130 lines
3.2 KiB
Makefile
130 lines
3.2 KiB
Makefile
VERSION := development
|
|
GIT_REF := $(shell git log -1 --format=%H)
|
|
GIT_AUTHOR := $(shell git log -1 --format=%an)
|
|
GIT_PUBKEY := $(shell git log -1 --format=%GK)
|
|
GIT_TIMESTAMP := $(shell git log -1 --format=%cd --date=iso)
|
|
export
|
|
|
|
## Use env vars from latest release when reproducing
|
|
ifdef REPRODUCE
|
|
include dist/release.env
|
|
export
|
|
endif
|
|
ifdef NOCACHE
|
|
NO_CACHE := --no-cache
|
|
endif
|
|
|
|
.DEFAULT_GOAL :=
|
|
.PHONY: default
|
|
default: \
|
|
out/release.env \
|
|
out/manifest.txt \
|
|
out/airgap.iso
|
|
|
|
## Primary targets
|
|
|
|
out/airgap.iso: Containerfile $(shell git ls-files rootfs)
|
|
SOURCE_DATE_EPOCH=1 \
|
|
docker build \
|
|
--progress=plain \
|
|
--output type=local,rewrite-timestamp=true,dest=out \
|
|
--build-arg SOURCE_DATE_EPOCH=1 \
|
|
--build-arg VERSION="$(VERSION)" \
|
|
--build-arg GIT_REF="$(GIT_REF)" \
|
|
--build-arg GIT_AUTHOR="$(GIT_AUTHOR)" \
|
|
--build-arg GIT_PUBKEY="$(GIT_PUBKEY)" \
|
|
--build-arg GIT_TIMESTAMP="$(GIT_TIMESTAMP)" \
|
|
$(NO_CACHE) \
|
|
-f Containerfile \
|
|
.
|
|
|
|
## Development Targets
|
|
|
|
out/dev-shell.digest: Containerfile | out
|
|
docker build --target dev -f Containerfile -q . > $@
|
|
|
|
.PHONY: shell
|
|
shell: out/dev-shell.digest
|
|
docker run -it $(shell cat $<) /bin/sh
|
|
|
|
.PHONY: vm
|
|
vm: out/dev-shell.digest out/airgap.iso out/sdcard.img
|
|
docker run -it -v ./out:/out $(shell cat $<) sh -c "\
|
|
swtpm socket \
|
|
--tpmstate dir=. \
|
|
--ctrl type=unixio,path=vtpm-sock \
|
|
--tpm2 & \
|
|
qemu-system-x86_64 \
|
|
-m 4G \
|
|
-machine pc \
|
|
-chardev socket,id=chrtpm,path=vtpm-sock \
|
|
-tpmdev emulator,id=tpm0,chardev=chrtpm \
|
|
-device tpm-tis,tpmdev=tpm0 \
|
|
-usb \
|
|
-device sdhci-pci \
|
|
-device sd-card,drive=external \
|
|
-drive id=external,if=none,format=raw,file=out/sdcard.img \
|
|
-device usb-storage,drive=usbdrive \
|
|
-drive id=usbdrive,if=none,format=raw,file=out/airgap.iso \
|
|
-boot order=c \
|
|
-nographic; \
|
|
"
|
|
|
|
## Signing, Verification, and Release Targets
|
|
|
|
.PHONY: clean
|
|
clean:
|
|
rm -rf out
|
|
|
|
.PHONY: release
|
|
release: clean
|
|
$(MAKE) NOCACHE=1 VERSION=$(VERSION)
|
|
rm -rf dist/*
|
|
cp -R out/release.env out/airgap.iso out/manifest.txt dist/
|
|
|
|
.PHONY: sign
|
|
sign:
|
|
set -e; \
|
|
git config --get user.signingkey 2>&1 >/dev/null || { \
|
|
echo "Error: git user.signingkey is not defined"; \
|
|
exit 1; \
|
|
}; \
|
|
fingerprint=$$(\
|
|
git config --get user.signingkey \
|
|
| sed 's/.*\([A-Z0-9]\{16\}\).*/\1/g' \
|
|
); \
|
|
gpg --armor \
|
|
--detach-sig \
|
|
--output dist/manifest.$${fingerprint}.asc \
|
|
dist/manifest.txt
|
|
|
|
.PHONY: verify
|
|
verify: | dist/manifest.txt
|
|
set -e; \
|
|
for file in dist/manifest.*.asc; do \
|
|
echo "\nVerifying: $${file}\n"; \
|
|
gpg --verify $${file} dist/manifest.txt; \
|
|
done;
|
|
|
|
.PHONY: reproduce
|
|
reproduce: clean | out
|
|
$(MAKE) REPRODUCE=true NOCACHE=1
|
|
diff -q out/manifest.txt dist/manifest.txt;
|
|
|
|
out:
|
|
mkdir -p $@
|
|
|
|
out/release.env: $(shell git ls-files) | out
|
|
echo 'VERSION=$(VERSION)' > out/release.env
|
|
echo 'GIT_REF=$(GIT_REF)' >> out/release.env
|
|
echo 'GIT_AUTHOR=$(GIT_AUTHOR)' >> out/release.env
|
|
echo 'GIT_PUBKEY=$(GIT_PUBKEY)' >> out/release.env
|
|
echo 'GIT_TIMESTAMP=$(GIT_TIMESTAMP)' >> out/release.env
|
|
|
|
out/manifest.txt: out/airgap.iso out/release.env | out
|
|
openssl sha256 -r \
|
|
out/airgap.iso \
|
|
out/release.env \
|
|
| sed -e 's/ \*out\// /g' -e 's/ \.\// /g' \
|
|
> $@
|