Reorganize how wheels are stored, stop special-casing bootstrap #382
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Per <git-lfs/git-lfs#325>, `git lfs pull` does exactly what we want. Tested by running the following in a bullseye container: > $ git clone https://github.com/freedomofpress/securedrop-debian-packaging > $ file bootstrap/build-0.3.0-py2.py3-none-any.whl > bootstrap/build-0.3.0-py2.py3-none-any.whl: ASCII text > # apt install git-lfs -y > $ git lfs install > Updated git hooks. > Git LFS initialized. > $ git lfs pull > $ file bootstrap/build-0.3.0-py2.py3-none-any.whl > bootstrap/build-0.3.0-py2.py3-none-any.whl: Zip archive data, at least > v2.0 to extract
legoktm
force-pushed
the
reorg
branch
2 times, most recently
from
b57f343 to
cab9ddf
Compare
gonzalo-bulnes
suggested changes
Sep 27, 2022
README.md
Outdated
| of the SecureDrop release key to build the wheel and sign the updated sha256sums file | ||
| with the release key. If you're not sure who to ask, ping @redshiftzero for a pointer. | ||
| The next step is to build the wheels. To do this step, you will need a maintainer | ||
| to build the wheels and sign the updated sha256sums file with the release key. |
There was a problem hiding this comment.
🔴 Isn't it with "the release key" "their personal key"? (Or "their registered key"?)
There was a problem hiding this comment.
Done, switched to "individual key" (to avoid "personal" being conflated to "non-work")
| set -u | ||
| set -o pipefail | ||
| set -o nounset | ||
| set -euo pipefail |
There was a problem hiding this comment.
🔴 scripts/sync-sha256sums uses set -euxo pipefail. Is there a reason for this one to be different?
There was a problem hiding this comment.
The x is for verbose output that prints all the commands as they're executed. I felt it would be a bit too verbose for this script (which I think is probably already too verbose since it prints all the gpg output...) but if you disagree happy to add it in.
There was a problem hiding this comment.
Makes sense, if it's intentional I trust your judgment 👍
| @@ -36,7 +26,7 @@ function verify_sha256sum_signature() { | |||
| # Ensure temporary keyring is cleaned up afterward. | |||
| trap 'rm -f "${temp_keyring}"' EXIT | |||
|
|
|||
| # Import SecureDrop release key for verification. | |||
| # Import public keys for verification. | |||
There was a problem hiding this comment.
Since we're now using personal keys and no longer the SecureDrop release key: I think it could be helpful to add a hint or message in case the signature verification fails, to remind someone new to the process that they must "register" their personal key (by adding it to the pubkeys directory) if they want their signature to be valid.
There was a problem hiding this comment.
To keep it simple, I added a line like Checking that SHA256SUMs signed by a key in pubkeys/... at the beginning of the script, what do you think? Given that it also prints all the keys, I hope that should be sufficient?
$ ./scripts/verify-sha256sum-signature ./workstation-bootstrap
Checking that SHA256SUMs signed by a key in pubkeys/...
gpg: key 9232DAD3105B8D58: public key "Allie Crevier <[email protected]>" imported
gpg: key F08893B959CAB065: public key "Conor Schaefer <[email protected]>" imported
gpg: key 07AD35D378D10BA0: public key "Cory Francis Myers <[email protected]>" imported
gpg: key 99D3D09825B8D1DB: public key "Gonzalo Bulnes Guilpain <[email protected]>" imported
gpg: key ACFE4353173015EA: public key "Kevin O'Gorman <[email protected]>" imported
gpg: key 52FC8E7BEDB7FCA2: public key "Kunal Mehta <[email protected]>" imported
gpg: key D8219C8C43F6C5E1: public key "Kushal Das <[email protected]>" imported
gpg: key FB1BED6507701B45: public key "Michael Z <[email protected]>" imported
gpg: key 188EDD3B7B22E6A3: public key "SecureDrop Release Signing Key <[email protected]>" imported
gpg: key FC72AA838C444B47: public key "Rowen S <[email protected]>" imported
gpg: Total number processed: 10
gpg: imported: 10
gpg: Signature made Wed Aug 31 03:27:41 2022 EDT
gpg: using RSA key D8CB59F05DBB9E0538C4819DF105F8101B05269B
gpg: Good signature from "Kunal Mehta <[email protected]>" [unknown]
gpg: aka "Kunal Mehta <[email protected]>" [unknown]
gpg: aka "Kunal Mehta <[email protected]>" [unknown]
gpg: aka "Kunal Mehta <[email protected]>" [unknown]
gpg: aka "Kunal Mehta <[email protected]>" [unknown]
gpg: aka "Kunal Mehta <[email protected]>" [unknown]
gpg: aka "Kunal Mehta <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FA1E 9F9A 41E7 F435 02CA 5D63 52FC 8E7B EDB7 FCA2
Subkey fingerprint: D8CB 59F0 5DBB 9E05 38C4 819D F105 F810 1B05 269B
Checking that SHA256SUMs from mirror match signed file... OK
There was a problem hiding this comment.
This is a good idea I think. If we observe anyone being confused in the future, we can always reconsider moving more explicit guidance closer to the error message. 👍
* Recommend people use `make install-deps` to configure the venv, it'll always do the right thing. * sha256sums are signed by individual keys, not the release key. * No need to run sdist after uploading wheels.
Each project, whether it's securedrop-client or the workstation-bootstrap, will now store wheels and associated metadata in the exact same way. Moving files around will happen in follow-up commits. securedrop-client/ debian/ sha256sums.txt sha256sums.txt.asc wheels/ The workstation-bootstrap is similar, except it also contains its requirements files. workstation-bootstrap/ build-requirements.txt requirements.in requirements.txt sha256sums.txt sha256sums.txt.asc wheels/ The main goal of this refactor is to make room for the new securedrop-app-code bootstrap and wheels. The main scripts now take a `--project` parameter, which is the path in this repository, and `--pkg-dir`, which is the path to the Git checkout of it (previously a PKG_DIR environment variable). In nearly all cases backwards-compat code has been added so it should do the right thing based on old documentation. Makefile: * Updates for how scripts are now invoked. * Drop misleading "clean" target, people can use git-clean(1) directly. scripts/build-debianpackage: * Validate $PKG_NAME before we use it. * Set $WHEELS_DIR to that package's wheel directory. * Only verify sha256sums.txt if it exists (securedrop-export and metapackages have no Python dependencies). scripts/build-sync-wheels: * Switch to --pkg-dir/--project args, with backwards-compat. * Allow specifying where requirements.txt lives. * Drop "cache" terminology since this is persistent storage. * Remove dead commented-out code. scripts/install-deps: * Debian 11 is our baseline now, fix typo. * Look for and install wheels from workstation-bootstrap now. scripts/sync-sha256sums: * Require a directory instead of looking for a BOOTSTRAP variable. scripts/update-requirements: * Switch to --pkg-dir/--project args, with backwards-compat. * Allow specifying where requirements.txt lives. * Use pathlib internally scripts/verify-sha256sum-signature: * Require a directory instead of looking for a BOOTSTRAP variable. Refs <freedomofpress/securedrop#5901>.
All wheels and tarballs are identical (they're reproducible!), just moved around. Also verified that `make requirements` matches what is already committed in each of the three component repositories.
Notably remove test_wheel_builds_are_reproducible, which is always skipped.
5 tasks
gonzalo-bulnes
approved these changes
Sep 30, 2022
This was referenced Oct 4, 2022
10 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
The main goal of this refactor is to make room for the new
securedrop-app-code bootstrap and wheels. The main scripts now take a
--projectparameter, which is the path in this repository, and--pkg-dir, which is the path to the Git checkout of it (previously aPKG_DIR environment variable). In nearly all cases backwards-compat code
has been added so it should do the right thing based on old
documentation.
Each commit message has a detailed rationale and explanation of the changes made.
Considered but deferred
I briefly considered merging all the assorted
./scripts/into one thing that just DTRT when you invoke it instead of having like 5 things you need to call in a specific order with mostly the same parameters but not exactly, but figured that would be a step too far for what this reorganization needs and deferred it for...later.Checklist
bullseyebuilds and jobs are passingbookwormtest failuresbookwormtest failures, an issue has been filed for them