Githubactions: Fix hardening check for Fedora binaries #1094
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release binaries | |
# This machine tests building the software on a both 32 and 64 Windows architecture. | |
on: [push] | |
jobs: | |
source: | |
name: Build dist with Linux | |
runs-on: ubuntu-latest | |
env: | |
VERSION: 2.6.0 | |
steps: | |
- name: checkout | |
uses: actions/checkout@v4 | |
- name: Install prerequisites | |
run: | | |
set -x | |
sudo apt -q update | |
sudo apt install libpcsclite-dev gengetopt help2man libedit-dev libcurl4-openssl-dev libssl-dev libusb-1.0-0-dev | |
- name: Create tar.gz | |
run: | | |
set -x | |
./resources/make_src_dist.sh $VERSION | |
cd .. | |
mkdir $GITHUB_WORKSPACE/artifact | |
mv $GITHUB_WORKSPACE/yubihsm-shell-$VERSION.tar.gz $GITHUB_WORKSPACE/artifact/ | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: yubihsm-shell-src | |
path: artifact | |
Windowsx-build: | |
name: Build Windows release | |
needs: source | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: windows-latest | |
arch: x86 | |
- os: windows-latest | |
arch: x64 | |
env: | |
VERSION: 2.6.0 | |
steps: | |
- name: Download source from source job | |
uses: actions/download-artifact@v4 | |
with: | |
name: yubihsm-shell-src | |
- name: Extract source | |
run: | | |
Set-PSDebug -Trace 1 | |
tar xf yubihsm-shell-$env:VERSION.tar.gz | |
- name: Build release binaries | |
env: | |
ARCH: ${{ matrix.arch }} | |
run: | | |
Set-PSDebug -Trace 1 | |
$YHSHELL_SRC_DIR="$env:GITHUB_WORKSPACE\yubihsm-shell-$env:VERSION" | |
cd $YHSHELL_SRC_DIR/resources/release/win | |
if($env:ARCH -eq "x86") | |
{ | |
./make_release_binaries.ps1 Win32 C:/vcpkg | |
} | |
else | |
{ | |
./make_release_binaries.ps1 x64 C:/vcpkg | |
} | |
mkdir $env:GITHUB_WORKSPACE/artifact | |
cp -r $YHSHELL_SRC_DIR/resources/release/win/yubihsm-shell-$env:ARCH $env:GITHUB_WORKSPACE/artifact/ | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: yubihsm-shell-${{ matrix.arch }} | |
path: artifact | |
macos-build: | |
name: Build MacOS release | |
needs: source | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: macos-14-large | |
arch: amd | |
- os: macos-latest-xlarge | |
arch: arm | |
env: | |
VERSION: 2.6.0 | |
SO_VERSION: 2 | |
steps: | |
- name: Download source from source job | |
uses: actions/download-artifact@v4 | |
with: | |
name: yubihsm-shell-src | |
- name: Extract source | |
run: | | |
set -x | |
tar xf yubihsm-shell-$VERSION.tar.gz | |
- name: Install dependecies | |
run: | | |
brew update | |
brew install cmake pkg-config gengetopt help2man | |
brew reinstall openssl@3 | |
- name: Build and make MSI installer | |
env: | |
ARCH: ${{ matrix.arch }} | |
run: | | |
set -e -o pipefail | |
set -x | |
uname -a | |
YHSHELL_SRC_DIR="$GITHUB_WORKSPACE/yubihsm-shell-$VERSION" | |
cd $YHSHELL_SRC_DIR | |
./resources/release/macos/make_release_binaries.sh $ARCH $VERSION $SO_VERSION | |
mkdir $GITHUB_WORKSPACE/artifact | |
cp -r $YHSHELL_SRC_DIR/resources/release/macos/yubihsm-shell-darwin-$ARCH-$VERSION $GITHUB_WORKSPACE/artifact/ | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: yubihsm-shell-darwin-${{ matrix.arch }}64 | |
path: artifact | |
debian_based: | |
strategy: | |
fail-fast: false | |
matrix: | |
environment: [ | |
"ubuntu:24.10", | |
"ubuntu:24.04", | |
"ubuntu:22.04", | |
"ubuntu:20.04", | |
"debian:12", | |
"debian:11", | |
] | |
# perform gcc builds for all environments | |
cc: [ "gcc" ] | |
name: build on ${{ matrix.environment }} | |
runs-on: ubuntu-latest | |
container: ${{ matrix.environment }} | |
steps: | |
- name: install dependencies from package management | |
env: | |
CC: ${{ matrix.cc }} | |
DEBIAN_FRONTEND: noninteractive | |
run: | | |
export DEBIAN_FRONTEND=noninteractive | |
apt-get update && apt-get dist-upgrade -y | |
apt-get install -y build-essential \ | |
chrpath \ | |
cmake \ | |
pkg-config \ | |
gengetopt \ | |
help2man \ | |
libedit-dev \ | |
libcurl4-openssl-dev \ | |
liblzma-dev \ | |
libssl-dev \ | |
libseccomp-dev \ | |
libusb-1.0.0-dev \ | |
dh-exec \ | |
git-buildpackage \ | |
curl \ | |
libpcsclite-dev \ | |
file \ | |
curl \ | |
jq | |
- name: clone the Yubico/yubihsm-shell repository | |
uses: actions/checkout@v3 | |
with: | |
path: yubihsm-shell | |
- name: apply environment specific changes to CMakeLists.txt | |
working-directory: yubihsm-shell | |
if: ${{ matrix.environment == 'ubuntu:14.04' }} | |
run: | | |
# ubuntu 14.04 comes with cmake version 2.8, but the project requires 3.5 | |
# we downgrade that requirement for the ubuntu 14.04 build | |
sed -i 's/cmake_minimum_required (VERSION 3.5)/cmake_minimum_required (VERSION 2.8)/' CMakeLists.txt | |
# we also remove the following policies which are not supported in the older cmake version | |
sed -i 's/cmake_policy(SET CMP0025 NEW)/#cmake_policy(SET CMP0025 NEW)/' CMakeLists.txt | |
sed -i 's/cmake_policy(SET CMP0042 NEW)/#cmake_policy(SET CMP0042 NEW)/' CMakeLists.txt | |
sed -i 's/cmake_policy(SET CMP0054 NEW)/#cmake_policy(SET CMP0054 NEW)/' CMakeLists.txt | |
# append the following flags: -Wno-missing-braces -Wno-missing-field-initializers -Wno-implicit-function-declaration | |
sed -i 's/-Wall -Wextra -Werror/-Wall -Wextra -Werror -Wno-missing-braces -Wno-missing-field-initializers -Wno-implicit-function-declaration/' cmake/SecurityFlags.cmake | |
- name: apply environment specific changes to CMakeLists.txt | |
working-directory: yubihsm-shell | |
env: | |
DOCKER_IMAGE: ${{ matrix.environment }} | |
run: | | |
if [ "$DOCKER_IMAGE" = "ubuntu:24.04" ] || [ "$DOCKER_IMAGE" = "ubuntu:24.10" ]; then | |
# ubuntu 24.04 and above come with _FORTIFY_SOURCE already set | |
sed -i 's/add_definitions (-D_FORTIFY_SOURCE=2)/add_definitions (-D_FORTIFY_SOURCE=3)/' cmake/SecurityFlags.cmake | |
fi | |
if [ "$DOCKER_IMAGE" = "ubuntu:24.10" ]; then | |
# Set PCSC flags | |
sed -i 's/#SET(CMAKE_C_FLAGS/SET(CMAKE_C_FLAGS/' ykhsmauth/CMakeLists.txt | |
fi | |
- name: extract platform name | |
env: | |
DOCKER_IMAGE: ${{ matrix.environment }} | |
run: | | |
# Remove everything from DOCKER_IMAGE that is not a letter or a number | |
PLATFORM=$(echo -n "$DOCKER_IMAGE" | sed -E 's/[^a-zA-Z0-9]//g') | |
echo "PLATFORM=$PLATFORM" >> $GITHUB_ENV | |
- name: build release | |
working-directory: yubihsm-shell | |
env: | |
PLATFORM: ${{ env.PLATFORM }} | |
run: | | |
set -x | |
uname -a | |
# Create directory containing all output | |
OUTPUT=$GITHUB_WORKSPACE/$PLATFORM/yubihsm-shell | |
mkdir -p $OUTPUT | |
if [ $PLATFORM == "debian10" ] || [ $PLATFORM == "debian11" ] || [ $PLATFORM == "ubuntu1804" ]; then | |
dpkg-buildpackage -b --no-sign | |
else | |
dpkg-buildpackage | |
fi | |
cp ../*.deb $OUTPUT/ | |
LICENSE_DIR="$OUTPUT/share/yubihsm-shell" | |
mkdir -p $LICENSE_DIR | |
cp -r $GITHUB_WORKSPACE/yubihsm-shell/resources/release/linux/licenses $LICENSE_DIR/ | |
for lf in $LICENSE_DIR/licenses/*; do | |
chmod 644 $lf | |
done | |
cd $OUTPUT | |
rm -f yubihsm-shell-$PLATFORM-amd64.tar.gz | |
tar -C .. -zcvf ../yubihsm-shell-$PLATFORM-amd64.tar.gz yubihsm-shell | |
rm -f *.deb | |
rm -rf licenses | |
rm -rf ../yubihsm-shell | |
- name: install binaries | |
run: | | |
set -x | |
dpkg -i ./libykhsmauth1_*.deb ./libyubihsm-usb1_*.deb ./libyubihsm-http1_*.deb ./libyubihsm1_*.deb ./yubihsm-shell_*.deb | |
- name: check binaries for hardening | |
run: | | |
curl -o checksec.sh-2.5.0.tar.gz -L https://github.com/slimm609/checksec.sh/archive/refs/tags/2.5.0.tar.gz | |
tar xfz checksec.sh-2.5.0.tar.gz | |
cs() { | |
checksec-2.5.0/checksec --file=/usr/bin/yubihsm-shell --format=json | jq -r ".[] | .$1" | |
} | |
if [ "`cs relro`" != "full" ]; then echo "relro is `cs relro`"; exit 1; fi | |
if [ "`cs canary`" != "yes" ]; then echo "canary is `cs canary`"; exit 1; fi | |
if [ "`cs nx`" != "yes" ]; then echo "nx is `cs nx`"; exit 1; fi | |
if [ "`cs pie`" != "yes" ]; then echo "pie is `cs pie`"; exit 1; fi | |
if [ "`cs fortify_source`" != "yes" ]; then echo "fortify_source is `cs fortify_source`"; exit 1; fi | |
- name: upload artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: "yubihsm-shell-${{ env.PLATFORM }}-amd64" | |
path: ${{ env.PLATFORM }} | |
redhat_based: | |
strategy: | |
fail-fast: false | |
matrix: | |
environment: [ | |
"fedora:40", | |
"fedora:41", | |
] | |
name: build on ${{ matrix.environment }} | |
runs-on: ubuntu-latest | |
container: ${{ matrix.environment }} | |
steps: | |
- name: clone the Yubico/yubihsm-shell repository | |
uses: actions/checkout@v3 | |
with: | |
path: yubihsm-shell | |
- name: apply environment specific changes to CMakeLists.txt | |
working-directory: yubihsm-shell | |
if: ${{ matrix.environment == 'centos:7' }} | |
run: | | |
# centos 7 comes with cmake version 2.8, but the project requires 3.5 | |
# we downgrade that requirement for the centos 7 build | |
sed -i 's/cmake_minimum_required (VERSION 3.5)/cmake_minimum_required (VERSION 2.8)/' CMakeLists.txt | |
# we also remove the following policies which are not supported in the older cmake version | |
sed -i 's/cmake_policy(SET CMP0025 NEW)/#cmake_policy(SET CMP0025 NEW)/' CMakeLists.txt | |
sed -i 's/cmake_policy(SET CMP0042 NEW)/#cmake_policy(SET CMP0042 NEW)/' CMakeLists.txt | |
sed -i 's/cmake_policy(SET CMP0054 NEW)/#cmake_policy(SET CMP0054 NEW)/' CMakeLists.txt | |
# append the following flags: -Wno-missing-braces -Wno-missing-field-initializers -Wno-implicit-function-declaration | |
sed -i 's/-Wall -Wextra -Werror/-Wall -Wextra -Werror -Wno-missing-braces -Wno-missing-field-initializers/' cmake/SecurityFlags.cmake | |
- name: apply environment specific changes to ykhsmauth/CMakeLists.txt | |
working-directory: yubihsm-shell | |
if: ${{ matrix.environment == 'fedora:41' }} | |
run: | | |
# Set PCSC flags | |
sed -i 's/#SET(CMAKE_C_FLAGS/SET(CMAKE_C_FLAGS/' ykhsmauth/CMakeLists.txt | |
- name: extract platform name | |
env: | |
DOCKER_IMAGE: ${{ matrix.environment }} | |
run: | | |
# Remove everything from DOCKER_IMAGE that is not a letter or a number | |
PLATFORM=$(echo -n "$DOCKER_IMAGE" | sed -E 's/[^a-zA-Z0-9]//g') | |
echo "PLATFORM=$PLATFORM" >> $GITHUB_ENV | |
- name: install dependencies | |
env: | |
PLATFORM: ${{ env.PLATFORM }} | |
run: | | |
cd yubihsm-shell/resources/release/linux | |
./install_redhat_dependencies.sh $PLATFORM | |
if [ $PLATFORM = "centos7" ]; then | |
# enable the epel repository for centos | |
yum install -y epel-release | |
fi | |
yum install -y procps-ng jq file which curl | |
- name: build release | |
working-directory: yubihsm-shell | |
env: | |
PLATFORM: ${{ env.PLATFORM }} | |
run: | | |
uname -a | |
export CMAKE="cmake" | |
export INPUT=$GITHUB_WORKSPACE/yubihsm-shell | |
export OUTPUT=$GITHUB_WORKSPACE/$PLATFORM/yubihsm-shell | |
rm -rf $OUTPUT | |
mkdir -p $OUTPUT | |
# These 2 lines can be replaced by the command "rpmdev-setuptree", but this command seems to add macros that force check paths that do not exist | |
mkdir -p $GITHUB_WORKSPACE/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS} | |
echo '%_topdir %(echo $HOME)/rpmbuild' > $GITHUB_WORKSPACE/.rpmmacros | |
RPM_DIR=$GITHUB_WORKSPACE/rpmbuild | |
cp resources/release/linux/yubihsm-shell.spec $RPM_DIR/SPECS/ | |
QA_SKIP_BUILD_ROOT=1 QA_RPATHS=$(( 0x0001|0x0010 )) rpmbuild -bb $RPM_DIR/SPECS/yubihsm-shell.spec | |
cp /github/home/rpmbuild/RPMS/x86_64/*.rpm $OUTPUT/ | |
LICENSE_DIR="$OUTPUT/share/yubihsm-shell" | |
mkdir -p $LICENSE_DIR | |
cp -r $INPUT/resources/release/linux/licenses $LICENSE_DIR/ | |
for lf in $LICENSE_DIR/licenses/*; do | |
chmod 644 $lf | |
done | |
cd $OUTPUT | |
rm -f "yubihsm-shell-$PLATFORM-amd64.tar.gz" | |
tar -C ".." -zcvf "../yubihsm-shell-$PLATFORM-amd64.tar.gz" "yubihsm-shell" | |
rm -f *.rpm | |
rm -rf licenses | |
rm -rf ../yubihsm-shell | |
- name: install binaries | |
working-directory: /github/home/rpmbuild/RPMS/x86_64 | |
run: | | |
yum install -y ./yubihsm-shell-*.rpm | |
- name: check binaries for hardening | |
run: | | |
curl -o checksec.sh-2.5.0.tar.gz -L https://github.com/slimm609/checksec.sh/archive/refs/tags/2.5.0.tar.gz | |
tar xfz checksec.sh-2.5.0.tar.gz | |
cs() { | |
checksec-2.5.0/checksec --file=/usr/bin/yubihsm-shell --format=json | jq -r ".[] | .$1" | |
} | |
if [ "`cs relro`" != "full" ]; then echo "relro is `cs relro`"; exit 1; fi | |
if [ "`cs canary`" != "yes" ]; then echo "canary is `cs canary`"; exit 1; fi | |
if [ "`cs nx`" != "yes" ]; then echo "nx is `cs nx`"; exit 1; fi | |
if [ "`cs pie`" != "yes" ]; then echo "pie is `cs pie`"; exit 1; fi | |
if [ "`cs fortify_source`" != "yes" ]; then echo "fortify_source is `cs fortify_source`"; exit 1; fi | |
- name: upload artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: "yubihsm-shell-${{ env.PLATFORM }}-amd64" | |
path: ${{ env.PLATFORM }} |