Verify Signature of extension prior to installation

Heavybullets8 · Nov 27, 2024 · 90e9c7a · 90e9c7a
1 parent 1323311
commit 90e9c7a
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 FROM alpine:3.20
 
-RUN apk add --no-cache crane bash curl libuuid libblkid
+RUN apk add --no-cache cosign crane bash curl libuuid libblkid
 
 COPY entrypoint.sh /entrypoint.sh
 

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -15,6 +15,17 @@ elif ! ZFS_IMAGE=$(crane export "ghcr.io/siderolabs/extensions:${TALOS_VERSION}"
     exit_bool=true
 fi
 
+if [ "$exit_bool" = false ]; then
+    echo "Verifying ZFS image signature..."
+    if ! cosign verify \
+        --certificate-identity-regexp '@siderolabs\.com$' \
+        --certificate-oidc-issuer https://accounts.google.com \
+        "$ZFS_IMAGE" > /dev/null 2>&1; then
+        echo "Error: Image signature verification failed for $ZFS_IMAGE."
+        exit_bool=true
+    fi
+fi
+
 if [ "$PUSHOVER_NOTIFICATION" = true ]; then
     if [ -z "$PUSHOVER_USER_KEY" ]; then
         echo "Error: \"PUSHOVER_USER_KEY\" is missing while \"PUSHOVER_NOTIFICATION\" is \"true\"."
@@ -38,8 +49,8 @@ if [ "$exit_bool" = true ]; then
 fi
 
 echo "Installing ZFS from $ZFS_IMAGE..."
-if ! crane export "$ZFS_IMAGE" | tar --strip-components=1 -x -C / ;then
-    echo "Error: Failed to extract ZFS extension"
+if ! crane export "$ZFS_IMAGE" | tar --strip-components=1 -x -C / ; then
+    echo "Error: Failed to extract ZFS extension."
     exit 1
 fi
 echo