chore: update secureboot enrolment password (#60)

* chore: update secureboot enrollment password * Rename images to remove "base-" * Properly remove base- from the name * Actually change image names * Remove hyphen from before base * Remove duplicate checkout Correctly check for base string in image name * Update README with SecureBoot information and remove outdated selinux info
ublue-os · Aug 8, 2024 · 538a3e0 · 538a3e0
1 parent 70b8887
commit 538a3e0
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 19 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -43,8 +43,6 @@ jobs:
  uses: ublue-os/remove-unwanted-software@v7
  with:
  remove-android: 'true'
- - name: Checkout
- uses: actions/checkout@v2
 
  - name: Checkout Push to Registry action
  uses: actions/checkout@v4
@@ -78,15 +76,21 @@ jobs:
  done
  echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
 
+ IMAGE_NAME="cosmic-${{ matrix.flavor }}"
+ if [[ "$IMAGE_NAME" == *-base* ]]; then
+ IMAGE_NAME="${IMAGE_NAME//-base/}"
+ fi
+ echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
+
  # Build metadata
  - name: Image Metadata
  uses: docker/metadata-action@v5
  id: meta
  with:
  images: |
- cosmic-${{ matrix.flavor }}
+ ${{ env.IMAGE_NAME }}
  labels: |
- org.opencontainers.image.title=cosmic-${{ matrix.flavor }}
+ org.opencontainers.image.title=${{ env.IMAGE_NAME }}
  org.opencontainers.image.version=${{ matrix.version }}
  org.opencontainers.image.description=${{ env.description }}
  io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/cosmic/main/README.md
@@ -126,11 +130,11 @@ jobs:
  with:
  rechunk: 'ghcr.io/hhd-dev/rechunk:v0.8.1'
  ref: 'raw-img'
- prev-ref: "${{ env.IMAGE_REGISTRY }}/cosmic-${{ matrix.flavor }}:${{ matrix.version }}"
+ prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.version }}"
  skip_compression: true
  version: ${{ matrix.version }}
  labels: |
- org.opencontainers.image.title=cosmic-${{ matrix.flavor }}
+ org.opencontainers.image.title=${{ env.IMAGE_NAME }}
  org.opencontainers.image.description=${{ env.description }}
  io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/cosmic/main/README.md
  io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
@@ -140,7 +144,7 @@ jobs:
  IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }})
  sudo rm -rf ${{ steps.rechunk.outputs.output }}
  for tag in ${{ steps.generate-tags.outputs.alias_tags }}; do
- podman tag $IMAGE cosmic-${{ matrix.flavor }}:$tag
+ podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag
  done
 
  # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
@@ -166,7 +170,7 @@ jobs:
  id: push
  with:
  registry: ${{ steps.registry_case.outputs.lowercase }}
- image: cosmic-${{ matrix.flavor }}
+ image: ${{ env.IMAGE_NAME }}
  tags: ${{ steps.generate-tags.outputs.alias_tags }}
  extra-args: |
  --disable-content-trust
@@ -178,7 +182,7 @@ jobs:
  - name: Sign container image
  if: github.event_name != 'pull_request'
  run: |
- cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/cosmic-${{ matrix.flavor }}@${TAGS}
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
  env:
  TAGS: ${{ steps.push.outputs.digest }}
  COSIGN_EXPERIMENTAL: false

diff --git a/.github/workflows/build_iso.yml b/.github/workflows/build_iso.yml
@@ -24,7 +24,7 @@ jobs:
  strategy:
  fail-fast: false
  matrix:
- image_name: [cosmic-silverblue, cosmic-base, cosmic-silverblue-nvidia, cosmic-base-nvidia]
+ image_name: [cosmic, cosmic-nvidia, cosmic-silverblue,cosmic-silverblue-nvidia]
  fedora_version: [40]
 
  steps:
@@ -41,7 +41,7 @@ jobs:
  version: ${{ matrix.fedora_version }}
  image_tag: ${{ matrix.fedora_version }}-amd64
  secure_boot_key_url: 'https://github.com/ublue-os/akmods/raw/main/certs/public_key.der'
- enrollment_password: 'ublue-os'
+ enrollment_password: 'universalblue'
  iso_name: ${{ matrix.image_name }}-${{ matrix.fedora_version }}.iso
 
  - name: Upload ISOs and Checksum to Job Artifacts

diff --git a/README.md b/README.md
@@ -3,7 +3,7 @@
 
 > NOTES:
 > These images are not associated with System76! If you have issues, please understand they might be COSMIC related, OR they might be related to this image.
-> The COSMIC Desktop Environment is still PRE ALPHA. Do not daily drive this image on your main workstation unless you know what you're doing.
+> The COSMIC Desktop Environment is still ALPHA. Do not daily drive this image on your main workstation unless you know what you're doing.
 
 Like Fedora? Want to try the latest from the work in progress Cosmic Desktop Environment? Want to help find bugs and/or contribute to Cosmic development, but don't want to work in a VM or install Pop!_OS? None of the above things but something else??!?
 
@@ -13,15 +13,9 @@ Go ahead and try one of the ostree images I've created here!
 
 Install a Fedora Atomic Desktop, like [Fedora Silverblue](https://fedoraproject.org/atomic-desktops/silverblue/).
 
-#### Warning
-This image requires disabling SELinux. **This is NOT recommended for production** and is a temporary situation until this work is finished in upstream Fedora. 
-
- sudo setenforce 0 && getenforce
-
-You can view the SELinux config in `/etc/selinux/config`
 
 #### Variants
-- `cosmic-base`: Just the COSMIC Desktop
+- `cosmic`: Just the COSMIC Desktop
 - `cosmic-silverblue`: Recommended, Fedora Silverblue with COSMIC Desktop added
 - `cosmic-kinoite`: Fedora Kinoite with COSMIC Desktop addded
 
@@ -35,6 +29,29 @@ Rebase to the signed image
 
  rpm-ostree rebase --reboot ostree-image-signed:docker://ghcr.io/ublue-os/VARIANT:40-amd64
 
+
+### Secure Boot
+
+Secure Boot is supported by default on our systems, providing an additional layer of security. After the first installation, you will be prompted to enroll the secure boot key in the BIOS.
+
+Enter the password `universalblue` 
+when prompted to enroll our key.
+
+If this step is not completed during the initial setup, you can manually enroll the key by running the following command in the terminal:
+
+`
+ujust enroll-secure-boot-key
+`
+
+Secure boot is supported with our custom key. The pub key can be found in the root of the akmods repository [here](https://github.com/ublue-os/akmods/raw/main/certs/public_key.der).
+If you'd like to enroll this key prior to installation or rebase, download the key and run the following:
+
+```bash
+sudo mokutil --timeout -1
+sudo mokutil --import secure_boot.der
+```
+
+
 ### Enabling the display manager
 
 Log in with your username and password, then run: