Alexis Métaireau
4621902a2b
fixup! (WIP) Add tests
2025-02-25 15:44:08 +01:00
Alexis Métaireau
ec4028b486
fixup! (WIP) Add tests
2025-02-25 15:44:08 +01:00
Alexis Métaireau
43cb02bcca
fixup! (WIP) Add tests
2025-02-25 15:44:08 +01:00
Alexis Métaireau
ab51a71bdf
fixup! (WIP) Add tests
2025-02-25 15:44:08 +01:00
Alexis Métaireau
b5bfbb5d6e
fixup! (WIP) Add tests
2025-02-25 15:44:08 +01:00
Alexis Métaireau
3e861cc0cd
fixup! (WIP) Add tests
2025-02-25 15:44:08 +01:00
Alexis Métaireau
83418f09f2
fixup! (WIP) Add tests
2025-02-25 15:44:08 +01:00
Alexis Métaireau
fb89f00c73
fixup! (WIP) Add tests
2025-02-25 15:44:08 +01:00
Alexis Métaireau
ecb3d87b1f
fixup! (WIP) Add tests
2025-02-25 15:44:08 +01:00
Alexis Métaireau
a4fa6aaed8
fixup! (WIP) Add tests
2025-02-25 15:44:08 +01:00
Alexis Métaireau
df3efa8157
fixup! 6aff845493
2025-02-25 15:44:08 +01:00
Alexis Métaireau
c9c301d833
fixup! (WIP) some more tests
2025-02-25 15:44:08 +01:00
Alexis Métaireau
b37815a96c
fixup! (WIP) some more tests
2025-02-25 15:44:08 +01:00
Alexis Métaireau
35704b8a18
fixup! (WIP) some more tests
2025-02-25 15:44:08 +01:00
Alexis Métaireau
b4818ce854
fixup! (WIP) some more tests
2025-02-25 15:44:08 +01:00
Alexis Métaireau
0f2d81dbd6
(WIP) some more tests
2025-02-13 19:12:25 +01:00
Alexis Métaireau
a540fc5b08
(WIP) Add tests
2025-02-12 18:23:12 +01:00
Alexis Métaireau
835970b541
fixup! (WIP) Check for container updates rather than using image-id.txt
2025-02-12 12:05:20 +01:00
Alexis Métaireau
60674ea6b4
fixup! (WIP) Check for container updates rather than using image-id.txt
2025-02-12 11:53:36 +01:00
Alexis Métaireau
e078e9bb82
fixup! 1e9e468e37
2025-02-12 11:53:36 +01:00
Alexis Métaireau
5acb302acf
fixup! Publish and attest multi-architecture container images
2025-02-12 11:40:36 +01:00
Alexis Métaireau
537d23e233
fixup! Publish and attest multi-architecture container images
2025-02-12 11:40:36 +01:00
Alexis Métaireau
0724f86b13
fixup! Publish and attest multi-architecture container images
2025-02-12 11:40:36 +01:00
Alexis Métaireau
668ee71895
fixup! Add a dangerzone-image CLI script
2025-02-12 11:40:36 +01:00
Alexis Métaireau
988971096c
fixup! Add a dangerzone-image CLI script
2025-02-12 11:40:36 +01:00
Alexis Métaireau
5202d79270
fixup! Add a dangerzone-image CLI script
2025-02-12 11:40:36 +01:00
Alexis Métaireau
ccae6c5b16
fixup! Add a dangerzone-image CLI script
2025-02-12 11:40:36 +01:00
Alexis Métaireau
aac6c6334a
fixup! Add a dangerzone-image CLI script
2025-02-12 11:40:36 +01:00
Alexis Métaireau
431f0cb803
fixup! Add a dangerzone-image CLI script
2025-02-12 11:40:36 +01:00
Alexis Métaireau
d667c284c7
fixup! Add a dangerzone-image CLI script
2025-02-12 11:40:36 +01:00
Alexis Métaireau
379c9f8f00
fixup! Add a dangerzone-image CLI script
2025-02-12 11:40:36 +01:00
Alexis Métaireau
1e9e468e37
fixup! Download and verify cosign signatures
2025-02-12 11:40:36 +01:00
Alexis Métaireau
5a4ddb17c9
fixup! Download and verify cosign signatures
2025-02-12 11:40:36 +01:00
Alexis Métaireau
22d235cabd
fixup! Download and verify cosign signatures
2025-02-12 11:40:36 +01:00
Alexis Métaireau
5001328ae9
fixup! Download and verify cosign signatures
2025-02-12 11:40:36 +01:00
Alexis Métaireau
db33038c23
fixup! Download and verify cosign signatures
2025-02-12 11:40:36 +01:00
Alexis Métaireau
6aff845493
fixup! Download and verify cosign signatures
2025-02-12 11:40:36 +01:00
Alexis Métaireau
7002ab85a0
fixup! Download and verify cosign signatures
2025-02-12 11:40:36 +01:00
Alexis Métaireau
f6562ae59c
fixup! Download and verify cosign signatures
2025-02-12 11:40:36 +01:00
Alexis Métaireau
27647cc309
fixup! Download and verify cosign signatures
2025-02-12 11:40:36 +01:00
Alexis Métaireau
5c9a38d370
(WIP) Check for container updates rather than using image-id.txt
2025-02-11 19:24:59 +01:00
Alexis Métaireau
af55d26c2e
Add documentation for independent container updates
2025-02-11 19:24:59 +01:00
Alex Pyrgiotis
f60c43f12b
Publish and attest multi-architecture container images
A new `dangerzone-image attest-provenance` script is now available,
making it possible to verify the attestations of an image published on
the GitHub container registry.
Container images are now built nightly and uploaded to the container
registry.
2025-02-11 19:24:59 +01:00
Alexis Métaireau
197325b266
Add the ability to download diffoci for multiple platforms
The hash list provided on the GitHub releases page is now bundled in the
`reproduce-image.py` script, and the proper hashes are checked after
download.
2025-02-11 19:24:59 +01:00
Alexis Métaireau
3d28ae2eee
Download and verify cosign signatures
Signatures are stored in the OCI Manifest v2 registry [0], and are
expected to follow the Cosign Signature Specification [0].
The following CLI utilities are provided with `dangerzone-image`:
For checking new container images, upgrading them and downloading them:
- `upgrade` allows upgrading the currently installed image to the
last one available on the OCI registry, downloading and storing the
signatures in the process.
- `verify-local` allows verifying the currently installed image against
downloaded signatures and public key.
To prepare and install archives on air-gapped environments:
- `prepare-archive` helps to prepare an archive to install on another
machine.
- `load-archive` helps upgrade the local image to the archive given
in argument.
Signatures are stored locally using the format provided by `cosign
download signature`, and the Rekor log index is used to ensure the
requested-to-install container image is fresher than the one already
present on the system.
[0] https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md
2025-02-11 19:09:53 +01:00
Alexis Métaireau
81ee267591
Add a dangerzone-image CLI script
It contains utilities to interact with OCI registries, like getting the list of
published tags and getting the content of a manifest. It does so
via the use of the Docker Registry API v2 [0].
The script has been added to the `dev_scripts`, and is also installed on
the system under `dangerzone-image`.
[0] https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry
2025-02-11 18:13:39 +01:00
Alex Pyrgiotis
856de3fd46
grype: Ignore CVE-2025-0665
Ignore the CVE-2025-0665 vulnerability, since it's a libcurl one, and
the Dangerzone container does not make network calls. Also, it seems
that Debian Bookworm is not affected.
2025-02-10 12:31:08 +02:00
Alex Pyrgiotis
88a6b37770
Add support for Python 3.13
Bump our max supported Python version to 3.13, now that PySide6 supports
it.
Fixes #992
2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
fb90243668
Symlink /usr in Debian container image
Update our Dockerfile and entrypoint script in order to reuse the /usr
dir in the inner and outer container image.
Refs #1048
2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
9724a16d81
Mask some extra paths in gVisor's OCI config
Mask some paths of the outer container in the OCI config of the inner
container. This is done to avoid leaking any sensitive information from
Podman / Docker / gVisor, since we reuse the same rootfs.
Refs #1048
2025-01-27 21:40:27 +02:00