add release verification and signing

This commit is contained in:
Lance Vick 2020-07-19 01:31:10 -07:00
parent 4904c3f8d1
commit d48965252a
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
2 changed files with 60 additions and 13 deletions

5
.gitignore vendored Normal file
View File

@ -0,0 +1,5 @@
.*
build/
release/develop
release/*/*.iso
release/*/*.rom

View File

@ -1,12 +1,15 @@
NAME := airgap NAME := airgap
IMAGE := local/$(NAME):latest IMAGE := local/$(NAME):latest
TARGET := librem13v4 TARGET := x86_64
GIT_DATETIME := \ DEVICES := librem13v4 librem15v4
$(shell git log -1 --format=%cd --date=format:'%Y-%m-%d %H:%M:%S' config)
GIT_REF := $(shell git log -1 --format=%H config) GIT_REF := $(shell git log -1 --format=%H config)
GIT_AUTHOR := $(shell git log -1 --format=%an config) GIT_AUTHOR := $(shell git log -1 --format=%an config)
GIT_KEY := $(shell git log -1 --format=%GP config) GIT_KEY := $(shell git log -1 --format=%GP config)
GIT_EPOCH := $(shell git log -1 --format=%at config) GIT_EPOCH := $(shell git log -1 --format=%at config)
GIT_DATETIME := \
$(shell git log -1 --format=%cd --date=format:'%Y-%m-%d %H:%M:%S' config)
VERSION := "develop"
RELEASE_DIR := release/$(VERSION)
ifeq ($(strip $(shell git status --porcelain 2>/dev/null)),) ifeq ($(strip $(shell git status --porcelain 2>/dev/null)),)
GIT_STATE=clean GIT_STATE=clean
else else
@ -21,7 +24,23 @@ executables = $(docker)
## Primary Targets ## Primary Targets
.PHONY: all .PHONY: all
all: fetch build all: image fetch build hash
.PHONY: build
build: build-os build-fw
.PHONY: verify
verify:
mkdir -p build/verify/$(VERSION)
openssl sha256 $(RELEASE_DIR)/*.rom > build/verify/$(VERSION)/hashes.txt
openssl sha256 $(RELEASE_DIR)/*.iso >> build/verify/$(VERSION)/hashes.txt
diff -q build/verify/$(VERSION)/hashes.txt $(RELEASE_DIR)/hashes.txt;
.PHONY: sign
sign: $(RELEASE_DIR)/*.rom $(RELEASE_DIR)/*.iso
for file in $^; do \
gpg --armor --detach-sig "$${file}"; \
done
.PHONY: image .PHONY: image
image: image:
@ -31,14 +50,6 @@ image:
$(IMAGE_OPTIONS) \ $(IMAGE_OPTIONS) \
$(PWD) $(PWD)
.PHONY: build
build:
$(contain) build
mkdir -p release/$(TARGET)
cp $(OUT_DIR)/rootfs.iso9660 release/$(TARGET)/airgap.iso
cp $(OUT_DIR)/rootfs.cpio release/$(TARGET)/initrd
cp $(OUT_DIR)/bzImage release/$(TARGET)/bzImage
.PHONY: fetch .PHONY: fetch
fetch: fetch:
mkdir -p build release mkdir -p build release
@ -48,6 +59,36 @@ fetch:
clean: clean:
$(contain) clean $(contain) clean
.PHONY: mrproper
mrproper:
rm -rf build
.PHONY: build-os
build-os:
$(contain) build-os
mkdir -p $(RELEASE_DIR)
cp $(OUT_DIR)/rootfs.iso9660 $(RELEASE_DIR)/airgap_$(TARGET).iso
.PHONY: build-fw
build-fw:
$(contain) build-fw
mkdir -p $(RELEASE_DIR)
for device in $(DEVICES); do \
cp \
build/heads/build/$${device}/coreboot.rom \
$(RELEASE_DIR)/$${device}.rom ; \
done
.PHONY: hash
hash:
if [ ! -f release/$(VERSION)/hashes.txt ]; then \
openssl sha256 release/$(VERSION)/*.rom \
> release/$(VERSION)/hashes.txt; \
openssl sha256 release/$(VERSION)/*.iso \
>> release/$(VERSION)/hashes.txt; \
fi
## Development Targets ## Development Targets
.PHONY: shell .PHONY: shell
@ -100,7 +141,8 @@ contain := \
--name "$(NAME)" \ --name "$(NAME)" \
--hostname "$(NAME)" \ --hostname "$(NAME)" \
--user $(userid):$(groupid) \ --user $(userid):$(groupid) \
--env TARGET=$(TARGET) \ --env TARGET="$(TARGET)" \
--env DEVICES="$(DEVICES)" \
--env GIT_DATETIME="$(GIT_DATETIME)" \ --env GIT_DATETIME="$(GIT_DATETIME)" \
--env GIT_EPOCH="$(GIT_EPOCH)" \ --env GIT_EPOCH="$(GIT_EPOCH)" \
--env GIT_REF="$(GIT_REF)" \ --env GIT_REF="$(GIT_REF)" \