dangerzone

mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-29 02:12:36 +02:00

Author	SHA1	Message	Date
Alexis Métaireau	69f4d296ec	Build images every day, on main and test/ commits	2025-02-05 17:07:39 +01:00
Alexis Métaireau	c2d37dfb04	Check signatures before invoking the container. Also, check for new container images when starting the application. This replaces the usage of `share/image-id.txt` to ensure the image is trusted.	2025-02-05 16:54:13 +01:00
Alexis Métaireau	60c144aab0	Fixup: remove rntime.py	2025-02-05 16:51:51 +01:00
Alexis Métaireau	ad3d0e4182	Fixup: update docs	2025-02-05 15:40:36 +01:00
Alexis Métaireau	af6b4e0d73	Fixup: use digest instead of hash	2025-02-05 15:40:21 +01:00
Alexis Métaireau	4542f0b4c4	CI: Rename github workflow for multi-arch images publication	2025-02-05 15:03:16 +01:00
Alexis Métaireau	10957dfe02	Fixup: registry, split Accept lines	2025-02-05 14:31:36 +01:00
Alexis Métaireau	94e51840e7	feat(icu): Add verification support for multi-arch images	2025-02-05 14:27:44 +01:00
Alexis Métaireau	e67fbc1e72	fixup: Fix docs	2025-02-04 18:53:24 +01:00
Alex Pyrgiotis	2981ec4450	WIP: Add CI job for multi-arch builds Some checks failed Tests / build-container-image (push) Waiting to run Details Tests / Download and cache Tesseract data (push) Waiting to run Details Tests / windows (push) Blocked by required conditions Details Tests / macOS (arch64) (push) Blocked by required conditions Details Tests / macOS (x86_64) (push) Blocked by required conditions Details Tests / build-deb (debian bookworm) (push) Blocked by required conditions Details Tests / build-deb (debian bullseye) (push) Blocked by required conditions Details Tests / build-deb (debian trixie) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 20.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 22.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 24.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 24.10) (push) Blocked by required conditions Details Tests / install-deb (debian bookworm) (push) Blocked by required conditions Details Tests / install-deb (debian bullseye) (push) Blocked by required conditions Details Tests / install-deb (debian trixie) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 20.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 22.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 24.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 24.10) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 40) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 41) (push) Blocked by required conditions Details Tests / run tests (debian bookworm) (push) Blocked by required conditions Details Tests / run tests (debian bullseye) (push) Blocked by required conditions Details Tests / run tests (debian trixie) (push) Blocked by required conditions Details Tests / check-reproducibility (push) Waiting to run Details Release container image / build-container-image (push) Waiting to run Details Multi-arch build / build (linux/amd64) (push) Has been cancelled Details Multi-arch build / build (linux/arm64) (push) Has been cancelled Details Multi-arch build / merge (push) Has been cancelled Details Multi-arch build / provenance (push) Has been cancelled Details	2025-02-04 19:44:29 +02:00
Alex Pyrgiotis	22102f29e6	WIP: Verify local image	2025-02-04 19:42:42 +02:00
Alex Pyrgiotis	a77fc938fd	WIP: Make verify-attestation work for SLSA 3 attestations	2025-02-04 19:42:31 +02:00
Alexis Métaireau	aedfc3b9a2	fix(icu): update documentation and fixes Some checks are pending Tests / windows (push) Blocked by required conditions Details Tests / macOS (arch64) (push) Blocked by required conditions Details Tests / macOS (x86_64) (push) Blocked by required conditions Details Tests / build-deb (debian bookworm) (push) Blocked by required conditions Details Tests / build-deb (debian bullseye) (push) Blocked by required conditions Details Tests / build-deb (debian trixie) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 20.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 22.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 24.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 24.10) (push) Blocked by required conditions Details Tests / install-deb (debian bookworm) (push) Blocked by required conditions Details Tests / install-deb (debian bullseye) (push) Blocked by required conditions Details Tests / install-deb (debian trixie) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 20.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 22.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 24.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 24.10) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 40) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 41) (push) Blocked by required conditions Details Tests / run tests (debian bookworm) (push) Blocked by required conditions Details Tests / run tests (debian bullseye) (push) Blocked by required conditions Details Tests / run tests (debian trixie) (push) Blocked by required conditions Details Tests / run tests (fedora 40) (push) Blocked by required conditions Details Tests / run tests (fedora 41) (push) Blocked by required conditions Details Tests / run tests (ubuntu 20.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 22.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 24.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 24.10) (push) Blocked by required conditions Details Tests / check-reproducibility (push) Waiting to run Details Release container image / build-container-image (push) Waiting to run Details	2025-02-04 16:18:18 +01:00
Alexis Métaireau	97d7b52093	Get image name from signatures for air-gapped archives This allows to be sure that the image name is verified by a known public key, rather than relying on an input by the user, which can lead to issues.	2025-02-04 15:32:08 +01:00
Alexis Métaireau	9c2d7a7f7b	Add a `dangerzone-image prepare-archive` command	2025-02-04 12:38:26 +01:00
Alexis Métaireau	8ae4af8698	Locally store the signatures for oci-images archives On air-gapped environements, it's now possible to load signatures generated by `cosign save` commands. The signatures embedded in this format will be converted to the one used by `cosign download signature`.	2025-02-04 11:49:51 +01:00
Alexis Métaireau	087e5bd1ad	Allow installation on air-gapped systems - Verify the archive against the known public signature - Prepare a new archive format (with signature removed) - Load the new image and retag it with the expected tag During this process, the signatures are lost and should instead be converted to a known format. Additionally, the name fo the repository should ideally come from the signatures rather than from the command line.	2025-02-03 18:04:24 +01:00
Alexis Métaireau	f7069a9c16	Ensure cosign is installed before trying to use it Some checks failed Tests / check-reproducibility (push) Has been cancelled Details Release container image / build-container-image (push) Has been cancelled Details Tests / windows (push) Has been cancelled Details Tests / macOS (arch64) (push) Has been cancelled Details Tests / build-deb (ubuntu 22.04) (push) Has been cancelled Details Tests / macOS (x86_64) (push) Has been cancelled Details Tests / build-deb (debian bookworm) (push) Has been cancelled Details Tests / build-deb (debian bullseye) (push) Has been cancelled Details Tests / build-deb (debian trixie) (push) Has been cancelled Details Tests / build-deb (ubuntu 20.04) (push) Has been cancelled Details Tests / build-deb (ubuntu 24.04) (push) Has been cancelled Details Tests / build-deb (ubuntu 24.10) (push) Has been cancelled Details Tests / install-deb (debian bookworm) (push) Has been cancelled Details Tests / install-deb (debian bullseye) (push) Has been cancelled Details Tests / install-deb (debian trixie) (push) Has been cancelled Details Tests / install-deb (ubuntu 20.04) (push) Has been cancelled Details Tests / install-deb (ubuntu 22.04) (push) Has been cancelled Details Tests / install-deb (ubuntu 24.04) (push) Has been cancelled Details Tests / install-deb (ubuntu 24.10) (push) Has been cancelled Details Tests / build-install-rpm (fedora 40) (push) Has been cancelled Details Tests / build-install-rpm (fedora 41) (push) Has been cancelled Details Tests / run tests (debian bookworm) (push) Has been cancelled Details Tests / run tests (debian bullseye) (push) Has been cancelled Details Tests / run tests (debian trixie) (push) Has been cancelled Details Tests / run tests (fedora 40) (push) Has been cancelled Details Tests / run tests (fedora 41) (push) Has been cancelled Details Tests / run tests (ubuntu 20.04) (push) Has been cancelled Details Tests / run tests (ubuntu 22.04) (push) Has been cancelled Details Tests / run tests (ubuntu 24.04) (push) Has been cancelled Details Tests / run tests (ubuntu 24.10) (push) Has been cancelled Details	2025-01-29 19:31:54 +01:00
Alexis Métaireau	7bbd260c72	Add a dev_scripts/dangerzone-image	2025-01-29 19:31:30 +01:00
Alexis Métaireau	7991a5cb9c	Some more refactoring	2025-01-29 19:14:40 +01:00
Alexis Métaireau	fd1db717b7	Refactoring of dangerzone/updater/*	2025-01-29 17:01:48 +01:00
Alexis Métaireau	d0ab34b422	Move regsitry and cosign utilities to `dangerzone/updater/*`. Placing these inside the `dangerzone` python package enables an inclusion with the software itself, and also makes it possible for end-users to attest the image.	2025-01-29 15:08:50 +01:00
Alexis Métaireau	cbd4795bf6	Verify podman/docker images against locally stored signatures Some checks are pending Tests / run tests (ubuntu 22.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 24.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 24.10) (push) Blocked by required conditions Details Tests / run-lint (push) Waiting to run Details Tests / build-container-image (push) Waiting to run Details Tests / Download and cache Tesseract data (push) Waiting to run Details Tests / windows (push) Blocked by required conditions Details Tests / macOS (arch64) (push) Blocked by required conditions Details Tests / macOS (x86_64) (push) Blocked by required conditions Details Tests / build-deb (debian bookworm) (push) Blocked by required conditions Details Tests / build-deb (debian bullseye) (push) Blocked by required conditions Details Tests / build-deb (debian trixie) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 20.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 22.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 24.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 24.10) (push) Blocked by required conditions Details Tests / install-deb (debian bookworm) (push) Blocked by required conditions Details Tests / install-deb (debian bullseye) (push) Blocked by required conditions Details Tests / install-deb (debian trixie) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 20.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 22.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 24.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 24.10) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 40) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 41) (push) Blocked by required conditions Details Tests / run tests (debian bookworm) (push) Blocked by required conditions Details Tests / run tests (debian bullseye) (push) Blocked by required conditions Details Tests / run tests (debian trixie) (push) Blocked by required conditions Details Tests / check-reproducibility (push) Waiting to run Details Release container image / build-container-image (push) Waiting to run Details	2025-01-28 16:21:29 +01:00
Alexis Métaireau	47252cc31d	Automate the verification of image signatures	2025-01-28 16:21:29 +01:00
Alexis Métaireau	bcd1ec2173	Add an utility to retrieve manifest info	2025-01-28 16:21:29 +01:00
Alexis Métaireau	5817650633	Add a script to verify Github attestations	2025-01-28 16:21:29 +01:00
Alexis Métaireau	8f49cd99eb	FIXUP: test	2025-01-28 16:21:29 +01:00
Alexis Métaireau	f0ac1f885f	Add logs	2025-01-28 16:21:29 +01:00
Alexis Métaireau	554736cab3	Remove the tag from the attestation, what we attest is the hash, so no need for it	2025-01-28 16:21:29 +01:00
Alexis Métaireau	891ffe4fec	Add the tag to the subject	2025-01-28 16:21:29 +01:00
Alexis Métaireau	2a80bf0c26	Get the tag from git before retagging it	2025-01-28 16:21:29 +01:00
Alexis Métaireau	ac62a153dc	Checkout with depth:0 otherwise git commands aren't functional	2025-01-28 16:21:29 +01:00
Alexis Métaireau	13449641ca	Build: Use Github runners to build and sign container images on new tags	2025-01-28 16:21:28 +01:00
Alex Pyrgiotis	88a6b37770	Add support for Python 3.13 Some checks failed Scan latest app and container / security-scan-container (push) Has been cancelled Details Scan latest app and container / security-scan-app (push) Has been cancelled Details Tests / windows (push) Has been cancelled Details Tests / macOS (arch64) (push) Has been cancelled Details Tests / build-deb (ubuntu 22.04) (push) Has been cancelled Details Tests / macOS (x86_64) (push) Has been cancelled Details Tests / build-deb (debian bookworm) (push) Has been cancelled Details Tests / build-deb (debian bullseye) (push) Has been cancelled Details Tests / build-deb (debian trixie) (push) Has been cancelled Details Tests / build-deb (ubuntu 20.04) (push) Has been cancelled Details Tests / build-deb (ubuntu 24.04) (push) Has been cancelled Details Tests / build-deb (ubuntu 24.10) (push) Has been cancelled Details Tests / install-deb (debian bookworm) (push) Has been cancelled Details Tests / install-deb (debian bullseye) (push) Has been cancelled Details Tests / install-deb (debian trixie) (push) Has been cancelled Details Tests / install-deb (ubuntu 20.04) (push) Has been cancelled Details Tests / install-deb (ubuntu 22.04) (push) Has been cancelled Details Tests / install-deb (ubuntu 24.04) (push) Has been cancelled Details Tests / install-deb (ubuntu 24.10) (push) Has been cancelled Details Tests / build-install-rpm (fedora 40) (push) Has been cancelled Details Tests / build-install-rpm (fedora 41) (push) Has been cancelled Details Tests / run tests (debian bookworm) (push) Has been cancelled Details Tests / run tests (debian bullseye) (push) Has been cancelled Details Tests / run tests (debian trixie) (push) Has been cancelled Details Tests / run tests (fedora 40) (push) Has been cancelled Details Tests / run tests (fedora 41) (push) Has been cancelled Details Tests / run tests (ubuntu 20.04) (push) Has been cancelled Details Tests / run tests (ubuntu 22.04) (push) Has been cancelled Details Tests / run tests (ubuntu 24.04) (push) Has been cancelled Details Tests / run tests (ubuntu 24.10) (push) Has been cancelled Details Bump our max supported Python version to 3.13, now that PySide6 supports it. Fixes #992	2025-01-27 21:40:27 +02:00
Alex Pyrgiotis	fb90243668	Symlink /usr in Debian container image Update our Dockerfile and entrypoint script in order to reuse the /usr dir in the inner and outer container image. Refs #1048	2025-01-27 21:40:27 +02:00
Alex Pyrgiotis	9724a16d81	Mask some extra paths in gVisor's OCI config Mask some paths of the outer container in the OCI config of the inner container. This is done to avoid leaking any sensitive information from Podman / Docker / gVisor, since we reuse the same rootfs Refs #1048	2025-01-27 21:40:27 +02:00
Alex Pyrgiotis	cf43a7a0c4	docs: Add design document for artifact reproducibility Refs #1047	2025-01-27 21:40:27 +02:00
Alex Pyrgiotis	cae4187550	Update RELEASE.md Co-authored-by: Alexis Métaireau <alexis@freedom.press>	2025-01-27 21:40:27 +02:00
Alex Pyrgiotis	cfa4478ace	ci: Add a CI job that enforces image reproducibility Add a CI job that uses the `reproduce.py` dev script to enforce image reproducibility, for every PR that we send to the repo. Fixes #1047	2025-01-27 21:40:27 +02:00
Alex Pyrgiotis	2557be9bc0	dev_scripts: Add script for enforcing image reproducibility Add a dev script for Linux platforms that verifies that a source image can be reproducibly built from the current Git commit. The reproducibility check is enforced by the `diffoci` tool, which is downloaded as part of running the script.	2025-01-27 21:40:27 +02:00
Alex Pyrgiotis	235d71354a	Allow setting a tag for the container image Allow setting a tag for the container image, when building it with the `build-image.py` script. This should be used for development purposes only, since the proper image name should be dictated by the script.	2025-01-27 21:40:27 +02:00
Alex Pyrgiotis	5d49f5abdb	ci: Scan the latest image for CVEs Update the Debian snapshot date to the current one, so that we always scan the latest image for CVEs. Refs #1057	2025-01-27 21:40:27 +02:00
Alex Pyrgiotis	0ce7773ca1	Render the Dockerfile from a template and some params Allow updating the Dockerfile from a template and some envs, so that it's easier to bump the dates in it.	2025-01-27 21:40:27 +02:00
Alex Pyrgiotis	fa27f4b063	Add jinja2-cli package dependency Add jinja2-cli as a package dependency, since it will be used to create the Dockerfile from some user parameters and a template.	2025-01-23 23:26:56 +02:00
Alex Pyrgiotis	8e8a515b64	Allow using the container engine cache when building our image Remove our suggestions for not using the container cache, which stemmed from the fact that our Dangerzone image was not reproducible. Now that we have switched to Debian Stable and the Dockerfile is all we need to reproducibly build the exact same container image, we can just use the cache to speed up builds.	2025-01-23 23:25:43 +02:00
Alex Pyrgiotis	270cae1bc0	Rename vendor-pymupdf.py to debian-vendor-pymupdf.py Rename the `vendor-pymupdf.py` script to `debian-vendor-pymupdf.py`, since it's used only when building Debian packages.	2025-01-23 23:25:43 +02:00
Alex Pyrgiotis	14bb6c0e39	Do not use poetry.lock when building the container image Remove all the scaffolding in our `build-image.py` script for using the `poetry.lock` file, now that we install PyMuPDF from the Debian repos.	2025-01-23 23:25:39 +02:00
Alex Pyrgiotis	033ce0986d	Switch base image to Debian Stable Switch base image from Alpine Linux to Debian Stable, in order to reduce our image footprint, improve our security posture, and build our container image reproducibly. Fixes #1046 Refs #1047	2025-01-23 23:24:48 +02:00
Alex Pyrgiotis	935396565c	Reuse the same rootfs for the inner and outer container Remove the need to copy the Dangerzone container image (used by the inner container) within a wrapper gVisor image (used by the outer container). Instead, use the root of the container filesystem for both containers. We can do this safely because we don't mount any secrets to the container, and because gVisor offers a read-only view of the underlying filesystem Fixes #1048	2025-01-23 23:24:48 +02:00
Alex Pyrgiotis	e29837cb43	Copy gVisor public key and a helper script in container helpers Download and copy the following artifacts that will be used for building a Debian-based Dangerzone container image in the subsequent commits: * The APT key for the gVisor repo [1] * A helper script for building reproducible Debian images [2] [1] https://gvisor.dev/archive.key [2] `d15cf12b26/repro-sources-list.sh`	2025-01-23 23:24:48 +02:00

1 2 3 4 5 ...

1549 commits