Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-02-23 08:20:15 -05:00
Code Issues Packages Projects Releases Wiki Activity

Feat/cli multi os arch (#390)

Browse Source 
* Implement multi arch/os pipeline
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
This commit is contained in:
Fabian Kammel 2022-08-23 13:43:20 +02:00 committed by GitHub
parent ec79484948
commit 33626986fe
6 changed files with 85 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
.github/actions/build_cli/action.yml vendored
View File

@ -4,6 +4,14 @@ description: |
are used to sign CLI when inputs are provided. A draft release is published are used to sign CLI when inputs are provided. A draft release is published
when run on v* tag. when run on v* tag.
inputs: inputs:
targetOS:
description: 'Build CLI for this OS. [linux, darwin]'
required: true
default: 'linux'
targetArch:
description: 'Build CLI for this architecture. [amd64, arm64]'
required: true
default: 'amd64'
cosignPublicKey: cosignPublicKey:
description: 'Cosign public key' description: 'Cosign public key'
required: false required: false
@ -27,16 +35,6 @@ runs:
-y -y
shell: bash shell: bash
# TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
# once it has the functionality
- name: Install Cosign
uses: sigstore/cosign-installer@48866aa521d8bf870604709cd43ec2f602d03ff2
- name: Install Rekor
run: |
curl -LO https://github.com/sigstore/rekor/releases/download/v0.9.0/rekor-cli-linux-amd64
sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
shell: bash
# https://github.blog/2022-04-12-git-security-vulnerability-announced/ # https://github.blog/2022-04-12-git-security-vulnerability-announced/
- name: Mark repository safe - name: Mark repository safe
run: | run: |
@ -48,39 +46,44 @@ runs:
with: with:
go-version: "1.18" go-version: "1.18"
- name: Build hack/pcr-reader
run: |
go build .
echo "$(pwd)" >> $GITHUB_PATH
export PATH="$PATH:$(pwd)"
working-directory: hack/pcr-reader
shell: bash
- name: Build CLI - name: Build CLI
run: | run: |
GIT_TAG=$(git describe --tags --always --dirty --abbrev=0) GIT_TAG=$(git describe --tags --always --dirty --abbrev=0)
mkdir -p build mkdir -p build
cd build cd build
cmake -DCLI_VERSION:STRING=${GIT_TAG} .. cmake -DCLI_VERSION:STRING=${GIT_TAG} ..
make -j`nproc` cli GOOS=${{ inputs.targetOS }} GOARCH=${{ inputs.targetArch }} make -j`nproc` cli
cp constellation constellation-${{ inputs.targetOS }}-${{ inputs.targetArch }}
echo "$(pwd)" >> $GITHUB_PATH echo "$(pwd)" >> $GITHUB_PATH
export PATH="$PATH:$(pwd)" export PATH="$PATH:$(pwd)"
shell: bash shell: bash
# TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
# once it has the functionality
- name: Install Cosign
uses: sigstore/cosign-installer@48866aa521d8bf870604709cd43ec2f602d03ff2
if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}
- name: Install Rekor
run: |
curl -LO https://github.com/sigstore/rekor/releases/download/v0.9.0/rekor-cli-linux-amd64
sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
shell: bash
if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}
- name: Sign CLI - name: Sign CLI
run: | run: |
set -e set -e
set -o pipefail set -o pipefail
SIGN_TARGET=constellation-${{ inputs.targetOS }}-${{ inputs.targetArch }}
echo "$COSIGN_PUBLIC_KEY" > cosign.pub echo "$COSIGN_PUBLIC_KEY" > cosign.pub
# Enabling experimental mode also publishes signature to Rekor # Enabling experimental mode also publishes signature to Rekor
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation > constellation.sig COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY ${SIGN_TARGET} > ${SIGN_TARGET}.sig
# Verify - As documentation & check # Verify - As documentation & check
# Local Signature (input: artifact, key, signature) # Local Signature (input: artifact, key, signature)
cosign verify-blob --key cosign.pub --signature constellation.sig constellation cosign verify-blob --key cosign.pub --signature ${SIGN_TARGET}.sig ${SIGN_TARGET}
# Transparency Log Signature (input: artifact, key) # Transparency Log Signature (input: artifact, key)
uuid=$(rekor-cli search --artifact constellation | tail -n 1) uuid=$(rekor-cli search --artifact ${SIGN_TARGET} | tail -n 1)
sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content) sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content)
cosign verify-blob --key cosign.pub --signature <(echo $sig) constellation cosign verify-blob --key cosign.pub --signature <(echo $sig) ${SIGN_TARGET}
shell: bash shell: bash
working-directory: build working-directory: build
env: env:
@ -88,14 +91,3 @@ runs:
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }} COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }} if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}
- name: Release CLI
# GitHub endorsed release project. See: https://github.com/actions/create-release
uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
if: startsWith(github.ref, 'refs/tags/v')
with:
draft: true
files: |
build/constellation
build/constellation.sig
build/cosign.pub

7
.github/actions/constellation_measure/action.yml vendored
View File

@ -37,6 +37,13 @@ inputs:
runs: runs:
using: 'composite' using: 'composite'
steps: steps:
- name: Build hack/pcr-reader
run: |
go build .
echo "$(pwd)" >> $GITHUB_PATH
working-directory: hack/pcr-reader
shell: bash
# Check /docs/secure_software_distribution.md#sign-measurements # Check /docs/secure_software_distribution.md#sign-measurements
# for why we ignore certain measurement values. # for why we ignore certain measurement values.
- name: Fetch PCRs - name: Fetch PCRs

19
.github/workflows/build-cli.yml vendored
View File

@ -1,19 +0,0 @@
name: Build CLI and prepare release
on:
workflow_dispatch:
jobs:
build-cli:
runs-on: ubuntu-latest
steps:
- name: Checkout
id: checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- name: Build cli
uses: ./.github/actions/build_cli
with:
cosignPublicKey: ${{ secrets.COSIGN_PUBLIC_KEY }}
cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
cosignPassword: ${{ secrets.COSIGN_PASSWORD }}

49
.github/workflows/release-cli.yml vendored Normal file
View File

@ -0,0 +1,49 @@
name: Build CLI and prepare release
on:
workflow_dispatch:
jobs:
build-cli:
runs-on: ubuntu-latest
steps:
- name: Checkout
id: checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- name: Build cli-linux-amd64
uses: ./.github/actions/build_cli
with:
targetOS: linux
targetArch: amd64
cosignPublicKey: ${{ secrets.COSIGN_PUBLIC_KEY }}
cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
- name: Build cli-darwin-amd64
uses: ./.github/actions/build_cli
with:
targetOS: darwin
targetArch: amd64
cosignPublicKey: ${{ secrets.COSIGN_PUBLIC_KEY }}
cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
- name: Build cli-darwin-arm64
uses: ./.github/actions/build_cli
with:
targetOS: darwin
targetArch: arm64
cosignPublicKey: ${{ secrets.COSIGN_PUBLIC_KEY }}
cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
- name: Release CLI
# GitHub endorsed release project. See: https://github.com/actions/create-release
uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
if: startsWith(github.ref, 'refs/tags/v')
with:
draft: true
files: |
build/constellation-*
build/cosign.pub

2
CHANGELOG.md
View File

@ -22,6 +22,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added ### Added
- Support MacOS (arm64 and amd64) for Constellation CLI.
### Changed ### Changed
### Deprecated ### Deprecated

2
docs/release.md
View File

@ -19,7 +19,7 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
3. Run E2E to confirm stability and [generate measurements](/.github/workflows/e2e-test-manual.yml) 3. Run E2E to confirm stability and [generate measurements](/.github/workflows/e2e-test-manual.yml)
4. Create a new tag in `constellation` on `main` 4. Create a new tag in `constellation` on `main`
* `git tag v1.3.0` * `git tag v1.3.0`
* Run [Build CLI](https://github.com/edgelesssys/constellation/actions/workflows/build-cli.yml) action on the tag * Run [Release CLI](https://github.com/edgelesssys/constellation/actions/workflows/release-cli.yml) action on the tag
* The previous step will create a draft release. Check build output for link to draft release. Review & approve. * The previous step will create a draft release. Check build output for link to draft release. Review & approve.
5. Create a new tag in `constellation-docs` 5. Create a new tag in `constellation-docs`
* `git tag v1.3.0` * `git tag v1.3.0`