New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initial support for Debian Bullseye templates #24
Conversation
So far, so good...
Error:
So, I switched over from my fedora-34 qube in 4.1 to my fedora-33 qube in 4.0, and tried again:
鉁旓笍 It worked! Tomorrow I can move on to the next step:
|
1b19cd2
to
4768762
Compare
I tested this before creating a signed tag and it worked:
As described in the test plan, I removed the temporary commits. As described in the commit message, I removed the temporary code changes added here: So this pr should be cleaned up at this point. I think we can tag the last commit, prod-sign it, and rebuild with signing verification turned on so that I can finish up the test plan:
If there is an issue during this part of the test plan, we can delete the tag, fix, and retry. @eloquence- since @conorsch is away, does this plan make sense to you? |
That sounds right, though I'll highlight Conor's comment from the PR:
Since this isn't actually a shipped artifact but just a tag used to verify the build, as I understand it, we could sign the prod tag with any maintainer key. |
I didn't see support for this yet, so I figured we could add that feature later rather than block on it. I might be mistaken though! I can try signing with my own key to test and delete the tag if it fails verification. |
Based on the README
I would guess that you would need to do the same with your developer public key. 馃 |
@eloquence- thanks for the pointers. I tried simply adding my fingerprint to this logic but still saw the following error:
Just as a sanity check, I signed the tag with the release signing key, see:
And ran into the same issue. Here's my output:
At this point, I'm realizing that I need to better understand the upstream tooling for building Qubes templates. This is something I can come back to tomorrow, and maybe get some help from @eaon on. I'll also reach out to the Qubes team in case they can offer help. |
Since the Time to test this hypothesis! (Update: that did the trick) |
4768762
to
a52fc18
Compare
As usual, the upstream qubes-builder repo has changed somewhat. We adjust our scripts to match accordingly. Mostly this was simplifying the keyring logic. Added some umount commands, as well, so that multiple repeated builds in the same environment worked cleanly. Touched up the docs somewhat, as well. Signed-off-by: Allie Crevier <allie@freedom.press>
Signed-off-by: Allie Crevier <allie@freedom.press>
a52fc18
to
6250a54
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Successfully build Bullseye template on Qubes 4.0 with signature validation turned on for the 0.3.0 tag
- Successfully build Bullseye template on Qubes 4.1 with signature validation turned on for the 0.3.0 tag
At this point, this is good to merge, but waiting in case @zenmonkeykstop updates the release key again with a different expiration date (sounds like this is still under discussion).
Next up is to build securedrop-keyring
with the new release key (see freedomofpress/securedrop-builder#319).
Overview
Towards freedomofpress/securedrop-workstation#733
The work here constitutes a spike for Bullseye (and 4.1) compatibility. As usual, there were some minor touchups required to the build script, to ensure compatibility with the upstream
qubes-builder
logic (https://github.com/QubesOS/qubes-builder). It's important to note this is just a "spike" because full support will require additional changes, noted below.Not implemented
Test plan
Confirm that you can build a Bullseye-based template RPM using the steps below. Since there are several changes in other repos, you'll need to build a few packages elsewhere, first.
make securedrop-workstation 5.15
, and go grab a coffee. When the build finishes, store the tarball for safe keeping. Copy thelinux-image
andlinux-headers
packages to yoursd-template-builder
VM.PKG_VERSION=5.15.<YOUR_VERSION> PKG_PLATFORM=bullseye make securedrop-workstation-grsec
. Copy that metapackage to thesd-template-builder
VM.sd-template-builder
.securedrop-workstation/04_install_qubes_post.sh
to match what you have locally.make template
, grab another coffee.After the build completes, you'll have a fresh RPM named something like:
qubes-template-securedrop-workstation-bullseye-4.0.6-202204132331.noarch.rpm
.qvm-run -p sd-kernel-builder path/to/qubes-template-securedrop-workstation-bullseye-4.0.6-202204132331.noarch.rpm
> qubes-template-securedrop-workstation-bullseye-4.0.6-202204132331.noarch.rpmsudo dnf install ./qubes-template-securedrop-workstation-bullseye-4.0.6-202204132331.noarch.rpm
qvm-prefs securedrop-template-bullseye virt_mode hvm && qvm-prefs securedrop-template-bullseye kernel ''
.uname -a
that it's using the expected custom kernel version. Runapt-get update and
apt-get upgrade`.Next steps
There aren't any SDW deb packages ready for Bullseye yet, so the virtualenvs for packages like
securedrop-client
won't work, even if you install them. More work required on that front.For the Template VM, once we're happy with the logic, we'll need to remove the temporary commits that disable signing verification on this PR, and push a new prod-signed tag. (N.B. great opportunity to use a keyring of SD maintainers, rather than the Release Key!) Then
make template
will work after verifying the integrity of all the resources it pulls in, including this repo.