
Build Security: airgapped caching and golden hash generation #790

Open
wants to merge 15 commits into base: develop
Conversation

@artoonie (Collaborator) commented Jan 24, 2024

Closes #756: airgapped cache
Closes #759: hash of trusted build

This pull request does four things:

  1. It caches all dependencies and zips them up, one cache zip per OS, so that RCTab can be built on airgapped machines with minimal other dependencies. (You still need Java and Gradle.)
  2. It creates a "golden hash" for the jlinkZip. This is a reproducible value per OS, meaning it contains no timestamps in the zip.
  3. The cache zip's version of a "golden hash" is in a file checksums.csv, which lists a checksum per dependency. That file has an MD5, a SHA-1, and a SHA-256, because we want to correspond our values to those on maven.org, and we don't know what sort of checksum is uploaded to maven.org (it varies by dependency).
  4. Use .gitattributes to enforce LF line endings for cross-platform, cross-machine consistency

After code review, I will:

  1. Increase the .zip retention to 90 days (it's set to 1 during testing)
  2. Revert the change in .github/workflows/release.yml that creates a package on every push to this branch
  3. Update the wiki to reflect the changes in generating the golden hash
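The two verification ideas in that description, a golden hash of a zip that ignores entry timestamps and a checksums.csv that carries an MD5, SHA-1 and SHA-256 per cached dependency, as an added Python example that is not part of this PR or of the RCTab build scripts. The csv column layout (path,md5,sha1,sha256), the build_zip helper and the sample cache are assumptions made for the example.

```python
import csv, hashlib, hmac, io, zipfile

HASHES = ("md5", "sha1", "sha256")  # the three digest columns a checksums.csv row carries


def build_zip(entries, date_time):
    """Constructed helper: write (name, bytes) entries with one fixed per-entry timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


def golden_hash(zip_bytes, algo="sha256"):
    """Digest over sorted entry names and contents only, so zip timestamps cannot change it."""
    h = hashlib.new(algo)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(zf.namelist()):
            data = zf.read(name)
            h.update(len(name).to_bytes(4, "big") + name.encode("utf-8"))  # length-prefixed
            h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def dependency_checksums(data):
    """MD5, SHA-1 and SHA-256 of one cached dependency, whichever maven.org publishes."""
    return {a: hashlib.new(a, data).hexdigest() for a in HASHES}


def verify_cache(files, checksums_csv):
    """Assumed layout path,md5,sha1,sha256; returns paths missing from the cache or mismatching."""
    bad = []
    for row in csv.DictReader(io.StringIO(checksums_csv)):
        data = files.get(row["path"])
        if data is None:
            bad.append(row["path"])
            continue
        actual = dependency_checksums(data)
        if not all(hmac.compare_digest(actual[a], row[a].strip().lower()) for a in HASHES):
            bad.append(row["path"])
    return bad


# Constructed sample cache and checksums.csv; the "abc" digests are the standard test vectors.
SAMPLE_CACHE = {"libs/dep.jar": b"abc"}
SAMPLE_CSV = (
    "path,md5,sha1,sha256\n"
    "libs/dep.jar,900150983cd24fb0d6963f7d28e17f72,"
    "a9993e364706816aba3e25717850c26c9cd0d89d,"
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n"
)
```

Two zips with the same entries but different timestamps or entry order hash to the same golden value, while any change to an entry's bytes changes it.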

@artoonie artoonie added the WIP label Jan 24, 2024
@artoonie artoonie force-pushed the feature/issue-756_airgap branch 19 times, most recently from d4f9d16 to 06851f5 on January 24, 2024 22:53
@artoonie artoonie force-pushed the feature/issue-756_airgap branch 4 times, most recently from c91ef1c to 76821a6 on January 26, 2024 20:51
The plugin cache is necessary and sufficient.
The dependency cache could not include plugins, so it was insufficient.
@yezr (Collaborator) commented Feb 22, 2024

#759 has the hash.bat contents that previously anyone could use to verify the golden hash of their local copy. Has that local verification process changed? If so, can you detail that in #759?

@artoonie artoonie force-pushed the feature/issue-756_airgap branch 5 times, most recently from 1c88b12 to de9deb0 on February 22, 2024 23:03
@artoonie artoonie force-pushed the feature/issue-756_airgap branch 8 times, most recently from ea39b8b to 36733a8 on February 23, 2024 22:33
@artoonie (Collaborator, Author) commented Mar 6, 2024

Yes, the hash.bat process has changed. After this, it will be sufficient to run `./sha-of-zip.sh <zipFilepath> <OS: Windows, MacOS, or Linux> <sha version: 1, 256, or 512>` or `./sha-of-zip.bat <ZIP_FILEPATH> <sha version: 1, 256, or 512>` to get the golden hash. I can update the wiki to reflect that when this is merged.

@tarheel (Contributor) left a comment

I'll let @HEdingfield tackle this one!

9. Run `gradle run --offline` to launch RCTab
10. Run `gradle jpackage --offline` to generate a jpackage package

Note: this is not currently available on Silicon-chip Apple Devices. Only Intel Mac is supported.
Contributor

What a time to be alive.

@yezr (Collaborator) commented Mar 15, 2024

I've edited the wiki with steps on golden hash generation. Can those please also get a review?

@artoonie (Collaborator, Author) commented

Reviewed! Looks good. I made a couple of cosmetic updates and added some details clarifying where instructions were Windows-only.

@yezr yezr requested a review from HEdingfield March 29, 2024 15:39
3 participants