cmd/dist,release/dist: add distsign signing hooks (#9070)

Add `dist.Signer` hook which can arbitrarily sign linux/synology artifacts. Plumb it through in `cmd/dist` and remove existing tarball signing key. Distsign signing will happen on a remote machine, not using a local key. Updates #755 Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2025-08-12 05:37:32 +00:00 · 2023-08-24 15:36:47 -06:00
parent dc8287ab3b
commit b42c4e2da1
7 changed files with 62 additions and 49 deletions
--- a/release/dist/synology/pkgs.go
+++ b/release/dist/synology/pkgs.go
@@ -25,6 +25,7 @@ type target struct {
 	dsmMajorVersion int
 	goenv           map[string]string
 	packageCenter   bool
+	signer          dist.Signer
 }

 func (t *target) String() string {
@@ -37,15 +38,10 @@ func (t *target) Build(b *dist.Build) ([]string, error) {
 		return nil, err
 	}

-	out, err := t.buildSPK(b, inner)
-	if err != nil {
-		return nil, err
-	}
-
-	return []string{out}, nil
+	return t.buildSPK(b, inner)
 }

-func (t *target) buildSPK(b *dist.Build, inner *innerPkg) (string, error) {
+func (t *target) buildSPK(b *dist.Build, inner *innerPkg) ([]string, error) {
 	filename := fmt.Sprintf("tailscale-%s-%s-%d-dsm%d.spk", t.filenameArch, b.Version.Short, b.Version.Synology[t.dsmMajorVersion], t.dsmMajorVersion)
 	out := filepath.Join(b.Out, filename)
 	log.Printf("Building %s", filename)
@@ -57,7 +53,7 @@ func (t *target) buildSPK(b *dist.Build, inner *innerPkg) (string, error) {

 	f, err := os.Create(out)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	defer f.Close()
 	tw := tar.NewWriter(f)
@@ -78,17 +74,27 @@ func (t *target) buildSPK(b *dist.Build, inner *innerPkg) (string, error) {
 		static("scripts/preupgrade", "scripts/preupgrade", 0644),
 	)
 	if err != nil {
-		return "", err
+		return nil, err
 	}

 	if err := tw.Close(); err != nil {
-		return "", err
+		return nil, err
 	}
 	if err := f.Close(); err != nil {
-		return "", err
+		return nil, err
 	}

-	return out, nil
+	files := []string{out}
+
+	if t.signer != nil {
+		outSig := out + ".sig"
+		if err := t.signer.SignFile(out, outSig); err != nil {
+			return nil, err
+		}
+		files = append(files, outSig)
+	}
+
+	return files, nil
 }

 func (t *target) mkInfo(b *dist.Build, uncompressedSz int64) []byte {
--- a/release/dist/synology/targets.go
+++ b/release/dist/synology/targets.go
@@ -26,7 +26,7 @@ var v7Models = []string{
 	"monaco",
 }

-func Targets(forPackageCenter bool) []dist.Target {
+func Targets(forPackageCenter bool, signer dist.Signer) []dist.Target {
 	var ret []dist.Target
 	for _, dsmVersion := range []int{6, 7} {
 		ret = append(ret,
@@ -38,6 +38,7 @@ func Targets(forPackageCenter bool) []dist.Target {
 					"GOARCH": "amd64",
 				},
 				packageCenter: forPackageCenter,
+				signer:        signer,
 			},
 			&target{
 				filenameArch:    "i686",
@@ -47,6 +48,7 @@ func Targets(forPackageCenter bool) []dist.Target {
 					"GOARCH": "386",
 				},
 				packageCenter: forPackageCenter,
+				signer:        signer,
 			},
 			&target{
 				filenameArch:    "armv8",
@@ -56,6 +58,7 @@ func Targets(forPackageCenter bool) []dist.Target {
 					"GOARCH": "arm64",
 				},
 				packageCenter: forPackageCenter,
+				signer:        signer,
 			})

 		// On older ARMv5 and ARMv7 platforms, synology used a whole
@@ -71,6 +74,7 @@ func Targets(forPackageCenter bool) []dist.Target {
 					"GOARM":  "5",
 				},
 				packageCenter: forPackageCenter,
+				signer:        signer,
 			})
 		}
 		for _, v7Arch := range v7Models {
@@ -83,6 +87,7 @@ func Targets(forPackageCenter bool) []dist.Target {
 					"GOARM":  "7",
 				},
 				packageCenter: forPackageCenter,
+				signer:        signer,
 			})
 		}
 	}