blue-build · gmpinder · Mar 24, 2024 · Mar 23, 2024 · Mar 23, 2024 · Mar 23, 2024
@@ -33,8 +33,7 @@ modules:
       remove:
         - org.gnome.eog
 
-  # Needs a bug to be fixed to allow / in image name
-  # - type: signing
+  - type: signing
 
   - type: test-module
 
@@ -154,3 +154,10 @@ fn modules_exists() -> bool {
     let mod_path = Path::new("modules");
     mod_path.exists() && mod_path.is_dir()
 }
+
+mod filters {
+    #[allow(clippy::unnecessary_wraps)]
+    pub fn replace<T: std::fmt::Display>(input: T, from: char, to: &str) -> askama::Result<String> {
+        Ok(format!("{input}").replace(from, to))
+    }
+}
@@ -1,27 +1,4 @@
-# This stage is responsible for holding onto
-# your config without copying it directly into
-# the final image
-FROM scratch as stage-config
-COPY ./config /config
-
-# Copy modules
-# The default modules are inside blue-build/modules
-# Custom modules overwrite defaults
-FROM scratch as stage-modules
-COPY --from=ghcr.io/blue-build/modules:latest /modules /modules
-{%- if self::modules_exists() %}
-COPY ./modules /modules
-{%- endif %}
-
-{%- include "modules/akmods/akmods.j2" %}
-
-# This stage is responsible for holding onto
-# exports like the exports.sh
-FROM docker.io/alpine as stage-exports
-COPY <<EOF /exports.sh
-{{ self::print_export_script() }}
-EOF
-RUN chmod +x /exports.sh
+{%- include "stages.j2" %}
 
 FROM {{ recipe.base_image }}:{{ recipe.image_version }}
 
@@ -43,27 +20,10 @@ ARG IMAGE_REGISTRY={{ registry }}
 ARG IMAGE_REGISTRY=localhost
 {%- endif %}
 
-{%- if self::has_cosign_file() %}
-COPY cosign.pub /usr/share/ublue-os/cosign.pub
-{%- endif %}
-
 ARG CONFIG_DIRECTORY="/tmp/config"
 ARG IMAGE_NAME="{{ recipe.name }}"
 ARG BASE_IMAGE="{{ recipe.base_image }}"
 
-COPY --from=gcr.io/projectsigstore/cosign /ko-app/cosign /usr/bin/cosign
-COPY --from=docker.io/mikefarah/yq /usr/bin/yq /usr/bin/yq
-COPY --from=ghcr.io/blue-build/cli:
-{%- if let Some(tag) = recipe.blue_build_tag -%}
-{{ tag }}
-{%- else -%}
-latest-installer
-{%- endif %} /out/bluebuild /usr/bin/bluebuild
-
 SHELL ["bash", "-c"]
 
-{%- include "modules/modules.j2" %}
-
-# Added in case a user adds something else using the
-# 'containerfile' module
-RUN rm -fr /tmp/* /var/* && ostree container commit
+{% include "modules/modules.j2" %}
@@ -1,3 +1,14 @@
+# Key RUN
+RUN --mount=type=bind,from=stage-keys,src=/keys,dst=/tmp/keys \
+  cp /tmp/keys/* /usr/etc/pki/containers/ \
+  && ostree container commit
+
+# Bin RUN
+RUN --mount=type=bind,from=stage-bins,src=/bins,dst=/tmp/bins \
+  cp /tmp/bins/* /usr/bin/ \
+  && ostree container commit
+
+# Module RUNs
 {%- for module in recipe.modules_ext.modules %}
   {%- if let Some(type) = module.module_type %}
     {%- if type == "containerfile" %}

@@ -0,0 +1,52 @@
+# This stage is responsible for holding onto
+# your config without copying it directly into
+# the final image
+FROM scratch as stage-config
+COPY ./config /config
+
+# Copy modules
+# The default modules are inside blue-build/modules
+# Custom modules overwrite defaults
+FROM scratch as stage-modules
+COPY --from=ghcr.io/blue-build/modules:latest /modules /modules
+{%- if self::modules_exists() %}
+COPY ./modules /modules
+{%- endif %}
+
+# Bins to install
+# These are basic tools that are added to all images.
+# Generally used for the build process. We use a multi
+# stage process so that adding the bins into the image
+# can be added to the ostree commits.
+FROM scratch as stage-bins
+
+COPY --from=gcr.io/projectsigstore/cosign /ko-app/cosign /bins/cosign
+COPY --from=docker.io/mikefarah/yq /usr/bin/yq /bins/yq
+COPY --from=ghcr.io/blue-build/cli:
+{%- if let Some(tag) = recipe.blue_build_tag -%}
+{{ tag }}
+{%- else -%}
+latest-installer
+{%- endif %} /out/bluebuild /bins/bluebuild
+
+# Keys for pre-verified images
+# Used to copy the keys into the final image
+# and perform an ostree commit.
+#
+# Currently only holds the current image's
+# public key.
+FROM scratch as stage-keys
+
+{%- if self::has_cosign_file() %}
+COPY cosign.pub /keys/{{ recipe.name|replace('/', "_") }}.pub
+{%- endif %}
+
+{%- include "modules/akmods/akmods.j2" %}
+
+# This stage is responsible for holding onto
+# exports like the exports.sh
+FROM docker.io/alpine as stage-exports
+COPY <<EOF /exports.sh
+{{ self::print_export_script() }}
+EOF
+RUN chmod +x /exports.sh