tailscale/cmd/dist/dist.go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

// The dist command builds Tailscale release packages for distribution.
package main

import (
	"cmp"
	"context"
	"errors"
	"flag"
	"log"
	"os"
	"slices"

	"tailscale.com/release/dist"
	"tailscale.com/release/dist/cli"
	"tailscale.com/release/dist/qnap"
	"tailscale.com/release/dist/synology"
	"tailscale.com/release/dist/unixpkgs"
)

var (
	synologyPackageCenter   bool
	gcloudCredentialsBase64 string
	gcloudProject           string
	gcloudKeyring           string
	qnapKeyName             string
	qnapCertificateBase64   string
)

func getTargets() ([]dist.Target, error) {
	var ret []dist.Target

	ret = append(ret, unixpkgs.Targets(unixpkgs.Signers{})...)
	// Synology packages can be built either for sideloading, or for
	// distribution by Synology in their package center. When
	// distributed through the package center, apps can request
	// additional permissions to use a tuntap interface and control
	// the NAS's network stack, rather than be forced to run in
	// userspace mode.
	//
	// Since only we can provide packages to Synology for
	// distribution, we default to building the "sideload" variant of
	// packages that we distribute on pkgs.tailscale.com.
	//
	// To build for package center, run
	// ./tool/go run ./cmd/dist build --synology-package-center synology
	ret = append(ret, synology.Targets(synologyPackageCenter, nil)...)
	qnapSigningArgs := []string{gcloudCredentialsBase64, gcloudProject, gcloudKeyring, qnapKeyName, qnapCertificateBase64}
	if cmp.Or(qnapSigningArgs...) != "" && slices.Contains(qnapSigningArgs, "") {
		return nil, errors.New("all of --gcloud-credentials, --gcloud-project, --gcloud-keyring, --qnap-key-name and --qnap-certificate must be set")
	}
	ret = append(ret, qnap.Targets(gcloudCredentialsBase64, gcloudProject, gcloudKeyring, qnapKeyName, qnapCertificateBase64)...)
	return ret, nil
}

func main() {
	cmd := cli.CLI(getTargets)
	for _, subcmd := range cmd.Subcommands {
		if subcmd.Name == "build" {
			subcmd.FlagSet.BoolVar(&synologyPackageCenter, "synology-package-center", false, "build synology packages with extra metadata for the official package center")
			subcmd.FlagSet.StringVar(&gcloudCredentialsBase64, "gcloud-credentials", "", "base64 encoded GCP credentials (used when signing QNAP builds)")
			subcmd.FlagSet.StringVar(&gcloudProject, "gcloud-project", "", "name of project in GCP KMS (used when signing QNAP builds)")
			subcmd.FlagSet.StringVar(&gcloudKeyring, "gcloud-keyring", "", "path to keyring in GCP KMS (used when signing QNAP builds)")
			subcmd.FlagSet.StringVar(&qnapKeyName, "qnap-key-name", "", "name of GCP key to use when signing QNAP builds")
			subcmd.FlagSet.StringVar(&qnapCertificateBase64, "qnap-certificate", "", "base64 encoded certificate to use when signing QNAP builds")
		}
	}

	if err := cmd.ParseAndRun(context.Background(), os.Args[1:]); err != nil && !errors.Is(err, flag.ErrHelp) {
		log.Fatal(err)
	}
}
release/dist: add forgotten license headers Signed-off-by: David Anderson <danderson@tailscale.com> 2023-02-24 14:19:13 -08:00			`// Copyright (c) Tailscale Inc & AUTHORS`
			`// SPDX-License-Identifier: BSD-3-Clause`

release: open-source release build logic for unix packages Updates tailscale/corp#9221 Signed-off-by: David Anderson <danderson@tailscale.com> 2023-02-24 13:22:21 -08:00			`// The dist command builds Tailscale release packages for distribution.`
			`package main`

			`import (`
cmd/dist,release/dist: sign QNAP builds with a Google Cloud hosted key QNAP now requires builds to be signed with an HSM. This removes support for signing with a local keypair. This adds support for signing with a Google Cloud hosted key. The key should be an RSA key with protection level `HSM` and that uses PSS padding and a SHA256 digest. The GCloud project, keyring and key name are passed in as command-line arguments. The GCloud credentials and the PEM signing certificate are passed in as Base64-encoded command-line arguments. Updates tailscale/corp#23528 Signed-off-by: Percy Wegmann <percy@tailscale.com> 2025-04-15 11:50:39 -05:00			`"cmp"`
release: open-source release build logic for unix packages Updates tailscale/corp#9221 Signed-off-by: David Anderson <danderson@tailscale.com> 2023-02-24 13:22:21 -08:00			`"context"`
			`"errors"`
			`"flag"`
			`"log"`
			`"os"`
cmd/dist,release/dist: sign QNAP builds with a Google Cloud hosted key QNAP now requires builds to be signed with an HSM. This removes support for signing with a local keypair. This adds support for signing with a Google Cloud hosted key. The key should be an RSA key with protection level `HSM` and that uses PSS padding and a SHA256 digest. The GCloud project, keyring and key name are passed in as command-line arguments. The GCloud credentials and the PEM signing certificate are passed in as Base64-encoded command-line arguments. Updates tailscale/corp#23528 Signed-off-by: Percy Wegmann <percy@tailscale.com> 2025-04-15 11:50:39 -05:00			`"slices"`
release: open-source release build logic for unix packages Updates tailscale/corp#9221 Signed-off-by: David Anderson <danderson@tailscale.com> 2023-02-24 13:22:21 -08:00
			`"tailscale.com/release/dist"`
release/dist/cli: factor out the CLI boilerplace from cmd/dist Signed-off-by: David Anderson <danderson@tailscale.com> 2023-02-24 14:15:35 -08:00			`"tailscale.com/release/dist/cli"`
release/dist/qnap: add qnap target builder Creates new QNAP builder target, which builds go binaries then uses docker to build into QNAP packages. Much of the docker/script code here is pulled over from https://github.com/tailscale/tailscale-qpkg, with adaptation into our builder structures. The qnap/Tailscale folder contains static resources needed to build Tailscale qpkg packages, and is an exact copy of the existing folder in the tailscale-qpkg repo. Builds can be run with: ``` sudo ./tool/go run ./cmd/dist build qnap ``` Updates tailscale/tailscale-qpkg#135 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2024-04-22 16:42:01 -04:00			`"tailscale.com/release/dist/qnap"`
release/dist/synology: build synology packages with cmd/dist Updates #8217 Signed-off-by: David Anderson <danderson@tailscale.com> 2023-05-26 12:42:05 -07:00			`"tailscale.com/release/dist/synology"`
release: open-source release build logic for unix packages Updates tailscale/corp#9221 Signed-off-by: David Anderson <danderson@tailscale.com> 2023-02-24 13:22:21 -08:00			`"tailscale.com/release/dist/unixpkgs"`
			`)`

release/dist/qnap: add qnap target builder Creates new QNAP builder target, which builds go binaries then uses docker to build into QNAP packages. Much of the docker/script code here is pulled over from https://github.com/tailscale/tailscale-qpkg, with adaptation into our builder structures. The qnap/Tailscale folder contains static resources needed to build Tailscale qpkg packages, and is an exact copy of the existing folder in the tailscale-qpkg repo. Builds can be run with: ``` sudo ./tool/go run ./cmd/dist build qnap ``` Updates tailscale/tailscale-qpkg#135 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2024-04-22 16:42:01 -04:00			`var (`
cmd/dist,release/dist: sign QNAP builds with a Google Cloud hosted key QNAP now requires builds to be signed with an HSM. This removes support for signing with a local keypair. This adds support for signing with a Google Cloud hosted key. The key should be an RSA key with protection level `HSM` and that uses PSS padding and a SHA256 digest. The GCloud project, keyring and key name are passed in as command-line arguments. The GCloud credentials and the PEM signing certificate are passed in as Base64-encoded command-line arguments. Updates tailscale/corp#23528 Signed-off-by: Percy Wegmann <percy@tailscale.com> 2025-04-15 11:50:39 -05:00			`synologyPackageCenter bool`
			`gcloudCredentialsBase64 string`
			`gcloudProject string`
			`gcloudKeyring string`
			`qnapKeyName string`
			`qnapCertificateBase64 string`
release/dist/qnap: add qnap target builder Creates new QNAP builder target, which builds go binaries then uses docker to build into QNAP packages. Much of the docker/script code here is pulled over from https://github.com/tailscale/tailscale-qpkg, with adaptation into our builder structures. The qnap/Tailscale folder contains static resources needed to build Tailscale qpkg packages, and is an exact copy of the existing folder in the tailscale-qpkg repo. Builds can be run with: ``` sudo ./tool/go run ./cmd/dist build qnap ``` Updates tailscale/tailscale-qpkg#135 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2024-04-22 16:42:01 -04:00			`)`
release/dist/synology: build synology packages with cmd/dist Updates #8217 Signed-off-by: David Anderson <danderson@tailscale.com> 2023-05-26 12:42:05 -07:00
cmd/dist,release/dist: add distsign signing hooks (#9070) Add `dist.Signer` hook which can arbitrarily sign linux/synology artifacts. Plumb it through in `cmd/dist` and remove existing tarball signing key. Distsign signing will happen on a remote machine, not using a local key. Updates #755 Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com> 2023-08-24 15:36:47 -06:00			`func getTargets() ([]dist.Target, error) {`
release/dist/synology: build synology packages with cmd/dist Updates #8217 Signed-off-by: David Anderson <danderson@tailscale.com> 2023-05-26 12:42:05 -07:00			`var ret []dist.Target`

cmd/dist,release/dist: add distsign signing hooks (#9070) Add `dist.Signer` hook which can arbitrarily sign linux/synology artifacts. Plumb it through in `cmd/dist` and remove existing tarball signing key. Distsign signing will happen on a remote machine, not using a local key. Updates #755 Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com> 2023-08-24 15:36:47 -06:00			`ret = append(ret, unixpkgs.Targets(unixpkgs.Signers{})...)`
release/dist/synology: build synology packages with cmd/dist Updates #8217 Signed-off-by: David Anderson <danderson@tailscale.com> 2023-05-26 12:42:05 -07:00			`// Synology packages can be built either for sideloading, or for`
			`// distribution by Synology in their package center. When`
			`// distributed through the package center, apps can request`
			`// additional permissions to use a tuntap interface and control`
			`// the NAS's network stack, rather than be forced to run in`
			`// userspace mode.`
			`//`
			`// Since only we can provide packages to Synology for`
			`// distribution, we default to building the "sideload" variant of`
			`// packages that we distribute on pkgs.tailscale.com.`
cmd/dist: update logs for synology builds Update logs for synology builds to more clearly callout which variant is being built. The two existing variants are: 1. Sideloaded (can be manual installed on a device by anyone) 2. Package center distribution (by the tailscale team) Updates #cleanup Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2024-02-08 14:01:23 -05:00			`//`
			`// To build for package center, run`
			`// ./tool/go run ./cmd/dist build --synology-package-center synology`
cmd/dist,release/dist: add distsign signing hooks (#9070) Add `dist.Signer` hook which can arbitrarily sign linux/synology artifacts. Plumb it through in `cmd/dist` and remove existing tarball signing key. Distsign signing will happen on a remote machine, not using a local key. Updates #755 Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com> 2023-08-24 15:36:47 -06:00			`ret = append(ret, synology.Targets(synologyPackageCenter, nil)...)`
cmd/dist,release/dist: sign QNAP builds with a Google Cloud hosted key QNAP now requires builds to be signed with an HSM. This removes support for signing with a local keypair. This adds support for signing with a Google Cloud hosted key. The key should be an RSA key with protection level `HSM` and that uses PSS padding and a SHA256 digest. The GCloud project, keyring and key name are passed in as command-line arguments. The GCloud credentials and the PEM signing certificate are passed in as Base64-encoded command-line arguments. Updates tailscale/corp#23528 Signed-off-by: Percy Wegmann <percy@tailscale.com> 2025-04-15 11:50:39 -05:00			`qnapSigningArgs := []string{gcloudCredentialsBase64, gcloudProject, gcloudKeyring, qnapKeyName, qnapCertificateBase64}`
			`if cmp.Or(qnapSigningArgs...) != "" && slices.Contains(qnapSigningArgs, "") {`
			`return nil, errors.New("all of --gcloud-credentials, --gcloud-project, --gcloud-keyring, --qnap-key-name and --qnap-certificate must be set")`
release/dist/qnap: add qnap target builder Creates new QNAP builder target, which builds go binaries then uses docker to build into QNAP packages. Much of the docker/script code here is pulled over from https://github.com/tailscale/tailscale-qpkg, with adaptation into our builder structures. The qnap/Tailscale folder contains static resources needed to build Tailscale qpkg packages, and is an exact copy of the existing folder in the tailscale-qpkg repo. Builds can be run with: ``` sudo ./tool/go run ./cmd/dist build qnap ``` Updates tailscale/tailscale-qpkg#135 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2024-04-22 16:42:01 -04:00			`}`
cmd/dist,release/dist: sign QNAP builds with a Google Cloud hosted key QNAP now requires builds to be signed with an HSM. This removes support for signing with a local keypair. This adds support for signing with a Google Cloud hosted key. The key should be an RSA key with protection level `HSM` and that uses PSS padding and a SHA256 digest. The GCloud project, keyring and key name are passed in as command-line arguments. The GCloud credentials and the PEM signing certificate are passed in as Base64-encoded command-line arguments. Updates tailscale/corp#23528 Signed-off-by: Percy Wegmann <percy@tailscale.com> 2025-04-15 11:50:39 -05:00			`ret = append(ret, qnap.Targets(gcloudCredentialsBase64, gcloudProject, gcloudKeyring, qnapKeyName, qnapCertificateBase64)...)`
release/dist/synology: build synology packages with cmd/dist Updates #8217 Signed-off-by: David Anderson <danderson@tailscale.com> 2023-05-26 12:42:05 -07:00			`return ret, nil`
release: open-source release build logic for unix packages Updates tailscale/corp#9221 Signed-off-by: David Anderson <danderson@tailscale.com> 2023-02-24 13:22:21 -08:00			`}`

release/dist/cli: factor out the CLI boilerplace from cmd/dist Signed-off-by: David Anderson <danderson@tailscale.com> 2023-02-24 14:15:35 -08:00			`func main() {`
			`cmd := cli.CLI(getTargets)`
release/dist/synology: build synology packages with cmd/dist Updates #8217 Signed-off-by: David Anderson <danderson@tailscale.com> 2023-05-26 12:42:05 -07:00			`for _, subcmd := range cmd.Subcommands {`
			`if subcmd.Name == "build" {`
			`subcmd.FlagSet.BoolVar(&synologyPackageCenter, "synology-package-center", false, "build synology packages with extra metadata for the official package center")`
cmd/dist,release/dist: sign QNAP builds with a Google Cloud hosted key QNAP now requires builds to be signed with an HSM. This removes support for signing with a local keypair. This adds support for signing with a Google Cloud hosted key. The key should be an RSA key with protection level `HSM` and that uses PSS padding and a SHA256 digest. The GCloud project, keyring and key name are passed in as command-line arguments. The GCloud credentials and the PEM signing certificate are passed in as Base64-encoded command-line arguments. Updates tailscale/corp#23528 Signed-off-by: Percy Wegmann <percy@tailscale.com> 2025-04-15 11:50:39 -05:00			`subcmd.FlagSet.StringVar(&gcloudCredentialsBase64, "gcloud-credentials", "", "base64 encoded GCP credentials (used when signing QNAP builds)")`
			`subcmd.FlagSet.StringVar(&gcloudProject, "gcloud-project", "", "name of project in GCP KMS (used when signing QNAP builds)")`
			`subcmd.FlagSet.StringVar(&gcloudKeyring, "gcloud-keyring", "", "path to keyring in GCP KMS (used when signing QNAP builds)")`
			`subcmd.FlagSet.StringVar(&qnapKeyName, "qnap-key-name", "", "name of GCP key to use when signing QNAP builds")`
			`subcmd.FlagSet.StringVar(&qnapCertificateBase64, "qnap-certificate", "", "base64 encoded certificate to use when signing QNAP builds")`
release/dist/synology: build synology packages with cmd/dist Updates #8217 Signed-off-by: David Anderson <danderson@tailscale.com> 2023-05-26 12:42:05 -07:00			`}`
			`}`

release/dist/cli: factor out the CLI boilerplace from cmd/dist Signed-off-by: David Anderson <danderson@tailscale.com> 2023-02-24 14:15:35 -08:00			`if err := cmd.ParseAndRun(context.Background(), os.Args[1:]); err != nil && !errors.Is(err, flag.ErrHelp) {`
			`log.Fatal(err)`
release: open-source release build logic for unix packages Updates tailscale/corp#9221 Signed-off-by: David Anderson <danderson@tailscale.com> 2023-02-24 13:22:21 -08:00			`}`
			`}`