Partially reverts 1bd3edbb46 (but keeps part of it)
iptables is almost always required but not strictly needed. Even if
you can technically run Tailscale without it (by manually configuring
nftables or userspace mode), we still now mark this as "Depends"
because our previous experiment in
https://github.com/tailscale/tailscale/issues/9236 of making it only
Recommends caused too many problems. Until our nftables table is more
mature, we'd rather err on the side of wasting a little disk by
including iptables for people who might not need it rather than
handle reports of it being missing.
Updates #9236
Change-Id: I86cc8aa3f78dafa0b4b729f55fb82eef6066be1c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
We're going to need to build a DLL containing custom actions for the installer.
This patch adds the foundations of that capability to dist and gocross.
Updates https://github.com/tailscale/corp/issues/13998
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
We already had a path on the web client server struct, but hadn't
plumbed it through to the CLI. Add that now and use it for Synology and
QNAP instead of hard-coding the path. (Adding flag for QNAP is
tailscale/tailscale-qpkg#112) This will allow supporting other
environments (like unraid) without additional changes to the client/web
package.
Also fix a small bug in unraid handling to only include the csrf token
on POST requests.
Updates tailscale/corp#13775
Signed-off-by: Will Norris <will@tailscale.com>
This uses the new react-based web client for all builds, not just with
the --dev flag.
If the web client assets have not been built, the client will serve a
message that Tailscale was built without the web client, and link to
build instructions. Because we will include the web client in all of our
builds, this should only be seen by developers or users building from
source. (And eventually this will be replaced by attempting to download
needed assets as runtime.)
We do now checkin the build/index.html file, which serves the error
message when assets are unavailable. This will also eventually be used
to trigger in CI when new assets should be built and uploaded to a
well-known location.
Updates tailscale/corp#13775
Signed-off-by: Will Norris <will@tailscale.com>
Helper command to verify package signatures, mainly for debugging.
Also fix a copy-paste mistake in error message in distsign.
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
We pass the file as an io.Reader to http.Post under the hood as request
body. Post, helpfully, detects that the body is an io.Closer and closes
it. So when we try to explicitly close it again, we get "file already
closed" error.
The Close there is not load-bearing, we have a defer for it anyway.
Remove the explicit close and error check.
Updates #cleanup
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Add `dist.Signer` hook which can arbitrarily sign linux/synology
artifacts. Plumb it through in `cmd/dist` and remove existing tarball
signing key. Distsign signing will happen on a remote machine, not using
a local key.
Updates #755
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Now we have all the commands to generate the key hierarchy and verify
that signing keys were signed correctly:
```
$ ./tool/go run ./cmd/dist gen-key --priv-path root-priv.pem --pub-path root-pub.pem --root
wrote private key to root-priv.pem
wrote public key to root-pub.pem
$ ./tool/go run ./cmd/dist gen-key --priv-path signing-priv.pem --pub-path signing-pub.pem --signing
wrote private key to signing-priv.pem
wrote public key to signing-pub.pem
$ ./tool/go run ./cmd/dist sign-key --root-priv-path root-priv.pem --sign-pub-path signing-pub.pem
wrote signature to signature.bin
$ ./tool/go run ./cmd/dist verify-key-signature --root-pub-path root-pub.pem --sign-pub-path signing-pub.pem --sig-path signature.bin
signature ok
```
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
To make key management less error-prone, use different PEM block types
for root and signing keys. As a result, separate out most of the Go code
between root/signing keys too.
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Add a new subcommand to generate a Ed25519 key pair for release signing.
The same command can be used to generate both root and signing keys.
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This builds the assets for the new web client as part of our release
process. The path to the web client source is specified by the
-web-client-root flag. This allows corp builds to first vendor the
tailscale.com module, and then build the web client assets in the vendor
directory.
The default value for the -web-client-root flag is empty, so no assets
are built by default.
This is an update of the previously reverted 0fb95ec
Updates tailscale/corp#13775
Signed-off-by: Will Norris <will@tailscale.com>
This caused breakages on the build server:
synology/dsm7/x86_64: chdir /home/ubuntu/builds/2023-08-21T21-47-38Z-unstable-main-tagged-devices/0/client/web: no such file or directory
synology/dsm7/i686: chdir /home/ubuntu/builds/2023-08-21T21-47-38Z-unstable-main-tagged-devices/0/client/web: no such file or directory
synology/dsm7/armv8: chdir /home/ubuntu/builds/2023-08-21T21-47-38Z-unstable-main-tagged-devices/0/client/web: no such file or directory
...
Reverting while I investigate.
This reverts commit 0fb95ec07d.
Signed-off-by: Will Norris <will@tailscale.com>
This builds the assets for the new web client as part of our release
process. These assets will soon be embedded into the cmd/tailscale
binary, but are not actually done so yet.
Updates tailscale/corp#13775
Signed-off-by: Will Norris <will@tailscale.com>
Plumb a signing callback function to `unixpkgs.rpmTarget` to allow
signing RPMs. This callback is optional and RPMs will build unsigned if
not set, just as before.
Updates https://github.com/tailscale/tailscale/issues/1882
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Upgrade the nfpm package to the latest version to pick up
24a43c5ad7.
The upgrade is from v0 to v2, so there was some breakage to fix.
Generated packages should have the same contents as before.
Updates https://github.com/tailscale/tailscale/issues/1882
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Pass an optional PEM-encoded ECDSA key to `cmd/dist` to sign all built
tarballs. The signature is stored next to the tarball with a `.sig`
extension.
Tested this with an `openssl`-generated key pair and verified the
resulting signature.
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
As far as I can tell from the DSM documentation and known undocumented
fields, there is no 'version' field in this config file that DSM cares
about.
Updates #8232
Signed-off-by: David Anderson <danderson@tailscale.com>
This platform is technically an armv7, but has no hardware floating
point unit. armv5 is the only target Go understands to lack floating
point, so use that.
Updates #6860
Signed-off-by: David Anderson <danderson@tailscale.com>
Some builders return absolute paths to build products already. When that
happens, the manifest writing logic shouldn't tack on another absolute
prefix.
Signed-off-by: David Anderson <danderson@tailscale.com>
By default, cmd/dist only prints the output of failed commands.
With this, you can turn all the noisy output back on.
Updates tailscale/corp#9045
Signed-off-by: David Anderson <danderson@tailscale.com>
The helper suppresses output if the command runs successfully. If the
command fails, it dumps the buffered output to stdout before returning
the error. This means the happy path isn't swamped by debug noise or
xcode being intensely verbose about what kind of day it's having,
but you still get debug output when something goes wrong.
Updates tailscale/corp#9045
Signed-off-by: David Anderson <danderson@tailscale.com>