reproducible package

Signed-off-by: Valentyn Faychuk <valy@detee.ltd>
2024-12-19 03:35:52 +02:00 · 2024-12-19 03:35:52 +02:00 · e5cc423e07
commit e5cc423e07
parent 0829ba4d07
1 changed files with 55 additions and 3 deletions
--- a/scripts/package.sh
+++ b/scripts/package.sh
@ -20,10 +20,10 @@ if [ "$prerequisites" == "--prep" ]; then
    (cd occlum/tools/toolchains/utils_lib && ./build.sh)
 fi

-
 echo "Building the hacker-challenge signed bundle"
 occlum-cargo build --release
 strip target/x86_64-unknown-linux-musl/release/hacker-challenge
+sha256sum target/x86_64-unknown-linux-musl/release/hacker-challenge

 cat > challenge.yaml <<EOF
 includes:
@ -46,5 +46,57 @@ cp ../scripts/Occlum.json ./
 copy_bom -f ../challenge.yaml --root image --include-dir /opt/occlum/etc/template
 # TODO: "--enable-edmm Y" must be only for platforms that support SGX2
 # TODO: make sure the bundle needs SGX2 to run since SGX1 is vulnerable to https://x.com/PratyushRT/status/1828183761055330373
-occlum build --sign-key ../scripts/signing_key.pem
-occlum package challenge.tar.gz
+occlum build --sgx-mode HW --sign-key ../scripts/signing_key.pem
+
+echo "Packaging the hacker-challenge signed bundle"
+
+cd ..
+git config --global --add safe.directory '*'
+
+# If occlum was built in HYPER mode, pkg_files also need
+# ./challenge_instance/build/lib/libocclum-pal_hyper.so*
+pkg_files="\
+    ./challenge_instance/Occlum.json \
+    ./challenge_instance/build/bin \
+    ./challenge_instance/build/lib/libocclum-libos.signed.so \
+    ./challenge_instance/build/lib/libocclum-pal.so* \
+    ./challenge_instance/build/initfs ./challenge_instance/build/mount \
+    ./challenge_instance/build/.Occlum_sys.json.protected \
+    ./challenge_instance/initfs ./challenge_instance/run \
+    ./challenge_instance/.__occlum_status ./challenge_instance/.sgx_mode"
+
+function get_commit_time() {
+    TZ=UTC0 git log -1 \
+        --format=tformat:%cd \
+        --date=format:%Y-%m-%dT%H:%M:%SZ \
+        "$@"
+}
+
+# Set each source file timestamp to that of its latest commit
+git ls-files | while read -r file; do
+    commit_time=$(get_commit_time "$file") &&
+    touch -md $commit_time "$file"
+done
+
+# Set timestamp of each directory to the latest timestamp
+# of any descendant
+find $pkg_files -depth -type d -exec sh -c \
+    'touch -r "$0/$(ls -At "$0" | head -n 1)" "$0"' \
+    {} ';'
+
+# Pretend that the modification time for each newer file
+# is that of the most recent commit of any source file
+source_epoch=$(get_commit_time)
+tarflags="
+  --sort=name --format=posix
+  --pax-option=exthdr.name=%d/PaxHeaders/%f
+  --pax-option=delete=atime,delete=ctime
+  --clamp-mtime --mtime=$source_epoch
+  --numeric-owner --owner=0 --group=0
+  --mode=go+u,go-w
+"
+LC_ALL=C tar $tarflags -cvzf challenge_instance/challenge.tar.gz \
+    --transform s/challenge_instance/$(basename challenge.tar.gz .tar.gz)/ \
+    $pkg_files
+
+sha256sum challenge_instance/challenge.tar.gz