cmd/dist,release/dist: add distsign signing hooks (#9070)

Add `dist.Signer` hook which can arbitrarily sign linux/synology
artifacts. Plumb it through in `cmd/dist` and remove existing tarball
signing key. Distsign signing will happen on a remote machine, not using
a local key.

Updates #755
Updates #8760

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This commit is contained in:
Andrew Lytvynov 2023-08-24 15:36:47 -06:00 committed by GitHub
parent dc8287ab3b
commit b42c4e2da1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 62 additions and 49 deletions

6
cmd/dist/dist.go vendored
View File

@ -19,10 +19,10 @@
var synologyPackageCenter bool
func getTargets(signers unixpkgs.Signers) ([]dist.Target, error) {
func getTargets() ([]dist.Target, error) {
var ret []dist.Target
ret = append(ret, unixpkgs.Targets(signers)...)
ret = append(ret, unixpkgs.Targets(unixpkgs.Signers{})...)
// Synology packages can be built either for sideloading, or for
// distribution by Synology in their package center. When
// distributed through the package center, apps can request
@ -33,7 +33,7 @@ func getTargets(signers unixpkgs.Signers) ([]dist.Target, error) {
// Since only we can provide packages to Synology for
// distribution, we default to building the "sideload" variant of
// packages that we distribute on pkgs.tailscale.com.
ret = append(ret, synology.Targets(synologyPackageCenter)...)
ret = append(ret, synology.Targets(synologyPackageCenter, nil)...)
return ret, nil
}

View File

@ -20,7 +20,6 @@
"github.com/peterbourgon/ff/v3/ffcli"
"tailscale.com/clientupdate/distsign"
"tailscale.com/release/dist"
"tailscale.com/release/dist/unixpkgs"
)
// CLI returns a CLI root command to build release packages.
@ -28,7 +27,7 @@
// getTargets is a function that gets run in the Exec function of commands that
// need to know the target list. Its execution is deferred in this way to allow
// customization of command FlagSets with flags that influence the target list.
func CLI(getTargets func(unixpkgs.Signers) ([]dist.Target, error)) *ffcli.Command {
func CLI(getTargets func() ([]dist.Target, error)) *ffcli.Command {
return &ffcli.Command{
Name: "dist",
ShortUsage: "dist [flags] <command> [command flags]",
@ -38,7 +37,7 @@ func CLI(getTargets func(unixpkgs.Signers) ([]dist.Target, error)) *ffcli.Comman
{
Name: "list",
Exec: func(ctx context.Context, args []string) error {
targets, err := getTargets(unixpkgs.Signers{})
targets, err := getTargets()
if err != nil {
return err
}
@ -54,11 +53,7 @@ func CLI(getTargets func(unixpkgs.Signers) ([]dist.Target, error)) *ffcli.Comman
{
Name: "build",
Exec: func(ctx context.Context, args []string) error {
tgzSigner, err := parseSigningKey(buildArgs.tgzSigningKey)
if err != nil {
return err
}
targets, err := getTargets(unixpkgs.Signers{Tarball: tgzSigner})
targets, err := getTargets()
if err != nil {
return err
}
@ -70,7 +65,6 @@ func CLI(getTargets func(unixpkgs.Signers) ([]dist.Target, error)) *ffcli.Comman
fs := flag.NewFlagSet("build", flag.ExitOnError)
fs.StringVar(&buildArgs.manifest, "manifest", "", "manifest file to write")
fs.BoolVar(&buildArgs.verbose, "verbose", false, "verbose logging")
fs.StringVar(&buildArgs.tgzSigningKey, "tgz-signing-key", "", "path to private signing key for release tarballs")
fs.StringVar(&buildArgs.webClientRoot, "web-client-root", "", "path to root of web client source to build")
return fs
})(),
@ -147,7 +141,6 @@ func runList(ctx context.Context, filters []string, targets []dist.Target) error
var buildArgs struct {
manifest string
verbose bool
tgzSigningKey string
webClientRoot string
}

22
release/dist/dist.go vendored
View File

@ -8,6 +8,7 @@
"bytes"
"errors"
"fmt"
"io"
"log"
"os"
"os/exec"
@ -29,6 +30,27 @@ type Target interface {
Build(build *Build) ([]string, error)
}
// Signer is pluggable signer for a Target.
type Signer func(io.Reader) ([]byte, error)
// SignFile signs the file at filePath with s and writes the signature to
// sigPath.
func (s Signer) SignFile(filePath, sigPath string) error {
f, err := os.Open(filePath)
if err != nil {
return err
}
defer f.Close()
sig, err := s(f)
if err != nil {
return err
}
if err := f.Close(); err != nil {
return err
}
return os.WriteFile(sigPath, sig, 0644)
}
// A Build is a build context for Targets.
type Build struct {
// Repo is a path to the root Go module for the build.

View File

@ -25,6 +25,7 @@ type target struct {
dsmMajorVersion int
goenv map[string]string
packageCenter bool
signer dist.Signer
}
func (t *target) String() string {
@ -37,15 +38,10 @@ func (t *target) Build(b *dist.Build) ([]string, error) {
return nil, err
}
out, err := t.buildSPK(b, inner)
if err != nil {
return nil, err
return t.buildSPK(b, inner)
}
return []string{out}, nil
}
func (t *target) buildSPK(b *dist.Build, inner *innerPkg) (string, error) {
func (t *target) buildSPK(b *dist.Build, inner *innerPkg) ([]string, error) {
filename := fmt.Sprintf("tailscale-%s-%s-%d-dsm%d.spk", t.filenameArch, b.Version.Short, b.Version.Synology[t.dsmMajorVersion], t.dsmMajorVersion)
out := filepath.Join(b.Out, filename)
log.Printf("Building %s", filename)
@ -57,7 +53,7 @@ func (t *target) buildSPK(b *dist.Build, inner *innerPkg) (string, error) {
f, err := os.Create(out)
if err != nil {
return "", err
return nil, err
}
defer f.Close()
tw := tar.NewWriter(f)
@ -78,17 +74,27 @@ func (t *target) buildSPK(b *dist.Build, inner *innerPkg) (string, error) {
static("scripts/preupgrade", "scripts/preupgrade", 0644),
)
if err != nil {
return "", err
return nil, err
}
if err := tw.Close(); err != nil {
return "", err
return nil, err
}
if err := f.Close(); err != nil {
return "", err
return nil, err
}
return out, nil
files := []string{out}
if t.signer != nil {
outSig := out + ".sig"
if err := t.signer.SignFile(out, outSig); err != nil {
return nil, err
}
files = append(files, outSig)
}
return files, nil
}
func (t *target) mkInfo(b *dist.Build, uncompressedSz int64) []byte {

View File

@ -26,7 +26,7 @@
"monaco",
}
func Targets(forPackageCenter bool) []dist.Target {
func Targets(forPackageCenter bool, signer dist.Signer) []dist.Target {
var ret []dist.Target
for _, dsmVersion := range []int{6, 7} {
ret = append(ret,
@ -38,6 +38,7 @@ func Targets(forPackageCenter bool) []dist.Target {
"GOARCH": "amd64",
},
packageCenter: forPackageCenter,
signer: signer,
},
&target{
filenameArch: "i686",
@ -47,6 +48,7 @@ func Targets(forPackageCenter bool) []dist.Target {
"GOARCH": "386",
},
packageCenter: forPackageCenter,
signer: signer,
},
&target{
filenameArch: "armv8",
@ -56,6 +58,7 @@ func Targets(forPackageCenter bool) []dist.Target {
"GOARCH": "arm64",
},
packageCenter: forPackageCenter,
signer: signer,
})
// On older ARMv5 and ARMv7 platforms, synology used a whole
@ -71,6 +74,7 @@ func Targets(forPackageCenter bool) []dist.Target {
"GOARM": "5",
},
packageCenter: forPackageCenter,
signer: signer,
})
}
for _, v7Arch := range v7Models {
@ -83,6 +87,7 @@ func Targets(forPackageCenter bool) []dist.Target {
"GOARM": "7",
},
packageCenter: forPackageCenter,
signer: signer,
})
}
}

View File

@ -7,9 +7,6 @@
import (
"archive/tar"
"compress/gzip"
"crypto"
"crypto/rand"
"crypto/sha512"
"errors"
"fmt"
"io"
@ -26,7 +23,7 @@
type tgzTarget struct {
filenameArch string // arch to use in filename instead of deriving from goEnv["GOARCH"]
goEnv map[string]string
signer crypto.Signer
signer dist.Signer
}
func (t *tgzTarget) arch() string {
@ -73,11 +70,7 @@ func (t *tgzTarget) Build(b *dist.Build) ([]string, error) {
return nil, err
}
defer f.Close()
// Hash the final output we're writing to the file, after tar and gzip
// writers did their thing.
h := sha512.New()
hw := io.MultiWriter(f, h)
gw := gzip.NewWriter(hw)
gw := gzip.NewWriter(f)
defer gw.Close()
tw := tar.NewWriter(gw)
defer tw.Close()
@ -161,15 +154,11 @@ func (t *tgzTarget) Build(b *dist.Build) ([]string, error) {
files := []string{filename}
if t.signer != nil {
sig, err := t.signer.Sign(rand.Reader, h.Sum(nil), crypto.SHA512)
if err != nil {
outSig := out + ".sig"
if err := t.signer.SignFile(out, outSig); err != nil {
return nil, err
}
sigFilename := out + ".sig"
if err := os.WriteFile(sigFilename, sig, 0644); err != nil {
return nil, err
}
files = append(files, filename+".sig")
files = append(files, filepath.Base(outSig))
}
return files, nil
@ -291,7 +280,7 @@ func (t *debTarget) Build(b *dist.Build) ([]string, error) {
type rpmTarget struct {
goEnv map[string]string
signFn func(io.Reader) ([]byte, error)
signer dist.Signer
}
func (t *rpmTarget) os() string {
@ -387,7 +376,7 @@ func (t *rpmTarget) Build(b *dist.Build) ([]string, error) {
Group: "Network",
Signature: nfpm.RPMSignature{
PackageSignature: nfpm.PackageSignature{
SignFn: t.signFn,
SignFn: t.signer,
},
},
},

View File

@ -4,9 +4,7 @@
package unixpkgs
import (
"crypto"
"fmt"
"io"
"sort"
"strings"
@ -17,8 +15,8 @@
)
type Signers struct {
Tarball crypto.Signer
RPM func(io.Reader) ([]byte, error)
Tarball dist.Signer
RPM dist.Signer
}
func Targets(signers Signers) []dist.Target {
@ -49,7 +47,7 @@ func Targets(signers Signers) []dist.Target {
"GOOS": goos,
"GOARCH": goarch,
},
signFn: signers.RPM,
signer: signers.RPM,
})
}