From d627e788f8036ed6f68150a45ec8a0ee77baca54 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Mon, 7 Oct 2024 18:48:16 -0700
Subject: [PATCH 01/20] feat: add repros support
---
 .repros/config.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 .repros/config.yml
diff --git a/.repros/config.yml b/.repros/config.yml
new file mode 100644
index 00000000..e89fdd1a
--- /dev/null
+++ b/.repros/config.yml
@@ -0,0 +1,11 @@
+build:
+ command: make
+sign:
+ file: out/manifest.txt
+ format: raw
+ method: ssh
+ backing: tpm
+storage:
+ method: git
+ location: self
+ path: .repros/sigs/
From 9526c8a3916f3cb1c45c313a51d133a138c59f5c Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Wed, 16 Oct 2024 20:16:53 -0700
Subject: [PATCH 02/20] test
From ca1aafa45c9ccac977cfc0b22054fe4540869886 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Wed, 16 Oct 2024 20:25:59 -0700
Subject: [PATCH 03/20] test
From 276b96b9cce46e7aa50394a84b098fe76ae16e72 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Fri, 18 Oct 2024 02:26:36 -0700
Subject: [PATCH 04/20] feat: add digests target
---
 .repros/config.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.repros/config.yml b/.repros/config.yml
index e89fdd1a..c7ca3668 100644
--- a/.repros/config.yml
+++ b/.repros/config.yml
@@ -7,5 +7,5 @@ sign:
 backing: tpm
 storage:
 method: git
- location: self
- path: .repros/sigs/
+ location: git@github.com:tkhq/repros-sigs.git
+ path: /qos
From 038accb721be79786671715719cc9014e1f93699 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Thu, 24 Oct 2024 03:21:38 -0700
Subject: [PATCH 05/20] feat: initial repros support
---
 .repros/config.yml | 2 +-
 Makefile | 8 +++++++-
 src/macros.mk | 12 ++++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/.repros/config.yml b/.repros/config.yml
index c7ca3668..75051edf 100644
--- a/.repros/config.yml
+++ b/.repros/config.yml
@@ -1,7 +1,7 @@
 build:
 command: make
 sign:
- file: out/manifest.txt
+ file: out/digests.txt
 format: raw
 method: ssh
 backing: tpm
diff --git a/Makefile b/Makefile
index 91e4dac9..0d11badd 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,10 @@ include src/macros.mk
 REGISTRY := local
 .DEFAULT_GOAL :=
 .PHONY: default
-default: \
+default: out/digests.txt
+
+.PHONY: all
+all: \
 out/qos_client/index.json \
 out/qos_host/index.json \
 out/qos_enclave/index.json
@@ -39,6 +42,9 @@ shell: out/.common-loaded
 qos-local/common:latest \
 /bin/bash
+out/digests.txt: all
+ @$(call digests) > $@
+
 out/nitro.pcrs: out/qos_enclave.tar
 @$(call run,/src/scripts/extract_oci_file.sh qos_enclave.tar nitro.pcrs)
diff --git a/src/macros.mk b/src/macros.mk
index 5bd31ce1..1566866c 100644
--- a/src/macros.mk
+++ b/src/macros.mk
@@ -13,6 +13,18 @@ define run
 /bin/sh -c "set -eu; $(1)"
 endef
+define digests
+ find out -iname "index.json" \
+ | awk -F/ '{print $$2}' \
+ | sort \
+ | while IFS= read -r package; do \
+ jq \
+ -jr '.manifests[].digest | sub ("sha256:";"")' \
+ out/$${package}/index.json; \
+ printf " %s\n" "$${package}"; \
+ done
+endef
+
 define build_context
 $$( \
 self=$(1); \
From 7e192487652a0085f50085a8f7e7febec6620846 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Mon, 28 Oct 2024 16:48:02 -0700
Subject: [PATCH 06/20] github actions runner
---
 .github/workflows/artifacts.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index 3d848e6c..343f5d6b 100644
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
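Review bot: The `digests` macro produces the file that `.repros/config.yml` now signs, yet nothing in it fails when `find out -iname "index.json"` matches nothing or when `jq` errors on one index, and the recipe is invoked as `@$(call digests) > $@` in make's default shell rather than through `run`'s `set -eu`, so an incomplete build can yield a short or empty `out/digests.txt` that is then signed as if it were the full set. `jq -j` also joins the digests of a multi-manifest index with no separator, which makes the signed line ambiguous once an index lists more than one manifest. Consider prefixing the pipeline with `set -eu;` (and pipefail where the shell supports it), erroring if the package list is empty, and emitting one `<digest> <package>` pair per manifest with `-r` instead of `-j`. The `out/digests.txt: all` rule in the Makefile hunk depends on the same macro.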
@@ -25,3 +25,29 @@ jobs:
 shell: 'script -q -e -c "bash {0}"'
 run: |
 make -j$(nproc)
+ reproduce:
+ name: reproduce artifacts
+ runs-on:
+ group: ubuntu-runners
+ strategy:
+ matrix:
+ host: [144.76.154.76]
+ steps:
+ - name: Checkout sources
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Run `make`
+ shell: 'script -q -e -c "bash {0}"'
+ run: |
+ mkdir -p ~/.ssh/
+ echo "$REPROS_KEY" > ~/.ssh/repros.key
+ cat >>~/.ssh/config <<-END
+ Host lance-repros
+ HostName ${{matrix.host}}
+ User git
+ IdentityFile ~/.ssh/repros.key
+ StrictHostKeyChecking no
+ END
+ git remote add repros-lance git@${{matrix.host}}:qos
+ git push repros-lance HEAD
+ env:
+ REPROS_KEY: $${{ secrets.REPROS_KEY }}
From 82127f4cee23ca8b9c5b046a68c3884954be2723 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Mon, 28 Oct 2024 17:31:05 -0700
Subject: [PATCH 07/20] test
From 8b2049dc563d46edcce9fba3f4739771e9564c5e Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Tue, 29 Oct 2024 01:36:39 -0700
Subject: [PATCH 08/20] use keyscan for repros host in github actions
---
 .github/workflows/artifacts.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index 343f5d6b..23baf3b9 100644
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
@@ -47,6 +47,7 @@ jobs:
 IdentityFile ~/.ssh/repros.key
 StrictHostKeyChecking no
 END
+ ssh-keyscan -H ${{matrix.host}} >> ~/.ssh/known_hosts
 git remote add repros-lance git@${{matrix.host}}:qos
 git push repros-lance HEAD
 env:
From 4165851cf5513c7f9868b23d70e7b29ee2735ed5 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Tue, 29 Oct 2024 01:39:22 -0700
Subject: [PATCH 09/20] sanity check ssh keyfile
---
 .github/workflows/artifacts.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index 23baf3b9..b22585a3 100644
--- a/.github/workflows/artifacts.yml
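Review bot: `StrictHostKeyChecking no` in the generated ssh config means the push of the checked-out tree, authenticated with the `REPROS_KEY` private key, is sent to whichever server answers at `144.76.154.76` without host-key verification, and the `ssh-keyscan -H ${{matrix.host}} >> ~/.ssh/known_hosts` line added in patch 08 only records whatever key that host presents at run time, so neither step pins the server. Since the address is fixed, keep its public host key as a secret or in the repo, write that into `~/.ssh/known_hosts`, and drop `StrictHostKeyChecking no`. Separately, the remote URL `git@${{matrix.host}}:qos` does not go through the `lance-repros` alias, so ssh matches the `Host` block against the raw IP and neither `IdentityFile` nor the `StrictHostKeyChecking` setting applies to the push; `git remote add repros-lance lance-repros:qos` would make the config take effect, and the `ssh-add` workaround introduced in patch 19 looks like a symptom of this same mismatch, though that is inferred.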
+++ b/.github/workflows/artifacts.yml
@@ -40,6 +40,7 @@ jobs:
 run: |
 mkdir -p ~/.ssh/
 echo "$REPROS_KEY" > ~/.ssh/repros.key
+ sha256sum ~/.ssh/repros.key
 cat >>~/.ssh/config <<-END
 Host lance-repros
 HostName ${{matrix.host}}
From 1e140baa2eb489b42f7d5eb06f2e33aca060d8a4 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Tue, 29 Oct 2024 01:42:44 -0700
Subject: [PATCH 10/20] sanity check ssh keyfile
---
 .github/workflows/artifacts.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index b22585a3..f4f21acc 100644
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
@@ -40,7 +40,8 @@ jobs:
 run: |
 mkdir -p ~/.ssh/
 echo "$REPROS_KEY" > ~/.ssh/repros.key
- sha256sum ~/.ssh/repros.key
+ echo "Using key: ~/.ssh/repros.key"
+ ssh-keygen -l -f "~/.ssh/repros.key"
 cat >>~/.ssh/config <<-END
 Host lance-repros
 HostName ${{matrix.host}}
From 8b41e1f27b356222a9b3d2553b1aa56d5fc08789 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Tue, 29 Oct 2024 01:44:21 -0700
Subject: [PATCH 11/20] sanity check ssh keyfile
---
 .github/workflows/artifacts.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index f4f21acc..74c64e99 100644
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
@@ -53,4 +53,4 @@ jobs:
 git remote add repros-lance git@${{matrix.host}}:qos
 git push repros-lance HEAD
 env:
- REPROS_KEY: $${{ secrets.REPROS_KEY }}
+ REPROS_KEY: ${{ secrets.REPROS_KEY }}
From 7826dd78d13f3c503e8a6fd7199266aae3f91c71 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Tue, 29 Oct 2024 01:49:56 -0700
Subject: [PATCH 12/20] sanity check ssh keyfile
---
 .github/workflows/artifacts.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index 74c64e99..641f0a61 100644
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
@@ -36,7 +36,6 @@ jobs:
 - name: Checkout sources
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Run `make`
- shell: 'script -q -e -c "bash {0}"'
 run: |
 mkdir -p ~/.ssh/
 echo "$REPROS_KEY" > ~/.ssh/repros.key
From 11664faf55027afb2bfb70152f0aa8d850256781 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Tue, 29 Oct 2024 01:53:28 -0700
Subject: [PATCH 13/20] sanity check ssh keyfile
---
 .github/workflows/artifacts.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index 641f0a61..964ac78f 100644
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
@@ -38,7 +38,7 @@ jobs:
 - name: Run `make`
 run: |
 mkdir -p ~/.ssh/
- echo "$REPROS_KEY" > ~/.ssh/repros.key
+ echo "${{ secrets.REPROS_KEY }}" > ~/.ssh/repros.key
 echo "Using key: ~/.ssh/repros.key"
 ssh-keygen -l -f "~/.ssh/repros.key"
 cat >>~/.ssh/config <<-END
@@ -51,5 +51,3 @@ jobs:
 ssh-keyscan -H ${{matrix.host}} >> ~/.ssh/known_hosts
 git remote add repros-lance git@${{matrix.host}}:qos
 git push repros-lance HEAD
- env:
- REPROS_KEY: ${{ secrets.REPROS_KEY }}
From 0d466772ecfdb21822867003b982698a8aa33883 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Tue, 29 Oct 2024 01:58:57 -0700
Subject: [PATCH 14/20] sanity check ssh keyfile
---
 .github/workflows/artifacts.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index 964ac78f..d7c4f6a0 100644
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
@@ -39,8 +39,6 @@ jobs:
 run: |
 mkdir -p ~/.ssh/
 echo "${{ secrets.REPROS_KEY }}" > ~/.ssh/repros.key
- echo "Using key: ~/.ssh/repros.key"
- ssh-keygen -l -f "~/.ssh/repros.key"
 cat >>~/.ssh/config <<-END
 Host lance-repros
 HostName ${{matrix.host}}
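Review bot: `echo "${{ secrets.REPROS_KEY }}" > ~/.ssh/repros.key` substitutes the private key into the step's script text before the shell runs, so quote or `$` characters in the key material are interpreted by the shell and the secret becomes part of the rendered command rather than a value read from the environment at run time. The `env:` form that this patch's second hunk deletes, and which patch 11 had already repaired to `REPROS_KEY: ${{ secrets.REPROS_KEY }}`, is the shape GitHub's own guidance recommends for secrets; keep `echo "$REPROS_KEY" > ~/.ssh/repros.key` with the `env:` mapping on the step, or `printf '%s\n' "$REPROS_KEY" > ~/.ssh/repros.key` to avoid `echo` option parsing. Patches 14 and 16 carry the inline form forward unchanged.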
@@ -48,6 +46,9 @@ jobs:
 IdentityFile ~/.ssh/repros.key
 StrictHostKeyChecking no
 END
+ echo "Using key: ~/.ssh/repros.key"
+ ls -Rlah ~/.ssh/
+ ssh-keygen -l -f "~/.ssh/repros.key"
 ssh-keyscan -H ${{matrix.host}} >> ~/.ssh/known_hosts
 git remote add repros-lance git@${{matrix.host}}:qos
 git push repros-lance HEAD
From 9d3a4a150cdb88a271ef4621269de512fa35f8cb Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Tue, 29 Oct 2024 02:01:27 -0700
Subject: [PATCH 15/20] sanity check ssh keyfile
---
 .github/workflows/artifacts.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index d7c4f6a0..ef72ac3a 100644
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
@@ -48,7 +48,7 @@ jobs:
 END
 echo "Using key: ~/.ssh/repros.key"
 ls -Rlah ~/.ssh/
- ssh-keygen -l -f "~/.ssh/repros.key"
+ ssh-keygen -l -f /home/runner/.ssh/repros.key
 ssh-keyscan -H ${{matrix.host}} >> ~/.ssh/known_hosts
 git remote add repros-lance git@${{matrix.host}}:qos
 git push repros-lance HEAD
From 7e900e2b09a2ab30cdd5e81cd15a3c286607a7be Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Tue, 29 Oct 2024 02:05:50 -0700
Subject: [PATCH 16/20] sanity check ssh keyfile
---
 .github/workflows/artifacts.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index ef72ac3a..c1de1a35 100644
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
@@ -38,7 +38,9 @@ jobs:
 - name: Run `make`
 run: |
 mkdir -p ~/.ssh/
+ chmod 700 ~/.ssh
 echo "${{ secrets.REPROS_KEY }}" > ~/.ssh/repros.key
+ chmod 600 ~/.ssh/repros.key
 cat >>~/.ssh/config <<-END
 Host lance-repros
 HostName ${{matrix.host}}
From 1f5cc501007e42bed66dc21ebc9736121dc1c85a Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Tue, 29 Oct 2024 02:41:36 -0700
Subject: [PATCH 17/20] sanity check ssh keyfile
---
 .github/workflows/artifacts.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index c1de1a35..7eba90ad 100644
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
@@ -42,15 +42,14 @@ jobs:
 echo "${{ secrets.REPROS_KEY }}" > ~/.ssh/repros.key
 chmod 600 ~/.ssh/repros.key
 cat >>~/.ssh/config <<-END
- Host lance-repros
+ Host $${{matrix.host}}
 HostName ${{matrix.host}}
 User git
 IdentityFile ~/.ssh/repros.key
 StrictHostKeyChecking no
 END
 echo "Using key: ~/.ssh/repros.key"
- ls -Rlah ~/.ssh/
 ssh-keygen -l -f /home/runner/.ssh/repros.key
 ssh-keyscan -H ${{matrix.host}} >> ~/.ssh/known_hosts
 git remote add repros-lance git@${{matrix.host}}:qos
- git push repros-lance HEAD
+ ssh-agent sh -c "ssh-add ~/.ssh/repros.key && git push repros-lance HEAD
From 81783d6327cfd441c3bf6ba74100547465664821 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Tue, 29 Oct 2024 02:42:44 -0700
Subject: [PATCH 18/20] sanity check ssh keyfile
---
 .github/workflows/artifacts.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index 7eba90ad..f71312b0 100644
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
@@ -52,4 +52,4 @@ jobs:
 ssh-keygen -l -f /home/runner/.ssh/repros.key
 ssh-keyscan -H ${{matrix.host}} >> ~/.ssh/known_hosts
 git remote add repros-lance git@${{matrix.host}}:qos
- ssh-agent sh -c "ssh-add ~/.ssh/repros.key && git push repros-lance HEAD
+ git push repros-lance HEAD
From 0632c555f213c923e9f74c4310fbcc30baaf35c7 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Tue, 29 Oct 2024 02:45:54 -0700
Subject: [PATCH 19/20] sanity check ssh keyfile
---
 .github/workflows/artifacts.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
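Review bot: `Host $${{matrix.host}}` reintroduces the stray `$` that patch 11 removed from the `env:` line; workflow expressions do not treat `$$` as an escape, so the heredoc receives `$144.76.154.76`, and because the heredoc is unquoted the shell expands the leading `$1` (presumably empty in a step script) before writing the `Host` line, leaving a pattern that never matches the remote's address and so never applies `IdentityFile` or `StrictHostKeyChecking` to the push. `Host ${{matrix.host}}` is what was intended, and the `ssh-agent`/`ssh-add` wrapper that patch 19 settles on looks like a workaround for this unmatched block rather than a fix, though that is inferred. The unterminated `"` on the `ssh-agent sh -c` line is already corrected by patches 18 and 19.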
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index f71312b0..f4e4f293 100644
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
@@ -52,4 +52,7 @@ jobs:
 ssh-keygen -l -f /home/runner/.ssh/repros.key
 ssh-keyscan -H ${{matrix.host}} >> ~/.ssh/known_hosts
 git remote add repros-lance git@${{matrix.host}}:qos
- git push repros-lance HEAD
+ ssh-agent sh -c " \
+ ssh-add ~/.ssh/repros.key \
+ && git push repros-lance HEAD \
+ "
From 0a5ed2ef859bac4c6381f91747752f3b0c2d61d8 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Thu, 14 Nov 2024 00:30:33 -0800
Subject: [PATCH 20/20] feat: repros sign multiple files
---
 .repros/config.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.repros/config.yml b/.repros/config.yml
index 75051edf..8551fad9 100644
--- a/.repros/config.yml
+++ b/.repros/config.yml
@@ -1,10 +1,14 @@
 build:
 command: make
 sign:
- file: out/digests.txt
+ files:
+ - out/qos_client/index.json
+ - out/qos_enclave/index.json
+ - out/qos_host/index.json
+ - out/digests.txt
 format: raw
 method: ssh
- backing: tpm
+ backing: disk
 storage:
 method: git
 location: git@github.com:tkhq/repros-sigs.git
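Review bot: `backing: tpm` → `backing: disk` changes where the signing key lives, which from the option names appears to move it from a TPM-held key to a file on disk, and neither the config nor the subject line ("sign multiple files") says why; a reader of the signature store cannot tell whether this is a deliberate policy change or a workaround for the CI runner. Record the reason next to the setting, e.g. `# backing: disk because <reason>; TODO(review): return to tpm`, or keep `tpm` and land the `files:` list on its own. The new list also signs the three `index.json` files directly alongside `out/digests.txt`, which is derived from them, so the digest file now duplicates rather than replaces the per-package signatures; a comment stating which artifact consumers are expected to verify would help.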