
Revert to working state #33


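name: CentOS binaries
# Builds yubihsm-shell RPMs plus a release tarball inside a RedHat-family
# container (currently only centos:7), installs the RPM, checks the installed
# binary for hardening flags, and uploads the tarball as an artifact.
on: [push]
jobs:
  redhat_based:
    strategy:
      fail-fast: false
      matrix:
        include:
          # centos:7 is end-of-life; its package repositories are only
          # reachable through vault.centos.org (see the "Setup OS" step).
          - environment: "centos:7"
            cc: "gcc"
            upload_for_test: "false"
    name: build on ${{ matrix.environment }}
    runs-on: ubuntu-latest
    container: ${{ matrix.environment }}
    steps:
      - name: Setup OS
        run: |
          # Point yum at the CentOS vault mirrors: the live mirror list no longer
          # serves the EOL release, so baseurl is enabled and mirrorlist disabled.
          sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo
          sed -i s/^#.*baseurl=http/baseurl=http/g /etc/yum.repos.d/*.repo
          sed -i s/^mirrorlist=http/#mirrorlist=http/g /etc/yum.repos.d/*.repo
          yum -y update
          yum -y install epel-release
          yum -y install gcc gcc-c++ cmake gengetopt openssl openssl-devel libedit-devel libcurl-devel libusbx-devel
          yum -y install pcsc-lite-devel help2man chrpath rpm-build redhat-rpm-config
          # checksec and jq are used by the "check binaries for hardening" step.
          yum -y install checksec procps-ng jq file which curl wget glibc
      - name: install OpenSSL
        run: |
          # NOTE(review): the tarball is fetched without any integrity check, and the
          # OpenSSL 1.1.1 series reached end of life in September 2023. Verify the
          # archive against the published checksum/signature before building, e.g.
          # `echo "<EXPECTED_SHA256>  openssl-1.1.1w.tar.gz" | sha256sum -c`.
          wget https://github.com/openssl/openssl/releases/download/OpenSSL_1_1_1w/openssl-1.1.1w.tar.gz
          tar xfz openssl-1.1.1w.tar.gz
          cd openssl-1.1.1w
          # Installed under the workspace; the build step points PKG_CONFIG_PATH here.
          ./config --prefix="$GITHUB_WORKSPACE/openssl" --openssldir="$GITHUB_WORKSPACE/openssl"
          make
          make install
      - name: clone the Yubico/yubihsm-shell repository
        run: |
          yum -y install git
          # NOTE(review): this clones the default branch of upstream with no pinned
          # tag or commit, so the artifact is not reproducible and does not build
          # the commit that triggered this run; pin a ref (`git clone --branch <TAG>`)
          # if a fixed upstream version is intended.
          git clone https://github.com/Yubico/yubihsm-shell.git
      - name: apply environment specific changes to CMakeLists.txt
        working-directory: yubihsm-shell
        if: ${{ matrix.environment == 'centos:7' }}
        run: |
          # centos 7 comes with cmake version 2.8, but the project requires 3.5
          # we downgrade that requirement for the centos 7 build
          sed -i 's/cmake_minimum_required (VERSION 3.5)/cmake_minimum_required (VERSION 2.8)/' CMakeLists.txt
          # we also remove the following policies which are not supported in the older cmake version
          sed -i 's/cmake_policy(SET CMP0025 NEW)/#cmake_policy(SET CMP0025 NEW)/' CMakeLists.txt
          sed -i 's/cmake_policy(SET CMP0042 NEW)/#cmake_policy(SET CMP0042 NEW)/' CMakeLists.txt
          sed -i 's/cmake_policy(SET CMP0054 NEW)/#cmake_policy(SET CMP0054 NEW)/' CMakeLists.txt
          sed -i 's/cmake_policy(SET CMP0091 NEW)/#cmake_policy(SET CMP0091 NEW)/' CMakeLists.txt
          # append -Wno-missing-braces -Wno-missing-field-initializers to the warning
          # flags (presumably because the older gcc trips -Werror on these); note that
          # -Werror itself is kept.
          sed -i 's/-Wall -Wextra -Werror/-Wall -Wextra -Werror -Wno-missing-braces -Wno-missing-field-initializers/' cmake/SecurityFlags.cmake
      - name: extract platform name
        env:
          DOCKER_IMAGE: ${{ matrix.environment }}
        run: |
          # Remove everything from DOCKER_IMAGE that is not a letter or a number
          # (e.g. "centos:7" -> "centos7"); later steps read it as $PLATFORM.
          PLATFORM=$(echo -n "$DOCKER_IMAGE" | sed -E 's/[^a-zA-Z0-9]//g')
          echo "PLATFORM=$PLATFORM" >> "$GITHUB_ENV"
      # - name: install dependencies
      #   env:
      #     PLATFORM: ${{ env.PLATFORM }}
      #   run: |
      #     cd yubihsm-shell/resources/release/linux
      #     ./install_redhat_dependencies.sh $PLATFORM
      #
      #     if [ $PLATFORM = "centos7" ]; then
      #       # enable the epel repository for centos
      #       yum install -y epel-release
      #     fi
      #     yum install -y checksec procps-ng jq file which curl
      - name: build release
        working-directory: yubihsm-shell
        env:
          PLATFORM: ${{ env.PLATFORM }}
        run: |
          # CMAKE and INPUT are not referenced by the commands below; presumably the
          # spec file / rpm macros consume them — confirm before removing.
          export CMAKE="cmake"
          export INPUT="$GITHUB_WORKSPACE/yubihsm-shell"
          export OUTPUT="$GITHUB_WORKSPACE/$PLATFORM/yubihsm-shell"
          rm -rf "$OUTPUT"
          mkdir -p "$OUTPUT"
          # Make the locally built OpenSSL (see "install OpenSSL") visible to cmake.
          export PKG_CONFIG_PATH="$GITHUB_WORKSPACE/openssl/lib/pkgconfig"
          # These 2 lines can be replaced by the command "rpmdev-setuptree", but this command seems to add macros that force check paths that do not exist
          mkdir -p "$GITHUB_WORKSPACE"/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
          # NOTE(review): rpm reads ~/.rpmmacros, not $GITHUB_WORKSPACE/.rpmmacros, so this
          # line likely has no effect; the copy below relies on rpmbuild's default
          # %_topdir ($HOME/rpmbuild, which is /github/home/rpmbuild in this container).
          echo '%_topdir %(echo $HOME)/rpmbuild' > "$GITHUB_WORKSPACE/.rpmmacros"
          RPM_DIR="$GITHUB_WORKSPACE/rpmbuild"
          cp resources/release/linux/yubihsm-shell.spec "$RPM_DIR/SPECS/"
          # QA_RPATHS relaxes the rpath checks (0x0001|0x0010) so the build is not
          # rejected for the rpath entries the package carries.
          QA_SKIP_BUILD_ROOT=1 QA_RPATHS=$(( 0x0001|0x0010 )) rpmbuild -bb "$RPM_DIR/SPECS/yubihsm-shell.spec"
          cp /github/home/rpmbuild/RPMS/x86_64/*.rpm "$OUTPUT/"
          LICENSE_DIR="$OUTPUT/share/yubihsm-shell"
          mkdir -p "$LICENSE_DIR"
          cp -r "$INPUT/resources/release/linux/licenses" "$LICENSE_DIR/"
          for lf in "$LICENSE_DIR"/licenses/*; do
            chmod 644 "$lf"
          done
          cd "$OUTPUT"
          # Pack the RPMs and licenses into one tarball in $GITHUB_WORKSPACE/$PLATFORM,
          # then remove the staging directory so only the tarball is uploaded.
          rm -f "yubihsm-shell-$PLATFORM-amd64.tar.gz"
          tar -C ".." -zcvf "../yubihsm-shell-$PLATFORM-amd64.tar.gz" "yubihsm-shell"
          rm -f *.rpm
          rm -rf licenses
          rm -rf ../yubihsm-shell
      - name: install binaries
        # Same default %_topdir location the build step copies from.
        working-directory: /github/home/rpmbuild/RPMS/x86_64
        run: |
          yum install -y ./yubihsm-shell-*.rpm
      - name: check binaries for hardening
        run: |
          # check <property> <expected>: read one checksec property of the installed
          # binary and fail the job (exit 1) when it differs from the expected value.
          # checksec is run once per property and the value reported is the one compared.
          check() {
            local actual
            actual=$(checksec --file=/usr/bin/yubihsm-shell --format=json | jq -r ".[] | .$1")
            if [ "$actual" != "$2" ]; then echo "$1 is $actual"; exit 1; fi
          }
          check relro full
          check canary yes
          check nx yes
          check pie yes
          check fortify_source yes
      - name: upload artifacts
        # NOTE(review): v3 of the artifact actions is deprecated on github.com;
        # migrate to a newer major (or pin to a full commit SHA) when touching this.
        uses: actions/upload-artifact@v3
        with:
          name: "yubihsm-shell-${{ env.PLATFORM }}-amd64"
          # The build step leaves only the tarball in this directory.
          path: ${{ env.PLATFORM }}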