WIP: update the salt script + releases files

This commit is contained in:
Pierre Alain 2024-10-17 07:45:42 +02:00
parent fc75cce37c
commit de9a6ccc86
8 changed files with 22 additions and 22 deletions

View File

@ -23,7 +23,7 @@ jobs:
- run: ./build-with.sh docker - run: ./build-with.sh docker
- run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi' - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen) = $(cat qubes-firewall.sha256) ]; then echo "SHA256 MATCHES"; else exit 42; fi'
- name: Upload Artifact - name: Upload Artifact
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3

View File

@ -23,7 +23,7 @@ jobs:
- run: ./build-with.sh podman - run: ./build-with.sh podman
- run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi' - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen) = $(cat qubes-firewall.sha256) ]; then echo "SHA256 MATCHES"; else exit 42; fi'
- name: Upload Artifact - name: Upload Artifact
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3

View File

@ -32,4 +32,4 @@ WORKDIR /tmp/orb-build
CMD opam exec -- sh -exc 'mirage configure -t xen --extra-repos=\ CMD opam exec -- sh -exc 'mirage configure -t xen --extra-repos=\
opam-overlays:https://github.com/dune-universe/opam-overlays.git#4e75ee36715b27550d5bdb87686bb4ae4c9e89c4,\ opam-overlays:https://github.com/dune-universe/opam-overlays.git#4e75ee36715b27550d5bdb87686bb4ae4c9e89c4,\
mirage-overlays:https://github.com/dune-universe/mirage-opam-overlays.git#797cb363df3ff763c43c8fbec5cd44de2878757e \ mirage-overlays:https://github.com/dune-universe/mirage-opam-overlays.git#797cb363df3ff763c43c8fbec5cd44de2878757e \
&& make depend && make tar' && make depend && make unikernel'

View File

@ -1,13 +1,8 @@
tar: build unikernel: build
rm -rf _build/mirage-firewall
mkdir _build/mirage-firewall
cp dist/qubes-firewall.xen dist/qubes-firewall.xen.debug cp dist/qubes-firewall.xen dist/qubes-firewall.xen.debug
strip dist/qubes-firewall.xen strip dist/qubes-firewall.xen
cp dist/qubes-firewall.xen _build/mirage-firewall/vmlinuz cp dist/qubes-firewall.xen .
touch _build/mirage-firewall/modules.img sha256sum qubes-firewall.xen
cat /dev/null | gzip -n > _build/mirage-firewall/initramfs
tar cjf mirage-firewall.tar.bz2 -C _build --mtime=./build-with.sh mirage-firewall
sha256sum mirage-firewall.tar.bz2 > mirage-firewall.sha256
fetchmotron: qubes_firewall.xen fetchmotron: qubes_firewall.xen
test-mirage qubes_firewall.xen mirage-fw-test & test-mirage qubes_firewall.xen mirage-fw-test &

View File

@ -10,7 +10,8 @@
{% set DownloadVM = "DownloadVmMirage" %} {% set DownloadVM = "DownloadVmMirage" %}
{% set MirageFW = "sys-mirage-fw" %} {% set MirageFW = "sys-mirage-fw" %}
{% set GithubUrl = "https://github.com/mirage/qubes-mirage-firewall" %} {% set GithubUrl = "https://github.com/mirage/qubes-mirage-firewall" %}
{% set Filename = "mirage-firewall.tar.bz2" %} {% set Kernel = "qubes-firewall.xen" %}
{% set Shasum = "qubes-firewall-release.sha256" %}
{% set MirageInstallDir = "/var/lib/qubes/vm-kernels/mirage-firewall" %} {% set MirageInstallDir = "/var/lib/qubes/vm-kernels/mirage-firewall" %}
#download and install the latest version #download and install the latest version
@ -28,13 +29,14 @@ create-downloader-VM:
- template: {{ DownloadVMTemplate }} - template: {{ DownloadVMTemplate }}
- include-in-backups: false - include-in-backups: false
{% set DownloadBinary = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Filename %} {% set DownloadBinary = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Kernel %}
{% set DownloadShasum = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Shasum %}
download-and-unpack-in-DownloadVM4mirage: download-and-unpack-in-DownloadVM4mirage:
cmd.run: cmd.run:
- names: - names:
- qvm-run --pass-io {{ DownloadVM }} {{ "curl -L -O " ~ DownloadBinary }} - qvm-run --pass-io {{ DownloadVM }} {{ "curl -L -O " ~ DownloadBinary }}
- qvm-run --pass-io {{ DownloadVM }} {{ "tar -xvjf " ~ Filename }} - qvm-run --pass-io {{ DownloadVM }} {{ "curl -L -O " ~ DownloadShasum }}
- require: - require:
- create-downloader-VM - create-downloader-VM
@ -42,15 +44,15 @@ download-and-unpack-in-DownloadVM4mirage:
check-checksum-in-DownloadVM: check-checksum-in-DownloadVM:
cmd.run: cmd.run:
- names: - names:
- qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of last build on github:\\\";curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\"\"" }} - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of release on github:\\\";cat " ~ Shasum ~ " | cut -d\' \' -f1\"" }}
- qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1\"" }} - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum " ~ Kernel ~ " | cut -d\' \' -f1\"" }}
- qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\") <(sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} #~/mirage-firewall/modules.img - qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(cat " ~ Shasum ~ " | cut -d\' \' -f1) <(sha256sum " ~ Kernel ~ " | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }}
- require: - require:
- download-and-unpack-in-DownloadVM4mirage - download-and-unpack-in-DownloadVM4mirage
copy-mirage-kernel-to-dom0: copy-mirage-kernel-to-dom0:
cmd.run: cmd.run:
- name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} "cat ~/mirage-firewall/vmlinuz" > {{ MirageInstallDir ~ "/vmlinuz" }} - name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} "cat " ~ Kernel > {{ MirageInstallDir ~ "/" ~ Kernel }}
- require: - require:
- download-and-unpack-in-DownloadVM4mirage - download-and-unpack-in-DownloadVM4mirage
- check-checksum-in-DownloadVM - check-checksum-in-DownloadVM
@ -90,7 +92,7 @@ create-sys-mirage-fw:
cleanup-in-DownloadVM: cleanup-in-DownloadVM:
cmd.run: cmd.run:
- names: - names:
- qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Filename ~ "; rm -R ~/mirage-firewall" }}" - qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Kernel ~ " " ~ Shasum }}"
- require: - require:
- create-initramfs - create-initramfs

View File

@ -19,6 +19,7 @@ echo Building $builder image with dependencies..
$builder build -t qubes-mirage-firewall . $builder build -t qubes-mirage-firewall .
echo Building Firewall... echo Building Firewall...
$builder run --rm -i -v `pwd`:/tmp/orb-build:Z qubes-mirage-firewall $builder run --rm -i -v `pwd`:/tmp/orb-build:Z qubes-mirage-firewall
echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)" echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen | cut -d' ' -f1)"
echo "SHA2 last known: 78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc" echo "SHA2 current head: $(cat qubes-firewall.sha256 | cut -d' ' -f1)"
echo "(hashes should match for released versions)" echo "SHA2 last release: $(cat qubes-firewall-release.sha256 | cut -d' ' -f1)"
echo "(hashes should match for head versions)"

View File

@ -0,0 +1 @@
78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc dist/qubes-firewall.xen

1
qubes-firewall.sha256 Normal file
View File

@ -0,0 +1 @@
78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc dist/qubes-firewall.xen