working release/attest/sign flow

This commit is contained in:
Lance Vick 2022-12-26 01:22:00 -08:00
parent 7a2c4f4be8
commit 7ad95cf21d
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
2 changed files with 14 additions and 26 deletions

View File

@ -74,11 +74,12 @@ release: | out/release.env out/airgap.iso out/manifest.txt
.PHONY: attest
attest:
$(MAKE) mrproper out/manifest.txt
diff -q out/manifest.txt release/$(VERSION)/manifest.txt;
rm -rf $(CACHE_DIR) $(OUT_DIR)
$(MAKE) $(OUT_DIR)/manifest.txt
diff -q $(OUT_DIR)/manifest.txt release/$(VERSION)/manifest.txt;
.PHONY: sign
sign: $(RELEASE_DIR)/manifest.txt
sign:
set -e; \
git config --get user.signingkey 2>&1 >/dev/null || { \
echo "Error: git user.signingkey is not defined"; \
@ -94,7 +95,7 @@ sign: $(RELEASE_DIR)/manifest.txt
$(RELEASE_DIR)/manifest.txt
.PHONY: verify
verify: $(RELEASE_DIR)/manifest.txt
verify: | $(RELEASE_DIR)/manifest.txt
set -e; \
for file in $(RELEASE_DIR)/manifest.*.asc; do \
echo "\nVerifying: $${file}\n"; \

View File

@ -49,18 +49,23 @@ internet with high integrity on the supply chain of the firmware and OS used.
## Build ##
1. Reproduce existing release, or build fresh if never released:
### Build a new release
```
make VERSION=1.0.0rc1
make VERSION=1.0.0rc1 release
```
2. Compares hashes of newly built iso/rom files with in-tree hashes.txt
### Reproduce an existing release
```
make VERSION=1.0.0rc1 verify
make VERSION=1.0.0rc1 attest
```
### Sign an existing release
```
make VERSION=1.0.0rc1 sign
```
## Install ##
@ -82,24 +87,6 @@ internet with high integrity on the supply chain of the firmware and OS used.
2. Power on, and verify successful remote attestation
3. Boot to airgap via: Options -> Boot Options -> USB Boot
## Release ##
1. Audit dependencies to ensure no relevant CVEs are open at the moment:
```
make audit
```
2. Verify and add detached signature to given release with:
```
make VERSION=1.0.0rc1 verify sign
```
3. Commit signatures.
## Development ##
### Build develop image