From b9ce64f97380caff1565f49ec3fd9bec56d2d518 Mon Sep 17 00:00:00 2001 
From: fiftydinar <65243233+fiftydinar@users.noreply.github.com> Date: Sat, 7 Dec 2024 21:15:44 +0100 Subject: [PATCH] chore(signing): Switch fully from `/usr/etc/` to `/etc/` Fixes: #319 I only tested this in non-Universal Blue image. With & without rechunk. Before: ``` [11:39:42 g.i/h/rechunk:v1.0.1] => WARNING: FOUND /usr/etc. MERGING TO ETC FOR COMPATIBILITY [11:39:42 g.i/h/rechunk:v1.0.1] => EXPECT PERMISSIONS ISSUES ON THE MERGED PATHS [11:39:42 g.i/h/rechunk:v1.0.1] => The following files from /usr/etc will be merged to /etc: [11:39:42 g.i/h/rechunk:v1.0.1] => ./usr/etc [11:39:42 g.i/h/rechunk:v1.0.1] => |-- containers [11:39:42 g.i/h/rechunk:v1.0.1] => | |-- policy.json [11:39:42 g.i/h/rechunk:v1.0.1] => | `-- registries.d [11:39:42 g.i/h/rechunk:v1.0.1] => | `-- gidro-os.yaml [11:39:42 g.i/h/rechunk:v1.0.1] => `-- pki [11:39:42 g.i/h/rechunk:v1.0.1] => `-- containers [11:39:42 g.i/h/rechunk:v1.0.1] => `-- gidro-os.pub [11:39:42 g.i/h/rechunk:v1.0.1] => [11:39:42 g.i/h/rechunk:v1.0.1] => 5 directories, 3 files ``` After: ``` [18:26:31 g.i/h/rechunk:v1.0.1] => WARNING: FOUND /usr/etc. MERGING TO ETC FOR COMPATIBILITY [18:26:31 g.i/h/rechunk:v1.0.1] => EXPECT PERMISSIONS ISSUES ON THE MERGED PATHS [18:26:31 g.i/h/rechunk:v1.0.1] => The following files from /usr/etc will be merged to /etc: [18:26:31 g.i/h/rechunk:v1.0.1] => ./usr/etc [18:26:31 g.i/h/rechunk:v1.0.1] => `-- pki [18:26:31 g.i/h/rechunk:v1.0.1] => `-- containers [18:26:31 g.i/h/rechunk:v1.0.1] => `-- gidro-os.pub [18:26:31 g.i/h/rechunk:v1.0.1] => [18:26:31 g.i/h/rechunk:v1.0.1] => 3 directories, 1 file ``` Only thing remaining is to see if copying .pub keys to `/etc/` only will work, as it caused issues before. That would get rid of all files in `/usr/etc/`. 
https://github.com/blue-build/cli/blob/a8cac2adc90fa842e4565bc1825e588df4f5bcbd/template/templates/Containerfile.j2#L26
---
 modules/signing/signing.sh | 43 +++++++++++++++++---------------------
 1 file changed, 19 insertions(+), 24 deletions(-)
diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
index f1565a6..c68ae55 100644
--- a/modules/signing/signing.sh
+++ b/modules/signing/signing.sh
@@ -3,40 +3,35 @@
 # Tell build process to exit if there are any errors.
 set -euo pipefail
-# Don't migrate this module from utilizing `/usr/etc/` to `/etc/` yet, as Ublue needs to solve this issue
-# https://github.com/ublue-os/config/pull/311
-CONTAINER_DIR="/usr/etc/containers"
+CONTAINER_DIR="/etc/containers"
 MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
 IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
-echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
-echo "Registry to write: $IMAGE_REGISTRY"
+echo "Setting up container signing in policy.json and cosign.yaml for ${IMAGE_NAME}"
+echo "Registry to write: ${IMAGE_REGISTRY}"
-if ! [ -d "$CONTAINER_DIR" ]; then
- mkdir -p "$CONTAINER_DIR"
+if ! [ -d "${CONTAINER_DIR}" ]; then
+ mkdir -p "${CONTAINER_DIR}"
 fi
-if ! [ -d $CONTAINER_DIR/registries.d ]; then
- mkdir -p "$CONTAINER_DIR/registries.d"
+if ! [ -d "${CONTAINER_DIR}/registries.d" ]; then
+ mkdir -p "${CONTAINER_DIR}/registries.d"
 fi
-if ! [ -d "/usr/etc/pki/containers" ]; then
- mkdir -p "/usr/etc/pki/containers"
+if ! [ -d "/etc/pki/containers" ]; then
+ mkdir -p "/etc/pki/containers"
 fi
-if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
- cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json"
+if ! [ -f "/etc/pki/containers/${IMAGE_NAME_FILE}.pub" ]; then
+ cp "/usr/share/ublue-os/cosign.pub" "/etc/pki/containers/${IMAGE_NAME_FILE}.pub"
 fi
-if ! [ -f "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" ]; then
- cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub"
-fi
-
-POLICY_FILE="$CONTAINER_DIR/policy.json"
+TEMPLATE_POLICY="${MODULE_DIRECTORY}/signing/policy.json"
+POLICY_FILE="${CONTAINER_DIR}/policy.json"
-jq --arg image_registry "$IMAGE_REGISTRY" \
- --arg image_name "$IMAGE_NAME" \
- --arg image_name_file "$IMAGE_NAME_FILE" \
+jq --arg image_registry "${IMAGE_REGISTRY}" \
+ --arg image_name "${IMAGE_NAME}" \
+ --arg image_name_file "${IMAGE_NAME_FILE}" \
 '.transports.docker |= {
 ($image_registry + "/" + $image_name): [
 {
@@ -46,7 +41,7 @@ jq --arg image_registry "$IMAGE_REGISTRY" \
 "type": "matchRepository"
 }
 }
- ] } + .' "$POLICY_FILE" > /tmp/tmp-policy.json && mv /tmp/tmp-policy.json "$POLICY_FILE"
+ ] } + .' "${TEMPLATE_POLICY}" > "${POLICY_FILE}"
-mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml"
-sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml"
+mv "${MODULE_DIRECTORY}/signing/registry-config.yaml" "${CONTAINER_DIR}/registries.d/${IMAGE_NAME_FILE}.yaml"
+sed -i "s ghcr.io/IMAGENAME ${IMAGE_REGISTRY} g" "${CONTAINER_DIR}/registries.d/${IMAGE_NAME_FILE}.yaml"
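Review bot: Replacing the copy-if-absent seed of `policy.json` with `TEMPLATE_POLICY` changes what the `+ .` merge takes as its base: the jq command that begins on this hunk's last lines and continues into the second hunk now reads the module template instead of the policy already present in `/etc/containers`, so any rules a base image ships there (other transports, other sigstore keys, a different `default`) are discarded rather than merged, while the commit description only describes the path move. If keeping an existing policy is still intended, seed from it when present, `if [ -f "${POLICY_FILE}" ]; then TEMPLATE_POLICY="${POLICY_FILE}"; fi`, and write jq's output to a temporary file before replacing `${POLICY_FILE}`, because a direct `> "${POLICY_FILE}"` truncates the file jq is about to read. If replacing is intentional, say so above the assignment: `# policy.json is always regenerated from the module template; an existing /etc/containers/policy.json is replaced, not merged`.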
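Review bot: `> "${POLICY_FILE}"` opens and truncates `/etc/containers/policy.json` before jq starts, so a jq failure (missing template, malformed JSON in it) leaves an empty policy file in place; the removed line kept the old file intact by writing to a temporary path first, and dropping the predictable `/tmp/tmp-policy.json` name is fine but the two-step write is worth keeping. Writing beside the target and moving over it does that: `… "${TEMPLATE_POLICY}" > "${POLICY_FILE}.tmp"` and, on its own line so `set -e` still stops the build on a jq error, `mv "${POLICY_FILE}.tmp" "${POLICY_FILE}"`. On the last line, `sed -i "s ghcr.io/IMAGENAME ${IMAGE_REGISTRY} g"` splices `IMAGE_REGISTRY` into the sed program, so a value containing a space, `&` or a backslash would alter the substitution rather than the replacement text; the value presumably comes from build configuration, which a short comment such as `# IMAGE_REGISTRY is trusted build configuration; it is embedded in the sed expression unescaped` should state.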