Commit graph

1550 commits

Author SHA1 Message Date
Alexis Métaireau
35704b8a18 fixup! (WIP) some more tests 2025-02-25 15:44:08 +01:00
Alexis Métaireau
b4818ce854 fixup! (WIP) some more tests 2025-02-25 15:44:08 +01:00
Alexis Métaireau
0f2d81dbd6
(WIP) some more tests 2025-02-13 19:12:25 +01:00
Alexis Métaireau
a540fc5b08
(WIP) Add tests 2025-02-12 18:23:12 +01:00
Alexis Métaireau
835970b541 fixup! (WIP) Check for container updates rather than using image-id.txt 2025-02-12 12:05:20 +01:00
Alexis Métaireau
60674ea6b4 fixup! (WIP) Check for container updates rather than using image-id.txt 2025-02-12 11:53:36 +01:00
Alexis Métaireau
e078e9bb82 fixup! 1e9e468e37 2025-02-12 11:53:36 +01:00
Alexis Métaireau
5acb302acf fixup! Publish and attest multi-architecture container images 2025-02-12 11:40:36 +01:00
Alexis Métaireau
537d23e233 fixup! Publish and attest multi-architecture container images 2025-02-12 11:40:36 +01:00
Alexis Métaireau
0724f86b13 fixup! Publish and attest multi-architecture container images 2025-02-12 11:40:36 +01:00
Alexis Métaireau
668ee71895 fixup! Add a dangerzone-image CLI script 2025-02-12 11:40:36 +01:00
Alexis Métaireau
988971096c fixup! Add a dangerzone-image CLI script 2025-02-12 11:40:36 +01:00
Alexis Métaireau
5202d79270 fixup! Add a dangerzone-image CLI script 2025-02-12 11:40:36 +01:00
Alexis Métaireau
ccae6c5b16 fixup! Add a dangerzone-image CLI script 2025-02-12 11:40:36 +01:00
Alexis Métaireau
aac6c6334a fixup! Add a dangerzone-image CLI script 2025-02-12 11:40:36 +01:00
Alexis Métaireau
431f0cb803 fixup! Add a dangerzone-image CLI script 2025-02-12 11:40:36 +01:00
Alexis Métaireau
d667c284c7 fixup! Add a dangerzone-image CLI script 2025-02-12 11:40:36 +01:00
Alexis Métaireau
379c9f8f00 fixup! Add a dangerzone-image CLI script 2025-02-12 11:40:36 +01:00
Alexis Métaireau
1e9e468e37 fixup! Download and verify cosign signatures 2025-02-12 11:40:36 +01:00
Alexis Métaireau
5a4ddb17c9 fixup! Download and verify cosign signatures 2025-02-12 11:40:36 +01:00
Alexis Métaireau
22d235cabd fixup! Download and verify cosign signatures 2025-02-12 11:40:36 +01:00
Alexis Métaireau
5001328ae9 fixup! Download and verify cosign signatures 2025-02-12 11:40:36 +01:00
Alexis Métaireau
db33038c23 fixup! Download and verify cosign signatures 2025-02-12 11:40:36 +01:00
Alexis Métaireau
6aff845493 fixup! Download and verify cosign signatures 2025-02-12 11:40:36 +01:00
Alexis Métaireau
7002ab85a0 fixup! Download and verify cosign signatures 2025-02-12 11:40:36 +01:00
Alexis Métaireau
f6562ae59c fixup! Download and verify cosign signatures 2025-02-12 11:40:36 +01:00
Alexis Métaireau
27647cc309 fixup! Download and verify cosign signatures 2025-02-12 11:40:36 +01:00
Alexis Métaireau
5c9a38d370
(WIP) Check for container updates rather than using image-id.txt 2025-02-11 19:24:59 +01:00
Alexis Métaireau
af55d26c2e
Add documentation for independent container updates 2025-02-11 19:24:59 +01:00
Alex Pyrgiotis
f60c43f12b
Publish and attest multi-architecture container images
A new `dangerzone-image attest-provenance` script is now available,
making it possible to verify the attestations of an image published on
the github container registry.

Container images are now built nightly and uploaded to the container
registry.
2025-02-11 19:24:59 +01:00
Alexis Métaireau
197325b266
Add the ability to download diffoci for multiple platforms
The hash list provided on the Github releases page is now bundled in the
`reproduce-image.py` script, and the proper hashes are checked after
download.
2025-02-11 19:24:59 +01:00
Alexis Métaireau
3d28ae2eee
Download and verify cosign signatures
Signatures are stored in the OCI Manifest v2 registry [0], and are
expected to follow the Cosign Signature Specification [0].

The following CLI utilities are provided with `dangerzone-image`:

For checking new container images, upgrading them and downloading them:

- `upgrade` allows upgrading the currently installed image to the
  latest one available on the OCI registry, downloading and storing the
  signatures in the process.
- `verify-local` allows verifying the currently installed image against
  the downloaded signatures and public key.

To prepare and install archives on air-gapped environments:

- `prepare-archive` helps to prepare an archive to install on another
  machine.
- `load-archive` helps upgrade the local image to the archive given
  as argument.

Signatures are stored locally using the format provided by `cosign
download signature`, and the Rekor log index is used to ensure the
requested-to-install container image is fresher than the one already
present on the system.

[0] https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md
2025-02-11 19:09:53 +01:00
Alexis Métaireau
81ee267591
Add a dangerzone-image CLI script
It contains utilities to interact with OCI registries, like getting the list of
published tags and getting the content of a manifest. It does so
via the use of the Docker Registry API v2 [0].

The script has been added to the `dev_scripts`, and is also installed on
the system under `dangerzone-image`.

[0] https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry
2025-02-11 18:13:39 +01:00
Alex Pyrgiotis
856de3fd46
grype: Ignore CVE-2025-0665
Ignore the CVE-2025-0665 vulnerability, since it's a libcurl one, and
the Dangerzone container does not make network calls. Also, it seems
that Debian Bookworm is not affected.
2025-02-10 12:31:08 +02:00
Alex Pyrgiotis
88a6b37770
Add support for Python 3.13
Bump our max supported Python version to 3.13, now that PySide6 supports
it.

Fixes #992
2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
fb90243668
Symlink /usr in Debian container image
Update our Dockerfile and entrypoint script in order to reuse the /usr
dir in the inner and outer container image.

Refs #1048
2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
9724a16d81
Mask some extra paths in gVisor's OCI config
Mask some paths of the outer container in the OCI config of the inner
container. This is done to avoid leaking any sensitive information from
Podman / Docker / gVisor, since we reuse the same rootfs.

Refs #1048
2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
cf43a7a0c4
docs: Add design document for artifact reproducibility
Refs #1047
2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
cae4187550
Update RELEASE.md
Co-authored-by: Alexis Métaireau <alexis@freedom.press>
2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
cfa4478ace
ci: Add a CI job that enforces image reproducibility
Add a CI job that uses the `reproduce.py` dev script to enforce image
reproducibility, for every PR that we send to the repo.

Fixes #1047
2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
2557be9bc0
dev_scripts: Add script for enforcing image reproducibility
Add a dev script for Linux platforms that verifies that a source image
can be reproducibly built from the current Git commit. The
reproducibility check is enforced by the `diffoci` tool, which is
downloaded as part of running the script.
2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
235d71354a
Allow setting a tag for the container image
Allow setting a tag for the container image, when building it with the
`build-image.py` script. This should be used for development purposes
only, since the proper image name should be dictated by the script.
2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
5d49f5abdb
ci: Scan the latest image for CVEs
Update the Debian snapshot date to the current one, so that we always
scan the latest image for CVEs.

Refs #1057
2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
0ce7773ca1
Render the Dockerfile from a template and some params
Allow updating the Dockerfile from a template and some envs, so that
it's easier to bump the dates in it.
2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
fa27f4b063
Add jinja2-cli package dependency
Add jinja2-cli as a package dependency, since it will be used to create
the Dockerfile from some user parameters and a template.
2025-01-23 23:26:56 +02:00
Alex Pyrgiotis
8e8a515b64
Allow using the container engine cache when building our image
Remove our suggestions for not using the container cache, which stemmed
from the fact that our Dangerzone image was not reproducible. Now that
we have switched to Debian Stable and the Dockerfile is all we need to
reproducibly build the exact same container image, we can just use the
cache to speed up builds.
2025-01-23 23:25:43 +02:00
Alex Pyrgiotis
270cae1bc0
Rename vendor-pymupdf.py to debian-vendor-pymupdf.py
Rename the `vendor-pymupdf.py` script to `debian-vendor-pymupdf.py`,
since it's used only when building Debian packages.
2025-01-23 23:25:43 +02:00
Alex Pyrgiotis
14bb6c0e39
Do not use poetry.lock when building the container image
Remove all the scaffolding in our `build-image.py` script for using the
`poetry.lock` file, now that we install PyMuPDF from the Debian repos.
2025-01-23 23:25:39 +02:00
Alex Pyrgiotis
033ce0986d
Switch base image to Debian Stable
Switch base image from Alpine Linux to Debian Stable, in order to reduce
our image footprint, improve our security posture, and build our
container image reproducibly.

Fixes #1046
Refs #1047
2025-01-23 23:24:48 +02:00
Alex Pyrgiotis
935396565c
Reuse the same rootfs for the inner and outer container
Remove the need to copy the Dangerzone container image (used by the
inner container) within a wrapper gVisor image (used by the outer
container). Instead, use the root of the container filesystem for both
containers. We can do this safely because we don't mount any secrets to
the container, and because gVisor offers a read-only view of the
underlying filesystem.

Fixes #1048
2025-01-23 23:24:48 +02:00