Start creating base images

.gitlab-ci.yml

@@ -9,36 +9,9 @@ workflow:
     - if: "$CI_COMMIT_BRANCH"
 
 stages:
+  - base-images
   - build
 
-build-image:
-  stage: build
-  interruptible: true
-  image: ghcr.io/blue-build/cli:$TAG
-  services:
-    - docker:dind
-  parallel:
-    matrix:
-      - RECIPE:
-          - cp-laptop.yml
-          - jp-desktop-nvidia.yml
-          - wke-server.yml
-          - wke-worker.yml
-          - jp-laptop.yml
-        TAG: main
-        BB_CACHE_LAYERS: 'true'
-        BB_BUILD_PUSH: 'true'
-      # - RECIPE: jp-desktop-nvidia.yml
-      #   TAG: 519-device-or-resource-busy-when-trying-to-rechunk-the-image-in-gitlab-ci
-      #   BB_BUILD_PUSH: 'true'
-      #   BB_BUILD_RECHUNK: 'true'
-      # - RECIPE: wke-server.yml
-      #   TAG: 519-device-or-resource-busy-when-trying-to-rechunk-the-image-in-gitlab-ci
-      #   BB_BUILD_DRIVER: podman
-      #   BB_BUILD_SQUASH: 'true'
-      #   BB_BUILD_RECHUNK:
-      #     - 'true'
-      #     - 'false'
 variables:
   DOCKER_HOST: tcp://docker:2376
   DOCKER_TLS_CERTDIR: /certs
@@ -47,9 +20,49 @@ build-image:
   RUST_LOG_STYLE: always
   BB_SIGNING_DRIVER: sigstore
   CLICOLOR_FORCE: 1
+  TAG: main
+
+.build:
+  services:
+    - docker:dind
+  interruptible: true
+  image: ghcr.io/blue-build/cli:$TAG
   before_script:
     - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
     - export COSIGN_PRIVATE_KEY=$(cat .secure_files/cosign.key)
-  script:
     - sleep 5
+  script:
     - bluebuild build "./recipes/${RECIPE}"
+
+base-images:
+  extends:
+    - .build
+  # stage: base-images
+  stage: build
+  parallel:
+    matrix:
+      - RECIPE:
+          - base-kinoite.yml
+          - base-cosmic.yml
+          - base-kinoite-nvidia.yml
+          - base-cosmic-nvidia.yml
+        TAG: 519-device-or-resource-busy-when-trying-to-rechunk-the-image-in-gitlab-ci
+        # BB_BUILD_PUSH: 'true'
+        # BB_BUILD_RECHUNK: 'true'
+
+build-image:
+  extends:
+    - .build
+  stage: build
+  # needs:
+  #   - base-images
+  parallel:
+    matrix:
+      - RECIPE:
+          - cp-laptop.yml
+          - jp-desktop-nvidia.yml
+          - wke-server.yml
+          - wke-worker.yml
+          - jp-laptop.yml
+        BB_CACHE_LAYERS: 'true'
+        BB_BUILD_PUSH: 'true'

files/scripts/sign-check.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 Universal Blue
+# Copyright 2025 The Secureblue Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+set -oue pipefail
+
+KERNEL="$1"
+module="$2"
+PUBLIC_CERT="$3"
+
+kmod_sig="/tmp/kmod.sig"
+kmod_p7s="/tmp/kmod.p7s"
+kmod_data="/tmp/kmod.data"
+/usr/src/kernels/"${KERNEL}"/scripts/extract-module-sig.pl -s "${module}" > "${kmod_sig}"
+openssl pkcs7 -inform der -in "${kmod_sig}" -out "${kmod_p7s}"
+/usr/src/kernels/"${KERNEL}"/scripts/extract-module-sig.pl -0 "${module}" > "${kmod_data}"
+if openssl cms -verify -binary -inform PEM \
+    -in "${kmod_p7s}" \
+    -content "${kmod_data}" \
+    -certfile "${PUBLIC_CERT}" \
+    -out "/dev/null" \
+    -nointern -noverify
+  then
+  echo "Signature Verified for ${module}"
+else
+  echo "Signature Failed for ${module}"
+  exit 1
+fi

files/scripts/signkernel.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 Universal Blue
+# Copyright 2025 The Secureblue Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+set -oue pipefail
+
+KERNEL_VERSION="$(rpm -q "kernel" --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"
+
+PUBLIC_KEY_DER_PATH="../system/etc/pki/akmods/certs/akmods-secureblue.der"
+PUBLIC_KEY_CRT_PATH="./certs/public_key.crt"
+PRIVATE_KEY_PATH="/tmp/certs/private_key.priv"
+
+openssl x509 -in "$PUBLIC_KEY_DER_PATH" -out "$PUBLIC_KEY_CRT_PATH"
+sbsign --cert "$PUBLIC_KEY_CRT_PATH" --key "$PRIVATE_KEY_PATH" /usr/lib/modules/"${KERNEL_VERSION}"/vmlinuz --output /usr/lib/modules/"${KERNEL_VERSION}"/vmlinuz
+sbverify --list /usr/lib/modules/"${KERNEL_VERSION}"/vmlinuz

files/scripts/signmodules.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 Universal Blue
+# Copyright 2025 The Secureblue Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+set -oue pipefail
+
+MODULE_NAME="${1-}"
+if [ -z "$MODULE_NAME" ]; then
+  echo "MODULE_NAME is empty. Exiting..."
+  exit 1
+fi
+
+KERNEL_VERSION="$(rpm -q "kernel" --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"
+
+PUBLIC_KEY_DER_PATH="../system/etc/pki/akmods/certs/akmods-secureblue.der"
+PUBLIC_KEY_CRT_PATH="./certs/public_key.crt"
+PRIVATE_KEY_PATH="/tmp/certs/private_key.priv"
+openssl x509 -in "$PUBLIC_KEY_DER_PATH" -out "$PUBLIC_KEY_CRT_PATH"
+
+PRIVATE_KEY_PATH="/tmp/certs/private_key.priv"
+SIGNING_KEY="./certs/signing_key.pem"
+cat "$PRIVATE_KEY_PATH" <(echo) "$PUBLIC_KEY_CRT_PATH" >> "$SIGNING_KEY"
+
+for module in /usr/lib/modules/"${KERNEL_VERSION}"/extra/"${MODULE_NAME}"/*.ko*; do
+  module_basename="${module:0:-3}"
+  module_suffix="${module: -3}"
+  if [[ "$module_suffix" == ".xz" ]]; then
+    xz --decompress "$module"
+    openssl cms -sign -signer "${SIGNING_KEY}" -binary -in "$module_basename" -outform DER -out "${module_basename}.cms" -nocerts -noattr -nosmimecap
+    /usr/src/kernels/"${KERNEL_VERSION}"/scripts/sign-file -s "${module_basename}.cms" sha256 "${PUBLIC_KEY_CRT_PATH}" "${module_basename}"
+    /bin/bash ./sign-check.sh "${KERNEL_VERSION}" "${module_basename}" "${PUBLIC_KEY_CRT_PATH}"
+    xz -C crc32 -f "${module_basename}"
+  elif [[ "$module_suffix" == ".gz" ]]; then
+    gzip -d "$module"
+    openssl cms -sign -signer "${SIGNING_KEY}" -binary -in "$module_basename" -outform DER -out "${module_basename}.cms" -nocerts -noattr -nosmimecap
+    /usr/src/kernels/"${KERNEL_VERSION}"/scripts/sign-file -s "${module_basename}.cms" sha256 "${PUBLIC_KEY_CRT_PATH}" "${module_basename}"
+    /bin/bash ./sign-check.sh "${KERNEL_VERSION}" "${module_basename}" "${PUBLIC_KEY_CRT_PATH}"
+    gzip -9f "${module_basename}"
+  else
+    openssl cms -sign -signer "${SIGNING_KEY}" -binary -in "$module" -outform DER -out "${module}.cms" -nocerts -noattr -nosmimecap
+    /usr/src/kernels/"${KERNEL_VERSION}"/scripts/sign-file -s "${module}.cms" sha256 "${PUBLIC_KEY_CRT_PATH}" "${module}"
+    /bin/bash ./sign-check.sh "${KERNEL_VERSION}" "${module}" "${PUBLIC_KEY_CRT_PATH}"
+  fi
+done

recipes/base-cosmic-nvidia.yml

@@ -0,0 +1,30 @@
+---
+# yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json
+name: cosmic-nvidia
+base-image: quay.io/fedora/fedora-bootc
+image-version: 42
+description: The base image of Wunker OS
+modules:
+  # Latest build
+  - type: dnf
+    repos:
+      cleanup: true
+      copr:
+        - ryanabx/cosmic-epoch
+    install:
+      packages:
+        - cosmic-desktop
+
+  # Official release
+  # - type: dnf
+  #   group-install:
+  #     packages:
+  #       - cosmic-desktop-environment
+
+  # Setup cosmic greeter as DM
+  - type: systemd
+    system:
+      enabled:
+        - cosmic-greeter
+  - from-file: common/nvidia.yml
+  - from-file: common/base-common.yml

recipes/base-cosmic.yml

@@ -0,0 +1,28 @@
+---
+# yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json
+name: cosmic
+base-image: ghcr.io/ublue-os/base-main
+image-version: 42
+description: The base image of Wunker OS
+modules:
+  - type: dnf
+    repos:
+      cleanup: true
+      copr:
+        - ryanabx/cosmic-epoch
+    install:
+      packages:
+        - cosmic-desktop
+
+  # Official release
+  # - type: dnf
+  #   group-install:
+  #     packages:
+  #       - cosmic-desktop-environment
+
+  # Setup cosmic greeter as DM
+  - type: systemd
+    system:
+      enabled:
+        - cosmic-greeter
+  - from-file: common/base-common.yml

recipes/base-kinoite-nvidia.yml

@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json
+name: kinoite-nvidia
+base-image: ghcr.io/ublue-os/kinoite-main
+image-version: 42
+description: The base image of Wunker OS
+modules:
+  - type: dnf
+    group-install:
+      packages:
+        - kde-desktop
+  - type: systemd
+    system:
+      enabled:
+        - sddm
+  - from-file: common/nvidia.yml
+  - from-file: common/base-common.yml
+

recipes/base-kinoite.yml

@@ -0,0 +1,16 @@
+---
+# yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json
+name: kinoite
+base-image: ghcr.io/ublue-os/kinoite-main
+image-version: 42
+description: The base image of Wunker OS
+modules:
+  - type: dnf
+    group-install:
+      packages:
+        - kde-desktop
+  - type: systemd
+    system:
+      enabled:
+        - sddm
+  - from-file: common/base-common.yml

recipes/common/base-common.yml

@@ -0,0 +1,12 @@
+modules:
+  - type: script
+    snippets:
+      - systemctl set-default graphical.target
+  - from-file: common/updates.yml
+  - from-file: common/bluebuild-logo.yml
+  - type: os-release
+    properties:
+      NAME: WunkerOS
+      ID: wunker_os
+      PRETTY_NAME: Wunker OS
+  - from-file: common/post-build.yml

recipes/common/nvidia.yml

@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://schema.blue-build.org/module-list-v1.json
+modules:
+  - type: dnf
+    repos:
+      cleanup: true
+      nonfree: rpmfusion
+    install:
+      packages:
+        - akmod-nvidia
+  - type: script
+    snippets:
+      - echo "%_with_kmod_nvidia_open 1" > /etc/rpm/macros.nvidia-kmod
+      - akmods --kernels "$(rpm -q "kernel" --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" --rebuild
+  - type: files
+    files:
+      - source: nvidia-kargs
+        destination: /usr/lib/bootc/kargs.d

recipes/common/post-build.yml

@@ -1,11 +1,5 @@
 modules:
-  # - type: script
-  #   snippets:
-  #     - ldconfig
   - type: initramfs
-    # env:
+    env:
-    #   DRACUT_NO_XATTR: '1'
+      DRACUT_NO_XATTR: '1'
     source: local
-  # - type: script
-  #   scripts:
-  #     - initramfs.sh