mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-25 19:15:34 +00:00
cmd/dist,release/dist: add distsign signing hooks (#9070)
Add `dist.Signer` hook which can arbitrarily sign linux/synology artifacts. Plumb it through in `cmd/dist` and remove existing tarball signing key. Distsign signing will happen on a remote machine, not using a local key. Updates #755 Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This commit is contained in:
parent
dc8287ab3b
commit
b42c4e2da1
6
cmd/dist/dist.go
vendored
6
cmd/dist/dist.go
vendored
@ -19,10 +19,10 @@
|
||||
|
||||
var synologyPackageCenter bool
|
||||
|
||||
func getTargets(signers unixpkgs.Signers) ([]dist.Target, error) {
|
||||
func getTargets() ([]dist.Target, error) {
|
||||
var ret []dist.Target
|
||||
|
||||
ret = append(ret, unixpkgs.Targets(signers)...)
|
||||
ret = append(ret, unixpkgs.Targets(unixpkgs.Signers{})...)
|
||||
// Synology packages can be built either for sideloading, or for
|
||||
// distribution by Synology in their package center. When
|
||||
// distributed through the package center, apps can request
|
||||
@ -33,7 +33,7 @@ func getTargets(signers unixpkgs.Signers) ([]dist.Target, error) {
|
||||
// Since only we can provide packages to Synology for
|
||||
// distribution, we default to building the "sideload" variant of
|
||||
// packages that we distribute on pkgs.tailscale.com.
|
||||
ret = append(ret, synology.Targets(synologyPackageCenter)...)
|
||||
ret = append(ret, synology.Targets(synologyPackageCenter, nil)...)
|
||||
return ret, nil
|
||||
}
|
||||
|
||||
|
13
release/dist/cli/cli.go
vendored
13
release/dist/cli/cli.go
vendored
@ -20,7 +20,6 @@
|
||||
"github.com/peterbourgon/ff/v3/ffcli"
|
||||
"tailscale.com/clientupdate/distsign"
|
||||
"tailscale.com/release/dist"
|
||||
"tailscale.com/release/dist/unixpkgs"
|
||||
)
|
||||
|
||||
// CLI returns a CLI root command to build release packages.
|
||||
@ -28,7 +27,7 @@
|
||||
// getTargets is a function that gets run in the Exec function of commands that
|
||||
// need to know the target list. Its execution is deferred in this way to allow
|
||||
// customization of command FlagSets with flags that influence the target list.
|
||||
func CLI(getTargets func(unixpkgs.Signers) ([]dist.Target, error)) *ffcli.Command {
|
||||
func CLI(getTargets func() ([]dist.Target, error)) *ffcli.Command {
|
||||
return &ffcli.Command{
|
||||
Name: "dist",
|
||||
ShortUsage: "dist [flags] <command> [command flags]",
|
||||
@ -38,7 +37,7 @@ func CLI(getTargets func(unixpkgs.Signers) ([]dist.Target, error)) *ffcli.Comman
|
||||
{
|
||||
Name: "list",
|
||||
Exec: func(ctx context.Context, args []string) error {
|
||||
targets, err := getTargets(unixpkgs.Signers{})
|
||||
targets, err := getTargets()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -54,11 +53,7 @@ func CLI(getTargets func(unixpkgs.Signers) ([]dist.Target, error)) *ffcli.Comman
|
||||
{
|
||||
Name: "build",
|
||||
Exec: func(ctx context.Context, args []string) error {
|
||||
tgzSigner, err := parseSigningKey(buildArgs.tgzSigningKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
targets, err := getTargets(unixpkgs.Signers{Tarball: tgzSigner})
|
||||
targets, err := getTargets()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -70,7 +65,6 @@ func CLI(getTargets func(unixpkgs.Signers) ([]dist.Target, error)) *ffcli.Comman
|
||||
fs := flag.NewFlagSet("build", flag.ExitOnError)
|
||||
fs.StringVar(&buildArgs.manifest, "manifest", "", "manifest file to write")
|
||||
fs.BoolVar(&buildArgs.verbose, "verbose", false, "verbose logging")
|
||||
fs.StringVar(&buildArgs.tgzSigningKey, "tgz-signing-key", "", "path to private signing key for release tarballs")
|
||||
fs.StringVar(&buildArgs.webClientRoot, "web-client-root", "", "path to root of web client source to build")
|
||||
return fs
|
||||
})(),
|
||||
@ -147,7 +141,6 @@ func runList(ctx context.Context, filters []string, targets []dist.Target) error
|
||||
var buildArgs struct {
|
||||
manifest string
|
||||
verbose bool
|
||||
tgzSigningKey string
|
||||
webClientRoot string
|
||||
}
|
||||
|
||||
|
22
release/dist/dist.go
vendored
22
release/dist/dist.go
vendored
@ -8,6 +8,7 @@
|
||||
"bytes"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
"os"
|
||||
"os/exec"
|
||||
@ -29,6 +30,27 @@ type Target interface {
|
||||
Build(build *Build) ([]string, error)
|
||||
}
|
||||
|
||||
// Signer is pluggable signer for a Target.
|
||||
type Signer func(io.Reader) ([]byte, error)
|
||||
|
||||
// SignFile signs the file at filePath with s and writes the signature to
|
||||
// sigPath.
|
||||
func (s Signer) SignFile(filePath, sigPath string) error {
|
||||
f, err := os.Open(filePath)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer f.Close()
|
||||
sig, err := s(f)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := f.Close(); err != nil {
|
||||
return err
|
||||
}
|
||||
return os.WriteFile(sigPath, sig, 0644)
|
||||
}
|
||||
|
||||
// A Build is a build context for Targets.
|
||||
type Build struct {
|
||||
// Repo is a path to the root Go module for the build.
|
||||
|
30
release/dist/synology/pkgs.go
vendored
30
release/dist/synology/pkgs.go
vendored
@ -25,6 +25,7 @@ type target struct {
|
||||
dsmMajorVersion int
|
||||
goenv map[string]string
|
||||
packageCenter bool
|
||||
signer dist.Signer
|
||||
}
|
||||
|
||||
func (t *target) String() string {
|
||||
@ -37,15 +38,10 @@ func (t *target) Build(b *dist.Build) ([]string, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
out, err := t.buildSPK(b, inner)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return t.buildSPK(b, inner)
|
||||
}
|
||||
|
||||
return []string{out}, nil
|
||||
}
|
||||
|
||||
func (t *target) buildSPK(b *dist.Build, inner *innerPkg) (string, error) {
|
||||
func (t *target) buildSPK(b *dist.Build, inner *innerPkg) ([]string, error) {
|
||||
filename := fmt.Sprintf("tailscale-%s-%s-%d-dsm%d.spk", t.filenameArch, b.Version.Short, b.Version.Synology[t.dsmMajorVersion], t.dsmMajorVersion)
|
||||
out := filepath.Join(b.Out, filename)
|
||||
log.Printf("Building %s", filename)
|
||||
@ -57,7 +53,7 @@ func (t *target) buildSPK(b *dist.Build, inner *innerPkg) (string, error) {
|
||||
|
||||
f, err := os.Create(out)
|
||||
if err != nil {
|
||||
return "", err
|
||||
return nil, err
|
||||
}
|
||||
defer f.Close()
|
||||
tw := tar.NewWriter(f)
|
||||
@ -78,17 +74,27 @@ func (t *target) buildSPK(b *dist.Build, inner *innerPkg) (string, error) {
|
||||
static("scripts/preupgrade", "scripts/preupgrade", 0644),
|
||||
)
|
||||
if err != nil {
|
||||
return "", err
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if err := tw.Close(); err != nil {
|
||||
return "", err
|
||||
return nil, err
|
||||
}
|
||||
if err := f.Close(); err != nil {
|
||||
return "", err
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return out, nil
|
||||
files := []string{out}
|
||||
|
||||
if t.signer != nil {
|
||||
outSig := out + ".sig"
|
||||
if err := t.signer.SignFile(out, outSig); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
files = append(files, outSig)
|
||||
}
|
||||
|
||||
return files, nil
|
||||
}
|
||||
|
||||
func (t *target) mkInfo(b *dist.Build, uncompressedSz int64) []byte {
|
||||
|
7
release/dist/synology/targets.go
vendored
7
release/dist/synology/targets.go
vendored
@ -26,7 +26,7 @@
|
||||
"monaco",
|
||||
}
|
||||
|
||||
func Targets(forPackageCenter bool) []dist.Target {
|
||||
func Targets(forPackageCenter bool, signer dist.Signer) []dist.Target {
|
||||
var ret []dist.Target
|
||||
for _, dsmVersion := range []int{6, 7} {
|
||||
ret = append(ret,
|
||||
@ -38,6 +38,7 @@ func Targets(forPackageCenter bool) []dist.Target {
|
||||
"GOARCH": "amd64",
|
||||
},
|
||||
packageCenter: forPackageCenter,
|
||||
signer: signer,
|
||||
},
|
||||
&target{
|
||||
filenameArch: "i686",
|
||||
@ -47,6 +48,7 @@ func Targets(forPackageCenter bool) []dist.Target {
|
||||
"GOARCH": "386",
|
||||
},
|
||||
packageCenter: forPackageCenter,
|
||||
signer: signer,
|
||||
},
|
||||
&target{
|
||||
filenameArch: "armv8",
|
||||
@ -56,6 +58,7 @@ func Targets(forPackageCenter bool) []dist.Target {
|
||||
"GOARCH": "arm64",
|
||||
},
|
||||
packageCenter: forPackageCenter,
|
||||
signer: signer,
|
||||
})
|
||||
|
||||
// On older ARMv5 and ARMv7 platforms, synology used a whole
|
||||
@ -71,6 +74,7 @@ func Targets(forPackageCenter bool) []dist.Target {
|
||||
"GOARM": "5",
|
||||
},
|
||||
packageCenter: forPackageCenter,
|
||||
signer: signer,
|
||||
})
|
||||
}
|
||||
for _, v7Arch := range v7Models {
|
||||
@ -83,6 +87,7 @@ func Targets(forPackageCenter bool) []dist.Target {
|
||||
"GOARM": "7",
|
||||
},
|
||||
packageCenter: forPackageCenter,
|
||||
signer: signer,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
25
release/dist/unixpkgs/pkgs.go
vendored
25
release/dist/unixpkgs/pkgs.go
vendored
@ -7,9 +7,6 @@
|
||||
import (
|
||||
"archive/tar"
|
||||
"compress/gzip"
|
||||
"crypto"
|
||||
"crypto/rand"
|
||||
"crypto/sha512"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
@ -26,7 +23,7 @@
|
||||
type tgzTarget struct {
|
||||
filenameArch string // arch to use in filename instead of deriving from goEnv["GOARCH"]
|
||||
goEnv map[string]string
|
||||
signer crypto.Signer
|
||||
signer dist.Signer
|
||||
}
|
||||
|
||||
func (t *tgzTarget) arch() string {
|
||||
@ -73,11 +70,7 @@ func (t *tgzTarget) Build(b *dist.Build) ([]string, error) {
|
||||
return nil, err
|
||||
}
|
||||
defer f.Close()
|
||||
// Hash the final output we're writing to the file, after tar and gzip
|
||||
// writers did their thing.
|
||||
h := sha512.New()
|
||||
hw := io.MultiWriter(f, h)
|
||||
gw := gzip.NewWriter(hw)
|
||||
gw := gzip.NewWriter(f)
|
||||
defer gw.Close()
|
||||
tw := tar.NewWriter(gw)
|
||||
defer tw.Close()
|
||||
@ -161,15 +154,11 @@ func (t *tgzTarget) Build(b *dist.Build) ([]string, error) {
|
||||
files := []string{filename}
|
||||
|
||||
if t.signer != nil {
|
||||
sig, err := t.signer.Sign(rand.Reader, h.Sum(nil), crypto.SHA512)
|
||||
if err != nil {
|
||||
outSig := out + ".sig"
|
||||
if err := t.signer.SignFile(out, outSig); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
sigFilename := out + ".sig"
|
||||
if err := os.WriteFile(sigFilename, sig, 0644); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
files = append(files, filename+".sig")
|
||||
files = append(files, filepath.Base(outSig))
|
||||
}
|
||||
|
||||
return files, nil
|
||||
@ -291,7 +280,7 @@ func (t *debTarget) Build(b *dist.Build) ([]string, error) {
|
||||
|
||||
type rpmTarget struct {
|
||||
goEnv map[string]string
|
||||
signFn func(io.Reader) ([]byte, error)
|
||||
signer dist.Signer
|
||||
}
|
||||
|
||||
func (t *rpmTarget) os() string {
|
||||
@ -387,7 +376,7 @@ func (t *rpmTarget) Build(b *dist.Build) ([]string, error) {
|
||||
Group: "Network",
|
||||
Signature: nfpm.RPMSignature{
|
||||
PackageSignature: nfpm.PackageSignature{
|
||||
SignFn: t.signFn,
|
||||
SignFn: t.signer,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
8
release/dist/unixpkgs/targets.go
vendored
8
release/dist/unixpkgs/targets.go
vendored
@ -4,9 +4,7 @@
|
||||
package unixpkgs
|
||||
|
||||
import (
|
||||
"crypto"
|
||||
"fmt"
|
||||
"io"
|
||||
"sort"
|
||||
"strings"
|
||||
|
||||
@ -17,8 +15,8 @@
|
||||
)
|
||||
|
||||
type Signers struct {
|
||||
Tarball crypto.Signer
|
||||
RPM func(io.Reader) ([]byte, error)
|
||||
Tarball dist.Signer
|
||||
RPM dist.Signer
|
||||
}
|
||||
|
||||
func Targets(signers Signers) []dist.Target {
|
||||
@ -49,7 +47,7 @@ func Targets(signers Signers) []dist.Target {
|
||||
"GOOS": goos,
|
||||
"GOARCH": goarch,
|
||||
},
|
||||
signFn: signers.RPM,
|
||||
signer: signers.RPM,
|
||||
})
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user