SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7058fb775c1f608e1caafa28b5d509efb598ae75
SilverMetal/linux/build/scripts/build-inner.sh
SysAdmin 8a3cd0ba22
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 1m24s
Details
fix(linux/build): allow untagged / uncommitted submodule commits (M1.1) 
Run #4256 finally cleared every preceding obstacle and reached
git_sanity_test's per-submodule verification phase. sq-git authenticated
every commit signature in the chain — that part is working perfectly —
but failed at:

    ERROR: Untagged commit in: qubes/qubes-template-kicksecure
    INFO: As a developer or advanced user you might want to use:
    WARNING: This can be insecure if you cannot audit the changes.
    --allow-untagged true --allow-uncommitted true

git_sanity_test runs two orthogonal checks:
  1. signatures (sq-git, verified )
  2. tagged-commit-only mode (verified  for one submodule)

The pinned upstream tag (18.1.7.4-developers-only — the name itself
flags the intent) deliberately ships with some submodule pointers at
intermediate / merge commits rather than release tags. parse-cmd
documents `--allow-untagged true` and `--allow-uncommitted true` for
exactly this case. Signatures remain verified; we're only relaxing the
release-tag check, which is appropriate when we've deliberately pinned
to a developer tag.

If/when we move to a redistributable upstream tag in M1.10+ (signing
ceremony milestone), these flags should come back out.

No image rebuild needed — script-only change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 11:35:27 +01:00

64 lines
3.0 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# SilverMetal Linux — inner build step.
#
# Runs *inside* the silvermetal-builder container, as the unprivileged
# `builder` user. build.sh sets up the container, chowns the workspace,
# and runuser's into here. derivative-maker takes it from there and uses
# sudo internally for its privileged operations.
#
# Why this is its own file:
# The previous incarnation lived as a heredoc inside build.sh's docker
# run command. Once we needed to drop privileges from root to builder,
# the nested-heredoc / nested-quoting situation became unreadable; a
# plain script with normal quoting is far easier to maintain.
#
# Required env vars (set by build.sh and forwarded into the container):
# REPO_ROOT — absolute path to the SilverMetal repo root
# BUILD_DIR — where to drop the resulting *.iso and manifests
# SOURCE_DATE_EPOCH — reproducibility timestamp (forwarded to live-build)
# SNAPSHOT_TIMESTAMP — apt snapshot pin (forwarded to live-build)
set -euo pipefail
: "${REPO_ROOT:?REPO_ROOT must be set}"
: "${BUILD_DIR:?BUILD_DIR must be set}"
# shellcheck disable=SC1091
source "${REPO_ROOT}/linux/build/config/silvermetal-base.conf"
cd "${REPO_ROOT}/linux/build/derivative-maker"
# CLI grammar comes from derivative-maker/help-steps/parse-cmd. The
# valid options are a closed set; passing anything else (including
# --build, --dist, or --config) trips the "unknown option" guard at
# parse-cmd line 725. Spelling matters too: upstream uses --flavor
# (American), not --flavour. --freedom is mandatory for amd64/i386.
# Dist is implicit from --flavor (kicksecure-cli => trixie), and
# the silvermetal-base.conf is sourced into the env above rather than
# passed as a flag because derivative-maker has no --config option.
#
# --allow-untagged true / --allow-uncommitted true: the pinned upstream
# tag (18.1.7.4-developers-only — name says it all) deliberately ships
# with some submodules at intermediate / merge commits. sq-git still
# verifies every signature in the chain — these flags only relax the
# additional "must be at a release tag" check. Appropriate for a
# downstream consumer pinned to a developer tag.
./derivative-maker \
--flavor "${DERIVATIVE_FLAVOUR}" \
--target "${DERIVATIVE_BUILD_TARGET}" \
--arch "${DERIVATIVE_TARGET_ARCH}" \
--freedom "${DERIVATIVE_FREEDOM}" \
--allow-untagged true \
--allow-uncommitted true
# derivative-maker writes into its own build/ tree; collect into BUILD_DIR.
# Exact upstream output paths can shift between tags — keep this tolerant.
# Anything matching *.iso under the tree is what we want.
find . -maxdepth 6 -type f -name "*.iso" -print0 \
| xargs -0 -I{} cp -av "{}" "${BUILD_DIR}/"
# Manifest of file metadata that lives inside the ISO. Useful when
# diagnosing reproducibility regressions without re-extracting.
find . -maxdepth 6 -type f -name "*.manifest" -print0 \
| xargs -0 -I{} cp -av "{}" "${BUILD_DIR}/" 2>/dev/null || true
Reference in New Issue View Git Blame Copy Permalink