Clean up build/update readme
All checks were successful
Build / build (push) Successful in 1m16s
Build / sign (push) Successful in 34s
Build / deploy (push) Successful in 29s

Closes #1
This commit is contained in:
Emil Lerch 2023-07-29 19:49:33 -07:00
parent c02cd20b4c
commit 2691c39fa2
Signed by: lobo
GPG Key ID: A7B62D657EF764F8
2 changed files with 51 additions and 15 deletions

View File

@ -36,7 +36,6 @@ jobs:
topic: ${{ secrets.NTFY_TOPIC }} topic: ${{ secrets.NTFY_TOPIC }}
user: ${{ secrets.NTFY_USER }} user: ${{ secrets.NTFY_USER }}
password: ${{ secrets.NTFY_PASSWORD }} password: ${{ secrets.NTFY_PASSWORD }}
- run: echo "Build status is ${{ job.status }}."
sign: sign:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: build needs: build
@ -54,22 +53,13 @@ jobs:
pin: ${{ secrets.HSM_USER_PIN }} pin: ${{ secrets.HSM_USER_PIN }}
files: flexilib files: flexilib
public_key: 'https://emil.lerch.org/serverpublic.pem' public_key: 'https://emil.lerch.org/serverpublic.pem'
- run: echo "Signature URL is ${{ steps.sign.outputs.URL_0 }}" - name: Output signature URL
run: echo "Signature URL is ${{ steps.sign.outputs.URL_0 }}"
- name: Upload Artifact - name: Upload Artifact
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: signature name: signature
path: ${{ steps.sign.outputs.SIG_0 }} path: ${{ steps.sign.outputs.SIG_0 }}
# - run: |
# echo "Source 0 should be ./bar: ${{ steps.sign.outputs.SOURCE_0 }}"
# - run: |
# echo "Signature 0 should be ./bar.sig: ${{ steps.sign.outputs.SIG_0 }}"
# - run: echo "URL of bar (0) is ${{ steps.sign.outputs.URL_0 }}"
# - run: |
# echo "Source 1 should be ./foo: ${{ steps.sign.outputs.SOURCE_1 }}"
# - run: |
# echo "Signature 1 should be ./foo.sig: ${{ steps.sign.outputs.SIG_1 }}"
# - run: echo "URL of foo (1) is ${{ steps.sign.outputs.URL_1 }}"
- name: Notify - name: Notify
uses: https://git.lerch.org/lobo/action-notify-ntfy@v2 uses: https://git.lerch.org/lobo/action-notify-ntfy@v2
if: always() if: always()
@ -78,7 +68,6 @@ jobs:
topic: ${{ secrets.NTFY_TOPIC }} topic: ${{ secrets.NTFY_TOPIC }}
user: ${{ secrets.NTFY_USER }} user: ${{ secrets.NTFY_USER }}
password: ${{ secrets.NTFY_PASSWORD }} password: ${{ secrets.NTFY_PASSWORD }}
- run: echo "Sign status is ${{ job.status }}."
deploy: deploy:
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: container:
@ -96,7 +85,6 @@ jobs:
- name: Get short ref - name: Get short ref
id: vars id: vars
run: echo "shortsha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT run: echo "shortsha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
- run: "echo ${{ steps.vars.outputs.shortsha }}"
- -
name: Login to Gitea name: Login to Gitea
uses: docker/login-action@v2 uses: docker/login-action@v2
@ -121,4 +109,3 @@ jobs:
topic: ${{ secrets.NTFY_TOPIC }} topic: ${{ secrets.NTFY_TOPIC }}
user: ${{ secrets.NTFY_USER }} user: ${{ secrets.NTFY_USER }}
password: ${{ secrets.NTFY_PASSWORD }} password: ${{ secrets.NTFY_PASSWORD }}
- run: echo "Deploy status is ${{ job.status }}."

View File

@ -23,6 +23,55 @@ This project provides slightly better development and performance characteristic
if the library used is written in [zig](https://ziglang.org). An example zig-based if the library used is written in [zig](https://ziglang.org). An example zig-based
library can be found in src/main-lib.zig. library can be found in src/main-lib.zig.
Deployment
----------
Gitea actions are configured to build, sign, and deploy the source code. Each
successful build will generate an artifact, which can be found at
[https://git.lerch.org/lobo/FlexiLib/actions](https://git.lerch.org/lobo/FlexiLib/actions).
Two artifacts will be available:
* The flexilib binary, compiled for linux x86_64 with GNU libc. GNU libc is
necessary due to the dynamic loading involved, but otherwise it should be
possible to use the binary as is on any glibc-based Linux distribution.
* A signature file generated from the HSM-based signing process. This can be
verified for authenticity against [sigstore](https://sigstore.dev/) public
transparency log with [rekor](ihttps://github.com/sigstore/rekor).
Additionally, a docker container image will be build and uploaded using the
tag `git.lerch.org/lobo/flexilib:<shortsha>`. For example, `docker pull git.lerch.org/lobo/flexilib:c02cd20`
will get the docker container with flexilib from git commit `c02cd20`.
Signature Validation
--------------------
To verify the build artifacts, you will need the rekor CLI and four additional
things:
* The signature file stored as a build artifact
* The flexilib executable, also from the build
* A downloaded version of the [server public key](https://emil.lerch.org/serverpublic.pem).
Theoretically rekor can take the URL at the command line, but this doesn't seem
to work for me
* The sigstore entry URL from the Sign job in the Gitea action
Once those four things are assembled, the following command will verify the
executable matches the output from the build run at the time of the run:
`rekor verify --artifact flexilib --entry <entry url> --signature signature --pki-format x509 --public-key serverpublic.pem`
As an example, using output from [run 8](https://git.lerch.org/lobo/FlexiLib/actions/runs/8/jobs/1):
```sh
rekor verify \
--artifact flexilib \
--entry https://rekor.sigstore.dev/api/v1/log/entries/73a64ca9cc712f9645bfe79ae104b101e3ef7022172f0bfc3aa34d4f45ca2af8 \
--signature signature \
--pki-format x509 \
--public-key serverpublic.pem
```
Architecture Architecture
------------ ------------