Polish up for working version 0.0.2
This commit is contained in:
parent
9b51edbed2
commit
502f81ffdc
|
@ -5,22 +5,15 @@ Architecture=x86-64
|
|||
[Config]
|
||||
Images=server
|
||||
|
||||
[Output]
|
||||
# For Reproducible Builds
|
||||
Seed=834dd70f55be43cc9934b20fc0b7f7be
|
||||
|
||||
[Validation]
|
||||
SecureBoot=true
|
||||
# Use RSA 2048 keys for wide UEFI compatibility
|
||||
SecureBootKey=signing-keys/rafeOS_secureboot.key
|
||||
SecureBootCertificate=signing-keys/rafeOS_secureboot.crt
|
||||
SignExpectedPcr=true
|
||||
# Use modern EC keys
|
||||
VerityKey=signing-keys/rafeOS_verity.key
|
||||
VerityCertificate=signing-keys/rafeOS_verity.crt
|
||||
Checksum=true
|
||||
|
||||
[Host]
|
||||
Incremental=true
|
||||
ToolsTree=default
|
||||
RuntimeSize=12G
|
||||
RuntimeSize=16G
|
|
@ -31,7 +31,7 @@ C /etc/systemd/journal-remote.conf
|
|||
C /etc/systemd/journal-upload.conf
|
||||
C /etc/systemd/journald.conf
|
||||
C /etc/systemd/logind.conf
|
||||
C /etc/systemd/network/networkd.conf
|
||||
C /etc/systemd/networkd.conf
|
||||
C /etc/systemd/oomd.conf
|
||||
C /etc/systemd/pstore.conf
|
||||
C /etc/systemd/resolved.conf
|
||||
|
|
|
@ -1 +1,2 @@
|
|||
# Use systemd-resolved as dns backend (auto-detected)
|
||||
L+ /etc/resolv.conf - - - /run/systemd/resolve/stub-resolv.conf
|
|
@ -1,4 +1,6 @@
|
|||
#!/bin/bash
|
||||
set -eu
|
||||
|
||||
ETC_FACTORY_DIR=/usr/share/factory/etc
|
||||
|
||||
# copy additional files provided by package filesystem to factory
|
||||
|
@ -36,17 +38,15 @@ cp -af /etc/systemd/journal-remote.conf $ETC_FACTORY_DIR/systemd/
|
|||
cp -af /etc/systemd/journal-upload.conf $ETC_FACTORY_DIR/systemd/
|
||||
cp -af /etc/systemd/journald.conf $ETC_FACTORY_DIR/systemd/
|
||||
cp -af /etc/systemd/logind.conf $ETC_FACTORY_DIR/systemd/
|
||||
cp -af /etc/systemd/networkd.conf $ETC_FACTORY_DIR/systemd/
|
||||
cp -af /etc/systemd/oomd.conf $ETC_FACTORY_DIR/systemd/
|
||||
cp -af /etc/systemd/pstore.conf $ETC_FACTORY_DIR/systemd/
|
||||
cp -af /etc/systemd/resovled.conf $ETC_FACTORY_DIR/systemd/
|
||||
cp -af /etc/systemd/resolved.conf $ETC_FACTORY_DIR/systemd/
|
||||
cp -af /etc/systemd/sleep.conf $ETC_FACTORY_DIR/systemd/
|
||||
cp -af /etc/systemd/system.conf $ETC_FACTORY_DIR/systemd/
|
||||
cp -af /etc/systemd/timesyncd.conf $ETC_FACTORY_DIR/systemd/
|
||||
cp -af /etc/systemd/user.conf $ETC_FACTORY_DIR/systemd/
|
||||
|
||||
install -d -m0755 $ETC_FACTORY_DIR/systemd/network/
|
||||
cp -af /etc/systemd/network/networkd.conf $ETC_FACTORY_DIR/systemd/network/
|
||||
|
||||
install -d -m0755 $ETC_FACTORY_DIR/udev/
|
||||
cp -af /etc/udev/iocost.conf $ETC_FACTORY_DIR/udev/
|
||||
cp -af /etc/udev/udev.conf $ETC_FACTORY_DIR/udev/
|
||||
|
@ -87,12 +87,12 @@ cp -af /etc/tpm2-tss/fapi-profiles/P_RSA2048SHA256.json $ETC_FACTORY_DIR/tpm2-ts
|
|||
|
||||
# copy files provided by package bash to factory
|
||||
cp -af /etc/bash.bash_logout $ETC_FACTORY_DIR/
|
||||
cp -af /etc/bash.rc $ETC_FACTORY_DIR/
|
||||
cp -af /etc/bash.bashrc $ETC_FACTORY_DIR/
|
||||
|
||||
install -d -m0755 $ETC_FACTORY_DIR/skel/
|
||||
cp -af /etc/.bash_logout $ETC_FACTORY_DIR/skel/
|
||||
cp -af /etc/.bash_profile $ETC_FACTORY_DIR/skel/
|
||||
cp -af /etc/.bashrc $ETC_FACTORY_DIR/skel/
|
||||
cp -af /etc/skel/.bash_logout $ETC_FACTORY_DIR/skel/
|
||||
cp -af /etc/skel/.bash_profile $ETC_FACTORY_DIR/skel/
|
||||
cp -af /etc/skel/.bashrc $ETC_FACTORY_DIR/skel/
|
||||
|
||||
# copy files provided by package kbd to factory
|
||||
install -d -m0755 $ETC_FACTORY_DIR/pam.d/
|
||||
|
@ -189,7 +189,7 @@ install -d -m0755 $ETC_FACTORY_DIR/fwupd/
|
|||
cp -af /etc/fwupd/fwupd.conf $ETC_FACTORY_DIR/fwupd/
|
||||
|
||||
install -d -m0755 $ETC_FACTORY_DIR/fwupd/bios-settings.d/
|
||||
cp -af /etc/fwupd/bios-settings.d/README $ETC_FACTORY_DIR/fwupd/bios-settings.d/
|
||||
cp -af /etc/fwupd/bios-settings.d/README.md $ETC_FACTORY_DIR/fwupd/bios-settings.d/
|
||||
|
||||
install -d -m0755 $ETC_FACTORY_DIR/fwupd/remotes.d/
|
||||
cp -af /etc/fwupd/remotes.d/fwupd-tests.conf $ETC_FACTORY_DIR/fwupd/remotes.d/
|
||||
|
@ -207,7 +207,7 @@ cp -af /etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service $ETC_FACTOR
|
|||
cp -af /etc/pki/fwupd-metadata/LVFS-CA.pem $ETC_FACTORY_DIR/pki/fwupd-metadata/
|
||||
|
||||
install -d -m0755 $ETC_FACTORY_DIR/pki/fwupd/
|
||||
cp -af /etc/pki/fwupd/GPG-KEY-Linux-Foundation-Metadata $ETC_FACTORY_DIR/pki/fwupd/
|
||||
cp -af /etc/pki/fwupd/GPG-KEY-Linux-Foundation-Firmware $ETC_FACTORY_DIR/pki/fwupd/
|
||||
cp -af /etc/pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service $ETC_FACTORY_DIR/pki/fwupd/
|
||||
cp -af /etc/pki/fwupd/LVFS-CA.pem $ETC_FACTORY_DIR/pki/fwupd/
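Review bot: The correction of `cp -af /etc/systemd/resovled.conf $ETC_FACTORY_DIR/systemd/` to `resolved.conf` is the kind of slip this script invites: every file is a separate hand-typed line with `$ETC_FACTORY_DIR` unquoted, and under `set -eu` a single mistyped source path aborts the whole image build, which is presumably how this one surfaced. The same pattern repeats in the bash hunk (`bash.rc` → `bash.bashrc`) and the fwupd hunk (`README` → `README.md`). Iterating over a quoted array per destination directory keeps each list in one place, quotes the expansions, and turns a missing file into a one-word diff; the fence shows it for the systemd block, whose full list is visible in this hunk. The script header and the remaining copies lie outside these hunks.
```bash
# … unchanged: factory directory creation and earlier copies …

# systemd daemon configs shipped in /etc, mirrored into the factory tree
systemd_confs=(
  journal-remote.conf journal-upload.conf journald.conf logind.conf
  networkd.conf oomd.conf pstore.conf resolved.conf sleep.conf
  system.conf timesyncd.conf user.conf
)
for conf in "${systemd_confs[@]}"; do
  cp -af -- "/etc/systemd/$conf" "$ETC_FACTORY_DIR/systemd/"
done

# … unchanged: network/, udev/ and later copies …
```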
|
||||
|
||||
|
|
|
@ -81,9 +81,4 @@ RemoveFiles=
|
|||
/usr/share/man/*
|
||||
/usr/share/locale/*
|
||||
/usr/share/info/*
|
||||
/usr/share/gtk-doc/*
|
||||
|
||||
[Validation]
|
||||
SecureBoot=false
|
||||
SignExpectedPcr=false
|
||||
Checksum=false
|
||||
/usr/share/gtk-doc/*
|
|
@ -9,7 +9,12 @@ SplitArtifacts=yes
|
|||
ManifestFormat=json,changelog
|
||||
ImageId=rafeOS
|
||||
SectorSize=4096
|
||||
CompressOutput=xz
|
||||
# For Reproducible Builds
|
||||
Seed=834dd70f55be43cc9934b20fc0b7f7be
|
||||
|
||||
[Validation]
|
||||
SecureBoot=true
|
||||
SignExpectedPcr=true
|
||||
|
||||
[Content]
|
||||
Bootable=yes
|
||||
|
@ -28,10 +33,10 @@ KernelCommandLine=
|
|||
#quiet
|
||||
# prevent access to a shell if boot fails
|
||||
rd.shell=0
|
||||
# prevent access to a shell if the root is corrupt
|
||||
# prevent access to a shell if the /usr is corrupt
|
||||
rd.emergency=reboot
|
||||
# prevents untrusted code from running (the default behavior will just print an error to dmesg)
|
||||
systemd.verity_root_options=panic-on-corruption
|
||||
systemd.verity_usr_options=panic-on-corruption
|
||||
# reboot system 30 seconds after a kernel panic
|
||||
panic=30
|
||||
# enable apparmor (enables kernel lockdown mode, requires signed kernel modules)
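Review bot: `systemd.verity_usr_options=panic-on-corruption` combined with `rd.emergency=reboot` and `panic=30` turns any /usr verity failure into an automatic reboot, so a bad update reboots in a loop with no operator access; that is only safe if boot counting demotes the broken entry, which the `TriesLeft=3` in the new UKI sysupdate transfer suggests but nothing in this file states. A comment above the panic settings such as `# a corrupt /usr panics and reboots; recovery relies on boot counting (TriesLeft) falling back to the previous UKI` would record that dependency next to the setting that creates it. The `# enable apparmor` comment is the last line of this hunk; the option it describes and the rest of `KernelCommandLine=` are outside it.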
|
||||
|
|
|
@ -0,0 +1,15 @@
|
|||
[Transfer]
|
||||
ProtectVersion=%A
|
||||
|
||||
[Source]
|
||||
Type=url-file
|
||||
Path=https://code.strobel.one/api/packages/rafeOS/generic/image/server/
|
||||
MatchPattern=rafeOS-server_@v_@u.usr-verity-sig.raw.xz
|
||||
|
||||
[Target]
|
||||
Type=partition
|
||||
Path=auto
|
||||
MatchPattern=rafeOS-server_@v
|
||||
MatchPartitionType=usr-verity-sig
|
||||
PartitionFlags=0
|
||||
ReadOnly=1
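Review bot: `Type=url-file` with `Path=https://code.strobel.one/...` makes systemd-sysupdate fetch `SHA256SUMS` and `SHA256SUMS.gpg` from that directory and check the signature before applying anything (the `Verify=` default), yet nothing in this commit installs the public half of the key the release script signs with (`GPG_SIGNING_KEY` in prepare-release-upload.sh) into the image's import keyring (`import-pubring.gpg`). If that key is not already shipped in the image, every update fails verification, and the tempting workaround of `Verify=no` would remove integrity checking from a download over the network entirely. Please confirm the key is provisioned into the image and record the dependency with a comment in this file; the same applies to the other three transfer definitions added in this commit (usr-verity, usr and the EFI UKI).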
|
|
@ -0,0 +1,15 @@
|
|||
[Transfer]
|
||||
ProtectVersion=%A
|
||||
|
||||
[Source]
|
||||
Type=url-file
|
||||
Path=https://code.strobel.one/api/packages/rafeOS/generic/image/server/
|
||||
MatchPattern=rafeOS-server_@v_@u.usr-verity.raw.xz
|
||||
|
||||
[Target]
|
||||
Type=partition
|
||||
Path=auto
|
||||
MatchPattern=rafeOS-server_@v
|
||||
MatchPartitionType=usr-verity
|
||||
PartitionFlags=0
|
||||
ReadOnly=1
|
|
@ -0,0 +1,15 @@
|
|||
[Transfer]
|
||||
ProtectVersion=%A
|
||||
|
||||
[Source]
|
||||
Type=url-file
|
||||
Path=https://code.strobel.one/api/packages/rafeOS/generic/image/server/
|
||||
MatchPattern=rafeOS-server_@v_@u.usr.raw.xz
|
||||
|
||||
[Target]
|
||||
Type=partition
|
||||
Path=auto
|
||||
MatchPattern=rafeOS-server_@v
|
||||
MatchPartitionType=usr
|
||||
PartitionFlags=0
|
||||
ReadOnly=1
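Review bot: `Type=partition` with `Path=auto` and `ProtectVersion=%A` implies an A/B layout: sysupdate only writes the new `usr` image into a partition slot other than the one currently booted, so `usr`, `usr-verity` and `usr-verity-sig` each need at least two slots in the GPT. The repart.d files touched in this commit define each type once; if no second slot is defined elsewhere, the first update has no eligible target partition and cannot be applied. Worth confirming, and a comment here naming the slot count this transfer relies on would help the next reader.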
|
|
@ -0,0 +1,19 @@
|
|||
[Transfer]
|
||||
ProtectVersion=%A
|
||||
|
||||
[Source]
|
||||
Type=url-file
|
||||
Path=https://code.strobel.one/api/packages/rafeOS/generic/image/server/
|
||||
MatchPattern=rafeOS-server_@v.efi
|
||||
|
||||
[Target]
|
||||
Type=regular-file
|
||||
Path=/EFI/Linux
|
||||
PathRelativeTo=boot
|
||||
MatchPattern=rafeOS-server_@v+@l-@d.efi \
|
||||
rafeOS-server_@v+@l.efi \
|
||||
rafeOS-server_@v.efi
|
||||
Mode=0444
|
||||
TriesLeft=3
|
||||
TriesDone=0
|
||||
InstancesMax=2
|
|
@ -1,6 +1,4 @@
|
|||
#!/bin/bash
|
||||
set -eu
|
||||
|
||||
echo "VARIANT_ID=server" >> /etc/os-release
|
||||
|
||||
# Use systemd-resolved as dns backend for NetworkManager (auto-detected)
|
||||
ln -sf /run/systemd/resolve/stub-resolve.conf /etc/resolv.conf
|
||||
echo "VARIANT_ID=\"server\"" >> /etc/os-release
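Review bot: `echo "VARIANT_ID=\"server\"" >> /etc/os-release` appends unconditionally, so if the base image already carries a `VARIANT_ID=` line the file ends up with two and consumers take whichever their parser prefers. A guard such as `grep -q '^VARIANT_ID=' /etc/os-release || echo 'VARIANT_ID="server"' >> /etc/os-release` avoids the duplicate (or delete the existing line first if the base value must be overridden). Note also that `/etc/os-release` is commonly a symlink into `/usr/lib`, so the append presumably lands in the shipped `/usr/lib/os-release`, which is reasonable for an immutable /usr image but deserves a comment.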
|
|
@ -1,5 +1,6 @@
|
|||
[Partition]
|
||||
Type=usr
|
||||
SplitName=usr
|
||||
Label=%M-%W_%A
|
||||
SizeMinBytes=3G
|
||||
SizeMaxBytes=3G
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
[Partition]
|
||||
Type=usr-verity
|
||||
SplitName=usr-verity
|
||||
Label=%M-%W_%A
|
||||
SizeMinBytes=256M
|
||||
SizeMaxBytes=256M
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
[Partition]
|
||||
Type=usr-verity-sig
|
||||
SplitName=usr-verity-sig
|
||||
Label=%M-%W_%A
|
||||
Verity=signature
|
||||
VerityMatchKey=usr
|
|
@ -1 +1 @@
|
|||
0.0.1
|
||||
0.0.2
|
116
prepare-release-upload.sh
Executable file
116
prepare-release-upload.sh
Executable file
|
@ -0,0 +1,116 @@
|
|||
#!/bin/bash
|
||||
set -eu
|
||||
|
||||
IMAGE_ID="rafeOS"
|
||||
IMAGE_VARIANT="server"
|
||||
# rafeOS release signing key <rafeos-release@rafe.li>
|
||||
GPG_SIGNING_KEY="497B1B17BEE53D5DF0AE833F60775900DDDFAA67"
|
||||
|
||||
# Check if script is run as root
|
||||
if [ "$(id -u)" -ne 0 ]; then
|
||||
echo "Error: This script must be run as root (use sudo)."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Check if a directory path is provided
|
||||
if [ $# -lt 1 ]; then
|
||||
echo "Error: Please provide the path to the directory containing raw disk image files as the first parameter."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Set the output directory and get its absolute path
|
||||
output_directory=$(realpath "$1")
|
||||
|
||||
# Check if the version string is provided as the second argument
|
||||
if [ $# -lt 2 ]; then
|
||||
# Determine the latest semver version from the files in the directory
|
||||
latest_raw_file=$(find "$output_directory" -maxdepth 1 -type f -name "${IMAGE_ID}-${IMAGE_VARIANT}_*.raw" | \
|
||||
grep -E "${IMAGE_ID}-${IMAGE_VARIANT}_([0-9]+\.[0-9]+\.[0-9]+)\.raw" | \
|
||||
sort -V | tail -n 1)
|
||||
|
||||
if [ -n "$latest_raw_file" ]; then
|
||||
version_string=$(basename "$latest_raw_file" | sed -n "s/${IMAGE_ID}-${IMAGE_VARIANT}_\([0-9]*\.[0-9]*\.[0-9]*\)\.raw/\1/p")
|
||||
else
|
||||
echo "Error: No raw disk image files found in the directory."
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
version_string="$2"
|
||||
fi
|
||||
|
||||
# Check if the version string is not empty
|
||||
if [ -z "$version_string" ]; then
|
||||
echo "Error: Unable to determine the version string."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Run systemd-dissect on the raw disk image file and save the json output
|
||||
json_output=$(systemd-dissect "$output_directory/${IMAGE_ID}-${IMAGE_VARIANT}_$version_string.raw" --json=short)
|
||||
|
||||
# Extract partition UUIDs for each partition type using jq
|
||||
declare -A partition_uuids
|
||||
|
||||
partition_types=("usr" "usr-verity" "usr-verity-sig")
|
||||
for partition_type in $(echo "${partition_types[@]}" | tr ' ' '\n' | sort); do
|
||||
partition_uuid=$(echo "$json_output" | jq -r '.mounts[] | select(.designator == "'"$partition_type"'") | .partition_uuid')
|
||||
partition_uuids["$partition_type"]=$partition_uuid
|
||||
done
|
||||
|
||||
## Output the content of the array as a table
|
||||
#echo -e "Partition Type\tUUID"
|
||||
#for partition_type in $(echo "${!partition_uuids[@]}" | tr ' ' '\n' | sort); do
|
||||
# uuid=${partition_uuids["$partition_type"]}
|
||||
# echo -e "$partition_type\t$uuid"
|
||||
#done
|
||||
|
||||
echo "Rename and source the files in the output directory..."
|
||||
for file in "$output_directory/${IMAGE_ID}-${IMAGE_VARIANT}_$version_string".*; do
|
||||
if [[ -f $file ]]; then
|
||||
# Extract the file extension
|
||||
extension="${file##*.}"
|
||||
|
||||
# Check if the file is one of the raw partitions that needs renaming
|
||||
if [[ $extension == "raw" && $file =~ $version_string\.([^.]+)\.raw$ ]]; then
|
||||
partition_type="${BASH_REMATCH[1]}"
|
||||
|
||||
# Check if the partition type is in the array
|
||||
if [[ -n "${partition_uuids[$partition_type]}" ]]; then
|
||||
new_filename="${IMAGE_ID}-${IMAGE_VARIANT}_${version_string}_${partition_uuids[$partition_type]}.$partition_type.raw"
|
||||
mv "$file" "$output_directory/$new_filename"
|
||||
echo "Renamed: $file -> $new_filename"
|
||||
else
|
||||
echo "Error: Partition type $partition_type not found in partition_uuids array."
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
# Create a new directory for the release
|
||||
release_directory="$output_directory/release-v$version_string"
|
||||
mkdir -p "$release_directory"
|
||||
|
||||
# Move all files of the release to the new directory
|
||||
mv "$output_directory/${IMAGE_ID}-${IMAGE_VARIANT}_$version_string"* "$release_directory/"
|
||||
|
||||
cd "$release_directory/"
|
||||
|
||||
echo "Compress files via xz..."
|
||||
for file in "${IMAGE_ID}-${IMAGE_VARIANT}_$version_string".raw \
|
||||
"${IMAGE_ID}-${IMAGE_VARIANT}_$version_string"_{*.usr.raw,*.usr-verity.raw,*.usr-verity-sig.raw} \
|
||||
"${IMAGE_ID}-${IMAGE_VARIANT}_$version_string".efi; do
|
||||
if [[ -f "$file" ]]; then
|
||||
xz --verbose --threads=0 "$file"
|
||||
echo "Compressed: $file -> $file.xz"
|
||||
fi
|
||||
done
|
||||
|
||||
# Delete unneeded files ending in <VERSION>.initrd and <VERSION>.vmlinuz
|
||||
rm -f "${IMAGE_ID}-server_$version_string".{initrd,vmlinuz}
|
||||
|
||||
echo "Calculate SHA256 checksums for all files in the release directory..."
|
||||
sha256sum * > "SHA256SUMS"
|
||||
|
||||
echo "Sign the SHA256SUMS file with a detached signature..."
|
||||
gpg --default-key "$GPG_SIGNING_KEY" --output "SHA256SUMS.gpg" --detach-sign "SHA256SUMS"
|
||||
|
||||
echo "Release for image version $version_string is ready in $release_directory!"
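Review bot: `if [[ -n "${partition_uuids[$partition_type]}" ]]` runs under `set -eu`, and reading a never-assigned key of an associative array trips `-u` in bash, so a `.raw` file whose captured partition type is not in `partition_types` aborts with an unbound-variable error and the `else` message can never be reached as written; use `[[ -v partition_uuids[$partition_type] && -n "${partition_uuids[$partition_type]}" ]]` (or `${partition_uuids[$partition_type]-}`). The clean-up `rm -f "${IMAGE_ID}-server_$version_string".{initrd,vmlinuz}` hard-codes `server` where every other line uses `${IMAGE_VARIANT}`. The rename and move steps match on the bare prefix `${IMAGE_ID}-${IMAGE_VARIANT}_$version_string*`, so a `0.0.2` release also sweeps up files of a `0.0.20` build left in the same directory; anchoring on `_$version_string.` or `_$version_string_` avoids that. Finally, because the script insists on root for systemd-dissect, `gpg --detach-sign` runs against root's keyring with the release key — consider splitting the signing step out to run unprivileged — and on a re-run `sha256sum *` would include the previous `SHA256SUMS` and `SHA256SUMS.gpg` in the new checksum list.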
|