org.osbuild.ostree.sign: Support ostree sign to sign commits

This form of signatures has been (build-time-optionally) supported
since ostree 2020.4 as an alternative to the old gpg signatures. With
the current work on composefs[1] they are becomming more important, as
they will allow verification of the commit (and thus the composefs
image) during boot, giving us a full trusted boot chain all the way
into the ostree userspace.

Note: `ostree sign` used to require libsodium and was thus disabled in
e.g. the Fedora build of ostree. However, recently[2] it is also supported
with openssl, which will let it be more widely used.

[1] ostreedev/ostree#2921
[2] ostreedev/ostree#2922

stages/org.osbuild.ostree.sign

@@ -0,0 +1,54 @@
+#!/usr/bin/python3
+"""Sign a commit in an ostree repo
+
+Given an ostree commit (referenced by a ref) in a repo and an ed25519
+secret key this adds a signature to the commit detached metadata.
+This commit can then be used to validate the commit, during ostree
+pull, during boot, or at any other time.
+
+"""
+
+import base64
+import os
+import subprocess
+import sys
+
+from osbuild import api
+from osbuild.util import ostree
+
+SCHEMA_2 = """
+"options": {
+  "additionalProperties": false,
+  "required": ["repo", "ref", "key"],
+  "properties": {
+    "repo": {
+      "description": "Location of the OSTree repo.",
+      "type": "string"
+    },
+    "ref": {
+      "description": "OSTree branch name or commit to sign",
+      "type": "string",
+      "default": ""
+    },
+    "key": {
+      "description": "Path to the secret key",
+      "type": "string"
+    }
+  }
+}
+"""
+
+def main(tree, options):
+    repo = os.path.join(tree, options["repo"].lstrip("/"))
+    ref = options["ref"]
+    keyfile = os.path.join(tree, options["key"].lstrip("/"))
+
+    ostree.cli("sign", ref, **{"repo": repo, "keys-file": keyfile })
+
+if __name__ == '__main__':
+    stage_args = api.arguments()
+
+    r = main(stage_args["tree"],
+             stage_args["options"])
+
+    sys.exit(r)