working release/attest/sign flow

This commit is contained in:
Lance Vick 2022-12-26 01:22:00 -08:00
parent 7a2c4f4be8
commit 7ad95cf21d
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
2 changed files with 14 additions and 26 deletions


@ -74,11 +74,12 @@ release: | out/release.env out/airgap.iso out/manifest.txt
.PHONY: attest .PHONY: attest
attest: attest:
$(MAKE) mrproper out/manifest.txt rm -rf $(CACHE_DIR) $(OUT_DIR)
diff -q out/manifest.txt release/$(VERSION)/manifest.txt; $(MAKE) $(OUT_DIR)/manifest.txt
diff -q $(OUT_DIR)/manifest.txt release/$(VERSION)/manifest.txt;
.PHONY: sign .PHONY: sign
sign: $(RELEASE_DIR)/manifest.txt sign:
set -e; \ set -e; \
git config --get user.signingkey 2>&1 >/dev/null || { \ git config --get user.signingkey 2>&1 >/dev/null || { \
echo "Error: git user.signingkey is not defined"; \ echo "Error: git user.signingkey is not defined"; \
@ -94,7 +95,7 @@ sign: $(RELEASE_DIR)/manifest.txt
$(RELEASE_DIR)/manifest.txt $(RELEASE_DIR)/manifest.txt
.PHONY: verify .PHONY: verify
verify: $(RELEASE_DIR)/manifest.txt verify: | $(RELEASE_DIR)/manifest.txt
set -e; \ set -e; \
for file in $(RELEASE_DIR)/manifest.*.asc; do \ for file in $(RELEASE_DIR)/manifest.*.asc; do \
echo "\nVerifying: $${file}\n"; \ echo "\nVerifying: $${file}\n"; \
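Review bot: The new attest recipe's `rm -rf $(CACHE_DIR) $(OUT_DIR)` runs with no guard on either variable; if one expands empty the other is deleted alone, and a caller-supplied value of `.` or a parent path would remove far more than the build tree, where the replaced `$(MAKE) mrproper` presumably centralised that cleanup. A parse-time check such as `$(if $(strip $(CACHE_DIR)),,$(error CACHE_DIR is empty))` and the same for `OUT_DIR` before the rule keeps the recipe from running with a missing value. Separately, the diff line compares against a literal `release/$(VERSION)/manifest.txt` while sign and verify in the same hunk use `$(RELEASE_DIR)/manifest.txt`, and the `release` header at the top of the hunk still names literal `out/…` paths next to the new `$(OUT_DIR)`; since attest is the reproducibility gate, a caller overriding either variable would silently compare the wrong files, so `diff -q $(OUT_DIR)/manifest.txt $(RELEASE_DIR)/manifest.txt` is the consistent form. The switch to an order-only prerequisite on verify appears to change nothing for a phony target, since it is always rebuilt regardless of prerequisite timestamps; a one-line comment stating why `|` was chosen would help the next reader. The sign and verify recipes continue outside this hunk.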


@ -49,18 +49,23 @@ internet with high integrity on the supply chain of the firmware and OS used.
## Build ## ## Build ##
1. Reproduce existing release, or build fresh if never released: ### Build a new release
``` ```
make VERSION=1.0.0rc1 make VERSION=1.0.0rc1 release
``` ```
2. Compares hashes of newly built iso/rom files with in-tree hashes.txt ### Reproduce an existing release
``` ```
make VERSION=1.0.0rc1 verify make VERSION=1.0.0rc1 attest
``` ```
### Sign an existing release
```
make VERSION=1.0.0rc1 sign
```
## Install ## ## Install ##
@ -82,24 +87,6 @@ internet with high integrity on the supply chain of the firmware and OS used.
2. Power on, and verify successful remote attestation 2. Power on, and verify successful remote attestation
3. Boot to airgap via: Options -> Boot Options -> USB Boot 3. Boot to airgap via: Options -> Boot Options -> USB Boot
## Release ##
1. Audit dependencies to ensure no relevant CVEs are open at the moment:
```
make audit
```
2. Verify and add detached signature to given release with:
```
make VERSION=1.0.0rc1 verify sign
```
3. Commit signatures.
## Development ## ## Development ##
### Build develop image ### Build develop image