https://github.com/jayhemsley/secureblue

https://github.com/jayhemsley/secureblue

atomic bluebuild bluebuild-image custom-image image-based immutable linux linux-custom-image oci oci-image operating-system

Last synced: 8 months ago
JSON representation

• Host: GitHub
• URL: https://github.com/jayhemsley/secureblue
• Owner: jayhemsley
• License: apache-2.0
• Created: 2025-07-11T19:02:28.000Z (9 months ago)
• Default Branch: main
• Last Pushed: 2025-07-11T19:38:40.000Z (9 months ago)
• Last Synced: 2025-07-11T21:05:44.693Z (9 months ago)
• Topics: atomic, bluebuild, bluebuild-image, custom-image, image-based, immutable, linux, linux-custom-image, oci, oci-image, operating-system
• Language: Shell
• Size: 19.5 KB
• Stars: 0
• Watchers: 0
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE
  • Codeowners: .github/CODEOWNERS

Awesome Lists containing this project

README

          
# Secureblue (Customized)   [![bluebuild build badge](https://github.com/jayhemsley/secureblue/actions/workflows/build.yml/badge.svg)](https://github.com/jayhemsley/secureblue/actions/workflows/build.yml)

Secureblue image with some changes. Based off the BlueBuild Template.

Resources:

- [Documentation](https://blue-build.org/learn/getting-started/)

- [Template Repository](https://github.com/blue-build/template)

## Installation

> [!WARNING]  

> [This is an experimental feature](https://www.fedoraproject.org/wiki/Changes/OstreeNativeContainerStable), try at your own discretion.

To rebase an existing atomic Fedora installation to the latest build:

- First rebase to the unsigned image, to get the proper signing keys and policies installed:

  ```

  rpm-ostree rebase ostree-unverified-registry:ghcr.io/jayhemsley/secureblue:latest

  ```

- Reboot to complete the rebase:

  ```

  systemctl reboot

  ```

- Then rebase to the signed image, like so:

  ```

  rpm-ostree rebase ostree-image-signed:docker://ghcr.io/jayhemsley/secureblue:latest

  ```

- Reboot again to complete the installation

  ```

  systemctl reboot

  ```

The `latest` tag will automatically point to the latest build. That build will still always use the Fedora version specified in `recipe.yml`, so you won't get accidentally updated to the next major version.

## ISO

If build on Fedora Atomic, you can generate an offline ISO with the instructions available [here](https://blue-build.org/learn/universal-blue/#fresh-install-from-an-iso). These ISOs cannot unfortunately be distributed on GitHub for free due to large sizes, so for public projects something else has to be used for hosting.

## Verification

These images are signed with [Sigstore](https://www.sigstore.dev/)'s [cosign](https://github.com/sigstore/cosign). You can verify the signature by downloading the `cosign.pub` file from this repo and running the following command:

```bash

cosign verify --key cosign.pub ghcr.io/jayhemsley/secureblue

```