Commit Graph

24 Commits

Author SHA1 Message Date
Anton Hvornum
28becbfc03 Ensured the correct CA key and CA certificate are used during signing process. It's been working based on default assumptions from the openssl configuration, but it's worth being explicit when doing these operations. Also removed a redundant -sha256 2023-12-07 12:00:47 +01:00
nl6720
60a38f0890
.gitlab/ci/build_archiso.sh: do not use "default" as the gpg Key-Type
GnuPG changed their default from RSA to ECC, so Key-Length is not
a thing it supports. Instead it asks for the Key-Curve.

Avoid using the default and hardcode ed25519 (which is the current
GnuPG default).
2023-12-07 10:39:20 +02:00
nl6720
8ddd08f51d
.gitlab/ci/build_archiso.sh: create a valid code signing certificate
Make sure the certificate has an extendedKeyUsage section with
codeSigning per the iPXE requirements.

Fixes #195
2023-08-02 16:06:49 +03:00
nl6720
279d3c0971
.gitlab/ci/build_archiso.sh: improve CI codesigning certificate
Adjust subject name to more closely match what's used in create_ephemeral_pgp_key.

Reduce the certificate validity to two days. These are just temporary
certificates, they will not be used anywhere.

Fixes #196
2023-08-02 16:04:35 +03:00
nl6720
28a3a54c5f
Fix optional shellcheck warnings
Additionally fix a few code style issues found with shfmt.
2023-06-15 15:12:28 +03:00
Anton Hvornum
326cfed7cc
Add the ability to generate rootfs signatures using openssl CMS module if `-c` is given.
(gitlab ci)

Added a CA structure to the codesigning certificates.
This is to test the functionality of an optional CA being in the signing message.

(mkarchiso)
Removed the ``sign_netboot_artifacts`` variable and instead
we'll now rely on ``if [[ -v cert_list ]]; then``.

Added ``ARCHISO_TLS_FD`` and ``ARCHISO_TLSCA_FD`` environment variables
to override the certificates used. This is so that third-party CAs can
be used during building in a meaningful way without disrupting the
CA trust that is shipped by default.

_cms_sign_artifact() was added which signs the rootfs using OpenSSL CMS.
The files will be saved as "${artifact}.cms.sig". That would be for instance
"${isofs_dir}/${install_dir}/${arch}/airootfs.sfs.cms.sig".
2022-09-25 19:54:41 +02:00
nl6720
3c6cdb1469
.gitlab/ci/build_archiso.sh: use mkarchiso's -G option
Set gpg's --sender.
2021-08-25 00:26:07 +03:00
David Runge
f48e9cda40
Remove build-host.sh
.gitlab/ci/build-host.sh:
Remove script, as it has been replaced by ci-scripts.
2021-07-01 15:08:25 +02:00
David Runge
e0514b1d2e
ci: Provide artifacts in top-level output dir
.gitlab/ci/build-inside-vm.sh:
Change the build script to provide the build artifacts and metrics in the top-level output directory.
This goes in line with the soon to be used ci-scripts, allowing code sharing amongst several projects.
2021-07-01 15:07:19 +02:00
David Runge
a44310b220
Rename build script
.gitlab/ci/build_archiso.sh:
Rename .gitlab/ci/build-inside-vm.sh to .gitlab/ci/build_archiso.sh.

.gitlab-ci.yml:
Rename BUILD_SCRIPT to build_archiso.sh.
2021-07-01 15:07:04 +02:00
David Runge
cde7296e6a
ci: Consolidate build-host script
.gitlab/ci/build-host.sh:
Change all script-local variables to lower-case and make some of them overridable using environment variables (by
providing defaults).
Break down overly long commands by splitting them into a list of strings.
Use local variables where possible.
Change `main()` to use rsync instead of cp to copy the project to the build location more generically.
Change `main()` to use rsync instead of cp to copy the build artifacts on the VM from the project's build directory to
the output.
Remove all unnecessary `function` keywords for function declarations.
Replace the dependency on libisoburn's `xorriso` with libarchive's `bsdtar` and util-linux's `blkid` in
`prepare_boot()`.
Add `print_section_start()` and `print_section_end()` to reduce code duplication and error potential when printing lines
for gitlab's collapsible sections (https://docs.gitlab.com/ee/ci/jobs/#custom-collapsible-sections).
Document the script's behavior and expectations.
Document the understood environment variables and add links to documentation on understood units (in case of size
units).
2021-05-13 18:32:10 +02:00
David Runge
8e44a8b72e
ci: consolidate build script
.gitlab/ci/build-inside-vm.sh:
Add `print_section_start()` and `print_section_end()` to remove code duplication when printing gitlab collapsible
sections (https://docs.gitlab.com/ee/ci/jobs/#custom-collapsible-sections).
Document further script dependencies.
Remove the temporary directory base (located in the project directory) instead of only the tempdir.
Simplify setting file and directory ownership when running with sudo, by only doing it once, recursively on the output
directory.
Make the script's output more verbose by using verbose flags for removal, ownership changes and zsyncmake actions and by
displaying e.g. created metrics and checksum files.
Change `create_metrics()` to output to a `metrics.txt` by default.
Change `create_checksums()` to create the checksums relative to the files.
2021-05-13 18:31:39 +02:00
David Runge
5630a23ba1
ci: build based on buildmodes
.gitlab/ci/build-inside-vm.sh:
Expand the script to allow building based on mkarchiso's buildmodes.
Accept two parameters now: profile and buildmode.

Add gitlab collapsible sections by adding specific printfs for it to all functions.
Add extglob to be able to more specifically target files.
Change `create_checksums()` to also generate the legacy md5 and sha1 checksums.
Change `create_checksums()` and `create_zsync_delta()` to accept and process an unspecified amount of files as
parameters.
Change `create_zsync_delta()` to lower the blocksize when creating a file for the bootstrap image.
Change `create_metrics()` to create metrics depending on build mode.
Rename `create_temp_pgp_key()` to `create_ephemeral_pgp_key()`.
Add `create_ephemeral_codesigning_key()` to create a codesigning key that is used to sign the netboot artifacts.
Change `run_mkarchiso()` to also create an ephemeral codesigning key before running mkarchiso and to run
`create_checksums()` and `create_zsync_delta()` with files depending on build mode.

.gitlab/ci/build-host.sh:
Call `build-inside-vm.sh` using the PROFILE and BUILDMODE environment variables as parameters.
2021-05-11 16:44:23 +02:00
David Runge
2a07aa2f24
Increase timeout for initial prompt in build VM
.gitlab/ci/build-host.sh:
Increase the allowed timeout for reaching the initial prompt in the build VM from 30 to 60 seconds.

Fixes #129
2021-05-06 10:57:18 +02:00
David Runge
c58b44f016
Use QEMU 6.x options
.gitlab/ci/build-host.sh:
Change parameters to qemu's `-drive` option to make use of the explicit `read-only=on`, as the implicit `read-only` is
now obsolete.
2021-05-06 01:37:51 +02:00
David Runge
73e3ccdb59
Add ephemeral signing key to CI setup
.gitlab/ci/build-inside-vm.sh:
Create an ephemeral signing key for signing the rootfs image (e.g. squashfs or erofs) when building the profiles.

Implements #125
2021-05-01 16:22:02 +02:00
nl6720
0ed1c61f1f
Add package count, El Torito EFI image size and initramfs image sizes to GitLab metrics
Metrics are now collected in build-inside-vm.sh since the files in question are in the work directory.

Implements #101 and #111.
2021-04-30 19:44:37 +03:00
David Runge
bde3971991
Fix shellcheck complaints in CI scripts
.gitlab/ci/build-host.sh:
Change the readonly TMPDIR variable to a global tmpdir variable and set it in the `init()` function.

.gitlab/ci/build-inside-vm.sh:
Change assigning the readonly tmpdir variable directly to assigning it after declaring it.
Change `cleanup()` and `create_zsync_delta()` to use bash-style statements and also check whether SUDO_GID is set before
using it.
2021-04-30 17:51:27 +02:00
nl6720
8050fa4797
.gitlab/ci/build-host.sh: install erofs-utils
Allow building ISOs with EROFS airootfs images in CI.
2021-03-26 00:45:30 +02:00
nl6720
e847c4ad75
.gitlab/ci/build-host.sh: Do not upgrade packages with files in /usr/lib/modules/
Packages with files in /usr/lib/modules/ depend on the current kernel, thus they should not be updated.
2021-03-21 16:04:39 +02:00
nl6720
c241285c5f
.gitlab/ci/build-host.sh: increase mksquashfs timeout to 40 minutes
Some mksquashfs runs take a very long time and 1000 seconds might not be enough.
2021-03-14 20:20:46 +02:00
Jonathon Fernyhough
f502b56ec2 Create zsync control file for delta downloads 2021-03-14 17:42:54 +00:00
David Runge
b588c52665
build-host.sh: Style and syntax fixes
.gitlab/ci/build-host.sh:
Set shebang to /usr/bin/env bash to be more portable/flexible.
Turn all posix statements ([]) to bash style statements ([[]]), as we are using bash.
Terminate the list of parameters to rm or cp with --.

Replace the implementation of finding a local ISO to use with one that relies on a sorted list of potential images.

Use virtio-net-pci for networking with qemu.
Set the cow_spacesize to 4G for the archiso environment.

Use --needed in the call to pacman to not re-install already up-to-date targets.
Attempt a full system upgrade (but ignore the kernel).
Increase the timeout for when installing packages to the archiso environment using pacman to 120s, as a system upgrade
is being done as well.

Use systemctl poweroff -i to shut down the virtual machine as it is more future proof and robust.
2021-01-31 23:46:51 +01:00
David Runge
07239499a6
Add scripts for continuous integration
.gitlab/ci/build-host.sh:
Add script to be run in a container with access to qemu.
It is a slight modification of arch-boxes' build-host.sh script to cater to the specific archiso requirements.

.gitlab/ci/build-inside-vm.sh:
Add script to be run in virtualized environment, established by build-host.sh.
This script builds the actual archiso profiles and creates checksums for the resulting image files.
2021-01-31 16:23:04 +01:00