Add CAS Codenotary & cleanup old stuff (#1213)

* Add CAS Codenotary * Update docs/add-ons/security.md Co-authored-by: Joakim Sørensen <joasoe@gmail.com> Co-authored-by: Joakim Sørensen <joasoe@gmail.com>
2025-07-13 04:16:29 +00:00 · 2022-06-23 14:54:21 +02:00 · 2022-06-23 14:54:21 +02:00 · 9cc60fa935
commit 9cc60fa935
parent 0d4a63a449
3 changed files with 16 additions and 33 deletions
--- a/docs/add-ons/configuration.md
+++ b/docs/add-ons/configuration.md
@ -183,6 +183,7 @@ Note:  Avoid the use of this filename for anything other than add-on configurati
 | `backup_pre` | string | | Command to execute in the context of the add-on before the backup is taken.
 | `backup_post` | string | | Command to execute in the context of the add-on after the backup was taken.
 | `backup_exclude` | list | | List of file/path (with glob support) that are excluded from backups.
+| `codenotary` | email | | Email address of the signer of this image used by Codenotary CAS.
 | `advanced` | bool | `false` | Set this to `true` to require the user to have enabled "Advanced" mode for it to show.
 | `stage` | string | `stable` | Flag add-on with follow attribute: `stable`, `experimental` or `deprecated`. Add-ons set to `experimental` or `deprecated` will not show up in the store unless the user enables advanced mode.
 | `init` | bool | `true` | Set this to `false` to disable the Docker default system init. Use this if the image has its own init system (Like [s6-overlay](https://github.com/just-containers/s6-overlay)). *Note: Starting in V3 of S6 setting this to `false` is required or the addon won't start, see [here](https://developers.home-assistant.io/blog/2022/05/12/s6-overlay-base-images) for more information.*
--- a/docs/add-ons/security.md
+++ b/docs/add-ons/security.md
@ -18,6 +18,10 @@ For access to Supervisor API you need to define a role or you run in default mod
 | `manager` | Is for Add-ons that run CLIs and need extended rights |
 | `admin` | Have access to every API call. That is the only one they can disable/enable the Add-on protection mode |

+## Codenotary CAS
+
+You can sign your images and also verify our base image which you build from to provide a full chain of trust. This feature us supported by our [Builder](https://github.com/home-assistant/builder) and the [build config](/docs/add-ons/configuration#add-on-extended-build). For enable this feature on the Supervisor for your Add-on, you simple need add your email address to the Add-on configuration `codenotary`.
+
 ## Protection

 Default, all add-ons run in protection enabled mode. This mode prevents the add-on from getting any rights on the system. If an add-on requires more rights, you can disable this protection via the API add-on options for that add-on. But be careful, an add-on with disabled protection can destroy your system!
@ -30,6 +34,7 @@ As a developer, follow the following best practices to make your add-on secure:
 - Create an AppArmor profile
 - Map folders read only if you don't need write access
 - If you need any API access, make sure that you do not grant permission that aren't needed
+- Sign the image with [Codenotary CAS](https://cas.codenotary.com/)

 ## Use Home Assistant User backend

--- a/docs/api/supervisor/endpoints.md
+++ b/docs/api/supervisor/endpoints.md
@ -13,14 +13,13 @@ To see more details about each endpoint, click on it to expand it.
 ### Addons

 <ApiEndpoint path="/addons" method="get">
-Return overview information about add-ons and add-on repositories.
+Return overview information about installed add-ons.

 **Payload:**

 | key          | type | description                                        |
 | ------------ | ---- | -------------------------------------------------- |
 | addons       | list | A list of [Addon models](api/supervisor/models.md#addon)           |
-| repositories | list | A list of [Repository models](api/supervisor/models.md#repository) |

 **Example response:**

@ -45,15 +44,6 @@ Return overview information about add-ons and add-on repositories.
      "icon": false,
      "logo": false
    }
-  ],
-  "repositories": [
-    {
-      "slug": "12345678",
-      "name": "Awesome repository",
-      "source": "https://github.com/awesome/repository",
-      "url": null,
-      "maintainer": "Awesome maintainer <awesome@example.com>"
-    }
  ]
 }
 ```
@ -155,6 +145,7 @@ Get details about an add-on
 | video               | boolean            | `true` if video is enabled                                                             |
 | watchdog            | boolean            | `true` if watchdog is enabled                                                          |
 | webui               | string or null     | The URL to the web UI for the add-on                                                   |
+| signed              | boolean            | True if the image is signed and trust                                                  |

 **Example response:**

@ -233,7 +224,8 @@ Get details about an add-on
  "version": "1.0.0",
  "video": false,
  "watchdog": true,
-  "webui": "http://[HOST]:1337/xy/zx"
+  "webui": "http://[HOST]:1337/xy/zx",
+  "signed": false
 }
 ```

@ -1535,13 +1527,12 @@ Returns information about available updates
 **Returned data:**

 | key | type | description |
-- | -- | --
-update_type | string | `addon`, `os`, `core` or `supervisor`
-name | string | Returns the name (only if the `update_type` is `addon`)
-icon | string | Returns the path for the icon if any (only if the `update_type` is `addon`)
-version_latest | string | Returns the available version
-panel_path | string | Returns path where the UI can be loaded
-
+| -- | -- | -- |
+| update_type | string | `addon`, `os`, `core` or `supervisor` |
+| name | string | Returns the name (only if the `update_type` is `addon`) |
+| icon | string | Returns the path for the icon if any (only if the `update_type` is `addon`) |
+| version_latest | string | Returns the available version |
+| panel_path | string | Returns path where the UI can be loaded |

 </ApiEndpoint>

@ -2442,7 +2433,6 @@ Returns information about the supervisor
 | debug               | bool         | Debug is active                                               |
 | debug_block         | bool         | `true` if debug block is enabled                              |
 | diagnostics         | bool or null | Sending diagnostics is enabled                                |
-| addons              | list         | A list of installed [Addon models](api/supervisor/models.md#addon)            |
 | addons_repositories | list         | A list of add-on repository URL's as strings                  |

 **Example response:**
@ -2463,19 +2453,6 @@ Returns information about the supervisor
  "debug": false,
  "debug_block": false,
  "diagnostics": null,
-  "addons": [
-    {
-      "name": "Awesome add-on",
-      "slug": "7kshd7_awesome",
-      "description": "Awesome description",
-      "repository": "https://example.com/addons",
-      "version": "1.0.0",
-      "installed": "1.0.0",
-      "icon": false,
-      "logo": true,
-      "state": "started"
-    }
-  ],
  "addons_repositories": ["https://example.com/addons"]
 }
 ```