Remove port auto-detect on macos, getting rid of CGO

With CGO out of the way the make-release-builds.sh script can build
binaries for all OSs & architectures reproducibly in a container. Also
create a Macos univeral binary.

Commit checksums of all tkey-verification binaries (of the next version
that is expected to be released), which the script checks after
building.

Signed-off-by: Daniel Lublin <[email protected]>

Author: quite

.gitignore

@@ -1,4 +1,5 @@
 /gotools/golangci-lint
 /gotools/certstrap
+/gotools/lipo
 /show-pubkey
 /tkey-verification

Makefile

@@ -33,7 +33,9 @@ clean:
 .PHONY: lint
 lint:
 	$(MAKE) -C gotools golangci-lint
-	./gotools/golangci-lint run
+	GOOS=linux   ./gotools/golangci-lint run
+	GOOS=windows ./gotools/golangci-lint run
+	GOOS=darwin  ./gotools/golangci-lint run
 
 .PHONY: certs
 certs:

README.md

@@ -6,10 +6,18 @@ produced by [Tillitis](https://tillitis.se/) (the vendor).
 
 If you own a TKey and want make sure it's genuine you can follow
 [these
-instructions](https://tillitis.se/app/tkey-device-verification/) (On
+instructions](https://tillitis.se/app/tkey-device-verification/) (on
 Tillitis' web). Or just download a release of the tool right away:
 https://github.com/tillitis/tkey-verification/releases
 
+The published binaries can be reproduced by running
+`./make-release-builds.sh` with the wanted version (for example
+"0.0.2"). The [release-builds](release-builds) directory contains
+checksums of released versions (since we got reproducibility in
+place), which the script verifies after building. Running the script
+requires a rootless podman setup. On Ubuntu 22.10, running `apt
+install podman rootlesskit slirp4netns` should be enough.
+
 ## Terminology
 
 - "device under verification": The device the vendor is provisioning
@@ -276,3 +284,25 @@ Example file content:
   "signature": "db4e7a72b720b33f6d4887df0f9dcdd6988ca8adb6b0042d8e8c92b5be3e4e39d908f166d093f3ab20880102d43a2b0c8e31178ab7cdb59977dcf7204116cc0c"
 }
 ```
+
+## Making releases of tkey-verification
+
+Make the new release binaries for the expected version:
+
+    ./make-release-builds 0.0.42
+
+Generate and commit the new checksums:
+
+    ./gen-release-checksums 0.0.42
+    git add release-builds/*_0.0.42_*.sha512
+    git commit -m "Release 0.0.42"
+
+Then tag a new version and push it all:
+
+    git tag -a v0.0.42 -m v0.0.42
+    git push origin main v0.0.42
+
+Publish the new release at
+https://github.com/tillitis/tkey-verification/releases and upload the
+binaries and checksum files. For MacOS we'll provide only the
+universal binary.

build-appbin-in-container.sh

@@ -55,7 +55,7 @@ cname="tkey-build"
 
 podman run -it --name "$cname" \
        --mount type=bind,source="$(pwd)",target=/contrib \
-       ghcr.io/tillitis/tkey-builder:1 \
+       ghcr.io/tillitis/tkey-builder:2 \
        /bin/bash /contrib/containerbuild "$tag" "$appsrepotag"
 
 podman cp "$cname":/tkey-verification/apps/verisigner/app.bin "$destd/$destf"

cmd/tkey-verification/main.go

@@ -87,9 +87,9 @@ Known firmwares:
 		desc := fmt.Sprintf(`Usage: %s command [flags...]
 
 Commands:
-  serve-signer  TODO write...
+  serve-signer  Run the server that offers an API for creating vendor signatures.
 
-  remote-sign   TODO write...
+  remote-sign   Call the remote signing server to sign for a local TKey.
 
   verify        Verify that a TKey is genuine by extracting the TKey UDI and using it
                 to fetch the verification data, including tag and signature from the

cmd/tkey-verification/verify.go

@@ -128,7 +128,7 @@ func verify(devPath string, verbose bool, showURLOnly bool, baseDir string, veri
 func verificationFromURL(verifyURL string) (Verification, error) {
 	var verification Verification
 
-	le.Printf("Fetching %s ...\n", verifyURL)
+	le.Printf("Fetching verification data from %s ...\n", verifyURL)
 	client := http.Client{Timeout: 10 * time.Second}
 	resp, err := client.Get(verifyURL) // #nosec G107
 	if err != nil {
@@ -155,7 +155,7 @@ func verificationFromURL(verifyURL string) (Verification, error) {
 func verificationFromFile(fn string) (Verification, error) {
 	var verification Verification
 
-	le.Printf("Reading %s ...\n", fn)
+	le.Printf("Reading verification data from file %s ...\n", fn)
 	verificationJSON, err := os.ReadFile(fn)
 	if err != nil {
 		return verification, fmt.Errorf("ReadFile failed: %w", err)

gen-release-checksums

@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+if ! hash 2>/dev/null sha512sum; then
+  sha512sum() {
+    shasum -a 512 "$@"
+  }
+fi
+
+version="$1"
+if [ -z "$version" ]; then
+  printf "give me a version number\n"
+  exit 1
+fi
+shift
+
+cd release-builds
+
+any=
+for file in *_"$version"_*; do
+  [ -e "$file" ] || continue
+  [ "${file##*.}" != "sha512" ] || continue
+  hashf="$file.sha512"
+  if [ -e "$hashf" ]; then
+    printf "%s already exists, bailing out\n" "$hashf"
+    exit 1
+  fi
+  sha512sum >"$hashf" "$file"
+  printf "wrote %s\n" "$hashf"
+  any=any
+done
+
+if [ -z "$any" ]; then
+  printf "no binaries in release-builds/ with that version?\n"
+fi

gotools/Makefile

@@ -15,3 +15,10 @@ certstrap:
 	go mod download github.com/square/certstrap
 	go mod tidy
 	go build github.com/square/certstrap
+
+# .PHONY to let go-build handle deps and rebuilds
+.PHONY: lipo
+lipo:
+	go mod download github.com/konoui/lipo
+	go mod tidy
+	go build github.com/konoui/lipo

gotools/go.mod

@@ -4,6 +4,7 @@ go 1.19
 
 require (
 	github.com/golangci/golangci-lint v1.51.0
+	github.com/konoui/lipo v0.4.1
 	github.com/square/certstrap v1.3.0
 )
 
@@ -87,6 +88,7 @@ require (
 	github.com/kisielk/errcheck v1.6.3 // indirect
 	github.com/kisielk/gotool v1.0.0 // indirect
 	github.com/kkHAIKE/contextcheck v1.1.3 // indirect
+	github.com/konoui/go-qsort v0.0.1 // indirect
 	github.com/kulti/thelper v0.6.3 // indirect
 	github.com/kunwardeep/paralleltest v1.0.6 // indirect
 	github.com/kyoh86/exportloopref v0.1.11 // indirect

gotools/go.sum

@@ -330,6 +330,10 @@ github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kkHAIKE/contextcheck v1.1.3 h1:l4pNvrb8JSwRd51ojtcOxOeHJzHek+MtOyXbaR0uvmw=
 github.com/kkHAIKE/contextcheck v1.1.3/go.mod h1:PG/cwd6c0705/LM0KTr1acO2gORUxkSVWyLJOFW5qoo=
+github.com/konoui/go-qsort v0.0.1 h1:7scLI7DAKynqS6enK0vnpwoiw7L38pBI49ofIahb9rc=
+github.com/konoui/go-qsort v0.0.1/go.mod h1:UOsvdDPBzyQDk9Tb21hETK6KYXGYQTnoZB5qeKA1ARs=
+github.com/konoui/lipo v0.4.1 h1:DbaBYvafcdXx2DMlmMtwVugO8GywlFgywR7qZGMxP1E=
+github.com/konoui/lipo v0.4.1/go.mod h1:PpyG5pH3dW3h7QSsAu69JZIBZ4V5e9fg/H67azfQ1f8=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=