diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..0aede88
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,7 @@
+root = true
+[*]
+indent_style = space
+end_of_line = lf
+charset = utf-8
+[Makefile]
+indent_style = tab
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..76f4628
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+build
+output
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..1812aaa
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,368 @@ +default: + image: "archlinux/archlinux:latest" + +stages: + - cleanup + - lint + - rootfs + - image + - test + - pre-release + - release + - publish + +cleanup: + stage: cleanup + tags: + - secure + - docker + only: + refs: + - schedules@archlinux/archlinux-docker + variables: + - $CLEANUP_PACKAGE_REGISTRY == "TRUE" + before_script: + - pacman -Syu --noconfirm jq + script: + - | + for id in $(curl --silent --fail --show-error "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages?per_page=100&order_by=created_at&sort=asc" | jq '.[] | select(.created_at | split("T")[0] | . < (now-60*60*24*60|strflocaltime("%Y-%m-%d"))) | .id'); do + curl --silent --fail --show-error --request DELETE --header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/${id}" + done + +lint: + stage: lint + image: hadolint/hadolint:latest-alpine + # DL3018: We don't need apk version pins, we use the bleeding edge + script: hadolint --ignore DL3018 Dockerfile.template + except: + - releases + - tags + +# This is an implicit gitlab stage, with the build.env variables used by either +# other stages or auxiliarry scripts. +get_version: + stage: .pre + script: + - | + # If we're building a tagged release, use the tag (without the 'v' prefix) as the + # BUILD_VERSION. Otherwise, determine a new BUILD_VERSION. 
+ if [[ -n "$CI_COMMIT_TAG" ]]; then + echo "BUILD_VERSION=${CI_COMMIT_TAG/v/}" > build.env + else + echo "BUILD_VERSION=$(date +%Y%m%d).0.$CI_JOB_ID" > build.env + fi + - export $(< build.env) + - echo "PACKAGE_REGISTRY_URL=${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/rootfs/${BUILD_VERSION}" >> build.env + artifacts: + reports: + dotenv: build.env + +.rootfs: + stage: rootfs + parallel: + matrix: + - GROUP: [base, base-devel, multilib-devel] + before_script: + - pacman -Syu --noconfirm git make fakechroot fakeroot + - pacman -Sdd --noconfirm devtools + script: + - make $PWD/output/Dockerfile.$GROUP + artifacts: + paths: + - output/* + exclude: + - output/*.tar + expire_in: 2h + +rootfs: + extends: .rootfs + except: + - master@archlinux/archlinux-docker + - releases@archlinux/archlinux-docker + - schedules@archlinux/archlinux-docker + - tags@archlinux/archlinux-docker + +rootfs:secure: + extends: .rootfs + tags: + - secure + - docker + only: + - master@archlinux/archlinux-docker + - schedules@archlinux/archlinux-docker + except: + - tags + - releases + +.image: + stage: image + parallel: + matrix: + - GROUP: [base, base-devel, multilib-devel] + tags: + - vm + id_tokens: + SIGSTORE_ID_TOKEN: + aud: sigstore + script: + - podman build + -f "$CI_PROJECT_DIR/output/Dockerfile.$GROUP" + -t "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG" + "$CI_PROJECT_DIR/output" + - podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG" + +image:build: + extends: .image + except: + - master@archlinux/archlinux-docker + - releases + - schedules@archlinux/archlinux-docker + - tags + before_script: + - pacman -Syu --noconfirm podman + - podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY" + - 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml' + +image:build:secure: + extends: .image + tags: 
+ - secure + - vm + only: + - master@archlinux/archlinux-docker + - schedules@archlinux/archlinux-docker + except: + - tags + before_script: + - pacman -Syu --noconfirm podman + - podman login -u "$GITLAB_PROJECT_USER" -p "$GITLAB_PROJECT_TOKEN" "$CI_REGISTRY" + - 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml' + +# Build and publish to the Arch Linux group namespaces: +# https://hub.docker.com/r/archlinux/archlinux +# https://quay.io/repository/archlinux/archlinux +image:publish:secure: + extends: .image + retry: 2 + tags: + - secure + - vm + only: + - tags@archlinux/archlinux-docker + before_script: + - pacman -Syu --noconfirm podman + - podman login -u "$DOCKERHUB_USERNAME" -p "$DOCKERHUB_ACCESS_TOKEN" "docker.io" + - podman login -u "$QUAY_USERNAME" -p "$QUAY_PASSWORD" "quay.io" + - podman login -u "$GHCR_USERNAME" -p "$GHCR_PASSWORD" "ghcr.io" + - 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml' + script: + - podman build + -f "$CI_PROJECT_DIR/Dockerfile.$GROUP" + -t "archlinux:$GROUP-$BUILD_VERSION" + "$CI_PROJECT_DIR" + - | + for host in "docker.io" "quay.io" "ghcr.io"; do + podman tag "archlinux:$GROUP-$BUILD_VERSION" "$host/archlinux/archlinux:$GROUP" + podman tag "archlinux:$GROUP-$BUILD_VERSION" "$host/archlinux/archlinux:$GROUP-$BUILD_VERSION" + podman push "$host/archlinux/archlinux:$GROUP" + podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "$host/archlinux/archlinux:$GROUP-$BUILD_VERSION" + + if [[ "$GROUP" == "base" ]]; then + podman tag "archlinux:$GROUP-$BUILD_VERSION" "$host/archlinux/archlinux:latest" + podman push "$host/archlinux/archlinux:latest" + fi + done + + +.test: + stage: test + dependencies: [] + except: + refs: + - releases + - tags + +.test-script: &test-script + - test "$(cat /etc/group | wc -l)" -gt 10 + - test "$(cat /etc/passwd | wc -l)" -gt 10 + - pacman 
-Sy + - pacman -Qqk + - pacman -Syu --noconfirm podman grep + - podman -v + - id -u http + - locale | grep -q UTF-8 + +test:base: + extends: .test + image: $CI_REGISTRY_IMAGE:base-$CI_COMMIT_REF_SLUG + script: + - *test-script + +test:base-devel: + extends: .test + image: $CI_REGISTRY_IMAGE:base-devel-$CI_COMMIT_REF_SLUG + script: + - *test-script + - gcc -v + - g++ -v + - make -v + - test -u /usr/bin/sudo # issue 70 + - test -u /usr/bin/passwd + +pre-release: + stage: pre-release + image: registry.gitlab.com/gitlab-org/release-cli:latest + tags: + - secure + - docker + only: + refs: + - schedules@archlinux/archlinux-docker + variables: + - $PUBLISH_ARCHLINUX_REPOSITORY == "TRUE" + - $PUBLISH_OFFICIAL_LIBRARY == "TRUE" + before_script: + - apk update + - apk add jq curl httpie bash + script: + - | + echo "Update the description of our daily DockerHub repository at https://hub.docker.com/r/archlinux/archlinux" + TOKEN="$(http --ignore-stdin POST https://hub.docker.com/v2/users/login username="${DOCKERHUB_USERNAME}" password="${DOCKERHUB_PASSWORD}" | jq -er .token)" + http --ignore-stdin PATCH https://hub.docker.com/v2/repositories/archlinux/archlinux/ Authorization:"JWT ${TOKEN}" full_description="$(cat README.md)" + + # Upload rootfs to the Generic Packages Repository + for group in base base-devel multilib-devel; do + rootfs_file="${group}-${BUILD_VERSION}.tar.zst" + mv "output/${group}.tar.zst" "output/${rootfs_file}" + mv "output/${group}.tar.zst.SHA256" "output/${rootfs_file}.SHA256" + sed -i "s|${group}.tar.zst|${rootfs_file}|" "output/${rootfs_file}.SHA256" + echo "Uploading ${rootfs_file}" + curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file "output/${rootfs_file}" "${PACKAGE_REGISTRY_URL}/" + echo "Uploading ${rootfs_file}.SHA256" + curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file "output/${rootfs_file}.SHA256" "${PACKAGE_REGISTRY_URL}/" + done + + # Create the Dockerfiles, commit to the release branch + for group in base base-devel 
multilib-devel; do + rootfs_file="${group}-${BUILD_VERSION}.tar.zst" + ./scripts/make-dockerfile.sh "${rootfs_file}" "${group}" "output" "curl -sOJL \"${PACKAGE_REGISTRY_URL}/${rootfs_file}\"" "${group}" + sed -i "/^COPY ${rootfs_file} \/$/d" output/Dockerfile.${group} + done + - > + curl -sSf --request POST -o commit-response.json + --header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}" + --form "branch=releases" + --form "commit_message=Release ${BUILD_VERSION}" + --form "actions[][action]=update" + --form "actions[][file_path]=Dockerfile.base" + --form "actions[][content]=> build.env + artifacts: + reports: + dotenv: build.env + +release: + stage: release + dependencies: + - get_version + image: registry.gitlab.com/gitlab-org/release-cli:latest + tags: + - secure + - docker + only: + refs: + - schedules@archlinux/archlinux-docker + variables: + - $PUBLISH_ARCHLINUX_REPOSITORY == "TRUE" + - $PUBLISH_OFFICIAL_LIBRARY == "TRUE" + script: + - echo 'Creating release' + release: + name: 'Release ${BUILD_VERSION}' + description: 'Release ${BUILD_VERSION}' + tag_name: 'v${BUILD_VERSION}' + ref: 'releases' + assets: + links: + - name: 'base-${BUILD_VERSION}.tar.zst' + url: '${PACKAGE_REGISTRY_URL}/base-${BUILD_VERSION}.tar.zst' + - name: 'base-${BUILD_VERSION}.tar.zst.SHA256' + url: '${PACKAGE_REGISTRY_URL}/base-${BUILD_VERSION}.tar.zst.SHA256' + - name: 'base-devel-${BUILD_VERSION}.tar.zst' + url: '${PACKAGE_REGISTRY_URL}/base-devel-${BUILD_VERSION}.tar.zst' + - name: 'base-devel-${BUILD_VERSION}.tar.zst.SHA256' + url: '${PACKAGE_REGISTRY_URL}/base-devel-${BUILD_VERSION}.tar.zst.SHA256' + - name: 'multilib-devel-${BUILD_VERSION}.tar.zst' + url: '${PACKAGE_REGISTRY_URL}/multilib-devel-${BUILD_VERSION}.tar.zst' + - name: 'multilib-devel-${BUILD_VERSION}.tar.zst.SHA256' + url: '${PACKAGE_REGISTRY_URL}/multilib-devel-${BUILD_VERSION}.tar.zst.SHA256' + +# Publish to the official Docker namespace: https://hub.docker.com/_/archlinux +# Note: The description is maintained here: 
https://github.com/docker-library/docs/tree/master/archlinux +publish-dockerhub: + stage: publish + dependencies: + - get_version + - pre-release + only: + refs: + - schedules + variables: + - $PUBLISH_OFFICIAL_LIBRARY == "TRUE" + before_script: + - export | grep -q BUILD_VERSION= + - export | grep -q BUILD_COMMIT= + - test -n "$BUILD_VERSION" + - test -n "$BUILD_COMMIT" + - test -n "$GITHUB_TOKEN" + - pacman -Syu --noconfirm github-cli git gettext + - git config --global user.email "github@archlinux.org" + - git config --global user.name "Arch Linux Technical User" + script: + - echo "Update the Docker library Github repo" + - mkdir official-images + - cd official-images + - git init + - 'git remote add origin "https://x-access-token:${GITHUB_TOKEN}@github.com/archlinux/official-images.git"' + - git fetch https://github.com/docker-library/official-images.git + - git reset --hard FETCH_HEAD + - head="release/${BUILD_VERSION}" + - git checkout -b "$head" + - cp ../docker-library.template library/archlinux + - | + for group in base base-devel multilib-devel; do + test "${group}" = "base" && extra="latest, " || extra="" + echo "Tags: ${extra}${group}, ${group}-${BUILD_VERSION}" >> library/archlinux + echo "GitCommit: ${BUILD_COMMIT}" >> library/archlinux + echo "GitFetch: refs/tags/v${BUILD_VERSION}" >> library/archlinux + echo "File: Dockerfile.${group}" >> library/archlinux + echo >> library/archlinux + done + - git diff + - git add library/archlinux + - maintainers="$(grep \(@ ../docker-library.template | cut -d\( -f2 | cut -d\) -f1 | xargs)" + - test -n "$maintainers" + - 'git commit + -m "archlinux: Release ${BUILD_VERSION}" + -m "This is an automated release [1]." 
+ -m "[1] ${CI_PROJECT_URL}/-/blob/master/.gitlab-ci.yml"'
+ - git push -u origin "$head"
+ - 'gh pr create
+ --repo docker-library/official-images
+ --title "$(git show --no-patch --format="%s")"
+ --body "$(printf "%s\n\n---\n\nMaintainers: ${maintainers}\n" "$(git show --no-patch --format="%b")")"
+ --base master
+ --head archlinux:"$head"'
diff --git a/Dockerfile.template b/Dockerfile.template
new file mode 100644
index 0000000..d1e7342
--- /dev/null
+++ b/Dockerfile.template
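Review bot: The `podman login -u ... -p "$CI_REGISTRY_PASSWORD"` lines in the before_script of image:build, image:build:secure and image:publish:secure hand registry secrets over as command-line arguments, where they are readable from the process table of the runner for the lifetime of the login; podman can read the password from stdin instead, e.g. `echo "$CI_REGISTRY_PASSWORD" | podman login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`. The same concern applies to `git remote add origin "https://x-access-token:${GITHUB_TOKEN}@github.com/archlinux/official-images.git"` in publish-dockerhub, which stores the token in the checkout's .git/config and puts it into any URL that `git push` prints on failure; a credential helper or `GIT_ASKPASS` keeps it out of the stored URL. Part of the pre-release job (the `curl --form "actions[][content]=...` commit-creation call) appears truncated in this view of the hunk, so that section could not be reviewed.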
@@ -0,0 +1,43 @@
+# Docker image when built on the official Docker infrastructure.
+# They require us to verify the source integrity in some way while making sure that this is a
+# reproducible build.
+# See https://github.com/docker-library/official-images#image-build
+# In order to achieve this, we externally host the rootfs archives and their checksums and then
+# just download and verify it in the first stage of this Dockerfile.
+# The second stage is for actually configuring the system a little bit.
+# Some templating is done in order to allow us to easily build different configurations and to
+# allow us to automate the release process.
+
+# Note: Only official DockerHub images are allowed, see https://gitlab.archlinux.org/archlinux/archlinux-docker/-/commit/daa67d18579024947d69a45e6d028c5adb1c8c23
+# While we could use archlinux:base it could also break our build process, so we avoid dog fooding here
+FROM alpine:3.19 AS verify
+COPY TEMPLATE_ROOTFS_FILE /
+
+RUN apk add --no-cache curl tar zstd
+
+RUN TEMPLATE_ROOTFS_DOWNLOAD && \
+ echo "TEMPLATE_ROOTFS_HASH" > /tmp/sha256sums.txt && \
+ sha256sum -c /tmp/sha256sums.txt && \
+ mkdir /rootfs && \
+ tar -C /rootfs --extract --file TEMPLATE_ROOTFS_FILE
+
+FROM scratch AS root
+
+LABEL org.opencontainers.image.title="TEMPLATE_TITLE"
+LABEL org.opencontainers.image.description="Official containerd image of Arch Linux, a simple, lightweight Linux distribution aimed for flexibility."
+LABEL org.opencontainers.image.authors="Santiago Torres-Arias (@SantiagoTorres), Christian Rebischke (@shibumi), Justin Kromlinger (@hashworks)"
+LABEL org.opencontainers.image.url="https://gitlab.archlinux.org/archlinux/archlinux-docker/-/blob/master/README.md"
+LABEL org.opencontainers.image.documentation="https://wiki.archlinux.org/title/Docker#Arch_Linux"
+LABEL org.opencontainers.image.source="https://gitlab.archlinux.org/archlinux/archlinux-docker"
+LABEL org.opencontainers.image.licenses="GPL-3.0-or-later"
+LABEL org.opencontainers.image.version="TEMPLATE_VERSION_ID"
+LABEL org.opencontainers.image.revision="TEMPLATE_REVISION"
+LABEL org.opencontainers.image.created="TEMPLATE_CREATED"
+
+COPY --from=verify /rootfs/ /
+
+RUN ldconfig && \
+ sed -i '/BUILD_ID/a VERSION_ID=TEMPLATE_VERSION_ID' /etc/os-release
+
+ENV LANG=C.UTF-8
+CMD ["/usr/bin/bash"]
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..86d9c72
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,21 @@
+OCITOOL=podman # or docker
+BUILDDIR=$(shell pwd)/build
+OUTPUTDIR=$(shell pwd)/output
+
+.PHONY: clean
+clean:
+ rm -rf $(BUILDDIR) $(OUTPUTDIR)
+
+.PRECIOUS: $(OUTPUTDIR)/%.tar.zst
+$(OUTPUTDIR)/%.tar.zst:
+ scripts/make-rootfs.sh $(*) $(BUILDDIR) $(OUTPUTDIR)
+
+.PRECIOUS: $(OUTPUTDIR)/Dockerfile.%
+$(OUTPUTDIR)/Dockerfile.%: $(OUTPUTDIR)/%.tar.zst
+ scripts/make-dockerfile.sh "$(*).tar.zst" $(*) $(OUTPUTDIR) "true" "Dev"
+
+# The following is for local builds only, it is not used by the CI/CD pipeline
+
+all: image-base image-base-devel image-multilib-devel
+image-%: $(OUTPUTDIR)/Dockerfile.%
+ ${OCITOOL} build -f $(OUTPUTDIR)/Dockerfile.$(*) -t archlinux/archlinux:$(*) $(OUTPUTDIR)
diff --git a/README.md b/README.md
index 0989daf..40358e7 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@ ## ai `os` -- name : ai os + +- name : ai os + - base : [archlinux](https://gitlab.archlinux.org/archlinux/archlinux-docker) + - 
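Review bot: The `sed -i '/BUILD_ID/a VERSION_ID=TEMPLATE_VERSION_ID' /etc/os-release` line in the second stage edits a path that scripts/make-rootfs.sh in this same commit creates as a symlink to /usr/lib/os-release; GNU sed's `-i` writes a temporary file and renames it over the link unless `--follow-symlinks` is given, so the shipped image ends up with a regular /etc/os-release that no longer matches /usr/lib/os-release. If the link is meant to survive, `sed -i --follow-symlinks '/BUILD_ID/a VERSION_ID=TEMPLATE_VERSION_ID' /etc/os-release` or editing /usr/lib/os-release directly keeps the two consistent. Separately, the description label says `Official containerd image of Arch Linux`, which presumably should read `container image`.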
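Review bot: The `$(OUTPUTDIR)/%.tar.zst` rule has no prerequisites and is marked `.PRECIOUS`, so if make-rootfs.sh is interrupted or fails mid-way a partial `.tar.zst` is kept and every later run treats it as up to date; `.PRECIOUS` is only there to stop make deleting the archive as a chain intermediate, which `.SECONDARY` does without also suppressing the cleanup of a target whose recipe was interrupted. Adding `.DELETE_ON_ERROR:` at the top covers the failed-recipe case as well. While here, `BUILDDIR=$(shell pwd)/build` and `OUTPUTDIR=$(shell pwd)/output` re-run `pwd` on every expansion because of the recursive `=`; `BUILDDIR := $(CURDIR)/build` and `OUTPUTDIR := $(CURDIR)/output` are the usual form, and `all` and `image-%` should be listed under `.PHONY` since no such files are ever created.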
diff --git a/docker-library.template b/docker-library.template
new file mode 100644
index 0000000..fa3a4f1
--- /dev/null
+++ b/docker-library.template
@@ -0,0 +1,7 @@
+# https://gitlab.archlinux.org/archlinux/archlinux-docker
+
+Maintainers: Santiago Torres-Arias (@SantiagoTorres),
+ Christian Rebischke (@shibumi),
+ Justin Kromlinger (@hashworks)
+GitRepo: https://gitlab.archlinux.org/archlinux/archlinux-docker.git
+
diff --git a/exclude b/exclude
new file mode 100644
index 0000000..e847b05
--- /dev/null
+++ b/exclude
@@ -0,0 +1,18 @@
+./.dockerenv
+./.dockerinit
+./sys
+./proc
+./dev
+./etc/hostname
+./etc/machine-id
+./etc/resolv.conf
+./etc/pacman.d/gnupg/openpgp-revocs.d/*
+./etc/pacman.d/gnupg/private-keys-v1.d/*
+./etc/pacman.d/gnupg/pubring.gpg~
+./etc/pacman.d/gnupg/S.*
+./root/*
+./tmp/*
+./var/cache/pacman/pkg/*
+./var/lib/pacman/sync/*
+./var/tmp/*
+./alpm-hooks
diff --git a/icon/ai.png b/icon/ai.png
new file mode 100644
index 0000000..d21dabe
Binary files /dev/null and b/icon/ai.png differ
diff --git a/icon/avatar.png b/icon/avatar.png
new file mode 100644
index 0000000..f091ef1
Binary files /dev/null and b/icon/avatar.png differ
diff --git a/pacman-conf.d-noextract.conf b/pacman-conf.d-noextract.conf
new file mode 100644
index 0000000..6bcacb0
--- /dev/null
+++ b/pacman-conf.d-noextract.conf
@@ -0,0 +1,13 @@
+[options]
+NoExtract = usr/share/help/* !usr/share/help/en* !usr/share/help/C/*
+NoExtract = usr/share/gtk-doc/html/* usr/share/doc/*
+NoExtract = usr/share/locale/* usr/share/X11/locale/* usr/share/i18n/*
+NoExtract = !*locale*/en*/* !usr/share/i18n/charmaps/UTF-8.gz !usr/share/*locale*/locale.*
+NoExtract = !usr/share/*locales/en_?? !usr/share/*locales/i18n* !usr/share/*locales/iso*
+NoExtract = !usr/share/*locales/trans*
+NoExtract = !usr/share/X11/locale/C/*
+NoExtract = !usr/share/X11/locale/compose.dir !usr/share/X11/locale/iso8859-1/*
+NoExtract = !usr/share/*locales/C !usr/share/*locales/POSIX !usr/share/i18n/charmaps/ANSI_X3.4-1968.gz
+NoExtract = usr/share/man/* usr/share/info/*
+NoExtract = usr/share/vim/vim*/lang/*
+NoExtract = etc/pacman.conf etc/pacman.d/mirrorlist
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..39a2b6e
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,6 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:base"
+ ]
+}
diff --git a/rootfs/etc/locale.conf b/rootfs/etc/locale.conf
new file mode 100644
index 0000000..f9c983c
--- /dev/null
+++ b/rootfs/etc/locale.conf
@@ -0,0 +1 @@
+LANG=C.UTF-8
diff --git a/rootfs/etc/pacman.d/mirrorlist b/rootfs/etc/pacman.d/mirrorlist
new file mode 100644
index 0000000..495d883
--- /dev/null
+++ b/rootfs/etc/pacman.d/mirrorlist
@@ -0,0 +1,3 @@
+Server = https://geo.mirror.pkgbuild.com/$repo/os/$arch
+Server = https://mirror.rackspace.com/archlinux/$repo/os/$arch
+Server = https://mirror.leaseweb.net/archlinux/$repo/os/$arch
diff --git a/scripts/make-dockerfile.sh b/scripts/make-dockerfile.sh
new file mode 100755
index 0000000..878d18d
--- /dev/null
+++ b/scripts/make-dockerfile.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -euo pipefail
+
+declare -r ROOTFS_FILE="$1"
+declare -r GROUP="$2"
+declare -r OUTPUTDIR="$3"
+declare -r DOWNLOAD="$4"
+declare -r TITLE="$5"
+
+# Do not use these directly in the sed below - it will mask git failures
+BUILD_VERSION="${BUILD_VERSION:-dev}"
+CI_COMMIT_SHA="${CI_COMMIT_SHA:-$(git rev-parse HEAD)}"
+
+sed -e "s|TEMPLATE_ROOTFS_FILE|$ROOTFS_FILE|" \
+ -e "s|TEMPLATE_ROOTFS_DOWNLOAD|$DOWNLOAD|" \
+ -e "s|TEMPLATE_ROOTFS_HASH|$(cat $OUTPUTDIR/$ROOTFS_FILE.SHA256)|" \
+ -e "s|TEMPLATE_TITLE|Arch Linux $TITLE Image|" \
+ -e "s|TEMPLATE_VERSION_ID|$BUILD_VERSION|" \
+ -e "s|TEMPLATE_REVISION|$CI_COMMIT_SHA|" \
+ -e "s|TEMPLATE_CREATED|$(date -Is)|" \
+ Dockerfile.template > "$OUTPUTDIR/Dockerfile.$GROUP"
diff --git a/scripts/make-rootfs.sh b/scripts/make-rootfs.sh
new file mode 100755
index 0000000..82f9e8c
--- /dev/null
+++ b/scripts/make-rootfs.sh
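Review bot: `$(cat $OUTPUTDIR/$ROOTFS_FILE.SHA256)` inside the quoted `-e` argument is both unquoted and invisible to `set -e`: if the checksum file is missing or unreadable, sed still succeeds, the script exits 0, and the generated Dockerfile carries an empty `TEMPLATE_ROOTFS_HASH` that only surfaces later when the image build's `sha256sum -c` fails — the same trap the comment above `BUILD_VERSION` warns about for git. Read it into a variable first, `ROOTFS_HASH="$(cat "$OUTPUTDIR/$ROOTFS_FILE.SHA256")"`, and substitute with `-e "s|TEMPLATE_ROOTFS_HASH|$ROOTFS_HASH|"`. Note also that sed interprets `&` and the `|` delimiter inside the replacement text, so a `$DOWNLOAD` value containing either would silently corrupt the output; a short comment stating that the arguments must not contain those characters would help callers.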
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+set -euo pipefail
+
+declare -r WRAPPER="fakechroot -- fakeroot"
+
+declare -r GROUP="$1"
+declare -r BUILDDIR="$2"
+declare -r OUTPUTDIR="$3"
+
+mkdir -vp "$BUILDDIR/alpm-hooks/usr/share/libalpm/hooks"
+find /usr/share/libalpm/hooks -exec ln -sf /dev/null "$BUILDDIR/alpm-hooks"{} \;
+
+mkdir -vp "$BUILDDIR/var/lib/pacman/" "$OUTPUTDIR"
+[[ "$GROUP" == "multilib-devel" ]] && pacman_conf=multilib.conf || pacman_conf=extra.conf
+install -Dm644 "/usr/share/devtools/pacman.conf.d/$pacman_conf" "$BUILDDIR/etc/pacman.conf"
+cat pacman-conf.d-noextract.conf >> "$BUILDDIR/etc/pacman.conf"
+
+sed 's/Include = /&rootfs/g' < "$BUILDDIR/etc/pacman.conf" > pacman.conf
+
+cp --recursive --preserve=timestamps rootfs/* "$BUILDDIR/"
+ln -fs /usr/lib/os-release "$BUILDDIR/etc/os-release"
+
+$WRAPPER -- \
+ pacman -Sy -r "$BUILDDIR" \
+ --noconfirm --dbpath "$BUILDDIR/var/lib/pacman" \
+ --config pacman.conf \
+ --noscriptlet \
+ --hookdir "$BUILDDIR/alpm-hooks/usr/share/libalpm/hooks/" base "$GROUP"
+
+$WRAPPER -- chroot "$BUILDDIR" update-ca-trust
+$WRAPPER -- chroot "$BUILDDIR" pacman-key --init
+$WRAPPER -- chroot "$BUILDDIR" pacman-key --populate
+
+# add system users
+$WRAPPER -- chroot "$BUILDDIR" /usr/bin/systemd-sysusers --root "/"
+
+# remove passwordless login for root (see CVE-2019-5021 for reference)
+sed -i -e 's/^root::/root:!:/' "$BUILDDIR/etc/shadow"
+
+# fakeroot to map the gid/uid of the builder process to root
+# fixes #22
+fakeroot -- \
+ tar \
+ --numeric-owner \
+ --xattrs \
+ --acls \
+ --exclude-from=exclude \
+ -C "$BUILDDIR" \
+ -c . \
+ -f "$OUTPUTDIR/$GROUP.tar"
+
+cd "$OUTPUTDIR"
+zstd --long -T0 -8 "$GROUP.tar"
+sha256sum "$GROUP.tar.zst" > "$GROUP.tar.zst.SHA256"
diff --git a/sigstore-param-file.yaml b/sigstore-param-file.yaml
new file mode 100644
index 0000000..cf5b7c6
--- /dev/null
+++ b/sigstore-param-file.yaml
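Review bot: `sed 's/Include = /&rootfs/g' < "$BUILDDIR/etc/pacman.conf" > pacman.conf` writes the per-group pacman configuration into the current directory instead of `$BUILDDIR`, so a local `make -j` building more than one group races on the same file, and the file is left behind in the checkout (the `.gitignore` added in this commit lists only `build` and `output`). Writing it as `> "$BUILDDIR/pacman.conf"` and passing `--config "$BUILDDIR/pacman.conf"` to pacman keeps it per group and inside the tree that `make clean` removes. The script also relies on being run from the repository root for `pacman-conf.d-noextract.conf`, `rootfs/*` and `--exclude-from=exclude`; a one-line comment near the top stating that assumption, e.g. `# must be run from the repository root (reads ./pacman-conf.d-noextract.conf, ./rootfs, ./exclude)`, would save the next reader a surprise.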
@@ -0,0 +1,6 @@
+fulcio:
+ fulcioURL: "https://fulcio.sigstore.dev"
+ oidcMode: "staticToken"
+ oidcIssuerURL: "https://gitlab.archlinux.org"
+ oidcIDToken: "TEMPLATE_OIDC_ID_TOKEN"
+rekorURL: "https://rekor.sigstore.dev"