feat: sign released binaries

Fix panic when peer is not yet associated
Use GOMIPS=softfloat by default and do not use UPX on mips targeted binaries
2023-10-19 15:44:01 +02:00 · 2023-09-04 21:08:46 -06:00 · 2022-09-16 14:47:40 +02:00 · 2022-09-12 18:22:49 +02:00 · 2022-09-12 17:47:51 +02:00 · 2022-09-12 17:46:59 +02:00
16 changed files with 136 additions and 67 deletions
--- a/.env.dist
+++ b/.env.dist
@ -0,0 +1,2 @@
+GPG_SIGNING_KEY=
+ARCH_TARGETS='amd64 arm arm64 386'
--- a/.gitignore
+++ b/.gitignore
@ -3,4 +3,7 @@
 /bin
 /testdata
 /release
-/out
+/out
+/.mktools
+/tools
+/.env
--- a/37
+++ b/37
@ -0,0 +1,37 @@
+@Library('cadoles') _
+
+pipeline {
+    agent {
+        dockerfile {
+            filename 'Dockerfile'
+            dir 'misc/ci'
+        }
+    }
+
+    stages {
+        stage('Lint') {
+            steps {
+                script {
+                    catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE') {
+                        sh 'make lint'
+                    }
+                }
+            }
+        }
+        stage('Test') {
+            steps {
+                script {
+                    sh 'make test'
+                }
+            }
+        }
+    }
+
+    post {
+        always {
+            script {
+                cleanWs()
+            }
+        }
+    }
+}
--- a/52
+++ b/52
@ -1,35 +1,47 @@
+SHELL := /bin/bash
+
 test:
 	go clean -testcache
 	go test -cover -v ./...

 watch:
-	modd	
+	go run -mod=readonly github.com/cortesi/modd/cmd/modd@latest

-release:
-	script/release
+release: tidy .env
+	( set -o allexport && source .env && set +o allexport && script/release )

-deps:
-	GO111MODULE=off go get -u golang.org/x/tools/cmd/godoc
-	GO111MODULE=off go get -u github.com/cortesi/modd/cmd/modd
-	GO111MODULE=off go get -u github.com/golangci/golangci-lint/cmd/golangci-lint
-	GO111MODULE=off go get -u github.com/lmika/goseq
+.env:
+	cp .env.dist .env

 tidy:
 	go mod tidy

 lint:
-	golangci-lint run --tests=false --enable-all
-
-sequence-diagram: sd-advertise sd-update sd-ping
-
-sd-%:
-	goseq doc/sequence-diagram/$*.seq > doc/sequence-diagram/$*.svg
-
-doc:
-	@echo "open your browser to http://localhost:6060/pkg/forge.cadoles.com/Cadoles/go-http-peering to see the documentation"
-	godoc -http=:6060
+	go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.49.0 run --tests=false --enable-all

 bin/keygen:
-	go build -o bin/keygen ./cmd/keygen
+	CGO_ENABLED=0 go build -o bin/keygen ./cmd/keygen

-.PHONY: test lint doc sequence-diagram bin/keygen release
+.PHONY: test lint doc sequence-diagram bin/keygen release
+
+gitea-release: .mktools tools/gitea-release/bin/gitea-release.sh release
+	GITEA_RELEASE_PROJECT="go-http-peering" \
+		GITEA_RELEASE_ORG="Cadoles" \
+		GITEA_RELEASE_BASE_URL="https://forge.cadoles.com" \
+		GITEA_RELEASE_VERSION="$(MKT_PROJECT_VERSION)" \
+		GITEA_RELEASE_NAME="$(MKT_PROJECT_VERSION)" \
+		GITEA_RELEASE_COMMITISH_TARGET="$(GIT_VERSION)" \
+		GITEA_RELEASE_IS_DRAFT="false" \
+		GITEA_RELEASE_BODY="" \
+		GITEA_RELEASE_ATTACHMENTS="$$(find release -type f -name '*.tar.gz')" \
+		tools/gitea-release/bin/gitea-release.sh
+
+.PHONY: mktools
+mktools:
+	rm -rf .mktools
+	curl -k -q https://forge.cadoles.com/Cadoles/mktools/raw/branch/master/install.sh | $(SHELL)
+
+.mktools:
+	$(MAKE) mktools
+
+-include .mktools/*.mk
--- a/cmd/keygen/create_key.go
+++ b/cmd/keygen/create_key.go
@ -4,20 +4,21 @@ import (
 	"fmt"

 	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
+	"github.com/pkg/errors"
 )

 func createKey() {
 	passphrase, err := getPassphrase()
 	if err != nil {
-		handleError(err)
+		handleError(errors.WithStack(err))
 	}
 	key, err := crypto.CreateRSAKey(keySize)
 	if err != nil {
-		handleError(err)
+		handleError(errors.WithStack(err))
 	}
 	privatePEM, err := crypto.EncodePrivateKeyToEncryptedPEM(key, passphrase)
 	if err != nil {
-		handleError(err)
+		handleError(errors.WithStack(err))
 	}
 	fmt.Print(string(privatePEM))
 }
--- a/cmd/keygen/create_token.go
+++ b/cmd/keygen/create_token.go
@ -4,6 +4,7 @@ import (
 	"fmt"

 	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
+	"github.com/pkg/errors"

 	peering "forge.cadoles.com/Cadoles/go-http-peering"
 )
@ -11,11 +12,11 @@ import (
 func createToken() {
 	privateKey, err := loadPrivateKey()
 	if err != nil {
-		handleError(err)
+		handleError(errors.WithStack(err))
 	}
 	token, err := crypto.CreateServerToken(privateKey, tokenIssuer, peering.PeerID(tokenPeerID))
 	if err != nil {
-		handleError(err)
+		handleError(errors.WithStack(err))
 	}
 	fmt.Println(token)
 }
--- a/cmd/keygen/get_public_key.go
+++ b/cmd/keygen/get_public_key.go
@ -4,16 +4,17 @@ import (
 	"fmt"

 	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
+	"github.com/pkg/errors"
 )

 func getPublicKey() {
 	privateKey, err := loadPrivateKey()
 	if err != nil {
-		handleError(err)
+		handleError(errors.WithStack(err))
 	}
 	publicPEM, err := crypto.EncodePublicKeyToPEM(privateKey.Public())
 	if err != nil {
-		handleError(err)
+		handleError(errors.WithStack(err))
 	}
 	fmt.Print(string(publicPEM))
 }
--- a/cmd/keygen/util.go
+++ b/cmd/keygen/util.go
@ -6,13 +6,13 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
-	"errors"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"syscall"

 	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
+	"github.com/pkg/errors"

 	"golang.org/x/crypto/ssh/terminal"
 )
@ -29,14 +29,14 @@ func askPassphrase() ([]byte, error) {
 	fmt.Print("Passphrase: ")
 	passphrase, err := terminal.ReadPassword(syscall.Stdin)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 	fmt.Println()

 	fmt.Print("Confirm passphrase: ")
 	passphraseConfirmation, err := terminal.ReadPassword(syscall.Stdin)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 	fmt.Println()

@ -48,7 +48,6 @@ func askPassphrase() ([]byte, error) {
 }

 func privateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) {
-
 	if passphrase == nil {
 		return nil, errors.New("passphrase cannot be empty")
 	}
@ -61,7 +60,7 @@ func privateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, e

 	block, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, passphrase, x509.PEMCipherAES256)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}

 	return pem.EncodeToMemory(block), nil
@ -73,24 +72,24 @@ func loadPrivateKey() (*rsa.PrivateKey, error) {
 	}
 	pem, err := ioutil.ReadFile(keyFile)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 	passphrase, err := getPassphrase()
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 	privateKey, err := crypto.DecodePEMEncryptedPrivateKey(pem, passphrase)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 	return privateKey, nil
 }

 func handleError(err error) {
 	if !debug {
-		fmt.Println(err)
+		fmt.Printf("%+v\n", errors.WithStack(err))
 	} else {
-		panic(err)
+		panic(fmt.Sprintf("%+v", errors.WithStack(err)))
 	}
 	os.Exit(1)
 }
--- a/crypto/pem.go
+++ b/crypto/pem.go
@ -6,15 +6,15 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
-	"errors"

 	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/pkg/errors"
 )

 func EncodePublicKeyToPEM(key crypto.PublicKey) ([]byte, error) {
 	pub, err := x509.MarshalPKIXPublicKey(key)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 	data := pem.EncodeToMemory(&pem.Block{
 		Type:  "PUBLIC KEY",
@ -28,8 +28,6 @@ func DecodePEMToPublicKey(pem []byte) (crypto.PublicKey, error) {
 }

 func DecodePEMEncryptedPrivateKey(key []byte, passphrase []byte) (*rsa.PrivateKey, error) {
-	var err error
-
 	// Parse PEM block
 	var block *pem.Block
 	if block, _ = pem.Decode(key); block == nil {
@ -38,12 +36,12 @@ func DecodePEMEncryptedPrivateKey(key []byte, passphrase []byte) (*rsa.PrivateKe

 	decryptedBlock, err := x509.DecryptPEMBlock(block, passphrase)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}

 	var parsedKey interface{}
 	if parsedKey, err = x509.ParsePKCS1PrivateKey(decryptedBlock); err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}

 	var privateKey *rsa.PrivateKey
@ -70,7 +68,7 @@ func EncodePrivateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]b
 		block.Bytes, passphrase, x509.PEMCipherAES256,
 	)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}

 	return pem.EncodeToMemory(block), nil
--- a/crypto/rsa.go
+++ b/crypto/rsa.go
@ -8,12 +8,13 @@ import (
 	peering "forge.cadoles.com/Cadoles/go-http-peering"

 	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/pkg/errors"
 )

 func CreateRSAKey(bits int) (*rsa.PrivateKey, error) {
 	key, err := rsa.GenerateKey(rand.Reader, bits)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 	return key, nil
 }
@ -28,7 +29,7 @@ func CreateServerToken(privateKey *rsa.PrivateKey, issuer string, peerID peering
 	})
 	tokenStr, err := token.SignedString(privateKey)
 	if err != nil {
-		return "", err
+		return "", errors.WithStack(err)
 	}
 	return tokenStr, nil
 }
--- a/go.mod
+++ b/go.mod
@ -1,12 +1,17 @@
 module forge.cadoles.com/Cadoles/go-http-peering

 require (
-	github.com/davecgh/go-spew v1.1.1
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/go-chi/chi v3.3.3+incompatible
 	github.com/pborman/uuid v1.2.0
-	golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2
-	golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223 // indirect
+	golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90
 )

-go 1.13
+require (
+	github.com/google/uuid v1.0.0 // indirect
+	github.com/pkg/errors v0.9.1
+	golang.org/x/sys v0.0.0-20220829200755-d48e67d00261 // indirect
+	golang.org/x/term v0.0.0-20220722155259-a9ba230a4035 // indirect
+)
+
+go 1.18
--- a/go.sum
+++ b/go.sum
@ -1,5 +1,3 @@
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/go-chi/chi v3.3.3+incompatible h1:KHkmBEMNkwKuK4FdQL7N2wOeB9jnIx7jR5wsuSBEFI8=
@ -8,7 +6,11 @@ github.com/google/uuid v1.0.0 h1:b4Gk+7WdP/d3HZH8EJsZpvV7EtDOgaZLtnaNGIu1adA=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
-golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2 h1:NwxKRvbkH5MsNkvOtPZi3/3kmI8CAzs3mtv+GLQMkNo=
-golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223 h1:DH4skfRX4EBpamg7iV4ZlCpblAHI6s6TDM39bFZumv8=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 h1:Y/gsMcFOcR+6S6f3YeMKl5g+dZMEWqcz5Czj/GWYbkM=
+golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/sys v0.0.0-20220829200755-d48e67d00261 h1:v6hYoSR9T5oet+pMXwUWkbiVqx/63mlHjefrHmxwfeY=
+golang.org/x/sys v0.0.0-20220829200755-d48e67d00261/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20220722155259-a9ba230a4035 h1:Q5284mrmYTpACcm+eAKjKJH48BBwSyfJqmmGDTtT8Vc=
+golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
--- a/misc/ci/Dockerfile
+++ b/misc/ci/Dockerfile
@ -0,0 +1,5 @@
+FROM golang:1.19
+
+RUN apt-get update && apt-get install -y make upx-ucl curl ca-certificates bash jq
+
+RUN curl -k https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh | bash
--- a/modd.conf
+++ b/modd.conf
@ -2,8 +2,4 @@
 !vendor/**.go {
    prep: make test
    prep: make bin/keygen
-}
-
-doc/sequence-diagram/*.seq {
-    prep: make sequence-diagram
 }
--- a/script/release
+++ b/script/release
@ -3,7 +3,9 @@
 set -eo pipefail

 OS_TARGETS=(linux)
-ARCH_TARGETS=${ARCH_TARGETS:-amd64}
+ARCH_TARGETS=${ARCH_TARGETS:-amd64 mipsle}
+
+export GOMIPS=softfloat

 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

@ -29,10 +31,16 @@ function build {
    -o "$destdir/$name" \
    "$srcdir"

-  if [ ! -z "$(which upx)" ]; then
+  # Disable UPX compression for MIPS archs
+  # See https://github.com/upx/upx/issues/339
+  if [ ! -z "$(which upx)" ] && [[ ! "$arch" =~ "mips" ]]; then
    upx --best "$destdir/$name"
  fi

+  if [ ! -z "${GPG_SIGNING_KEY}" ]; then
+    echo "signing '$destdir/$name' with gpg key '$GPG_SIGNING_KEY'..."
+    gpg --sign --default-key "${GPG_SIGNING_KEY}" --output "$destdir/$name.sig" "$destdir/$name"
+  fi
 }

 function copy {
--- a/server/middleware.go
+++ b/server/middleware.go
@ -8,14 +8,13 @@ import (
 	"errors"
 	"io"
 	"io/ioutil"
+	"net/http"
 	"time"

 	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"

 	peering "forge.cadoles.com/Cadoles/go-http-peering"
 	jwt "github.com/dgrijalva/jwt-go"
-
-	"net/http"
 )

 const (
@ -38,7 +37,6 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)

 	middleware := func(next http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
-
 			serverToken := r.Header.Get(ServerTokenHeader)
 			if serverToken == "" {
 				sendError(w, http.StatusUnauthorized)
@ -77,6 +75,7 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 						return
 					}
 					sendError(w, http.StatusUnauthorized)
+					return
 				case ErrPeerRejected:
 					if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
 						logger.Printf("[ERROR] %s", err)
@ -115,7 +114,6 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 			r.Body = ioutil.NopCloser(bytes.NewBuffer(body))

 			next.ServeHTTP(w, r)
-
 		}
 		return http.HandlerFunc(fn)
 	}
Author	SHA1	Message	Date
William Petit	cf8f026574	feat: sign released binaries Some checks reported warnings Cadoles/go-http-peering/pipeline/head This commit is unstable Details	2023-10-19 15:44:01 +02:00
William Petit	891cfa7540	Fix panic when peer is not yet associated Some checks reported warnings Cadoles/go-http-peering/pipeline/head This commit is unstable Details	2023-09-04 21:08:46 -06:00
William Petit	d38f0be312	Use GOMIPS=softfloat by default and do not use UPX on mips targeted binaries Some checks reported warnings Cadoles/go-http-peering/pipeline/head This commit is unstable Details	2022-09-16 14:47:40 +02:00
wpetit	5be381d2b7	Disable upx compression for mips arch Some checks reported warnings Cadoles/go-http-peering/pipeline/head This commit is unstable Details	2022-09-12 18:22:49 +02:00
William Petit	7cff0e3f91	Add mipsle target Some checks reported warnings Cadoles/go-http-peering/pipeline/head This commit is unstable Details	2022-09-12 17:47:51 +02:00
William Petit	f872a68906	Return wrapped errors	2022-09-12 17:46:59 +02:00
William Petit	6257330dd3	Use jenkins main library version Some checks reported warnings Cadoles/go-http-peering/pipeline/head This commit is unstable Details	2022-09-05 14:40:36 +02:00
William Petit	9c26b79769	Refactor Makefile Some checks reported warnings Cadoles/go-http-peering/pipeline/head This commit is unstable Details	2022-09-05 12:54:33 +02:00
William Petit	932aa46a18	Add Jenkinsfile All checks were successful Cadoles/go-http-peering/pipeline/head This commit looks good Details	2022-09-05 12:30:00 +02:00