Support codenotary verify/signing

.hadolint.yaml

@@ -1,3 +1,4 @@
 ignored:
+  - DL3003
   - DL3006
-  - DL3008
+  - DL3018

Dockerfile

@@ -1,40 +1,50 @@
 ARG BUILD_FROM
 FROM $BUILD_FROM
 
-# Set shell
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 # Setup locals
-RUN apt-get update && apt-get install -y --no-install-recommends \
-        jq \
-        git \
-        python3-setuptools \
-    && rm -rf /var/lib/apt/lists/* \
-ENV LANG C.UTF-8
-
-# Install docker
-# https://docs.docker.com/engine/installation/linux/docker-ce/ubuntu/
-RUN apt-get update && apt-get install -y --no-install-recommends \
-        apt-transport-https \
-        ca-certificates \
-        curl \
-        software-properties-common \
-        gpg-agent \
-    && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - \
-    && add-apt-repository "deb https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
-    && apt-get update && apt-get install -y --no-install-recommends \
-        docker-ce \
-        docker-ce-cli \
-        containerd.io \
-    && rm -rf /var/lib/apt/lists/*
+ENV \
+    VCN_OTP_EMPTY=true \
+    LANG=C.UTF-8
 
-# Setup arm binary support
 ARG BUILD_ARCH
-RUN if [ "$BUILD_ARCH" != "amd64" ]; then exit 0; else \
-    apt-get update && apt-get install -y --no-install-recommends \
-        qemu-user-static \
-        binfmt-support \
-    && rm -rf /var/lib/apt/lists/*; fi
+ARG VCN_VERSION
+
+RUN \
+    set -x \
+    && apk add --no-cache \
+        git \
+        docker \
+    && apk add --no-cache --virtual .build-dependencies \
+        build-base \
+        go \
+    \
+    && git clone -b v${VCN_VERSION} --depth 1 \
+        https://github.com/codenotary/vcn \
+    && cd vcn \
+    \
+    # Fix: https://github.com/codenotary/vcn/issues/131
+    && go get github.com/codenotary/immudb@4cf9e2ae06ac2e6ec98a60364c3de3eab5524757 \
+    \
+    && if [ "${BUILD_ARCH}" = "armhf" ]; then \
+        GOARM=6 GOARCH=arm go build -o vcn -ldflags="-s -w" ./cmd/vcn; \
+    elif [ "${BUILD_ARCH}" = "armv7" ]; then \
+        GOARM=7 GOARCH=arm go build -o vcn -ldflags="-s -w" ./cmd/vcn; \
+    elif [ "${BUILD_ARCH}" = "aarch64" ]; then \
+        GOARCH=arm64 go build -o vcn -ldflags="-s -w" ./cmd/vcn; \
+    elif [ "${BUILD_ARCH}" = "i386" ]; then \
+        GOARCH=386 go build -o vcn -ldflags="-s -w" ./cmd/vcn; \
+    elif [ "${BUILD_ARCH}" = "amd64" ]; then \
+        GOARCH=amd64 go build -o vcn -ldflags="-s -w" ./cmd/vcn; \
+    else \
+        exit 1; \
+    fi \
+    \
+    && rm -rf /root/go /root/.cache \
+    && mv vcn /usr/bin/vcn \
+    \
+    && apk del .build-dependencies \
+    && rm -rf /usr/src/vcn
 
 COPY builder.sh /usr/bin/
 

build.json

@@ -1,9 +1,14 @@
 {
     "image": "homeassistant/{arch}-builder",
     "build_from": {
-        "aarch64": "homeassistant/aarch64-base-ubuntu:18.04",
-        "armv7": "homeassistant/armv7-base-ubuntu:18.04",
-        "amd64": "homeassistant/amd64-base-ubuntu:18.04"
+        "aarch64": "homeassistant/aarch64-base:3.13",
+        "armv7": "homeassistant/armv7-base:3.13",
+        "armhf": "homeassistant/armhf-base:3.13",
+        "amd64": "homeassistant/amd64-base:3.13",
+        "i386": "homeassistant/i386-base:3.13"
+    },
+    "args": {
+        "VCN_VERSION": "0.9.4"
     },
     "labels": {
         "io.hass.type": "builder"

builder.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bashio
 ######################
-# Hass.io Build-env
+# Home Assistant Build-env
 ######################
 set -e
 set +u
@@ -17,6 +17,8 @@ DOCKER_PUSH=true
 DOCKER_USER=
 DOCKER_PASSWORD=
 DOCKER_LOCAL=false
+VCN_NOTARY=false
+VCN_FROM=
 SELF_CACHE=false
 CUSTOM_CACHE_TAG=
 RELEASE_TAG=false
@@ -26,7 +28,6 @@ TARGET=
 VERSION=
 IMAGE=
 RELEASE=
-PYTHON=
 ALPINE=
 BUILD_LIST=()
 BUILD_TYPE="addon"
@@ -123,8 +124,6 @@ Options:
         Default on. Run all things for an addon build.
     --generic <VERSION>
         Build based on the build.json
-    --builder-wheels <PYTHON_TAG>
-        Build the wheels builder for Home Assistant.
     --base <VERSION>
         Build our base images.
     --base-python <VERSION=ALPINE>
@@ -139,6 +138,15 @@ Options:
         Build the landingpage for machines.
     --homeassistant-machine <VERSION=ALL,X,Y>
         Build the machine based image for a release.
+
+  Security:
+    --with-codenotary
+        Enable signing images with CodeNotary. Need set follow env:
+            VCN_USER
+            VCN_PASSWORD
+            VCN_NOTARIZATION_PASSWORD
+    --validate-from <ORG|signer>
+        Validate the FROM image which is used to build the image.
 EOF
 
     bashio::exit.nok
@@ -263,6 +271,9 @@ function run_build() {
         docker_cli+=("--build-arg" "BUILD_ARCH=$build_arch")
     fi
 
+    # Validate the base image
+    codenotary_validate "$build_from"
+
     # Build image
     bashio::log.info "Run build for $repository/$image:$version"
     docker build --pull -t "$repository/$image:$version" \
@@ -312,6 +323,9 @@ function run_build() {
             done
         done
     fi
+
+    # Singing image
+    codenotary_sign "${repository}/${image}:${version}"
 }
 
 
@@ -624,36 +638,6 @@ function build_homeassistant_landingpage() {
 }
 
 
-function build_wheels() {
-    local build_arch=$1
-
-    local version=""
-    local image="{arch}-wheels"
-    local build_from="homeassistant/${build_arch}-base-python:${PYTHON}"
-    local docker_cli=()
-    local docker_tags=()
-
-    # Read version
-    if [ "$VERSION" == "dev" ]; then
-        version="dev"
-    else
-        version="$(python3 "$TARGET/setup.py" -V)"
-    fi
-
-    # If latest python version/build
-    if [ "$RELEASE_TAG" == "true" ]; then
-        docker_tags=("$version")
-    fi
-
-    # Metadata
-    docker_cli+=("--label" "io.hass.type=wheels")
-
-    # Start build
-    run_build "$TARGET" "$DOCKER_HUB" "$image" "$version-${PYTHON}" \
-        "$build_from" "$build_arch" docker_cli[@] docker_tags[@]
-}
-
-
 function extract_machine_build() {
     local list=$1
     local array=()
@@ -688,6 +672,59 @@ function init_crosscompile() {
         > /dev/null 2>&1 || bashio::log.warning "Can't enable crosscompiling feature"
 }
 
+#### Security CodeNotary ####
+
+function codenotary_probe() {
+    if ! bashio::var.has_value "${VCN_USER}" || ! bashio::var.has_value "${VCN_PASSWORD}" || ! bashio::var.has_value "${VCN_NOTARIZATION_PASSWORD}"; then
+        bashio::exit.nok "Missing ENV values for CodeNotary"
+    fi
+}
+
+
+function codenotary_setup() {
+    if bashio::var.false "${DOCKER_PUSH}" || bashio::var.false "${VCN_NOTARY}"; then
+        return 0
+    fi
+
+    vcn login /dev/null 2>&1 || bashio::exit.nok "Login to CodeNotary fails!"
+}
+
+function codenotary_sign() {
+    local image=$1
+
+    if bashio::var.false "${DOCKER_PUSH}" || bashio::var.false "${VCN_NOTARY}"; then
+        return 0
+    fi
+
+    vcn notarize --public "docker://${image}"
+}
+
+function codenotary_validate() {
+    local image=$1
+    local state=
+    local vcn_cli=()
+
+    if ! bashio::var.has_value "${VCN_FROM}"; then
+        return 0
+    fi
+
+    bashio::log.info "Download base image ${image} for CodeNotary validation"
+    docker pull "${image}" > /dev/null 2>&1 || bashio::exit.nok "Can't pull image ${image}"
+
+    if [[ "${VCN_FROM}" =~ 0x.* ]]; then
+        vcn_cli+=("--signerID" "${VCN_FROM}")
+    else
+        vcn_cli+=("--org" "${VCN_FROM}")
+    fi
+
+    state="$(vcn authenticate "${vcn_cli[@]}" --output json "docker://{image}" | jq '.verification.status // 2')"
+    if [[ "${state}" != "0" ]]; then
+        bashio::exit.nok "Validation of base image fails!"
+    fi
+    bashio::log.info "Base imge ${image} is trusted"
+}
+
+
 #### Error handling ####
 
 function error_handling() {
@@ -836,13 +873,14 @@ while [[ $# -gt 0 ]]; do
             extract_machine_build "$(echo "$2" | cut -d '=' -f 2)"
             shift
             ;;
-        --builder-wheels)
-            BUILD_TYPE="builder-wheels"
-            PYTHON=$2
-            SELF_CACHE=true
+        --with-codenotary)
+            VCN_NOTARY=true
+            ;;
+        --validate-from)
+            codenotary_probe
+            VCN_FROM=$2
             shift
             ;;
-
         *)
             bashio::exit.nok "$0 : Argument '$1' unknown"
             ;;
@@ -869,10 +907,11 @@ mkdir -p /data
 init_crosscompile
 start_docker
 
-# Login into dockerhub
+# Login into dockerhub & setup CodeNotary
 if [ -n "$DOCKER_USER" ] && [ -n "$DOCKER_PASSWORD" ]; then
   docker login -u "$DOCKER_USER" -p "$DOCKER_PASSWORD"
 fi
+codenotary_setup
 
 # Load external repository
 if [ -n "$GIT_REPOSITORY" ]; then