From 14edeb3d3aa41a47d701313c36e234bec91440f3 Mon Sep 17 00:00:00 2001
From: dehanj
Date: Wed, 27 Mar 2024 16:12:29 +0100
Subject: [PATCH 1/3] Add Goreleaser support to build releases

Since we now build .deb packages with goreleaser we remove the debian directory.
---
 .gitignore | 1 +
 .goreleaser.yaml | 226 +++++++++++++++++++++++++++++++
 debian/build-pkg.sh | 64 --------
 debian/deb/control.tmpl | 11 --
 debian/deb/lintian--overrides | 2 -
 gon.hcl | 13 ++
 {debian/deb => system}/copyright | 2 +-
 {debian/deb => system}/postinst | 0
 system/tkey-ssh-agent.service | 26 ++++
 tools/spdx-ensure | 6 +-
 10 files changed, 272 insertions(+), 79 deletions(-)
 create mode 100644 .goreleaser.yaml
 delete mode 100755 debian/build-pkg.sh
 delete mode 100644 debian/deb/control.tmpl
 delete mode 100644 debian/deb/lintian--overrides
 create mode 100644 gon.hcl
 rename {debian/deb => system}/copyright (78%)
 rename {debian/deb => system}/postinst (100%)
 create mode 100644 system/tkey-ssh-agent.service

diff --git a/.gitignore b/.gitignore
index f39e0b6a..3c422840 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,4 @@
 /gotools/golangci-lint
 /gotools/go-winres
 test/venv
+/dist
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
new file mode 100644
index 00000000..c6e923a0
--- /dev/null
+++ b/.goreleaser.yaml
@@ -0,0 +1,226 @@
+# Make sure to check the documentation at https://goreleaser.com
+release:
+ draft: true
+ replace_existing_draft: true
+
+before:
+ hooks:
+ # You may remove this if you don't use go modules.
+ - go mod tidy
+ # you may remove this if you don't need go generate
+ - go generate ./...
+builds:
+ - id: linux
+ main: ./cmd/tkey-ssh-agent
+ binary: tkey-ssh-agent
+ env:
+ - GOPROXY=https://proxy.golang.org,direct
+ - GOSUMDB=sum.golang.org
+ - CGO_ENABLED=0
+
+ goos:
+ - linux
+ goarch:
+ - amd64
+ - arm64
+ flags:
+ - -trimpath
+
+ # Custom ldflags mostly to avoid setting main.date which for some
+ # reason is default
+ ldflags:
+ -w -X main.version={{ .Version }} -X main.signerAppNoTouch= -buildid=
+
+ - id: darwin
+ main: ./cmd/tkey-ssh-agent
+ binary: tkey-ssh-agent
+ env:
+ - GOPROXY=https://proxy.golang.org,direct
+ - GOSUMDB=sum.golang.org
+ - CGO_ENABLED=1
+
+ goos:
+ - darwin
+ goarch:
+ - amd64
+ - arm64
+ flags:
+ - -trimpath
+
+ # Custom ldflags mostly to avoid setting main.date which for some
+ # reason is default
+ ldflags:
+ -w -X main.version={{ .Version }} -X main.signerAppNoTouch= -buildid=
+
+ - id: windows
+ main: ./cmd/tkey-ssh-agent
+ binary: tkey-ssh-agent
+ env:
+ - GOPROXY=https://proxy.golang.org,direct
+ - GOSUMDB=sum.golang.org
+ - CGO_ENABLED=0
+
+ goos:
+ - windows
+ goarch:
+ - amd64
+ - arm64
+ flags:
+ - -trimpath
+
+ # Custom ldflags mostly to avoid setting main.date which for some
+ # reason is default
+ ldflags:
+ -w -X main.version={{ .Version }} -X main.signerAppNoTouch= -buildid=
+
+ hooks:
+ pre: sh -c "cd ./cmd/tkey-ssh-agent && go-winres make --arch amd64"
+
+ - id: windows-tray
+ main: ./cmd/tkey-ssh-agent-tray
+ binary: tkey-ssh-agent-tray
+ env:
+ - GOPROXY=https://proxy.golang.org,direct
+ - GOSUMDB=sum.golang.org
+ - CGO_ENABLED=0
+
+ goos:
+ - windows
+ goarch:
+ - amd64
+ - arm64
+ flags:
+ - -trimpath
+
+ # Custom ldflags mostly to avoid setting main.date which for some
+ # reason is default
+ ldflags:
+ -w -H windowsgui -buildid=
+
+ hooks:
+ pre: sh -c "cd ./cmd/tkey-ssh-agent-tray && go-winres make --arch amd64"
+
+universal_binaries:
+ - ids:
+ - darwin
+ replace: true
+ name_template: "tkey-ssh-agent"
+ hooks:
+ post: gon gon.hcl
+
+archives:
+ - format: tar.gz
+ allow_different_binary_count: true
+ # this name template makes the OS and Arch compatible with the results of uname.
+ name_template: >-
+ {{ "tkey-ssh-agent" }}_
+ {{- .Version }}_
+ {{- title .Os }}_
+ {{- if eq .Arch "all" }}universal
+ {{- else }}{{ .Arch }}{{ end }}
+ {{- if .Arm }}v{{ .Arm }}{{ end }}
+ # use zip for windows archives
+ format_overrides:
+ - goos: windows
+ format: zip
+ files:
+ - src: system/tkey-ssh-agent.1
+ dst: man
+ strip_parent: true
+
+nfpms:
+ # note that this is an array of nfpm configs
+ - #
+ # ID of the nfpm config, must be unique.
+
+ # Name of the package.
+ package_name: tkey-ssh-agent
+
+ # Your app's vendor.
+ vendor: Tillitis AB
+
+ # Your app's homepage.
+ homepage: https://tillitis.se/
+
+ # Your app's maintainer (probably you).
+ maintainer: Tillitis
+
+ # Your app's description.
+ description: |-
+ SSH agent backed by Tillitis TKey
+ tkey-ssh-agent is an alternative SSH agent backed by a private ed25519 key
+ residing in the hardware TKey, a USB stick.
+
+ # Your app's license.
+ license: GPL 2.0
+
+ # Formats to be generated.
+ formats:
+ - apk
+ - deb
+ - rpm
+ - archlinux # Since: v1.13
+
+ dependencies:
+ - pinentry-gnome3
+
+ bindir: /usr/bin
+
+ release: 1
+
+ section: misc
+
+ # Contents to add to the package.
+ # GoReleaser will automatically add the binaries.
+ contents:
+ - src: system/tkey-ssh-agent.1
+ dst: /usr/share/man/man1/tkey-ssh-agent.1
+ file_info:
+ mode: 0644
+
+ - src: system/tkey-ssh-agent.service
+ dst: /usr/lib/systemd/user/tkey-ssh-agent.service
+ file_info:
+ mode: 0644
+
+ - src: system/60-tkey.rules
+ dst: /usr/lib/udev/rules.d/60-tkey.rules
+ file_info:
+ mode: 0644
+
+ - src: system/copyright
+ dst: /usr/share/docs/tkey-ssh-agent/
+ file_info:
+ mode: 0644
+
+ overrides:
+ apk:
+ dependencies:
+ - pinentry-gnome
+ archlinux:
+ dependencies:
+ - pinentry
+
+ # Scripts to execute during the installation of the package. (overridable)
+ scripts:
+ postinstall: "system/postinst"
+
+ # Custom configuration applied only to the Deb packager.
+ deb:
+ # Lintian overrides
+ lintian_overrides:
+ - statically-linked-binary
+ - changelog-file-missing-in-native-package
+
+
+checksum:
+ name_template: 'checksums.txt'
+snapshot:
+ name_template: "{{ incpatch .Version }}-next"
+changelog:
+ sort:
+ filters:
+ exclude:
+ - '^docs:'
+ - '^test:'
+
diff --git a/debian/build-pkg.sh b/debian/build-pkg.sh
deleted file mode 100755
index bac73029..00000000
--- a/debian/build-pkg.sh
+++ /dev/null
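Review bot: The copyright file is installed to `dst: /usr/share/docs/tkey-ssh-agent/`, but the location the removed debian/build-pkg.sh used is `usr/share/doc/tkey-ssh-agent/copyright`, which is also where Debian tooling expects it; this should read `dst: /usr/share/doc/tkey-ssh-agent/copyright`. The deb dependency also tightens from the old control.tmpl's `Depends: pinentry-gnome3 | pinentry` to a hard `pinentry-gnome3`, dropping the alternative that worked before; if that is unintended, the `overrides` block is the place to restore it for the deb format. There is a `checksum:` section but no `signs:` section, so apart from the gon-signed macOS binary nothing lets a consumer verify that `checksums.txt` and the archives came from the project; signing the checksums file would close that gap. Finally, `before.hooks` runs `go mod tidy` on every release build, which can rewrite go.mod/go.sum away from what the tag contains; `go mod verify` (and relying on the default `-mod=readonly`) fails loudly instead of silently changing what gets built.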
@@ -1,64 +0,0 @@ -#!/bin/bash -set -eu - -# # TODO -# -# - We currently dig out the version from a git tag, so we can't build from -# tarball. Not great. -# -# - lintian ./tkey-ssh-agent_0.1-1_amd64.deb -# E: tkey-ssh-agent: no-changelog usr/share/doc/tkey-ssh-agent/changelog.Debian.gz (non-native package) - -pkgname="tkey-ssh-agent" -debian_revision="1" -pkgmaintainer="Tillitis " - -if [[ "$(uname -m)" != "x86_64" ]]; then - printf "expecting to build on x86_64, bailing out\n" - exit 1 -fi - -cd "${0%/*}" || exit 1 -destdir="$PWD/build" -rm -rf "$destdir" -mkdir "$destdir" - -pushd >/dev/null .. - -# upstream_version is the version of the program we're packaging -upstream_version="$(git describe --dirty --always | sed -n "s/^v\(.*\)/\1/p")" -if [[ -z "$upstream_version" ]]; then - printf "found no tag (with v-prefix) to use for upstream_version\n" - exit 1 -fi -if [[ ! "$upstream_version" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - printf "%s: repo has commit after last tag, or git tree is dirty\n" "$upstream_version" - exit 1 -fi -pkgversion="$upstream_version-$debian_revision" - -make clean -make -j TKEY_SSH_AGENT_VERSION="$upstream_version" tkey-ssh-agent -make -C apps check-signer-hash -make DESTDIR="$destdir" \ - PREFIX=/usr \ - SYSTEMDDIR=/usr/lib/systemd \ - UDEVDIR=/usr/lib/udev \ - install - -popd >/dev/null - -install -Dm644 deb/copyright "$destdir"/usr/share/doc/tkey-ssh-agent/copyright -install -Dm644 deb/lintian--overrides "$destdir"/usr/share/lintian/overrides/tkey-ssh-agent -mkdir "$destdir/DEBIAN" -cp -af deb/postinst "$destdir/DEBIAN/" -sed -e "s/##VERSION##/$pkgversion/" \ - -e "s/##PACKAGE##/$pkgname/" \ - -e "s/##MAINTAINER##/$pkgmaintainer/" \ - deb/control.tmpl >"$destdir/DEBIAN/control" - -dpkg-deb --root-owner-group -Zgzip --build "$destdir" . - -for f in *.deb; do - sha512sum "$f" >"$f".sha512 -done diff --git a/debian/deb/control.tmpl b/debian/deb/control.tmpl deleted file mode 100644 index 3d3f8ea9..00000000 
--- a/debian/deb/control.tmpl
+++ /dev/null
@@ -1,11 +0,0 @@
-Section: misc
-Priority: optional
-Maintainer: ##MAINTAINER##
-Package: ##PACKAGE##
-Version: ##VERSION##
-Architecture: amd64
-Depends: pinentry-gnome3 | pinentry
-Homepage: https://github.com/tillitis/tillitis-key1-apps
-Description: SSH agent backed by Tillitis TKey
- tkey-ssh-agent is an alternative SSH agent backed by a private ed25519 key
- residing in the hardware TKey, a USB stick.
diff --git a/debian/deb/lintian--overrides b/debian/deb/lintian--overrides
deleted file mode 100644
index e1f387e4..00000000
--- a/debian/deb/lintian--overrides
+++ /dev/null
@@ -1,2 +0,0 @@
-# Go program linked statically.
-tkey-ssh-agent: statically-linked-binary
diff --git a/gon.hcl b/gon.hcl
new file mode 100644
index 00000000..cf8ff012
--- /dev/null
+++ b/gon.hcl
@@ -0,0 +1,13 @@
+
+source = ["dist/tkey-ssh-agent_darwin_all/tkey-ssh-agent"]
+bundle_id = "com.tillitis.tkey-ssh-agent"
+
+apple_id {
+ username = "[email protected]"
+ password = "@keychain:[email protected]"
+ provider = "34722S433A"
+}
+
+sign {
+ application_identity = "Developer ID Application: Tillitis AB"
+}
diff --git a/debian/deb/copyright b/system/copyright
similarity index 78%
rename from debian/deb/copyright
rename to system/copyright
index b783db37..fafd6e5d 100644
--- a/debian/deb/copyright
+++ b/system/copyright
@@ -1,5 +1,5 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Files: *
-Copyright: 2022 Tillitis AB
+Copyright: 2024 Tillitis AB
 License: GPL-2
diff --git a/debian/deb/postinst b/system/postinst
similarity index 100%
rename from debian/deb/postinst
rename to system/postinst
diff --git a/system/tkey-ssh-agent.service b/system/tkey-ssh-agent.service
new file mode 100644
index 00000000..88e97c52
--- /dev/null
+++ b/system/tkey-ssh-agent.service
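Review bot: gon.hcl has a `sign` block but no `zip`, `dmg` or `notarize` section, so as far as this file shows the universal binary is code-signed but never submitted for notarization, and a downloaded, unnotarized Developer ID binary may still be blocked by Gatekeeper on current macOS; if notarization is expected it has to be configured here, presumably by adding a `zip` output for gon to submit. The `source` path `dist/tkey-ssh-agent_darwin_all/tkey-ssh-agent` is coupled to `universal_binaries.name_template` and `replace: true` in .goreleaser.yaml, which deserves a comment such as `# must match universal_binaries.name_template in .goreleaser.yaml`. The file also begins with an empty first line that can be dropped.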
@@ -0,0 +1,26 @@
+[Unit]
+Description=An SSH agent backed by Tillitis TKey
+Documentation=https://github.com/tillitis/tkey-ssh-agent
+
+[Service]
+ExecStart=/usr/bin/tkey-ssh-agent --uss --agent-path /%t/tkey-ssh-agent/sock
+ExecReload=/usr/bin/kill -HUP $MAINPID
+NoNewPrivileges=yes
+KeyringMode=private
+UMask=0177
+ProtectSystem=strict
+RuntimeDirectory=tkey-ssh-agent
+RuntimeDirectoryMode=0700
+ReadWritePaths=/dev /run
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=default.target
diff --git a/tools/spdx-ensure b/tools/spdx-ensure
index c2010a26..e229549c 100755
--- a/tools/spdx-ensure
+++ b/tools/spdx-ensure
@@ -14,7 +14,6 @@ missingok_dirs=(
 .github/workflows/
 cmd/tkey-ssh-agent-tray/winres/
 cmd/tkey-ssh-agent/winres/
-debian/
 docs/
 system/windows/
 )
@@ -23,6 +22,7 @@ missingok_files=(
 .editorconfig
 .gitignore
 .golangci.yml
+.goreleaser.yaml
 LICENSE
 Makefile
 README.md
@@ -33,11 +33,15 @@ cmd/tkey-ssh-agent-tray/trayicon.ico
 dco.md
 go.mod
 go.sum
+gon.hcl
 gotools/Makefile
 gotools/go.mod
 gotools/go.sum
 system/60-tkey.rules
+system/copyright
+system/postinst
 system/tkey-ssh-agent.1
+system/tkey-ssh-agent.service
 system/tkey-ssh-agent.service.tmpl
 test/attic/test-loop.sh
 test/requirements.txt
From c3612c77dc9aab7be9db9087f3d99bc81ea54c3b Mon Sep 17 00:00:00 2001
From: Michael Cardell Widerkrantz
Date: Thu, 11 Apr 2024 19:36:08 +0200
Subject: [PATCH 2/3] Make it easier to do reproducible builds

Let's use -buildvcs=false

If the Git directory even has some untracked files the binary will be different with buildvcs tracking. This will probably shoot us in the foot again and again.
---
 .goreleaser.yaml | 4 ++++
 Makefile | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)
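Review bot: `ExecStart` passes `--agent-path /%t/tkey-ssh-agent/sock`, but in a user unit `%t` already expands to the absolute `$XDG_RUNTIME_DIR`, so the leading slash yields a `//run/user/...` path; it resolves, but the intended form is `--agent-path %t/tkey-ssh-agent/sock`, which is exactly the directory `RuntimeDirectory=tkey-ssh-agent` creates. `ReadWritePaths=/dev /run` is wider than the unit needs: `ProtectSystem=strict` already leaves `/dev` writable, and opening all of `/run` instead of the agent's own runtime directory (plus whatever pinentry's D-Bus socket needs) weakens the sandbox the rest of the unit builds. Because this is a user-manager unit (`WantedBy=default.target`, installed under `/usr/lib/systemd/user/`), whether the mount- and seccomp-based settings here actually take effect depends on the systemd version and kernel configuration of the target distribution; running `systemd-analyze --user security tkey-ssh-agent.service` there would confirm what is applied rather than silently skipped. The repository also keeps `system/tkey-ssh-agent.service.tmpl` (see the tools/spdx-ensure hunk in this patch), so the unit now exists in two forms that can drift; if the template is still used by the Makefile install path, a comment in this file naming the authoritative one would help.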
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index c6e923a0..b4f233bb 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -25,6 +25,7 @@ builds:
 - arm64
 flags:
 - -trimpath
+ - -buildvcs=false
 # Custom ldflags mostly to avoid setting main.date which for some
 # reason is default
@@ -46,6 +47,7 @@ builds:
 - arm64
 flags:
 - -trimpath
+ - -buildvcs=false
 # Custom ldflags mostly to avoid setting main.date which for some
 # reason is default
@@ -67,6 +69,7 @@ builds:
 - arm64
 flags:
 - -trimpath
+ - -buildvcs=false
 # Custom ldflags mostly to avoid setting main.date which for some
 # reason is default
@@ -91,6 +94,7 @@ builds:
 - arm64
 flags:
 - -trimpath
+ - -buildvcs=false
 # Custom ldflags mostly to avoid setting main.date which for some
 # reason is default
diff --git a/Makefile b/Makefile
index 71d5c604..4c8a9a5d 100644
--- a/Makefile
+++ b/Makefile
@@ -54,7 +54,7 @@ TKEY_SSH_AGENT_VERSION ?=
 # .PHONY to let go-build handle deps and rebuilds
 .PHONY: tkey-ssh-agent
 tkey-ssh-agent: check-signer-hash
- CGO_ENABLED=$(BUILD_CGO_ENABLED) go build -ldflags "-X main.version=$(TKEY_SSH_AGENT_VERSION) -X main.signerAppNoTouch=$(TKEY_SIGNER_APP_NO_TOUCH)" -trimpath ./cmd/tkey-ssh-agent
+ CGO_ENABLED=$(BUILD_CGO_ENABLED) go build -ldflags "-X main.version=$(TKEY_SSH_AGENT_VERSION) -X main.signerAppNoTouch=$(TKEY_SIGNER_APP_NO_TOUCH)" -trimpath -buildvcs=false ./cmd/tkey-ssh-agent
 .PHONY: tkey-ssh-agent.exe
 tkey-ssh-agent.exe:
@@ -67,7 +67,7 @@ tkey-ssh-agent.exe:
 tkey-ssh-agent-tray.exe:
 $(MAKE) -C gotools go-winres
 cd ./cmd/tkey-ssh-agent-tray && ../../gotools/go-winres make --arch amd64
- GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-H windowsgui" -trimpath ./cmd/tkey-ssh-agent-tray
+ GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-H windowsgui" -trimpath -buildvcs=false ./cmd/tkey-ssh-agent-tray
 .PHONY: clean
 clean:
From ea8dc6e8afab629887e47e3ccecf43bf32795499 Mon Sep 17 00:00:00 2001
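Review bot: With `-buildvcs=false` the binaries no longer carry the VCS revision in their embedded build info, so provenance now rests entirely on what `ldflags` injects; the linux, darwin and windows builds set `-X main.version={{ .Version }}`, but the `windows-tray` build touched by the fourth hunk (`@@ -91,6 +94,7 @@`) only has `-w -H windowsgui -buildid=` (from the first patch), so after this change that binary carries no version or revision information at all unless it obtains one some other way. Adding the same `-X main.version={{ .Version }}` to the tray build's `ldflags` would keep that artifact traceable to a release. The identical `flags:` list is now repeated in all four builds; defining it once as a YAML anchor (`flags: &buildflags`) and referencing it with `flags: *buildflags` elsewhere would stop the four copies from drifting apart.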
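Review bot: The `tkey-ssh-agent.exe` recipe that sits between these two hunks (Makefile lines 61–66, outside the hunk) is not shown, so if it also invokes `go build` it still embeds VCS metadata and remains non-reproducible in exactly the way the commit message describes. Rather than appending `-buildvcs=false` to each recipe, setting it once near the top of the Makefile, e.g. `export GOFLAGS=-buildvcs=false`, covers every `go build` invocation including ones added later. Note also that the .goreleaser.yaml builds strip symbols with `-w` and set `-buildid=`, which these recipes do not; if the Makefile binaries are meant to match the release ones byte for byte, the flag sets need to agree.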
From: Michael Cardell Widerkrantz
Date: Fri, 12 Apr 2024 09:26:24 +0200
Subject: [PATCH 3/3] Update CI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Use checkout@v4
- Check för SPDX tags
---
 .github/workflows/ci.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 79bc7880..3abde074 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -16,7 +16,7 @@ jobs:
 image: ghcr.io/tillitis/tkey-builder:4
 steps:
 - name: checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 # fetch-depth: 0
 persist-credentials: false
@@ -26,11 +26,11 @@ jobs:
 run: |
 git config --global --add safe.directory "$GITHUB_WORKSPACE"
+ - name: check for SPDX tags
+ run: ./tools/spdx-ensure
+
 - name: make
 run: make tkey-ssh-agent -j
 - name: make windows
 run: make windows
-
- - name: check for SPDX tags
- run: ./tools/spdx-ensure
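Review bot: `uses: actions/checkout@v4` pins the action to a mutable tag, so the job runs whatever commit the `v4` tag points at on a given day; for a pipeline that feeds signed release artifacts the usual hardening is to pin the full commit SHA and keep the version as a comment, `uses: actions/checkout@<full-commit-sha> # v4` (the SHA being whatever upstream's v4 tag resolves to at review time). `persist-credentials: false` is already set, which keeps the job token out of the checked-out `.git` config for the later steps. The SPDX check now runs before the build, which is fine, but it executes inside `image: ghcr.io/tillitis/tkey-builder:4`, which is likewise a mutable tag; referencing the image by digest (`ghcr.io/tillitis/tkey-builder@sha256:<digest>`) would make the build environment as reproducible as the previous commit tries to make the binaries.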