TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-08-12 05:37:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

cmd/dist,release/dist: add distsign signing hooks (#9070)

Browse Source 
Add `dist.Signer` hook which can arbitrarily sign linux/synology
artifacts. Plumb it through in `cmd/dist` and remove existing tarball
signing key. Distsign signing will happen on a remote machine, not using
a local key.

Updates #755
Updates #8760

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This commit is contained in:
Andrew Lytvynov
2023-08-24 15:36:47 -06:00
committed by GitHub
parent dc8287ab3b
commit b42c4e2da1
7 changed files with 62 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
release/dist/unixpkgs/pkgs.go vendored
View File

@@ -7,9 +7,6 @@ package unixpkgs
import (
"archive/tar"
"compress/gzip"
"crypto"
"crypto/rand"
"crypto/sha512"
"errors"
"fmt"
"io"
@@ -26,7 +23,7 @@ import (
type tgzTarget struct {
filenameArch string // arch to use in filename instead of deriving from goEnv["GOARCH"]
goEnv map[string]string
signer crypto.Signer
signer dist.Signer
}
func (t *tgzTarget) arch() string {
@@ -73,11 +70,7 @@ func (t *tgzTarget) Build(b *dist.Build) ([]string, error) {
return nil, err
}
defer f.Close()
// Hash the final output we're writing to the file, after tar and gzip
// writers did their thing.
h := sha512.New()
hw := io.MultiWriter(f, h)
gw := gzip.NewWriter(hw)
gw := gzip.NewWriter(f)
defer gw.Close()
tw := tar.NewWriter(gw)
defer tw.Close()
@@ -161,15 +154,11 @@ func (t *tgzTarget) Build(b *dist.Build) ([]string, error) {
files := []string{filename}
if t.signer != nil {
sig, err := t.signer.Sign(rand.Reader, h.Sum(nil), crypto.SHA512)
if err != nil {
outSig := out + ".sig"
if err := t.signer.SignFile(out, outSig); err != nil {
return nil, err
}
sigFilename := out + ".sig"
if err := os.WriteFile(sigFilename, sig, 0644); err != nil {
return nil, err
}
files = append(files, filename+".sig")
files = append(files, filepath.Base(outSig))
}
return files, nil
@@ -291,7 +280,7 @@ func (t *debTarget) Build(b *dist.Build) ([]string, error) {
type rpmTarget struct {
goEnv map[string]string
signFn func(io.Reader) ([]byte, error)
signer dist.Signer
}
func (t *rpmTarget) os() string {
@@ -387,7 +376,7 @@ func (t *rpmTarget) Build(b *dist.Build) ([]string, error) {
Group: "Network",
Signature: nfpm.RPMSignature{
PackageSignature: nfpm.PackageSignature{
SignFn: t.signFn,
SignFn: t.signer,
},
},
},