From 89c6904423e688d67e0d9a069e7a2ff0126e1d2d Mon Sep 17 00:00:00 2001
From: Aveen Ismail
Date: Sun, 29 Sep 2024 18:08:16 +0200
Subject: [PATCH] Revert to not compiling glibc from source, testing installer and checking for hardening
---
 .github/workflows/build_centos.yml | 57 ++++++++++++------------------
 1 file changed, 22 insertions(+), 35 deletions(-)
diff --git a/.github/workflows/build_centos.yml b/.github/workflows/build_centos.yml
index 0f718d35..fefbd863 100644
--- a/.github/workflows/build_centos.yml
+++ b/.github/workflows/build_centos.yml
@@ -34,13 +34,13 @@ jobs:
 yum -y install pcsc-lite-devel help2man chrpath rpm-build redhat-rpm-config
 yum -y install checksec procps-ng jq file which curl wget git
- yum -y install bison make
- git clone https://sourceware.org/git/glibc.git -b glibc-2.25 --depth 1
- mkdir glibc/build
- cd glibc/build
- ./../configure --prefix=/usr
- make
- make install
+# yum -y install bison make
+# git clone https://sourceware.org/git/glibc.git -b glibc-2.25 --depth 1
+# mkdir glibc/build
+# cd glibc/build
+# ./../configure --prefix=/usr
+# make
+# make install
 - name: install OpenSSL
 run: |
@@ -78,19 +78,6 @@ jobs:
 PLATFORM=$(echo -n "$DOCKER_IMAGE" | sed -E 's/[^a-zA-Z0-9]//g')
 echo "PLATFORM=$PLATFORM" >> $GITHUB_ENV
-# - name: install dependencies
-# env:
-# PLATFORM: ${{ env.PLATFORM }}
-# run: |
-# cd yubihsm-shell/resources/release/linux
-# ./install_redhat_dependencies.sh $PLATFORM
-#
-# if [ $PLATFORM = "centos7" ]; then
-# # enable the epel repository for centos
-# yum install -y epel-release
-# fi
-# yum install -y checksec procps-ng jq file which curl
-
 - name: build release
 working-directory: yubihsm-shell
 env:
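Review bot: The seven `+#` lines in the first hunk keep the glibc-from-source recipe as commented-out code inside the install step instead of deleting it; git history already records the attempt, so either remove the lines or leave a single comment stating why they are retained, e.g. `# glibc 2.25 from-source build disabled in 89c6904; kept for reference only`. If the recipe is ever re-enabled, note that `git clone https://sourceware.org/git/glibc.git -b glibc-2.25 --depth 1` follows a branch head rather than a pinned tag or commit, so the input is not reproducible and should be pinned and verified before `make install` writes it under `--prefix=/usr`, which presumably overwrites the container's system libc. The `run:` block these lines belong to begins before the hunk, so its step name is not visible here.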
@@ -129,21 +116,21 @@ jobs:
 rm -rf licenses
 rm -rf ../yubihsm-shell
-# - name: install binaries
-# working-directory: /github/home/rpmbuild/RPMS/x86_64
-# run: |
-# yum install -y ./yubihsm-shell-*.rpm
-
-# - name: check binaries for hardening
-# run: |
-# cs() {
-# checksec --file=/usr/bin/yubihsm-shell --format=json | jq -r ".[] | .$1"
-# }
-# if [ "`cs relro`" != "full" ]; then echo "relro is `cs relro`"; exit 1; fi
-# if [ "`cs canary`" != "yes" ]; then echo "canary is `cs canary`"; exit 1; fi
-# if [ "`cs nx`" != "yes" ]; then echo "nx is `cs nx`"; exit 1; fi
-# if [ "`cs pie`" != "yes" ]; then echo "pie is `cs pie`"; exit 1; fi
-# if [ "`cs fortify_source`" != "yes" ]; then echo "fortify_source is `cs fortify_source`"; exit 1; fi
+ - name: install binaries
+ working-directory: /github/home/rpmbuild/RPMS/x86_64
+ run: |
+ yum install -y ./yubihsm-shell-*.rpm
+
+ - name: check binaries for hardening
+ run: |
+ cs() {
+ checksec --file=/usr/bin/yubihsm-shell --format=json | jq -r ".[] | .$1"
+ }
+ if [ "`cs relro`" != "full" ]; then echo "relro is `cs relro`"; exit 1; fi
+ if [ "`cs canary`" != "yes" ]; then echo "canary is `cs canary`"; exit 1; fi
+ if [ "`cs nx`" != "yes" ]; then echo "nx is `cs nx`"; exit 1; fi
+ if [ "`cs pie`" != "yes" ]; then echo "pie is `cs pie`"; exit 1; fi
+ if [ "`cs fortify_source`" != "yes" ]; then echo "fortify_source is `cs fortify_source`"; exit 1; fi
 - name: upload artifacts