working release/attest/sign flow
parent
7a2c4f4be8
commit
7ad95cf21d
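--- a/Makefile
+++ b/Makefile
@@ -74,11 +74,12 @@ release: | out/release.env out/airgap.iso out/manifest.txt
 
 .PHONY: attest
 attest:
-	$(MAKE) mrproper out/manifest.txt
-	diff -q out/manifest.txt release/$(VERSION)/manifest.txt;
+	rm -rf $(CACHE_DIR) $(OUT_DIR)
+	$(MAKE) $(OUT_DIR)/manifest.txt
+	diff -q $(OUT_DIR)/manifest.txt release/$(VERSION)/manifest.txt;
 
 .PHONY: sign
-sign: $(RELEASE_DIR)/manifest.txt
+sign:
 	set -e; \
 	git config --get user.signingkey 2>&1 >/dev/null || { \
 	echo "Error: git user.signingkey is not defined"; \
@@ -94,7 +95,7 @@ sign: $(RELEASE_DIR)/manifest.txt
 	$(RELEASE_DIR)/manifest.txt
 
 .PHONY: verify
-verify: $(RELEASE_DIR)/manifest.txt
+verify: | $(RELEASE_DIR)/manifest.txt
 	set -e; \
 	for file in $(RELEASE_DIR)/manifest.*.asc; do \
 	echo "\nVerifying: $${file}\n"; \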
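Review bot: The new `diff -q $(OUT_DIR)/manifest.txt release/$(VERSION)/manifest.txt;` line in `attest` hard-codes `release/$(VERSION)` while the neighbouring `sign` and `verify` rules address the same file as `$(RELEASE_DIR)/manifest.txt`; if `RELEASE_DIR` is ever overridden the attestation compares against a path nobody signs, so `diff -q $(OUT_DIR)/manifest.txt $(RELEASE_DIR)/manifest.txt` keeps the reproducibility check and the signature on one file (RELEASE_DIR is defined outside the hunk, so confirm it expands to that path). The replaced `$(MAKE) mrproper` call is now an unguarded `rm -rf $(CACHE_DIR) $(OUT_DIR)`; a guard such as `$(if $(and $(strip $(CACHE_DIR)),$(strip $(OUT_DIR))),,$(error CACHE_DIR and OUT_DIR must be set))` on the line before it fails loudly instead of deleting nothing, or the wrong tree, when either variable is empty or overridden from the command line. `sign:` drops its manifest prerequisite entirely while `verify` keeps it as order-only; `sign: | $(RELEASE_DIR)/manifest.txt` would make a missing manifest fail at dependency resolution rather than inside the signing step, and a comment on the rule stating that `sign` is expected to run only after a successful `attest` would record the intended order that the old combined `verify sign` step implied. The recipes of `sign` and `verify` continue outside the hunk.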
31
README.md
31
README.md
|
@ -49,18 +49,23 @@ internet with high integrity on the supply chain of the firmware and OS used.
|
||||||
|
|
||||||
## Build ##
|
## Build ##
|
||||||
|
|
||||||
1. Reproduce existing release, or build fresh if never released:
|
### Build a new release
|
||||||
|
|
||||||
```
|
```
|
||||||
make VERSION=1.0.0rc1
|
make VERSION=1.0.0rc1 release
|
||||||
```
|
```
|
||||||
|
|
||||||
2. Compares hashes of newly built iso/rom files with in-tree hashes.txt
|
### Reproduce an existing release
|
||||||
|
|
||||||
```
|
```
|
||||||
make VERSION=1.0.0rc1 verify
|
make VERSION=1.0.0rc1 attest
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Sign an existing release
|
||||||
|
|
||||||
|
```
|
||||||
|
make VERSION=1.0.0rc1 sign
|
||||||
|
```
|
||||||
|
|
||||||
## Install ##
|
## Install ##
|
||||||
|
|
||||||
|
@ -82,24 +87,6 @@ internet with high integrity on the supply chain of the firmware and OS used.
|
||||||
2. Power on, and verify successful remote attestation
|
2. Power on, and verify successful remote attestation
|
||||||
3. Boot to airgap via: Options -> Boot Options -> USB Boot
|
3. Boot to airgap via: Options -> Boot Options -> USB Boot
|
||||||
|
|
||||||
|
|
||||||
## Release ##
|
|
||||||
|
|
||||||
1. Audit dependencies to ensure no relevant CVEs are open at the moment:
|
|
||||||
|
|
||||||
```
|
|
||||||
make audit
|
|
||||||
```
|
|
||||||
|
|
||||||
2. Verify and add detached signature to given release with:
|
|
||||||
|
|
||||||
```
|
|
||||||
make VERSION=1.0.0rc1 verify sign
|
|
||||||
```
|
|
||||||
|
|
||||||
3. Commit signatures.
|
|
||||||
|
|
||||||
|
|
||||||
## Development ##
|
## Development ##
|
||||||
|
|
||||||
### Build develop image
|
### Build develop image
|
||||||
|
|