many: port changes for FIPS that was done in core24

canonical · Nov 21, 2024 · c0321be · c0321be
1 parent 080a1a3
commit c0321be
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 18 deletions.
diff --git a/Makefile b/Makefile
@@ -1,17 +1,20 @@
 # dir that contans the filesystem that must be checked
 TESTDIR ?= "prime/"
 SNAP_NAME=core22
-CODENAME:="$(shell . /etc/os-release; echo "$$VERSION_CODENAME")"
+SNAP_BUILD_NAME=core22
 SNAP_CORE_TRACK:=latest
+CODENAME:="$(shell . /etc/os-release; echo "$$VERSION_CODENAME")"
 
 # include any fips environmental setup if the file exists.
 # Variables:
 # - SNAP_FIPS_BUILD
 # - SNAP_CORE_TRACK
+# - SNAP_BUILD_NAME
 -include .fips-env
 ifdef SNAP_FIPS_BUILD
     export SNAP_FIPS_BUILD
     export SNAP_CORE_TRACK
+    export SNAP_BUILD_NAME
 endif
 
 .PHONY: all
@@ -86,7 +89,7 @@ endif
 	# a git repository
 	if git rev-parse HEAD && [ -e "/snap/$(SNAP_NAME)/current/usr/share/snappy/dpkg.yaml" ]; then \
 		CHG_PARAMS=; \
-		if [ -e /build/$(SNAP_NAME) ]; then \
+		if [ -e /build/$(SNAP_BUILD_NAME) ]; then \
 			CHG_PARAMS=--launchpad; \
 		fi; \
 		./tools/generate-changelog.py \
@@ -99,11 +102,11 @@ endif
 	fi
 
 	# only generate manifest and dpkg.yaml files for lp build
-	if [ -e /build/"$(SNAP_NAME)" ]; then \
-		/bin/cp $(DESTDIR)/usr/share/snappy/dpkg.list /build/$(SNAP_NAME)/$(SNAP_NAME)-$$(date +%Y%m%d%H%M)_$(DPKG_ARCH).manifest; \
-		/bin/cp $(DESTDIR)/usr/share/snappy/dpkg.yaml /build/$(SNAP_NAME)/$(SNAP_NAME)-$$(date +%Y%m%d%H%M)_$(DPKG_ARCH).dpkg.yaml; \
+	if [ -e /build/"$(SNAP_BUILD_NAME)" ]; then \
+		/bin/cp $(DESTDIR)/usr/share/snappy/dpkg.list /build/$(SNAP_BUILD_NAME)/$(SNAP_NAME)-$$(date +%Y%m%d%H%M)_$(DPKG_ARCH).manifest; \
+		/bin/cp $(DESTDIR)/usr/share/snappy/dpkg.yaml /build/$(SNAP_BUILD_NAME)/$(SNAP_NAME)-$$(date +%Y%m%d%H%M)_$(DPKG_ARCH).dpkg.yaml; \
 		if [ -e $(DESTDIR)/usr/share/doc/ChangeLog ]; then \
-			/bin/cp $(DESTDIR)/usr/share/doc/ChangeLog $(BUILDDIR)/$(SNAP_NAME)-$$(date +%Y%m%d%H%M)_$(DPKG_ARCH).ChangeLog; \
+			/bin/cp $(DESTDIR)/usr/share/doc/ChangeLog /build/$(SNAP_BUILD_NAME)-$$(date +%Y%m%d%H%M)_$(DPKG_ARCH).ChangeLog; \
 		fi \
 	fi;
 

diff --git a/hooks/001-extra-packages.chroot b/hooks/001-extra-packages.chroot
@@ -90,14 +90,11 @@ ebrtrD1Hrw3BetRY4aQ0ysRSugvbTwqS0d17zepomYJS49Jy2w2D
 
 EOF
 
-# write FIPS PPA files if the current build is a FIPS build
-if [[ ${SNAP_FIPS_BUILD+x} ]]; then
-    # for private builds a conf file is neccessary, setup for PPA access
-    # if provided
-    if [ -e etc/apt/auth.conf.d/01-fips.conf ]; then
-        # add fips personal token
-        echo "deb https://private-ppa.launchpadcontent.net/ubuntu-advantage/pro-fips-updates/ubuntu $CODENAME main" > /etc/apt/sources.list.d/fips.list
-        cat >etc/apt/trusted.gpg.d/fips-cc-stig.asc <<'EOF'
+# write FIPS PPA files if the current build is a local FIPS build
+# for private builds a conf file is necessary, setup for PPA access if provided
+if [ -e etc/apt/auth.conf.d/01-fips.conf ]; then
+    echo "deb https://private-ppa.launchpadcontent.net/ubuntu-advantage/pro-fips-updates/ubuntu $CODENAME main" > /etc/apt/sources.list.d/fips.list
+    cat >etc/apt/trusted.gpg.d/fips-cc-stig.asc <<'EOF'
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Comment: Hostname: 
 Version: Hockeypuck 2.2
@@ -141,8 +138,11 @@ Dyi6+RIJ+lHVuuiZH3fqNER795RdpLHKLpgj4kO6ywfeliM3qLeJMWulTHvt6bUY
 =1S42
 -----END PGP PUBLIC KEY BLOCK-----
 EOF
-    fi
+fi
 
+# always install the preference though, both for LP and
+# local
+if [[ ${SNAP_FIPS_BUILD+x} ]]; then
     mkdir -p etc/apt/preferences.d/
     cat >etc/apt/preferences.d/fips.pref <<'EOF'
 Package: *
@@ -232,9 +232,8 @@ esac
 
 if [[ ${SNAP_FIPS_BUILD+x} ]]; then
     # Ensure vital crypt packages are refreshed / downgraded and downloaded
-    # from the FIPS ppa. This should also contain openssh-server, but we already
-    # have that one listed above.
-    PACKAGES+=(libgcrypt20 libgnutls30 openssl-fips-module-3)
+    # from the FIPS ppa.
+    PACKAGES+=(libgcrypt20 libgnutls30 openssl-fips-module-3 ssh)
     apt-get install --no-install-recommends --allow-downgrades -y "${PACKAGES[@]}"
 else
     apt-get install --no-install-recommends -y "${PACKAGES[@]}"

diff --git a/snapcraft.yaml b/snapcraft.yaml
@@ -103,6 +103,7 @@ parts:
         craftctl set version="$(/bin/date +%Y%m%d)+fips"
         echo "SNAP_FIPS_BUILD=1" > ./.fips-env
         echo "SNAP_CORE_TRACK=fips-updates" >> ./.fips-env
+        echo "SNAP_BUILD_NAME=core22-fips" >> ./.fips-env
       else
         craftctl set version="$(/bin/date +%Y%m%d)"
         rm -f ./.fips-env