From 7ad95cf21d8c39aea34280d2149f73f96eb250ed Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Mon, 26 Dec 2022 01:22:00 -0800
Subject: [PATCH] working release/attest/sign flow

---
 Makefile | 9 +++++----
 README.md | 31 +++++++++----------------------
 2 files changed, 14 insertions(+), 26 deletions(-)

diff --git a/Makefile b/Makefile
index b9910a2..b533687 100644
--- a/Makefile
+++ b/Makefile
@@ -74,11 +74,12 @@ release: | out/release.env out/airgap.iso out/manifest.txt
 
 .PHONY: attest
 attest:
-	$(MAKE) mrproper out/manifest.txt
-	diff -q out/manifest.txt release/$(VERSION)/manifest.txt;
+	rm -rf $(CACHE_DIR) $(OUT_DIR)
+	$(MAKE) $(OUT_DIR)/manifest.txt
+	diff -q $(OUT_DIR)/manifest.txt release/$(VERSION)/manifest.txt;
 
 .PHONY: sign
-sign: $(RELEASE_DIR)/manifest.txt
+sign:
 	set -e; \
 	git config --get user.signingkey 2>&1 >/dev/null || { \
 		echo "Error: git user.signingkey is not defined"; \
@@ -94,7 +95,7 @@ sign: $(RELEASE_DIR)/manifest.txt
 		$(RELEASE_DIR)/manifest.txt
 
 .PHONY: verify
-verify: $(RELEASE_DIR)/manifest.txt
+verify: | $(RELEASE_DIR)/manifest.txt
 	set -e; \
 	for file in $(RELEASE_DIR)/manifest.*.asc; do \
 		echo "\nVerifying: $${file}\n"; \
diff --git a/README.md b/README.md
index 7cd81b7..a60c2f4 100644
--- a/README.md
+++ b/README.md
@@ -49,18 +49,23 @@ internet with high integrity on the supply chain of the firmware and OS used.
 
 ## Build ##
 
-1. Reproduce existing release, or build fresh if never released:
+### Build a new release
 
   ```
-  make VERSION=1.0.0rc1
+  make VERSION=1.0.0rc1 release
   ```
 
-2. Compares hashes of newly built iso/rom files with in-tree hashes.txt
+### Reproduce an existing release
 
   ```
-  make VERSION=1.0.0rc1 verify
+  make VERSION=1.0.0rc1 attest
   ```
 
+### Sign an existing release
+
+  ```
+  make VERSION=1.0.0rc1 sign
+  ```
 
 ## Install ##
 
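Review bot: The new attest recipe line `rm -rf $(CACHE_DIR) $(OUT_DIR)` is unguarded; both variables are defined outside this hunk and can be overridden from the command line or environment, so an empty or mistyped value makes the recursive delete hit the wrong tree before the rebuild. A parse-time guard above the rule, `$(if $(and $(strip $(CACHE_DIR)),$(strip $(OUT_DIR))),,$(error CACHE_DIR and OUT_DIR must be set))`, fails loudly instead, and if the `mrproper` target the old recipe invoked still exists it would keep the cleanup logic in one place rather than duplicated here. Separately, `sign:` now has no prerequisite, so a missing `$(RELEASE_DIR)/manifest.txt` is only reported by the signing command further down; an explicit first recipe line `test -f $(RELEASE_DIR)/manifest.txt || { echo "Error: no manifest for $(VERSION)"; exit 1; }; \` fails fast and makes it clear that sign never regenerates the file it signs. The sign recipe continues past the end of this hunk.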
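Review bot: `verify: | $(RELEASE_DIR)/manifest.txt` still lets make build the manifest when it is absent, because an order-only prerequisite only skips the timestamp comparison; if the rule for `$(RELEASE_DIR)/manifest.txt` (outside this hunk) copies it from a fresh build, a missing release manifest would be regenerated and the detached signatures then checked against that file rather than the committed one. If verify is meant to never create the manifest, drop the prerequisite and add `test -f $(RELEASE_DIR)/manifest.txt || { echo "Error: no manifest for $(VERSION)"; exit 1; }; \` as the first recipe line, matching what the sign target in the previous hunk also needs. The verify recipe continues past the end of this hunk, so whether an unmatched `manifest.*.asc` glob fails closed cannot be confirmed from here.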
@@ -82,24 +87,6 @@ internet with high integrity on the supply chain of the firmware and OS used.
 2. Power on, and verify successful remote attestation
 3. Boot to airgap via: Options -> Boot Options -> USB Boot
 
-
-## Release ##
-
-1. Audit dependencies to ensure no relevant CVEs are open at the moment:
-
-  ```
-  make audit
-  ```
-
-2. Verify and add detached signature to given release with:
-
-  ```
-  make VERSION=1.0.0rc1 verify sign
-  ```
-
-3. Commit signatures.
-
-
 ## Development ##
 
 ### Build develop image