forked from public/airgap
1
0
Fork 0

overhaul release process for easier attestation

This commit is contained in:
Lance Vick 2022-12-24 15:56:16 -08:00
parent 6c119eb085
commit a9f79a4597
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
2 changed files with 80 additions and 34 deletions

113
Makefile
View File

@ -29,13 +29,16 @@ executables = $(docker) git patch
include $(PWD)/config/config.env include $(PWD)/config/config.env
.DEFAULT_GOAL := all ## Use env vars from existing release if present
ifneq (,$(wildcard $(RELEASE_DIR)/release.env))
include $(RELEASE_DIR)/release.env
export
endif
.DEFAULT_GOAL := out/manifest.txt
## Primary Targets ## Primary Targets
.PHONY: build
build: build-os build-fw
.PHONY: fetch .PHONY: fetch
fetch: $(CACHE_DIR)/toolchain.tar fetch: $(CACHE_DIR)/toolchain.tar
mkdir -p build release mkdir -p build release
@ -50,9 +53,6 @@ mrproper:
docker image rm -f $(IMAGE) docker image rm -f $(IMAGE)
rm -rf $(CACHE_DIR) rm -rf $(CACHE_DIR)
.PHONY: build-os
build-os: $(CACHE_DIR)/toolchain.tar $(RELEASE_DIR)/airgap_$(ARCH).iso
.PHONY: build-fw .PHONY: build-fw
build-fw: $(CACHE_DIR)/toolchain.tar build-fw: $(CACHE_DIR)/toolchain.tar
$(call toolchain,$(USER),"build-fw") $(call toolchain,$(USER),"build-fw")
@ -65,41 +65,67 @@ build-fw: $(CACHE_DIR)/toolchain.tar
## Release Targets ## Release Targets
.PHONY: release
release: \
$(RELEASE_DIR)/airgap.iso \
$(RELEASE_DIR)/release.env \
$(RELEASE_DIR)/manifest.txt
.PHONY: audit .PHONY: audit
audit: $(CACHE_DIR)/toolchain.tar audit: $(CACHE_DIR)/toolchain.tar
mkdir -p $(CACHE_DIR)/audit mkdir -p $(CACHE_DIR)/audit
$(call toolchain,$(USER),"audit") $(call toolchain,$(USER),"audit")
.PHONY: hash .PHONY: attest
hash: attest: \
if [ ! -f release/$(VERSION)/hashes.txt ]; then \ $(RELEASE_DIR)/airgap.iso \
openssl sha256 -r release/$(VERSION)/*.rom \ $(RELEASE_DIR)/release.env \
> release/$(VERSION)/hashes.txt; \ $(RELEASE_DIR)/manifest.txt
openssl sha256 -r release/$(VERSION)/*.iso \
>> release/$(VERSION)/hashes.txt; \
fi
.PHONY: verify $(MAKE) mrproper out/manifest.txt
verify: diff -q $(OUT_DIR)/manifest.txt $(RELEASE_DIR)/manifest.txt;
mkdir -p $(CACHE_DIR)/audit/$(VERSION)
openssl sha256 -r $(RELEASE_DIR)/*.rom \
> $(CACHE_DIR)/audit/$(VERSION)/release_hashes.txt
openssl sha256 -r $(RELEASE_DIR)/*.iso \
>> $(CACHE_DIR)/audit/$(VERSION)/release_hashes.txt
diff -q $(CACHE_DIR)/audit/$(VERSION)/release_hashes.txt $(RELEASE_DIR)/hashes.txt;
.PHONY: sign .PHONY: sign
sign: $(RELEASE_DIR)/*.rom $(RELEASE_DIR)/*.iso sign: $(RELEASE_DIR)/manifest.txt
set -e; \ set -e; \
for file in $^; do \ git config --get user.signingkey 2>&1 >/dev/null || { \
gpg --armor --detach-sig "$${file}"; \ echo "Error: git user.signingkey is not defined"; \
fingerprint=$$(\ exit 1; \
gpg --list-packets $${file}.asc \ }; \
| grep "issuer key ID" \ fingerprint=$$(\
| sed 's/.*\([A-Z0-9]\{16\}\).*/\1/g' \ git config --get user.signingkey \
); \ | sed 's/.*\([A-Z0-9]\{16\}\).*/\1/g' \
mv $${file}.asc $${file}.$${fingerprint}.asc; \ ); \
done gpg --armor \
--detach-sig \
--output $(RELEASE_DIR)/manifest.$${fingerprint}.asc \
$(RELEASE_DIR)/manifest.txt
.PHONY: verify
verify: $(RELEASE_DIR)/manifest.txt
set -e; \
for file in $(RELEASE_DIR)/manifest.*.asc; do \
echo "\nVerifying: $${file}\n"; \
gpg --verify $${file} $(RELEASE_DIR)/manifest.txt; \
done;
$(RELEASE_DIR):
mkdir -p $(RELEASE_DIR)
$(RELEASE_DIR)/release.env: \
$(RELEASE_DIR) \
$(OUT_DIR)/release.env
cp out/release.env $(RELEASE_DIR)/release.env
$(RELEASE_DIR)/airgap.iso: \
$(RELEASE_DIR) \
$(OUT_DIR)/airgap.iso
cp out/airgap.iso $(RELEASE_DIR)/airgap.iso
$(RELEASE_DIR)/manifest.txt: \
$(RELEASE_DIR) \
$(OUT_DIR)/manifest.txt
cp out/manifest.txt $(RELEASE_DIR)/manifest.txt
## Development Targets ## Development Targets
@ -158,7 +184,19 @@ $(CACHE_DIR)/buildroot: $(CACHE_DIR)/toolchain.tar
$(CACHE_DIR)/heads: $(CACHE_DIR)/toolchain.tar $(CACHE_DIR)/heads: $(CACHE_DIR)/toolchain.tar
$(call git_clone,heads,$(HEADS_REPO),$(HEADS_REF)) $(call git_clone,heads,$(HEADS_REPO),$(HEADS_REF))
$(OUT_DIR)/airgap.iso: $(CACHE_DIR)/buildroot $(OUT_DIR):
mkdir -p $(OUT_DIR)
$(OUT_DIR)/release.env: $(OUT_DIR)
echo 'VERSION=$(VERSION)' > $(OUT_DIR)/release.env
echo 'GIT_REF=$(GIT_REF)' >> $(OUT_DIR)/release.env
echo 'GIT_AUTHOR=$(GIT_AUTHOR)' >> $(OUT_DIR)/release.env
echo 'GIT_KEY=$(GIT_KEY)' >> $(OUT_DIR)/release.env
echo 'GIT_DATETIME=$(GIT_DATETIME)' >> $(OUT_DIR)/release.env
$(OUT_DIR)/airgap.iso: \
$(CACHE_DIR)/buildroot \
$(OUT_DIR)/release.env
$(call apply_patches,buildroot,$(BR2_EXTERNAL)/patches) $(call apply_patches,buildroot,$(BR2_EXTERNAL)/patches)
$(call toolchain,$(USER)," \ $(call toolchain,$(USER)," \
cd buildroot; \ cd buildroot; \
@ -171,6 +209,13 @@ $(OUT_DIR)/airgap.iso: $(CACHE_DIR)/buildroot
cp $(CACHE_DIR)/buildroot/output/images/rootfs.iso9660 \ cp $(CACHE_DIR)/buildroot/output/images/rootfs.iso9660 \
$(OUT_DIR)/airgap.iso $(OUT_DIR)/airgap.iso
$(OUT_DIR)/manifest.txt: \
$(OUT_DIR)/airgap.iso \
$(OUT_DIR)/release.env
cd $(OUT_DIR); \
openssl sha256 -r release.env > manifest.txt; \
openssl sha256 -r airgap.iso >> manifest.txt;
## Make Helpers ## Make Helpers
check_executables := $(foreach exec,$(executables),\$(if \ check_executables := $(foreach exec,$(executables),\$(if \

View File

@ -15,6 +15,7 @@ cat << "EOF"
|___/ |_| |___/ |_|
EOF EOF
echo " Build Details:" echo " Build Details:"
echo " - Version: $VERSION"
echo " - Date: $GIT_DATETIME" echo " - Date: $GIT_DATETIME"
echo " - Tree State: $GIT_STATE" echo " - Tree State: $GIT_STATE"
echo " - Committer: $GIT_AUTHOR" echo " - Committer: $GIT_AUTHOR"