parent
c02cd20b4c
commit
2691c39fa2
GPG Key ID:
A7B62D657EF764F8
|
|
@ -36,7 +36,6 @@ jobs:
|
|||
topic: ${{ secrets.NTFY_TOPIC }}
|
||||
user: ${{ secrets.NTFY_USER }}
|
||||
password: ${{ secrets.NTFY_PASSWORD }}
|
||||
- run: echo "Build status is ${{ job.status }}."
|
||||
sign:
|
||||
runs-on: ubuntu-latest
|
||||
needs: build
|
||||
|
|
@ -54,22 +53,13 @@ jobs:
|
|||
pin: ${{ secrets.HSM_USER_PIN }}
|
||||
files: flexilib
|
||||
public_key: 'https://emil.lerch.org/serverpublic.pem'
|
||||
- run: echo "Signature URL is ${{ steps.sign.outputs.URL_0 }}"
|
||||
- name: Output signature URL
|
||||
run: echo "Signature URL is ${{ steps.sign.outputs.URL_0 }}"
|
||||
- name: Upload Artifact
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: signature
|
||||
path: ${{ steps.sign.outputs.SIG_0 }}
|
||||
# - run: |
|
||||
# echo "Source 0 should be ./bar: ${{ steps.sign.outputs.SOURCE_0 }}"
|
||||
# - run: |
|
||||
# echo "Signature 0 should be ./bar.sig: ${{ steps.sign.outputs.SIG_0 }}"
|
||||
# - run: echo "URL of bar (0) is ${{ steps.sign.outputs.URL_0 }}"
|
||||
# - run: |
|
||||
# echo "Source 1 should be ./foo: ${{ steps.sign.outputs.SOURCE_1 }}"
|
||||
# - run: |
|
||||
# echo "Signature 1 should be ./foo.sig: ${{ steps.sign.outputs.SIG_1 }}"
|
||||
# - run: echo "URL of foo (1) is ${{ steps.sign.outputs.URL_1 }}"
|
||||
- name: Notify
|
||||
uses: https://git.lerch.org/lobo/action-notify-ntfy@v2
|
||||
if: always()
|
||||
|
|
@ -78,7 +68,6 @@ jobs:
|
|||
topic: ${{ secrets.NTFY_TOPIC }}
|
||||
user: ${{ secrets.NTFY_USER }}
|
||||
password: ${{ secrets.NTFY_PASSWORD }}
|
||||
- run: echo "Sign status is ${{ job.status }}."
|
||||
deploy:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
|
|
@ -96,7 +85,6 @@ jobs:
|
|||
- name: Get short ref
|
||||
id: vars
|
||||
run: echo "shortsha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
|
||||
- run: "echo ${{ steps.vars.outputs.shortsha }}"
|
||||
-
|
||||
name: Login to Gitea
|
||||
uses: docker/login-action@v2
|
||||
|
|
@ -121,4 +109,3 @@ jobs:
|
|||
topic: ${{ secrets.NTFY_TOPIC }}
|
||||
user: ${{ secrets.NTFY_USER }}
|
||||
password: ${{ secrets.NTFY_PASSWORD }}
|
||||
- run: echo "Deploy status is ${{ job.status }}."
|
||||
|
|
|
|||
49
README.md
49
README.md
|
|
@ -23,6 +23,55 @@ This project provides slightly better development and performance characteristic
|
|||
if the library used is written in [zig](https://ziglang.org). An example zig-based
|
||||
library can be found in src/main-lib.zig.
|
||||
|
||||
Deployment
|
||||
----------
|
||||
|
||||
Gitea actions are configured to build, sign, and deploy the source code. Each
|
||||
successful build will generate an artifact, which can be found at
|
||||
[https://git.lerch.org/lobo/FlexiLib/actions](https://git.lerch.org/lobo/FlexiLib/actions).
|
||||
|
||||
Two artifacts will be available:
|
||||
|
||||
* The flexilib binary, compiled for linux x86_64 with GNU libc. GNU libc is
|
||||
necessary due to the dynamic loading involved, but otherwise it should be
|
||||
possible to use the binary as is on any glibc-based Linux distribution.
|
||||
* A signature file generated from the HSM-based signing process. This can be
|
||||
verified for authenticity against [sigstore](https://sigstore.dev/) public
|
||||
transparency log with [rekor](ihttps://github.com/sigstore/rekor).
|
||||
|
||||
Additionally, a docker container image will be build and uploaded using the
|
||||
tag `git.lerch.org/lobo/flexilib:<shortsha>`. For example, `docker pull git.lerch.org/lobo/flexilib:c02cd20`
|
||||
will get the docker container with flexilib from git commit `c02cd20`.
|
||||
|
||||
Signature Validation
|
||||
--------------------
|
||||
|
||||
To verify the build artifacts, you will need the rekor CLI and four additional
|
||||
things:
|
||||
|
||||
* The signature file stored as a build artifact
|
||||
* The flexilib executable, also from the build
|
||||
* A downloaded version of the [server public key](https://emil.lerch.org/serverpublic.pem).
|
||||
Theoretically rekor can take the URL at the command line, but this doesn't seem
|
||||
to work for me
|
||||
* The sigstore entry URL from the Sign job in the Gitea action
|
||||
|
||||
Once those four things are assembled, the following command will verify the
|
||||
executable matches the output from the build run at the time of the run:
|
||||
|
||||
`rekor verify --artifact flexilib --entry <entry url> --signature signature --pki-format x509 --public-key serverpublic.pem`
|
||||
|
||||
As an example, using output from [run 8](https://git.lerch.org/lobo/FlexiLib/actions/runs/8/jobs/1):
|
||||
|
||||
```sh
|
||||
rekor verify \
|
||||
--artifact flexilib \
|
||||
--entry https://rekor.sigstore.dev/api/v1/log/entries/73a64ca9cc712f9645bfe79ae104b101e3ef7022172f0bfc3aa34d4f45ca2af8 \
|
||||
--signature signature \
|
||||
--pki-format x509 \
|
||||
--public-key serverpublic.pem
|
||||
```
|
||||
|
||||
Architecture
|
||||
------------
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user