working release/attest/sign flow
This commit is contained in:
parent
7a2c4f4be8
commit
7ad95cf21d
9
Makefile
9
Makefile
|
@ -74,11 +74,12 @@ release: | out/release.env out/airgap.iso out/manifest.txt
|
|||
|
||||
.PHONY: attest
|
||||
attest:
|
||||
$(MAKE) mrproper out/manifest.txt
|
||||
diff -q out/manifest.txt release/$(VERSION)/manifest.txt;
|
||||
rm -rf $(CACHE_DIR) $(OUT_DIR)
|
||||
$(MAKE) $(OUT_DIR)/manifest.txt
|
||||
diff -q $(OUT_DIR)/manifest.txt release/$(VERSION)/manifest.txt;
|
||||
|
||||
.PHONY: sign
|
||||
sign: $(RELEASE_DIR)/manifest.txt
|
||||
sign:
|
||||
set -e; \
|
||||
git config --get user.signingkey 2>&1 >/dev/null || { \
|
||||
echo "Error: git user.signingkey is not defined"; \
|
||||
|
@ -94,7 +95,7 @@ sign: $(RELEASE_DIR)/manifest.txt
|
|||
$(RELEASE_DIR)/manifest.txt
|
||||
|
||||
.PHONY: verify
|
||||
verify: $(RELEASE_DIR)/manifest.txt
|
||||
verify: | $(RELEASE_DIR)/manifest.txt
|
||||
set -e; \
|
||||
for file in $(RELEASE_DIR)/manifest.*.asc; do \
|
||||
echo "\nVerifying: $${file}\n"; \
|
||||
|
|
31
README.md
31
README.md
|
@ -49,18 +49,23 @@ internet with high integrity on the supply chain of the firmware and OS used.
|
|||
|
||||
## Build ##
|
||||
|
||||
1. Reproduce existing release, or build fresh if never released:
|
||||
### Build a new release
|
||||
|
||||
```
|
||||
make VERSION=1.0.0rc1
|
||||
make VERSION=1.0.0rc1 release
|
||||
```
|
||||
|
||||
2. Compares hashes of newly built iso/rom files with in-tree hashes.txt
|
||||
### Reproduce an existing release
|
||||
|
||||
```
|
||||
make VERSION=1.0.0rc1 verify
|
||||
make VERSION=1.0.0rc1 attest
|
||||
```
|
||||
|
||||
### Sign an existing release
|
||||
|
||||
```
|
||||
make VERSION=1.0.0rc1 sign
|
||||
```
|
||||
|
||||
## Install ##
|
||||
|
||||
|
@ -82,24 +87,6 @@ internet with high integrity on the supply chain of the firmware and OS used.
|
|||
2. Power on, and verify successful remote attestation
|
||||
3. Boot to airgap via: Options -> Boot Options -> USB Boot
|
||||
|
||||
|
||||
## Release ##
|
||||
|
||||
1. Audit dependencies to ensure no relevant CVEs are open at the moment:
|
||||
|
||||
```
|
||||
make audit
|
||||
```
|
||||
|
||||
2. Verify and add detached signature to given release with:
|
||||
|
||||
```
|
||||
make VERSION=1.0.0rc1 verify sign
|
||||
```
|
||||
|
||||
3. Commit signatures.
|
||||
|
||||
|
||||
## Development ##
|
||||
|
||||
### Build develop image
|
||||
|
|
Loading…
Reference in New Issue