fix: restore cosign pubkey on setup so clean reinstall keeps image verification
`make reinstall`/`uninstall` run `rm -rf config/`, which deletes the git-tracked
config/cosign/cosign.pub. Nothing recreated it, so after any clean reinstall the
bind-mounted key was missing and cosign verification failed for EVERY store
service under the default enforce mode ("loading public key: open
/app/config/cosign/cosign.pub: no such file or directory") — store installs were
completely broken on a fresh install. Found during clean-build pic1 verification.
setup_cell.ensure_cosign_pubkey() now restores the key from git HEAD on every
setup (best-effort; warns rather than fails outside a git checkout). Also fixes
the stale service_composer comment that claimed a Dockerfile COPY that never
existed.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@@ -62,6 +62,38 @@ def ensure_file(rel):
|
||||
print(f'[EXISTS] {rel}')
|
||||
|
||||
|
||||
def ensure_cosign_pubkey():
|
||||
"""Restore the tracked cosign public key if a config wipe removed it.
|
||||
|
||||
`config/cosign/cosign.pub` is a git-tracked asset bind-mounted into cell-api
|
||||
and used to verify store-service image signatures. `make reinstall`/
|
||||
`uninstall` run `rm -rf config/`, which deletes it from the working tree, and
|
||||
nothing else recreates it — leaving every store install broken under the
|
||||
default enforce mode. Restore it from HEAD here (setup runs on every
|
||||
install/reinstall). Best-effort: if this is not a git checkout, warn rather
|
||||
than fail — install.sh surfaces the same warning.
|
||||
"""
|
||||
rel = os.path.join('config', 'cosign', 'cosign.pub')
|
||||
path = os.path.join(ROOT, rel)
|
||||
if os.path.exists(path) and os.path.getsize(path) > 0:
|
||||
print(f'[EXISTS] {rel}')
|
||||
return
|
||||
os.makedirs(os.path.dirname(path), exist_ok=True)
|
||||
try:
|
||||
blob = subprocess.run(
|
||||
['git', '-C', ROOT, 'show', 'HEAD:config/cosign/cosign.pub'],
|
||||
capture_output=True, check=True).stdout
|
||||
if blob:
|
||||
with open(path, 'wb') as f:
|
||||
f.write(blob)
|
||||
print(f'[RESTORED] {rel} (from git HEAD)')
|
||||
return
|
||||
except Exception as e:
|
||||
print(f'[WARN] could not restore {rel} from git: {e}')
|
||||
print(f'[WARN] {rel} is missing — store-service image signature '
|
||||
'verification will fail under enforce mode until it is provided')
|
||||
|
||||
|
||||
def ensure_caddy_ca_cert():
|
||||
cert_dir = os.path.join(ROOT, 'config', 'caddy', 'certs')
|
||||
ca_key = os.path.join(cert_dir, 'ca.key')
|
||||
@@ -402,6 +434,7 @@ def main():
|
||||
for f in REQUIRED_FILES:
|
||||
ensure_file(f)
|
||||
|
||||
ensure_cosign_pubkey()
|
||||
ensure_caddy_ca_cert()
|
||||
priv, _pub = generate_wg_keys()
|
||||
write_wg0_conf(priv, vpn_address, wg_port)
|
||||
|
||||
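Review bot: In ensure_cosign_pubkey the restored blob is written straight to `path` via `open(path, 'wb')`, so an interrupted write leaves a truncated key that the `os.path.exists(path) and os.path.getsize(path) > 0` guard accepts on the next setup; the function then stops self-healing, and enforce-mode verification would presumably fail on a malformed key rather than with the missing-file error the commit describes. Writing to a sibling temp file and renaming makes the restore atomic: `tmp = path + '.tmp'`, `with open(tmp, 'wb') as f: f.write(blob)`, `os.replace(tmp, path)`. The same guard also accepts any non-empty file, so a key that has drifted from the tracked one is never reconciled; fetching the HEAD blob before the early return and printing a `[WARN]` when the on-disk contents differ would at least make the drift visible. In the `except Exception as e` branch, `e` is a CalledProcessError when `git show` fails, and its message carries only the exit status; including `e.stderr` in the `[WARN]` would surface git's actual reason. The second hunk only wires the call into main(), whose body starts and ends outside the hunk.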