save checkpoint. addition features and their state. check some ofthem
This commit is contained in:
master
@@ -2,12 +2,34 @@
|
||||
set -euo pipefail
|
||||
|
||||
# DEVOPS-ATTEST-74-002: package attestation outputs into an offline bundle with checksums.
|
||||
# Determinism profile:
|
||||
# - fixed locale/timezone
|
||||
# - deterministic archive metadata/order
|
||||
# - digest pin checks for optional toolchain inputs
|
||||
|
||||
if [[ $# -lt 1 ]]; then
|
||||
echo "Usage: $0 <attest-dir> [bundle-out]" >&2
|
||||
exit 64
|
||||
fi
|
||||
|
||||
export LC_ALL=C
|
||||
export TZ=UTC
|
||||
|
||||
SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-0}
|
||||
if ! [[ "$SOURCE_DATE_EPOCH" =~ ^[0-9]+$ ]]; then
|
||||
echo "[attest-bundle] SOURCE_DATE_EPOCH must be an integer epoch value" >&2
|
||||
exit 64
|
||||
fi
|
||||
|
||||
# Enforce digest pinning when toolchain/build images are provided.
|
||||
for image_var in BUILDER_IMG TOOLCHAIN_IMAGE; do
|
||||
image_value=${!image_var:-}
|
||||
if [[ -n "$image_value" && "$image_value" != *@sha256:* ]]; then
|
||||
echo "[attest-bundle] ${image_var} must be digest-pinned (@sha256:...): ${image_value}" >&2
|
||||
exit 65
|
||||
fi
|
||||
done
|
||||
|
||||
ATTEST_DIR=$1
|
||||
BUNDLE_OUT=${2:-"out/attest-bundles"}
|
||||
|
||||
@@ -18,9 +40,9 @@ fi
|
||||
|
||||
mkdir -p "$BUNDLE_OUT"
|
||||
|
||||
TS=$(date -u +"%Y%m%dT%H%M%SZ")
|
||||
BUNDLE_NAME="attestation-bundle-${TS}"
|
||||
BUNDLE_NAME=${BUNDLE_NAME:-"attestation-bundle-${SOURCE_DATE_EPOCH}"}
|
||||
WORK_DIR="${BUNDLE_OUT}/${BUNDLE_NAME}"
|
||||
rm -rf "$WORK_DIR"
|
||||
mkdir -p "$WORK_DIR"
|
||||
|
||||
copy_if_exists() {
|
||||
@@ -44,20 +66,37 @@ copy_if_exists "*.crt"
|
||||
copy_if_exists "*.pem"
|
||||
copy_if_exists "*.json"
|
||||
|
||||
mapfile -t MANIFEST_FILES < <(find "$WORK_DIR" -maxdepth 1 -type f -printf "%f\n" | sort)
|
||||
FILES_JSON=$(printf '%s\n' "${MANIFEST_FILES[@]}" | jq -R . | jq -s .)
|
||||
|
||||
# Manifest
|
||||
cat > "${WORK_DIR}/manifest.json" <<EOF
|
||||
{
|
||||
"created_at": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
|
||||
"source_dir": "${ATTEST_DIR}",
|
||||
"files": $(ls -1 "${WORK_DIR}" | jq -R . | jq -s .)
|
||||
"created_at": "$(date -u -d "@${SOURCE_DATE_EPOCH}" +"%Y-%m-%dT%H:%M:%SZ")",
|
||||
"source_dir": "$(basename "${ATTEST_DIR}")",
|
||||
"source_date_epoch": ${SOURCE_DATE_EPOCH},
|
||||
"files": ${FILES_JSON}
|
||||
}
|
||||
EOF
|
||||
|
||||
find "$WORK_DIR" -type d -exec chmod 0755 {} +
|
||||
find "$WORK_DIR" -type f -exec chmod 0644 {} +
|
||||
|
||||
# Checksums
|
||||
(
|
||||
cd "$WORK_DIR"
|
||||
sha256sum * > SHA256SUMS
|
||||
find . -maxdepth 1 -type f -printf "%f\n" | sort | xargs -r sha256sum > SHA256SUMS
|
||||
)
|
||||
|
||||
tar -C "$BUNDLE_OUT" -czf "${WORK_DIR}.tgz" "${BUNDLE_NAME}"
|
||||
GZIP=-n tar \
|
||||
--sort=name \
|
||||
--mtime="@${SOURCE_DATE_EPOCH}" \
|
||||
--owner=0 \
|
||||
--group=0 \
|
||||
--numeric-owner \
|
||||
--pax-option=delete=atime,delete=ctime \
|
||||
-C "$BUNDLE_OUT" \
|
||||
-czf "${WORK_DIR}.tgz" \
|
||||
"${BUNDLE_NAME}"
|
||||
|
||||
echo "[attest-bundle] bundle created at ${WORK_DIR}.tgz"
|
||||
|
||||
Reference in New Issue
Block a user