almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-29 02:12:36 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 11
1543 commits 51 branches 42 tags 53 MiB
Commit graph

1543 commits

This branch
This branch
All branches
Author SHA1 Message Date
Alexis Métaireau
8041ae2fb6
feat(icu): Add verification support for multi-arch images 2025-02-11 16:13:27 +01:00
Alexis Métaireau
2d9c00d681
fixup: Fix docs 2025-02-11 16:13:27 +01:00
Alex Pyrgiotis
1b7cfe4c7f
WIP: Add CI job for multi-arch builds 2025-02-11 16:13:27 +01:00
Alex Pyrgiotis
5accaef357
WIP: Verify local image 2025-02-11 16:13:27 +01:00
Alex Pyrgiotis
b42833df47
WIP: Make verify-attestation work for SLSA 3 attestations 2025-02-11 16:13:26 +01:00
Alexis Métaireau
858d31458b
fix(icu): update documentation and fixes 2025-02-11 16:13:26 +01:00
Alexis Métaireau
3b858dac27
Get image name from signatures for air-gapped archives 
This allows to be sure that the image name is verified by a known public
key, rather than relying on an input by the user, which can lead to issues.
 2025-02-11 16:13:26 +01:00
Alexis Métaireau
c6f5e61e0b
Add a dangerzone-image prepare-archive command 2025-02-11 16:13:26 +01:00
Alexis Métaireau
4d27449351
Locally store the signatures for oci-images archives 
On air-gapped environements, it's now possible to load signatures
generated by `cosign save` commands. The signatures embedded in this
format will be converted to the one used by `cosign download signature`.
 2025-02-11 16:13:26 +01:00
Alexis Métaireau
f30ced7834
Allow installation on air-gapped systems 
- Verify the archive against the known public signature
- Prepare a new archive format (with signature removed)
- Load the new image and retag it with the expected tag

During this process, the signatures are lost and should instead be
converted to a known format. Additionally, the name fo the repository
should ideally come from the signatures rather than from the command
line.
 2025-02-11 16:13:26 +01:00
Alexis Métaireau
d4547b8964
Ensure cosign is installed before trying to use it 2025-02-11 16:13:26 +01:00
Alexis Métaireau
9b60a101a1
Add a dev_scripts/dangerzone-image 2025-02-11 16:13:26 +01:00
Alexis Métaireau
2e7af4aebf
Some more refactoring 2025-02-11 16:13:26 +01:00
Alexis Métaireau
5921289454
Refactoring of dangerzone/updater/* 2025-02-11 16:13:26 +01:00
Alexis Métaireau
ab15d25a18
Move regsitry and cosign utilities to dangerzone/updater/*. 
Placing these inside the `dangerzone` python package enables an
inclusion with the software itself, and also makes it possible for
end-users to attest the image.
 2025-02-11 16:13:25 +01:00
Alexis Métaireau
225839960c
Verify podman/docker images against locally stored signatures 2025-02-11 16:13:25 +01:00
Alexis Métaireau
83a38eab0d
Automate the verification of image signatures 2025-02-11 16:13:25 +01:00
Alexis Métaireau
1ea76ded9b
Add an utility to retrieve manifest info 2025-02-11 16:13:25 +01:00
Alexis Métaireau
66ac7e56f8
Add a script to verify Github attestations 2025-02-11 16:13:25 +01:00
Alexis Métaireau
3f428d4824
FIXUP: test 2025-02-11 16:13:25 +01:00
Alexis Métaireau
2839c3b1ff
Add logs 2025-02-11 16:13:25 +01:00
Alexis Métaireau
fa540e53fa
Remove the tag from the attestation, what we attest is the hash, so no need for it 2025-02-11 16:13:25 +01:00
Alexis Métaireau
56b464fe58
Add the tag to the subject 2025-02-11 16:13:25 +01:00
Alexis Métaireau
2235cb1b36
Get the tag from git before retagging it 2025-02-11 16:13:25 +01:00
Alexis Métaireau
4c78a0117c
Checkout with depth:0 otherwise git commands aren't functional 2025-02-11 16:13:24 +01:00
Alexis Métaireau
13d12de087
Build: Use Github runners to build and sign container images on new tags 2025-02-11 16:13:24 +01:00
Alex Pyrgiotis
856de3fd46
grype: Ignore CVE-2025-0665
Some checks failed
Tests / macOS (x86_64) (push) Has been cancelled
Details
Scan latest app and container / security-scan-container (push) Has been cancelled
Details
Scan latest app and container / security-scan-app (push) Has been cancelled
Details
Tests / windows (push) Has been cancelled
Details
Tests / macOS (arch64) (push) Has been cancelled
Details
Tests / build-deb (debian bookworm) (push) Has been cancelled
Details
Tests / build-deb (debian bullseye) (push) Has been cancelled
Details
Tests / build-deb (debian trixie) (push) Has been cancelled
Details
Tests / build-deb (ubuntu 20.04) (push) Has been cancelled
Details
Tests / build-deb (ubuntu 22.04) (push) Has been cancelled
Details
Tests / build-deb (ubuntu 24.04) (push) Has been cancelled
Details
Tests / build-deb (ubuntu 24.10) (push) Has been cancelled
Details
Tests / install-deb (debian bookworm) (push) Has been cancelled
Details
Tests / install-deb (debian bullseye) (push) Has been cancelled
Details
Tests / install-deb (debian trixie) (push) Has been cancelled
Details
Tests / install-deb (ubuntu 20.04) (push) Has been cancelled
Details
Tests / install-deb (ubuntu 22.04) (push) Has been cancelled
Details
Tests / install-deb (ubuntu 24.04) (push) Has been cancelled
Details
Tests / install-deb (ubuntu 24.10) (push) Has been cancelled
Details
Tests / build-install-rpm (fedora 40) (push) Has been cancelled
Details
Tests / build-install-rpm (fedora 41) (push) Has been cancelled
Details
Tests / run tests (debian bookworm) (push) Has been cancelled
Details
Tests / run tests (debian bullseye) (push) Has been cancelled
Details
Tests / run tests (debian trixie) (push) Has been cancelled
Details
Tests / run tests (fedora 40) (push) Has been cancelled
Details
Tests / run tests (fedora 41) (push) Has been cancelled
Details
Tests / run tests (ubuntu 20.04) (push) Has been cancelled
Details
Tests / run tests (ubuntu 22.04) (push) Has been cancelled
Details
Tests / run tests (ubuntu 24.04) (push) Has been cancelled
Details
Tests / run tests (ubuntu 24.10) (push) Has been cancelled
Details 
Ignore the CVE-2025-0665 vulnerability, since it's a libcurl one, and
the Dangerzone container does not make network calls. Also, it seems
that Debian Bookworm is not affected.
 2025-02-10 12:31:08 +02:00
Alex Pyrgiotis
88a6b37770
Add support for Python 3.13
Some checks failed
Scan latest app and container / security-scan-container (push) Has been cancelled
Details
Scan latest app and container / security-scan-app (push) Has been cancelled
Details
Tests / windows (push) Has been cancelled
Details
Tests / macOS (arch64) (push) Has been cancelled
Details
Tests / build-deb (ubuntu 22.04) (push) Has been cancelled
Details
Tests / macOS (x86_64) (push) Has been cancelled
Details
Tests / build-deb (debian bookworm) (push) Has been cancelled
Details
Tests / build-deb (debian bullseye) (push) Has been cancelled
Details
Tests / build-deb (debian trixie) (push) Has been cancelled
Details
Tests / build-deb (ubuntu 20.04) (push) Has been cancelled
Details
Tests / build-deb (ubuntu 24.04) (push) Has been cancelled
Details
Tests / build-deb (ubuntu 24.10) (push) Has been cancelled
Details
Tests / install-deb (debian bookworm) (push) Has been cancelled
Details
Tests / install-deb (debian bullseye) (push) Has been cancelled
Details
Tests / install-deb (debian trixie) (push) Has been cancelled
Details
Tests / install-deb (ubuntu 20.04) (push) Has been cancelled
Details
Tests / install-deb (ubuntu 22.04) (push) Has been cancelled
Details
Tests / install-deb (ubuntu 24.04) (push) Has been cancelled
Details
Tests / install-deb (ubuntu 24.10) (push) Has been cancelled
Details
Tests / build-install-rpm (fedora 40) (push) Has been cancelled
Details
Tests / build-install-rpm (fedora 41) (push) Has been cancelled
Details
Tests / run tests (debian bookworm) (push) Has been cancelled
Details
Tests / run tests (debian bullseye) (push) Has been cancelled
Details
Tests / run tests (debian trixie) (push) Has been cancelled
Details
Tests / run tests (fedora 40) (push) Has been cancelled
Details
Tests / run tests (fedora 41) (push) Has been cancelled
Details
Tests / run tests (ubuntu 20.04) (push) Has been cancelled
Details
Tests / run tests (ubuntu 22.04) (push) Has been cancelled
Details
Tests / run tests (ubuntu 24.04) (push) Has been cancelled
Details
Tests / run tests (ubuntu 24.10) (push) Has been cancelled
Details 
Bump our max supported Python version to 3.13, now that PySide6 supports
it.

Fixes #992
 2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
fb90243668
Symlink /usr in Debian container image 
Update our Dockerfile and entrypoint script in order to reuse the /usr
dir in the inner and outer container image.

Refs #1048
 2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
9724a16d81
Mask some extra paths in gVisor's OCI config 
Mask some paths of the outer container in the OCI config of the inner
container. This is done to avoid leaking any sensitive information from
Podman / Docker / gVisor, since we reuse the same rootfs

Refs #1048
 2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
cf43a7a0c4
docs: Add design document for artifact reproducibility 
Refs #1047
 2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
cae4187550
Update RELEASE.md 
Co-authored-by: Alexis Métaireau <alexis@freedom.press>
 2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
cfa4478ace
ci: Add a CI job that enforces image reproducibility 
Add a CI job that uses the `reproduce.py` dev script to enforce image
reproducibility, for every PR that we send to the repo.

Fixes #1047
 2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
2557be9bc0
dev_scripts: Add script for enforcing image reproducibility 
Add a dev script for Linux platforms that verifies that a source image
can be reproducibly built from the current Git commit. The
reproducibility check is enforced by the `diffoci` tool, which is
downloaded as part of running the script.
 2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
235d71354a
Allow setting a tag for the container image 
Allow setting a tag for the container image, when building it with the
`build-image.py` script. This should be used for development purposes
only, since the proper image name should be dictated by the script.
 2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
5d49f5abdb
ci: Scan the latest image for CVEs 
Update the Debian snapshot date to the current one, so that we always
scan the latest image for CVEs.

Refs #1057
 2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
0ce7773ca1
Render the Dockerfile from a template and some params 
Allow updating the Dockerfile from a template and some envs, so that
it's easier to bump the dates in it.
 2025-01-27 21:40:27 +02:00
Alex Pyrgiotis
fa27f4b063
Add jinja2-cli package dependency 
Add jinja2-cli as a package dependency, since it will be used to create
the Dockerfile from some user parameters and a template.
 2025-01-23 23:26:56 +02:00
Alex Pyrgiotis
8e8a515b64
Allow using the container engine cache when building our image 
Remove our suggestions for not using the container cache, which stemmed
from the fact that our Dangerzone image was not reproducible. Now that
we have switched to Debian Stable and the Dockerfile is all we need to
reproducibly build the exact same container image, we can just use the
cache to speed up builds.
 2025-01-23 23:25:43 +02:00
Alex Pyrgiotis
270cae1bc0
Rename vendor-pymupdf.py to debian-vendor-pymupdf.py 
Rename the `vendor-pymupdf.py` script to `debian-vendor-pymupdf.py`,
since it's used only when building Debian packages.
 2025-01-23 23:25:43 +02:00
Alex Pyrgiotis
14bb6c0e39
Do not use poetry.lock when building the container image 
Remove all the scaffolding in our `build-image.py` script for using the
`poetry.lock` file, now that we install PyMuPDF from the Debian repos.
 2025-01-23 23:25:39 +02:00
Alex Pyrgiotis
033ce0986d
Switch base image to Debian Stable 
Switch base image from Alpine Linux to Debian Stable, in order to reduce
our image footprint, improve our security posture, and build our
container image reproducibly.

Fixes #1046
Refs #1047
 2025-01-23 23:24:48 +02:00
Alex Pyrgiotis
935396565c
Reuse the same rootfs for the inner and outer container 
Remove the need to copy the Dangerzone container image (used by the
inner container) within a wrapper gVisor image (used by the outer
container). Instead, use the root of the container filesystem for both
containers. We can do this safely because we don't mount any secrets to
the container, and because gVisor offers a read-only view of the
underlying filesystem

Fixes #1048
 2025-01-23 23:24:48 +02:00
Alex Pyrgiotis
e29837cb43
Copy gVisor public key and a helper script in container helpers 
Download and copy the following artifacts that will be used for building
a Debian-based Dangerzone container image in the subsequent commits:
* The APT key for the gVisor repo [1]
* A helper script for building reproducible Debian images [2]

[1] https://gvisor.dev/archive.key
[2] d15cf12b26/repro-sources-list.sh
 2025-01-23 23:24:48 +02:00
Alex Pyrgiotis
8568b4bb9d
Move container-only build context to dangerzone/container 
Move container-only build context (currently just the entrypoint script)
from `dangerzone/gvisor_wrapper` to `dangerzone/container_helpers`.
Update the rest of the scripts to use this location as well.
 2025-01-23 23:24:48 +02:00
Alex Pyrgiotis
be1fa7a395
Whitespace fixes 2025-01-23 23:24:47 +02:00
Alexis Métaireau
b2f4e2d523
Bump poetry.lock
Some checks are pending
Tests / windows (push) Blocked by required conditions
Details
Tests / macOS (arch64) (push) Blocked by required conditions
Details
Tests / macOS (x86_64) (push) Blocked by required conditions
Details
Tests / build-deb (debian bookworm) (push) Blocked by required conditions
Details
Tests / build-deb (debian bullseye) (push) Blocked by required conditions
Details
Tests / build-deb (debian trixie) (push) Blocked by required conditions
Details
Tests / build-deb (ubuntu 20.04) (push) Blocked by required conditions
Details
Tests / build-deb (ubuntu 22.04) (push) Blocked by required conditions
Details
Tests / build-deb (ubuntu 24.04) (push) Blocked by required conditions
Details
Tests / build-deb (ubuntu 24.10) (push) Blocked by required conditions
Details
Tests / install-deb (debian bookworm) (push) Blocked by required conditions
Details
Tests / install-deb (debian bullseye) (push) Blocked by required conditions
Details
Tests / install-deb (debian trixie) (push) Blocked by required conditions
Details
Tests / install-deb (ubuntu 20.04) (push) Blocked by required conditions
Details
Tests / install-deb (ubuntu 22.04) (push) Blocked by required conditions
Details
Tests / install-deb (ubuntu 24.04) (push) Blocked by required conditions
Details
Tests / install-deb (ubuntu 24.10) (push) Blocked by required conditions
Details
Tests / build-install-rpm (fedora 40) (push) Blocked by required conditions
Details
Tests / build-install-rpm (fedora 41) (push) Blocked by required conditions
Details
Tests / run tests (debian bookworm) (push) Blocked by required conditions
Details
Tests / run tests (debian bullseye) (push) Blocked by required conditions
Details
Tests / run tests (debian trixie) (push) Blocked by required conditions
Details
Tests / run tests (fedora 40) (push) Blocked by required conditions
Details
Tests / run tests (fedora 41) (push) Blocked by required conditions
Details
Tests / run tests (ubuntu 20.04) (push) Blocked by required conditions
Details
Tests / run tests (ubuntu 22.04) (push) Blocked by required conditions
Details
Tests / run tests (ubuntu 24.04) (push) Blocked by required conditions
Details
Tests / run tests (ubuntu 24.10) (push) Blocked by required conditions
Details
Scan latest app and container / security-scan-container (push) Waiting to run
Details
Scan latest app and container / security-scan-app (push) Waiting to run
Details
2025-01-23 16:26:07 +01:00
Alexis Métaireau
7409966253
Remove ${Python3:Depends} as it's not used at the moment. 2025-01-23 16:26:06 +01:00
Alexis Métaireau
40fb6579f6
Alternatives for debian/control 2025-01-23 16:26:06 +01:00
Alexis Métaireau
6ae91b024e
Use platformdirs to find user configuration files 
The previous library we were using for this (`appdirs`) is dead upstream
and not supported anymore in debian testing.

Fixes #1058
 2025-01-23 16:26:06 +01:00