general/hacker-challenge
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

reproducible package

Browse Source 
Signed-off-by: Valentyn Faychuk <valy@detee.ltd>
This commit is contained in:
Valentyn Faychuk 2024-12-19 03:35:52 +02:00
parent 0829ba4d07
commit e5cc423e07
Signed by: valy
GPG Key ID: F1AB995E20FEADC5
1 changed files with 55 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
scripts/package.sh
View File

@ -20,10 +20,10 @@ if [ "$prerequisites" == "--prep" ]; then
(cd occlum/tools/toolchains/utils_lib && ./build.sh) (cd occlum/tools/toolchains/utils_lib && ./build.sh)
fi fi
echo "Building the hacker-challenge signed bundle" echo "Building the hacker-challenge signed bundle"
occlum-cargo build --release occlum-cargo build --release
strip target/x86_64-unknown-linux-musl/release/hacker-challenge strip target/x86_64-unknown-linux-musl/release/hacker-challenge
sha256sum target/x86_64-unknown-linux-musl/release/hacker-challenge
cat > challenge.yaml <<EOF cat > challenge.yaml <<EOF
includes: includes:
@ -46,5 +46,57 @@ cp ../scripts/Occlum.json ./
copy_bom -f ../challenge.yaml --root image --include-dir /opt/occlum/etc/template copy_bom -f ../challenge.yaml --root image --include-dir /opt/occlum/etc/template
# TODO: "--enable-edmm Y" must be only for platforms that support SGX2 # TODO: "--enable-edmm Y" must be only for platforms that support SGX2
# TODO: make sure the bundle needs SGX2 to run since SGX1 is vulnerable to https://x.com/PratyushRT/status/1828183761055330373 # TODO: make sure the bundle needs SGX2 to run since SGX1 is vulnerable to https://x.com/PratyushRT/status/1828183761055330373
occlum build --sign-key ../scripts/signing_key.pem occlum build --sgx-mode HW --sign-key ../scripts/signing_key.pem
occlum package challenge.tar.gz
echo "Packaging the hacker-challenge signed bundle"
cd ..
git config --global --add safe.directory '*'
# If occlum was built in HYPER mode, pkg_files also need
# ./challenge_instance/build/lib/libocclum-pal_hyper.so*
pkg_files="\
./challenge_instance/Occlum.json \
./challenge_instance/build/bin \
./challenge_instance/build/lib/libocclum-libos.signed.so \
./challenge_instance/build/lib/libocclum-pal.so* \
./challenge_instance/build/initfs ./challenge_instance/build/mount \
./challenge_instance/build/.Occlum_sys.json.protected \
./challenge_instance/initfs ./challenge_instance/run \
./challenge_instance/.__occlum_status ./challenge_instance/.sgx_mode"
function get_commit_time() {
TZ=UTC0 git log -1 \
--format=tformat:%cd \
--date=format:%Y-%m-%dT%H:%M:%SZ \
"$@"
}
# Set each source file timestamp to that of its latest commit
git ls-files | while read -r file; do
commit_time=$(get_commit_time "$file") &&
touch -md $commit_time "$file"
done
# Set timestamp of each directory to the latest timestamp
# of any descendant
find $pkg_files -depth -type d -exec sh -c \
'touch -r "$0/$(ls -At "$0" | head -n 1)" "$0"' \
{} ';'
# Pretend that the modification time for each newer file
# is that of the most recent commit of any source file
source_epoch=$(get_commit_time)
tarflags="
--sort=name --format=posix
--pax-option=exthdr.name=%d/PaxHeaders/%f
--pax-option=delete=atime,delete=ctime
--clamp-mtime --mtime=$source_epoch
--numeric-owner --owner=0 --group=0
--mode=go+u,go-w
"
LC_ALL=C tar $tarflags -cvzf challenge_instance/challenge.tar.gz \
--transform s/challenge_instance/$(basename challenge.tar.gz .tar.gz)/ \
$pkg_files
sha256sum challenge_instance/challenge.tar.gz