save checkpoint. addition features and their state. check some ofthem

2026-02-10 07:54:44 +02:00
parent 4bdc298ec1
commit 5593212b41
211 changed files with 10248 additions and 1208 deletions
--- a/devops/tools/build-attestation-bundle.sh
+++ b/devops/tools/build-attestation-bundle.sh
@@ -2,12 +2,34 @@
 set -euo pipefail

 # DEVOPS-ATTEST-74-002: package attestation outputs into an offline bundle with checksums.
+# Determinism profile:
+# - fixed locale/timezone
+# - deterministic archive metadata/order
+# - digest pin checks for optional toolchain inputs

 if [[ $# -lt 1 ]]; then
  echo "Usage: $0 <attest-dir> [bundle-out]" >&2
  exit 64
 fi

+export LC_ALL=C
+export TZ=UTC
+
+SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-0}
+if ! [[ "$SOURCE_DATE_EPOCH" =~ ^[0-9]+$ ]]; then
+  echo "[attest-bundle] SOURCE_DATE_EPOCH must be an integer epoch value" >&2
+  exit 64
+fi
+
+# Enforce digest pinning when toolchain/build images are provided.
+for image_var in BUILDER_IMG TOOLCHAIN_IMAGE; do
+  image_value=${!image_var:-}
+  if [[ -n "$image_value" && "$image_value" != *@sha256:* ]]; then
+    echo "[attest-bundle] ${image_var} must be digest-pinned (@sha256:...): ${image_value}" >&2
+    exit 65
+  fi
+done
+
 ATTEST_DIR=$1
 BUNDLE_OUT=${2:-"out/attest-bundles"}

@@ -18,9 +40,9 @@ fi

 mkdir -p "$BUNDLE_OUT"

-TS=$(date -u +"%Y%m%dT%H%M%SZ")
-BUNDLE_NAME="attestation-bundle-${TS}"
+BUNDLE_NAME=${BUNDLE_NAME:-"attestation-bundle-${SOURCE_DATE_EPOCH}"}
 WORK_DIR="${BUNDLE_OUT}/${BUNDLE_NAME}"
+rm -rf "$WORK_DIR"
 mkdir -p "$WORK_DIR"

 copy_if_exists() {
@@ -44,20 +66,37 @@ copy_if_exists "*.crt"
 copy_if_exists "*.pem"
 copy_if_exists "*.json"

+mapfile -t MANIFEST_FILES < <(find "$WORK_DIR" -maxdepth 1 -type f -printf "%f\n" | sort)
+FILES_JSON=$(printf '%s\n' "${MANIFEST_FILES[@]}" | jq -R . | jq -s .)
+
 # Manifest
 cat > "${WORK_DIR}/manifest.json" <<EOF
 {
-  "created_at": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
-  "source_dir": "${ATTEST_DIR}",
-  "files": $(ls -1 "${WORK_DIR}" | jq -R . | jq -s .)
+  "created_at": "$(date -u -d "@${SOURCE_DATE_EPOCH}" +"%Y-%m-%dT%H:%M:%SZ")",
+  "source_dir": "$(basename "${ATTEST_DIR}")",
+  "source_date_epoch": ${SOURCE_DATE_EPOCH},
+  "files": ${FILES_JSON}
 }
 EOF

+find "$WORK_DIR" -type d -exec chmod 0755 {} +
+find "$WORK_DIR" -type f -exec chmod 0644 {} +
+
 # Checksums
 (
  cd "$WORK_DIR"
-  sha256sum * > SHA256SUMS
+  find . -maxdepth 1 -type f -printf "%f\n" | sort | xargs -r sha256sum > SHA256SUMS
 )

-tar -C "$BUNDLE_OUT" -czf "${WORK_DIR}.tgz" "${BUNDLE_NAME}"
+GZIP=-n tar \
+  --sort=name \
+  --mtime="@${SOURCE_DATE_EPOCH}" \
+  --owner=0 \
+  --group=0 \
+  --numeric-owner \
+  --pax-option=delete=atime,delete=ctime \
+  -C "$BUNDLE_OUT" \
+  -czf "${WORK_DIR}.tgz" \
+  "${BUNDLE_NAME}"
+
 echo "[attest-bundle] bundle created at ${WORK_DIR}.tgz"
--- a/devops/tools/verify-repro-bundle-policy.sh
+++ b/devops/tools/verify-repro-bundle-policy.sh
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Verifies repro-bundle fail-closed policy controls:
+# - build-attestation-bundle.sh enforces digest-pinned images
+# - deterministic env defaults are present
+# - release Dockerfiles fail without @sha256 pinning
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+
+BUNDLE_SCRIPT="${REPO_ROOT}/devops/tools/build-attestation-bundle.sh"
+DOTNET_DOCKERFILE="${REPO_ROOT}/devops/release/docker/Dockerfile.dotnet-service"
+ANGULAR_DOCKERFILE="${REPO_ROOT}/devops/release/docker/Dockerfile.angular-ui"
+
+fail() {
+  echo "[repro-policy] $*" >&2
+  exit 1
+}
+
+require_line() {
+  local file=$1
+  local pattern=$2
+  if ! grep -Fq "$pattern" "$file"; then
+    fail "Missing required pattern in ${file}: ${pattern}"
+  fi
+}
+
+[[ -f "${BUNDLE_SCRIPT}" ]] || fail "Missing script: ${BUNDLE_SCRIPT}"
+[[ -f "${DOTNET_DOCKERFILE}" ]] || fail "Missing Dockerfile: ${DOTNET_DOCKERFILE}"
+[[ -f "${ANGULAR_DOCKERFILE}" ]] || fail "Missing Dockerfile: ${ANGULAR_DOCKERFILE}"
+
+bash -n "${BUNDLE_SCRIPT}"
+
+require_line "${BUNDLE_SCRIPT}" "export LC_ALL=C"
+require_line "${BUNDLE_SCRIPT}" "export TZ=UTC"
+require_line "${BUNDLE_SCRIPT}" "SOURCE_DATE_EPOCH=\${SOURCE_DATE_EPOCH:-0}"
+require_line "${BUNDLE_SCRIPT}" "must be digest-pinned (@sha256:...)"
+
+require_line "${DOTNET_DOCKERFILE}" 'RUN case "${SDK_IMAGE}" in *@sha256:*)'
+require_line "${DOTNET_DOCKERFILE}" 'RUN case "${RUNTIME_IMAGE}" in *@sha256:*)'
+require_line "${ANGULAR_DOCKERFILE}" 'RUN case "${NODE_IMAGE}" in *@sha256:*)'
+require_line "${ANGULAR_DOCKERFILE}" 'RUN case "${NGINX_IMAGE}" in *@sha256:*)'
+
+tmp_dir="$(mktemp -d)"
+trap 'rm -rf "${tmp_dir}"' EXIT
+
+attest_dir="${tmp_dir}/attest"
+bundle_out="${tmp_dir}/out"
+mkdir -p "${attest_dir}"
+printf '{"fixture":"ok"}\n' > "${attest_dir}/fixture.json"
+
+# Positive path (pinned image)
+BUILDER_IMG='registry.example.org/build/my-builder@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' \
+SOURCE_DATE_EPOCH=0 \
+bash "${BUNDLE_SCRIPT}" "${attest_dir}" "${bundle_out}" > /dev/null
+
+[[ -f "${bundle_out}/attestation-bundle-0.tgz" ]] || fail "Expected deterministic bundle archive was not created"
+
+# Negative path (unpinned image must fail closed with exit 65)
+set +e
+BUILDER_IMG='registry.example.org/build/my-builder:latest' \
+SOURCE_DATE_EPOCH=0 \
+bash "${BUNDLE_SCRIPT}" "${attest_dir}" "${bundle_out}" > "${tmp_dir}/negative.out" 2> "${tmp_dir}/negative.err"
+status=$?
+set -e
+
+if [[ ${status} -ne 65 ]]; then
+  fail "Expected unpinned image run to fail with exit 65, got ${status}"
+fi
+
+if ! grep -Fq "must be digest-pinned" "${tmp_dir}/negative.err"; then
+  fail "Expected digest pinning failure message was not emitted"
+fi
+
+echo "[repro-policy] PASS"