Revising keys for server, attempting to base server on bootc

2025-11-24 15:22:12 -05:00
parent fca3d78b06
commit 052e71db4d
4 changed files with 110 additions and 12 deletions
@@ -10,25 +10,28 @@ WORKDIR /gocryptfs
 RUN ./build-without-openssl.bash

 # ====== Stage 2: Server image ======
-FROM quay.io/fedora/fedora-silverblue:43
+FROM quay.io/fedora/fedora-bootc:43

 COPY --from=builder /gocryptfs/gocryptfs /usr/bin/gocryptfs

-# Install ZFS repository & build deps & zfs
-RUN dnf5 install -y https://github.com/zfsonlinux/zfsonlinux.github.com/raw/master/fedora/zfs-release-3-0$(rpm --eval "%{dist}").noarch.rpm && \
+COPY gpg-keys/* /keys/
+
+# Import keys, install ZFS repository & build deps & zfs
+RUN rpm --import \
+      /keys/OpenZFS \
+      /keys/Smallstep \
+      /keys/zrepl-rpm-pkgs \
+      /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-43-x86_64 && \
+    rm -rf /keys && \
+    dnf5 install -y https://github.com/zfsonlinux/zfsonlinux.github.com/raw/master/fedora/zfs-release-3-0$(rpm --eval "%{dist}").noarch.rpm && \
    dnf5 install -y \
      kernel-devel kernel-devel-matched kernel-headers kernel-srpm-macros && \
    dnf5 install -y zfs && \
    dkms autoinstall -k $(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}') && \
    dnf5 clean all

-# Install zrepl repository
-COPY supermicro-x10drh/zrepl.asc /var/roothome/zrepl.asc
-RUN rpm --import /var/roothome/zrepl.asc
-COPY supermicro-x10drh/zrepl.repo /etc/yum.repos.d/zrepl.repo
-
-# Install smallstep repository
-COPY supermicro-x10drh/smallstep.repo /etc/yum.repos.d/smallstep.repo
+# Install smallstep & zrepl repository
+COPY supermicro-x10drh/*.repo /etc/yum.repos.d/

 RUN dnf5 install -y \
      ansible \
@@ -67,6 +70,10 @@ RUN dnf5 install -y \
 RUN test -f /usr/lib/sysusers.d/libvirt.conf || echo -e 'g libvirt 963' > /usr/lib/sysusers.d/libvirt.conf && \
    test -f /usr/lib/sysusers.d/qat.conf || echo -e 'g qat 995' > /usr/lib/sysusers.d/qat.conf

-# Cleanup image for linting & verify image is good
-RUN rm -rf /var /boot && mkdir /var /boot && \
+# The first check makes sure that we have exactly 4 gpg pubkeys trusted in the rpmdb (the ones from the base image).
+# Any more than that means that dnf automatically added a new one, which is shady!
+# Then: cleanup image for linting
+# Finally: verify image is good
+RUN [[ 4 -eq $(rpm -qa gpg-pubkey* | wc -l) ]] && \
+    rm -rf /var /boot && mkdir /var /boot && \
    bootc container lint --fatal-warnings --skip baseimage-composefs
@@ -0,0 +1,56 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGLYiZQBEADFiO0tDOd+EOS2tLvLI+0fvX8xWPR+cohAnvMJFWciUt0ucN3c
+XHkEwbTkZNzJJ3s2AIVzq+zhi8SF3t/y0VIiK4pba5OOp14HvzkxBPStPw6Q7KNG
+x07QZxrQ5BwKW2IU1HNUm+bsj8pKjoYWFc2XAzvOR8I/247RyiNVHLD385oHRR6T
+DQKv0ZLwEekokgqqtJwapjCm5nUmwxr4FmBQKzu7bHYS/hqv4q1z2d5YY23UQ9B0
+gazILmenU/xgIHWkPl/7HHetq0zbFrgFao9TfRkaMHLubmX34N7xJD99wszy8ZR0
+yf+b/16oQrNY3BRsD2ZMO5I3elRPYdaXvRvwuzYGVpULWdEEaDr2FaA+JnEJHZac
+v9EdZhROROKIZI1BxPOeNxIlumAgSXTIvFIC2sRGWb7/a/WbI+N7bGXcMENn2s7d
+xiRHhAkdehqY6iWwLFX7jmueesL46Qzsaqn+547aHivuBxETPWuvLs+ANzmqBP4
+T5NP2VVpux9in5VOP5JbE+kRZRH3HrTMQJBMIqFhUFYlkfFBbVDsgZLEFMBpNbZx
+4+xcIp2Qe3ODv1+gL2ocOaYmPdMKDoLk/+qecDiZGChHJlUk2MWLEJ+yZ0ZN3RWw
+hb+JB8xoJVTRQrOgToPHaVeRTSwRmwMTGICLIG3KRxZ6aKgBEfjqGyeKLwARAQAB
+tB1PcGVuWkZTIDxyZWxlYXNlQG9wZW56ZnMub3JnPokCNwQTAQoAIQUCYtiJlAIb
+AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRClmf1enbhBQTixD/9IxQ/StgUv
+pf/qybWa38dEI2Iri+UvR6zy9Nja9SJ2rBrSF5umNNsuRxTD2qvbjNcvOt40sFoj
+pM8aS8JO0Rv5ouMh/Kxbpn0fyzvXVpx3c/ulCHRC38Dnw9G/HijYwxGy+WbysbGF
+HwxepI5MTdImbSJnteNx0q/2SPWCK+KdSTXcbKM113QDXM9b8mJFdOvRa0Mxfu0y
+7qFz+yNmTDZ/tCNoWCCa4G3lmpDosCIjnDoHoethwVvf/M1THRYeXLT8SQEOXJDp
+gT5K0ffzFbqnbio+3r4EDjCZFM+ZKfaRb5kSDdt+xYreW6Q35OIsoVZsEHeAy+J8
+gmk2HGmHCZ8nzO2iUFkq4OQWtOubmYpSB49CDn8zEplhy72BNFL6MTBH9RsaLOBH
+uJbmZFwrFRA6aq5c/NKY2PsgWlxKx3no2grScQC/VmGWu1YZ/rnkiPSf2l+PmFWo
+EvJyElSj52NmpJv0KfggDNGm4j7Axo9uxRMetO0g0Ee1xS0d2ApcpgCd5DmRYcEt
+bUoj/qDdtlTJSLJLClWswEjxYM54NmPE2/Fp8qv58iFJgQsrgaB9RK0VShA8+zK2
+/lbv7aTlQ1SUBdryvMXb9W+xupjzBW1M4rJACZyJegQlnuBYmtlcYW2RarESWmEY
+5vBCc5OBlsKFDLkmHITiFIvotDsDsDS+tokBHAQQAQoABgUCYtiNdgAKCRCp1aHA
+8Uq2IM4EB/oCB0Wwysk08Xgl3nfpZccliG+QSL8Rj4FVV/eJUq+V8kxlkFDGeql/
+f5Qhji0ma8jIJyB8gsi6g/3HVJK7ry5XwHWBPyTv6NR+PrfB2tGrbN7S4R+S5rd7
+yfgRkvsP7+DjUQcMkzY8oXvy0YR84QcO2f+zcqZmY6trwn+p1S4HNjpG/28vZrix
+Ytdogg8b9F1OFtfJiCQABC1XnT3R8mvIcwCjtkvwJY8L30CNkBZ6svOyVfRVsEG1
+HQl1bPo8LTLpDQU52uC41J89i0heBxv9tIUTrbxJIPx5l9QvQYSJ8pKTRxyAFrlR
+n5ANBdk+deEpazZWoZmbDVsPMYXnTwzGuQINBGLYiZQBEACyqsd/q4GWA8MJuk2h
+q/qqKGBf6xU3GBPDm0CF0EWB1sTKx17Rl9cwe7wyDrB0iw4w4bcfujO/k7y6rNGQ
+7PuBpG17dMsQM9H5DBPptO0e00jn5DBNcgSvgTSJpXIzC0VBrfPRDTpZmBP6GWuI
+/Xqa8RahhpEZmXOqxfOi1qZsD8+gDAv2G595025/9nf/KfbYZTibVWurkzHx/URG
+GASMnip3Y0q7Plo3CjEP28EvtyK3fA+OpCOuHYbhJVJGKsVszP/ZRppjjh2yS4hz
+EB6u41Zv0h5/imBFxMyCF3Q44ZvxeMyEXRZG9Omh7swqu3HW/BspEnefxCvc+zp5
+CW6Pjs5yVx4CKzb+Uo7fR7tnUwbKXvUnKJLWO+POFUn7sc3wtY8WpS9XSXIfwLHX
+oiDqirGO3sKG/Mm9ydQL794zykjm6tM32A1VJT7Lz9eLAyo4BQl04X8na/O+kBbR
+0LB7EEhpHokx5cD3NALfKa6S7ZK0/rsrH5n/7RsKnEunyoUjViOnSRbfuz19bV7b
+A6SxrLkY+RRW7GVUHvPIYwOAlifCUQVFnezc9HEMMr5aM0D0PppKwDoJhisLttQN
+FLp9pagcIAg7bxTtvRPJxPgXSeAbI0WOYpyD1dHy4YN1OpY4x0kONB+6rxAKEwUp
+HzDmDSXXLYcFyXFDiNDPwWTaKwARAQABiQIeBBgBCgAJBQJi2ImUAhsMAAoJEKWZ
+/V6duEFBeP8P9Ah4NUIX9AetziaKsG9nxMSc6O1C3BFr05ZRXT1ochHlJZEkI850
+EdLZv5e6cxO4Xuobb0DsdmsMavd0v739SpBqzXh+xvr5Y7JmwTiMzTrcJumHEVbs
+9bUxCIrB2ORgbR3ZrgCK2tjB8EtTQRAaDnh3UdQIY58KVpgVLtY1uOEuP3Vi76i+
+RgPZtLSooPrIyL9uFD3bfn5Ebuml2mHlw/MEBTLCMh2gKqnYzYbB1C7OmqwM5RtM
+SeVWFTctFHo/P9nkE8OSr29MCx7MKalYrS1rU6O8Cg2S7CIOQ/MHpepcs8Z7M1jn
+suYWBkgzX/hnOwCNkoWQv/LRh9HTcRe4bYctsGKb35dUAArah0xB2BpQ+srw5IOf
+C2spzYmFB2rx/wNSftEmAT7YwDlhFsS0/fGAPkW6Um2h3H0L2lLVG5XgBbfpY1my
+o80d20LSVbvftDhAeR9/Dj3Plgve5tIdUZLNN6CXmAUJYlGkLdv03hQ69lIFkwPO
+dn3ycQkk86Pnwt+DY2nUHsxFcEstZIASCr+htCv2YI/MYDWfDpO7j2TfCqspXV+7
+FgeCqkEZ1d8uha1/3VQmGXKHOQwc2YZ42k+at8LzlgseGdez+OBh4rc2WM3csB34
+yBGA1C8bQc8pIpWQ/eR8VGdmg1BYhrrSlyhepSjhBZ3UP3HjPL9WhoA=
+=g37Q
+-----END PGP PUBLIC KEY BLOCK-----
@@ -0,0 +1,35 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEY26u4hYJKwYBBAHaRw8BAQdA7LMqWx9TbSPUghA98U/9B8J/GYk8DENiYUod
+fuHDALC0J1NtYWxsc3RlcCBPcHMgPHRlY2hhZG1pbkBzbWFsbHN0ZXAuY29tPoiO
+BBMWCgA2FiEEeOgokNQNXTl9GTmfiJsZOR93REMFAmNuruICGwMECwkIBwQVCgkI
+BRYCAwEAAh4FAheAAAoJEIibGTkfd0RDQSsBAOhuUfoizetfeAVoJUwn1Px1h+OD
+dQNpzf8o2tF+fwm8AP428LeFCZG5LQQXk5SZFCcOvfQU6fpk1Zd8TlsaREDWDrkC
+DQRjbq9xARAAux27pk6Zw+4PoOBw+s0jUbbPZwyo3jTzJgxv9pH96kofY13xAuD8
+T2m5wh7/ZHmg1IBTXL3pwgxGs28RF4YjQgfwk2svvcBNpG221Tci1M6Yg8zwqNfy
+Z2KSAEGfoazITOdcAj4IhAiR9oZ8GE6ODN3T77VEavsGy1q8OgVrRlQuz418LSsd
+oVH75wPIDNrj0IRCHj8SI/1aZhDsZCbiIT9w7QQI1rtKqxZVUe5MtHSQmQb7lLvq
+HBkfJHgr+qLMw/7w7PVSZ62aZ5UlnE+gtSAxjGEqPzexMiikMkZ3pmC0u+R5h9dE
+wawHSYWcgRluIeeKJ5q/xxx1PtYaGCBqBrubBI1xEhgOBbdFmhZnfJYRSYXkxWtX
+PIeZeHWoeteuMtlmEza91kU3ypcxLLGMbkAHpon92amj1lVre9yZOCRliLfoHTa3
+HWgrjqjGCYk+4fxxjLxcm0GMXc/R0rPn2ISVhPM+3uic0EECya36IBCN6CR7cy7Z
+MSzU/ycEuTBCpqoCMiyxpVsnrkIAoesHD/znoB4rv8FM6sJpE4nA7PSXdcdGOf/j
+F2pJLgLAaLyoKflvYJ+g8mPJMwWw+FmUV7PgVIl/vajDiULD6T+B7DQfWszXSdqG
+HQvHTv9zh1C4+hFRRiseY24o5577COgzwLK56j7Afzh1uBMyoO5wRKsAEQEAAYkC
+rgQYFgoAIBYhBHjoKJDUDV05fRk5n4ibGTkfd0RDBQJjbq9xAhsCAkAJEIibGTkf
+d0RDwXQgBBkBCgAdFiEExj6yRTZfoHtxBoBJHkOFnLhVIjwFAmNur3EACgkQHkOF
+nLhVIjx/lhAAtj+HraJ5i8WzYFvmdYXq8klQIh7gC8cNPJP6+JML0rEEyrZOlA6t
+rpFHpYLO2qAbH9anDceOAIiqL5TBZ406BhTVitU29S/XjL570r0JiXbfxokV31If
+e2GyxMbPDmIH8JzyVCDRG1xI+pHPytJqa09C2YJSLXrN1jTRx66TlzRzD52JOB05
+TcICEuJvl0nnBmvLLjLkI7JJ1qFiZSsv39ceoLPQxYf0/WkXzBAkS9ij52xNWhJP
+RSX6/wlu1FcZ1uhTC8ZYkPhSf1wtimdNSef056FH3FokrLOdRTBz61nXv85rpJYy
+xXnoVFJgUeUKXurO7Wkdvo620VqYOWgiF0AQpSk4yinCiYlj8QkUbX13C2p3tnKh
+WtzS4/oRu9/fReaY3Lx6ILL204Tnn9Tgn+FEAL+P5pioUcUMrui5IUChMzlreKuT
+mXBOu2gbq5kS0qfY61xfJrsI+ShpfHyW51QaH8tei3l4QeJlrExKFo4oyZOhbFOK
+P3hBOkfPL0N7fYb9qj2zhBsdhVWUbFvUG4UofY6f9Wgch7IVzy57yNfxrDq7Ctul
+wd2S6YgJ2qXppFedNlykehlIWpH3bpXQ9kUyhvwWCTqaNW/q1FzsF2V7LsK0vHsV
+XgewEYGB+XCDZ/AznaiBQr5jS7ynDeC8vOL+FB7XRxATbc46W6QQ7gph1wEAi35H
+YS9tkQp7dOKrIUW2DxzG9pKhXMhGTqtpjVNd8doA/0IpycvsqLpY7Jfxb2CT3s+C
+Z6N4GhcQKQkHVsV4Nm4P
+=YjzQ
+-----END PGP PUBLIC KEY BLOCK-----