
QNAP now requires builds to be signed with an HSM. This removes support for signing with a local keypair and adds support for signing with a Google Cloud hosted key. The key should be an RSA key with protection level `HSM` that uses PSS padding and a SHA256 digest. The GCloud project, keyring and key name are passed in as command-line arguments. The GCloud credentials and the PEM signing certificate are passed in as Base64-encoded command-line arguments. Updates tailscale/corp#23528 Signed-off-by: Percy Wegmann <percy@tailscale.com>
FROM ubuntu:24.04
|
|
|
|
RUN apt-get update -y && \
|
|
apt-get install -y --no-install-recommends \
|
|
git-core \
|
|
ca-certificates \
|
|
apt-transport-https \
|
|
gnupg \
|
|
curl \
|
|
patch
|
|
|
|
# Install QNAP QDK (force a specific version to pick up updates)
|
|
RUN git clone https://github.com/tailscale/QDK.git && cd /QDK && git reset --hard 9a31a67387c583d19a81a378dcf7c25e2abe231d
|
|
RUN cd /QDK && ./InstallToUbuntu.sh install
|
|
ENV PATH="/usr/share/QDK/bin:${PATH}"
|
|
|
|
# Install Google Cloud PKCS11 module
|
|
RUN curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
|
|
RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
|
|
RUN apt-get update -y && apt-get install -y --no-install-recommends google-cloud-cli libengine-pkcs11-openssl
|
|
RUN curl -L https://github.com/GoogleCloudPlatform/kms-integrations/releases/download/pkcs11-v1.6/libkmsp11-1.6-linux-amd64.tar.gz | tar xz
|