Code signing is failing on Darwin builds, and the most likely candidate is a locked keychain at build time.
This patch adds an explicit keychain unlock immediately prior to signing in order make sure the signing keys are available.
This commit adds the Teleport operator. The operator reconciles
TeleportUsers and TeleportRoles Kubernetes resources with Users and
Roles Teleport resources.
Switch from `make release-amd64` to make release-windows in Drone builds, making
release builds similar to "regular" builds (that already use
`make release-windows-unsigned`).
Fixes current woes caused by FIDO2=yes in Windows release builds. (Note that
ARCH is implied by the build.)
* Use `make release-windows` on Drone, make it similar to `make release`
* Update .drone.yaml
`$WORKSPACE_DIR/go/.version.txt` is available only in tag pipelines, so
we can't read it in pipelines that run on pushes to master.
Instead, let's always use `make print-version`. It'll return the correct
value no matter what pipeline is used.
This commit updates drone to build Teleport Connect by:
* cloning `gravitational/webapps` as a sibling directory to
gravitational/teleport
* checkout out the right version of webapps by running a simple
Go program (this step is only necessary until we move webapps
into the teleport repo)
* Running the Teleport Connect build and copying artifacts
Code signing should run on tag builds automatically as part the
electron build, assuming the Apple Account credentials are
properly loaded into the keychain.
Notarization will also happen automatically if both
`$APPLE_USERNAME` and `$APPLE_PASSWORD` are set.
In order to make the above happen, this patch also includes:
* Installing and removing a per-build Node instance in the
toolchain directory on Darwin
* Moving the toolchain temporary directory out of ~/ and into /tmp.
Drone usually sets `$HOME` to a temporary directory for each build,
but unfortunately we need it to point to the actual build user's
home directory in order for the notarisation tooling to find the
right keychain. Having $HOME point to a long-lived directory risks
both pollution from build detritus and builds stomping on one another.
In an in an attempt to isolate the builds from each other and protect
`~build` as best we can, as much of the build state as possible
(including ephemeral toolchains) has been moved under `/tmp`.
Co-authored-by: Trent Clarke <trent@goteleport.com>
Add a script to build libfido2 (and its dependencies) on macOS and enable FIDO2
static builds.
I decided to build all dependencies instead of pulling from Homebrew for a few
reasons:
1. There is no libcbor.a in a brew package
2. This captures library versions within the Teleport source code, allowing us
to build binaries against different versions of libfido2 (and its
dependencies).
I've also bumped libfido2 to 1.11.0. I've been running it locally and we are
still pre-release, so it seems like a good time to do it.
(See https://developers.yubico.com/libfido2/Release_Notes.html.)
#9160
* Build libfido2 and dependencies for macOS
* Build tsh with static fido2 on Drone
* Bump libfido2 versions in all builds
* Attempt to appease linters
* Use temp dirs inside LIB_CACHE
* Move LIB_CACHE outside of HOME
HOME is reassigned in macOS builders, but we want a "stable" cache
directory. /tmp is used by build-package.sh and build-pkg-tsh.sh.
* Rename script to build-fido2-macos.sh
* Regenerate Drone files
Add the TOUCHID=yes Makefile toggle and enable it on Drone.
Complements #12751.
#9160
* Enable touchid builds on Drone
* Update Drone URL in error message
* Run `make dronegen`
Prior to this patch the teleport buildbox version has been tagged with the Go version for the current release. This bit us during the Teleport 9 development cycle, as both Teleport 8 and 9 use the same version of Go but require different versions of Rust, and we were unable to distinguish between the 2 buildbox versions.
At the time, Teleport 8 was individually patched to create a new `teleport8` buildbox tag, decoupling the buildbox version from the Go version. This was never ported into master and now we find the teleport 9 branch sharing the same buildbox tag as master.
This patch forward-ports all the changes made to `branch/v8` and updates them for master, creating a new `teleport10` buildbox tag. The idea is that we will create a new tag for teleport11 at the same time the release branch for Teleport 10 is mad at some point in the future.
Once this is merged, Drone will create and push new buildbox images, which will become available for CI. A subsequent patch will update the CI scripts to use the new `teleport10` buildbox images.
The shell version detection is fragile and relatively error prone,
hopefully this go version will be more robust. At the very least, it
will fix an issue where signed tags were creating incorrect download
urls.
Contributes to https://github.com/gravitational/teleport/issues/9494
Teleport source code is not checked out in /drone/src, it is checked out
in /go/src/github.com/gravitational/teleport by an earlier step. As
such, we need to use that as our base.
This patch makes a couple changes:
1. deb archives are not published to apt if they're not the latest
release ever
2. both rpm and deb archives are no longer published to yum / apt if
they contain any pre-release indicator or build metadata
3. nothing is published if the commit isn't tagged.
Contributes to https://github.com/gravitational/teleport/issues/8166
Do not prompt for any reason, especially not if a repomd.xml.asc already
exists when signing repomd.xml. Attempting to prompt (instead of
overwriting) results in publish failures like the following:
+ gpg --detach-sign --armor /rpmrepo/teleport/repodata/repomd.xml
gpg: cannot open '/dev/tty': No such device or address
Contributes to https://github.com/gravitational/teleport/issues/9726.
This helps support zypper on Suse, and improves our general RPM
distribution security posture. The threat model is someone compromises
AWS, but not our signing keys. In this case, they could update repo
metatdata to point to an unsigned package. With metadata signed, this
is no longer possible -- both the index and the package are verified.
For more info on this change, see this very helpful blog post:
https://blog.packagecloud.io/eng/2014/11/24/howto-gpg-sign-verify-rpm-packages-yum-repositories/
* Release service PoC
* Use release service credentials
* Remove credentials from FS on exit
* Fix trap invocation
* Add darwin compatibility
* Actually fail on unexpected status
* Re-add CREDENTIALS (forgotten)
* Try to skip irrelevant files
* Run "upload to S3" before "register artifacts"
Do not break existing flow in case the new step fails
* Switch to a new (staging) certificate for releases
Add new buildboxes for centos7 and centos7-fips.
For now, we will continue to support both CentOS 6 and 7.
Eventually we will drop support for CentOS 6, and the only
supported CentOS builds will be these new CentOS 7 builds.
Fixes#9028
Download Rust and Go per-build to ensure that the right version is used
and that builds do not step on each other.
Also rungs cbindgen in quiet mode to suppress the annoying output it
spews for non-public symbols.