update readme

Author: GloriousEggroll

README.md

@@ -19,7 +19,7 @@ Valve says the official container runtimes and SDKs are built with `flatdeb-stea
 - A source-visible pipeline.
 - A patch point before package rebuilds.
 - A package-assembled base image rather than a downloaded runtime image.
-- Your previous `umu-sdk` style of customization preserved as an optional final overlay stage.
+- Previous `umu-sdk` customization preserved as an optional final overlay stage.
 
 ## Important scope note
 
@@ -38,23 +38,6 @@ This is the **closest public equivalent** to Valve's pipeline that can be run in
 - `overlays/rootfs/` — optional file overlay copied into the exported rootfs before the final image is built.
 - `scripts/hooks/post-extract.sh` — optional shell customization hook after rootfs export.
 
-## How the old `umu-sdk` model fits in
-
-Your old flow was:
-
-1. pull a prebuilt image,
-2. apply changes,
-3. publish a new image.
-
-This repo keeps the same *shape* for the last step, but changes the upstream stage:
-
-1. build the UMU base image from SteamRT package metadata and sources,
-2. tag that as the local base image,
-3. run `docker/overlay.Dockerfile` on top of it,
-4. export artifacts.
-
-So the “apply changes on top of an image” part survives, but the image you are extending is one you built locally from public SteamRT inputs.
-
 ## Releasing
 
 Push a tag such as:

scripts/fetch-metadata.sh

@@ -64,48 +64,56 @@ popd >/dev/null
 upstream_build_id="$(tr -d '\n' < "${UPSTREAM_DIR}/${buildid_file}")"
 resolved_version="$(tr -d '\n' < "${UPSTREAM_DIR}/VERSION.txt")"
 resolved_uuid="$(tr -d '\n' < "${UPSTREAM_DIR}/UUID.txt")"
+container_platform="$(runtime_platform "${arch}")"
+arch_tag="$(sanitize_arch "${arch}")"
 
-cat > "${BUILD_DIR}/build.env" <<ENV
-ROOT_DIR=${ROOT_DIR}
-BUILD_DIR=${BUILD_DIR}
-DIST_DIR=${DIST_DIR}
-UPSTREAM_DIR=${UPSTREAM_DIR}
-SOURCE_CACHE_DIR=${SOURCE_CACHE_DIR}
-SOURCE_TREE_DIR=${SOURCE_TREE_DIR}
-PATCHED_REPO_DIR=${PATCHED_REPO_DIR}
-OVERLAY_DIR=${OVERLAY_DIR}
-PATCHES_DIR=${PATCHES_DIR}
-HOOKS_DIR=${HOOKS_DIR}
-DOCKER_DIR=${DOCKER_DIR}
-SNIPER_SNAPSHOT=${snapshot}
-SNIPER_SUITE=${suite}
-SNIPER_VARIANT=${variant}
-SNIPER_ARCH=${arch}
-SNIPER_BASE_URL=${SNIPER_BASE_URL}
-SNIPER_APT_URL=${SNIPER_APT_URL}
-SNIPER_APT_DIST=${SNIPER_APT_DIST}
-SNIPER_APT_COMPONENTS=${SNIPER_APT_COMPONENTS}
-DEBIAN_MIRROR=${DEBIAN_MIRROR}
-DEBIAN_SECURITY_MIRROR=${DEBIAN_SECURITY_MIRROR}
-DEBIAN_RELEASE=${DEBIAN_RELEASE}
-SNIPER_ARTIFACT_PREFIX=${artifact_prefix}
-UPSTREAM_BASE_URL=${base_url}
-UPSTREAM_BUILDID_FILE=${buildid_file}
-UPSTREAM_OS_RELEASE_FILE=${os_release_file}
-UPSTREAM_MANIFEST_FILE=${manifest_file}
-UPSTREAM_BUILT_USING_FILE=${built_using_file}
-UPSTREAM_SOURCE_REQUIRED_FILE=${source_required_file}
-UPSTREAM_SYSROOT_DOCKERFILE=${sysroot_dockerfile}
-UPSTREAM_SOURCES_INDEX=${sources_index}
-UPSTREAM_BUILD_ID=${upstream_build_id}
-UPSTREAM_VERSION=${resolved_version}
-UPSTREAM_UUID=${resolved_uuid}
-UMU_RUNTIME_PREFIX=${UMU_RUNTIME_PREFIX}
-UMU_IMAGE_NAME=${UMU_IMAGE_NAME}
-DEFAULT_CMD=${DEFAULT_CMD}
-ENABLE_LEGACY_OVERLAY=${ENABLE_LEGACY_OVERLAY}
-CONTAINER_PLATFORM=$(runtime_platform "${arch}")
-ARCH_TAG=$(sanitize_arch "${arch}")
-ENV
+write_env() {
+    local key="$1"
+    local value="$2"
+    printf '%s=%q\n' "$key" "$value"
+}
+
+{
+    write_env ROOT_DIR "${ROOT_DIR}"
+    write_env BUILD_DIR "${BUILD_DIR}"
+    write_env DIST_DIR "${DIST_DIR}"
+    write_env UPSTREAM_DIR "${UPSTREAM_DIR}"
+    write_env SOURCE_CACHE_DIR "${SOURCE_CACHE_DIR}"
+    write_env SOURCE_TREE_DIR "${SOURCE_TREE_DIR}"
+    write_env PATCHED_REPO_DIR "${PATCHED_REPO_DIR}"
+    write_env OVERLAY_DIR "${OVERLAY_DIR}"
+    write_env PATCHES_DIR "${PATCHES_DIR}"
+    write_env HOOKS_DIR "${HOOKS_DIR}"
+    write_env DOCKER_DIR "${DOCKER_DIR}"
+    write_env SNIPER_SNAPSHOT "${snapshot}"
+    write_env SNIPER_SUITE "${suite}"
+    write_env SNIPER_VARIANT "${variant}"
+    write_env SNIPER_ARCH "${arch}"
+    write_env SNIPER_BASE_URL "${SNIPER_BASE_URL}"
+    write_env SNIPER_APT_URL "${SNIPER_APT_URL}"
+    write_env SNIPER_APT_DIST "${SNIPER_APT_DIST}"
+    write_env SNIPER_APT_COMPONENTS "${SNIPER_APT_COMPONENTS}"
+    write_env DEBIAN_MIRROR "${DEBIAN_MIRROR}"
+    write_env DEBIAN_SECURITY_MIRROR "${DEBIAN_SECURITY_MIRROR}"
+    write_env DEBIAN_RELEASE "${DEBIAN_RELEASE}"
+    write_env SNIPER_ARTIFACT_PREFIX "${artifact_prefix}"
+    write_env UPSTREAM_BASE_URL "${base_url}"
+    write_env UPSTREAM_BUILDID_FILE "${buildid_file}"
+    write_env UPSTREAM_OS_RELEASE_FILE "${os_release_file}"
+    write_env UPSTREAM_MANIFEST_FILE "${manifest_file}"
+    write_env UPSTREAM_BUILT_USING_FILE "${built_using_file}"
+    write_env UPSTREAM_SOURCE_REQUIRED_FILE "${source_required_file}"
+    write_env UPSTREAM_SYSROOT_DOCKERFILE "${sysroot_dockerfile}"
+    write_env UPSTREAM_SOURCES_INDEX "${sources_index}"
+    write_env UPSTREAM_BUILD_ID "${upstream_build_id}"
+    write_env UPSTREAM_VERSION "${resolved_version}"
+    write_env UPSTREAM_UUID "${resolved_uuid}"
+    write_env UMU_RUNTIME_PREFIX "${UMU_RUNTIME_PREFIX}"
+    write_env UMU_IMAGE_NAME "${UMU_IMAGE_NAME}"
+    write_env DEFAULT_CMD "${DEFAULT_CMD}"
+    write_env ENABLE_LEGACY_OVERLAY "${ENABLE_LEGACY_OVERLAY}"
+    write_env CONTAINER_PLATFORM "${container_platform}"
+    write_env ARCH_TAG "${arch_tag}"
+} > "${BUILD_DIR}/build.env"
 
 log "Resolved upstream build ID: ${upstream_build_id}"

scripts/grabkeys.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+mkdir -p keys
+
+export GNUPGHOME="$(mktemp -d)"
+chmod 700 "$GNUPGHOME"
+: > "$GNUPGHOME/common.conf"
+
+git clone https://gitlab.steamos.cloud/steamrt/flatdeb-steam
+
+gpg --homedir "$GNUPGHOME" --import \
+  flatdeb-steam/suites/8abddd96-valve-archive-steamos-release-key.gpg \
+  flatdeb-steam/suites/c948c57e-steam-runtime-2025.gpg
+
+gpg --homedir "$GNUPGHOME" \
+  --output keys/steamrt-archive-keyring.gpg \
+  --export
+
+gpg --show-keys --keyid-format LONG keys/steamrt-archive-keyring.gpg
+
+rm -Rf flatdeb-steam

scripts/keys/steamrt-archive-keyring.gpg

@@ -26,17 +26,21 @@ def main() -> int:
             install_specs.append(spec)
             seen.add(spec)
 
+    steamrt_keyring_dest = '/usr/share/keyrings/steamrt-archive-keyring.gpg'
+    steamrt_keyring_src = os.environ.get('STEAMRT_KEYRING_SRC', 'keys/steamrt-archive-keyring.gpg')
+
     lines = [
         'FROM debian:bullseye-slim',
         'ENV DEBIAN_FRONTEND=noninteractive',
         'RUN dpkg --add-architecture i386 || true',
-        'RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates gnupg dirmngr && rm -rf /var/lib/apt/lists/*',
+        f'COPY {steamrt_keyring_src} {steamrt_keyring_dest}',
+        'RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/*',
     ]
 
     sources_lines = [
         f'deb {os.environ["DEBIAN_MIRROR"]} {os.environ["DEBIAN_RELEASE"]} main contrib non-free',
         f'deb {os.environ["DEBIAN_SECURITY_MIRROR"]} {os.environ["DEBIAN_RELEASE"]}-security main contrib non-free',
-        f'deb {os.environ["SNIPER_APT_URL"]} {os.environ["SNIPER_APT_DIST"]} {os.environ["SNIPER_APT_COMPONENTS"]}',
+        f'deb [signed-by={steamrt_keyring_dest}] {os.environ["SNIPER_APT_URL"]} {os.environ["SNIPER_APT_DIST"]} {os.environ["SNIPER_APT_COMPONENTS"]}',
     ]
     printf_args = ' '.join(f'"{line}"' for line in sources_lines)
     lines.append(f'RUN printf "%s\\n" {printf_args} > /etc/apt/sources.list')
@@ -50,11 +54,12 @@ def main() -> int:
     lines.append('RUN apt-get update')
     if install_specs:
         joined = ' \\\n    '.join(install_specs)
-        lines.append(
+        install_cmd = (
             'RUN apt-get install -y --no-install-recommends \\\n    '
             + joined
-            + '\n && apt-get clean && rm -rf /var/lib/apt/lists/*'
+            + ' \\\n && apt-get clean && rm -rf /var/lib/apt/lists/*'
         )
+        lines.append(install_cmd)
 
     output.write_text('\n'.join(lines) + '\n', encoding='utf-8')
     return 0