id: push
with:
registry: ${{ steps.registry_case.outputs.lowercase }}
image: cosmic-${{ matrix.flavor }}
image: ${{ env.IMAGE_NAME }}
tags: ${{ steps.generate-tags.outputs.alias_tags }}
extra-args: |
--disable-content-trust
Expand All @@ -178,7 +182,7 @@ jobs:
- name: Sign container image
if: github.event_name != 'pull_request'
run: |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/cosmic-${{ matrix.flavor }}@${TAGS}
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
env:
TAGS: ${{ steps.push.outputs.digest }}
COSIGN_EXPERIMENTAL: false
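Review bot: The reference passed to `cosign sign` is unquoted and ends in `@${TAGS}`, where `TAGS` is set from `steps.push.outputs.digest` and so holds a digest, not tags. Renaming the variable to something like `DIGEST` and quoting the whole reference would make it clear that the signature is bound to the pushed digest.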
4 changes: 2 additions & 2 deletions .github/workflows/build_iso.yml
Expand Up @@ -24,7 +24,7 @@ jobs:
strategy:
fail-fast: false
matrix:
image_name: [cosmic-silverblue, cosmic-base, cosmic-silverblue-nvidia, cosmic-base-nvidia]
image_name: [cosmic, cosmic-nvidia, cosmic-silverblue,cosmic-silverblue-nvidia]
fedora_version: [40]

steps:
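Review bot: The new `image_name` list is missing a space after the comma in `cosmic-silverblue,cosmic-silverblue-nvidia`, and its entries have to match by hand the names that build.yml now derives by stripping `-base`. A short comment above the matrix pointing at that derivation would help keep the two files in step.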
Expand All @@ -41,7 +41,7 @@ jobs:
version: ${{ matrix.fedora_version }}
image_tag: ${{ matrix.fedora_version }}-amd64
secure_boot_key_url: 'https://github.com/ublue-os/akmods/raw/main/certs/public_key.der'
enrollment_password: 'ublue-os'
enrollment_password: 'universalblue'
iso_name: ${{ matrix.image_name }}-${{ matrix.fedora_version }}.iso

- name: Upload ISOs and Checksum to Job Artifacts
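Review bot: `enrollment_password: 'universalblue'` is a literal here and is repeated in the README's Secure Boot section in this same PR, so the two can drift and leave users with a documented password the ISO does not accept. Define the value once in the workflow (for example a workflow-level `env` entry) and record in the commit message why it changed from `ublue-os`. The adjacent `secure_boot_key_url` fetches `public_key.der` from the `main` branch, so the key baked into an ISO is whatever that branch holds at build time; pinning the URL to a commit would make the build reproducible.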
33 changes: 25 additions & 8 deletions README.md
Expand Up @@ -3,7 +3,7 @@

> NOTES:
> These images are not associated with System76! If you have issues, please understand they might be COSMIC related, OR they might be related to this image.
> The COSMIC Desktop Environment is still PRE ALPHA. Do not daily drive this image on your main workstation unless you know what you're doing.
> The COSMIC Desktop Environment is still ALPHA. Do not daily drive this image on your main workstation unless you know what you're doing.

Like Fedora? Want to try the latest from the work in progress Cosmic Desktop Environment? Want to help find bugs and/or contribute to Cosmic development, but don't want to work in a VM or install Pop!_OS? None of the above things but something else??!?

Expand All @@ -13,15 +13,9 @@ Go ahead and try one of the ostree images I've created here!

Install a Fedora Atomic Desktop, like [Fedora Silverblue](https://fedoraproject.org/atomic-desktops/silverblue/).

#### Warning
This image requires disabling SELinux. **This is NOT recommended for production** and is a temporary situation until this work is finished in upstream Fedora.

sudo setenforce 0 && getenforce

You can view the SELinux config in `/etc/selinux/config`

#### Variants
- `cosmic-base`: Just the COSMIC Desktop
- `cosmic`: Just the COSMIC Desktop
- `cosmic-silverblue`: Recommended, Fedora Silverblue with COSMIC Desktop added
- `cosmic-kinoite`: Fedora Kinoite with COSMIC Desktop addded

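Review bot: The `#### Warning` block that told users to run `sudo setenforce 0` is dropped here without any mention in the PR title, which covers only the Secure Boot password. State in the description that the image now works with SELinux enforcing, and consider a line for users who changed `/etc/selinux/config` under the old instructions on how to return to enforcing mode. The context line for `cosmic-kinoite` still reads "addded".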
Expand All @@ -35,6 +29,29 @@ Rebase to the signed image

rpm-ostree rebase --reboot ostree-image-signed:docker://ghcr.io/ublue-os/VARIANT:40-amd64


### Secure Boot

Secure Boot is supported by default on our systems, providing an additional layer of security. After the first installation, you will be prompted to enroll the secure boot key in the BIOS.

Enter the password `universalblue`
when prompted to enroll our key.

If this step is not completed during the initial setup, you can manually enroll the key by running the following command in the terminal:

`
ujust enroll-secure-boot-key
`

Secure boot is supported with our custom key. The pub key can be found in the root of the akmods repository [here](https://github.com/ublue-os/akmods/raw/main/certs/public_key.der).
If you'd like to enroll this key prior to installation or rebase, download the key and run the following:

```bash
sudo mokutil --timeout -1
sudo mokutil --import secure_boot.der
```


### Enabling the display manager

Log in with your username and password, then run:
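Review bot: The manual enrollment steps in the new Secure Boot section link to `public_key.der` but then run `sudo mokutil --import secure_boot.der`, so a user who downloads the linked file and copies the command will import a file that does not exist. Use the same filename in both places, or add the download command that saves it under the expected name. The `ujust enroll-secure-boot-key` block is wrapped in single backticks on their own lines and will not render as a code block, and `mokutil --timeout -1` would benefit from a sentence saying what it changes.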