Skip to content

Githubactions: Fix hardening check for Fedora binaries #1094

Githubactions: Fix hardening check for Fedora binaries

Githubactions: Fix hardening check for Fedora binaries #1094

Workflow file for this run

name: Release binaries
# This machine tests building the software on a both 32 and 64 Windows architecture.
on: [push]
jobs:
source:
name: Build dist with Linux
runs-on: ubuntu-latest
env:
VERSION: 2.6.0
steps:
- name: checkout
uses: actions/checkout@v4
- name: Install prerequisites
run: |
set -x
sudo apt -q update
sudo apt install libpcsclite-dev gengetopt help2man libedit-dev libcurl4-openssl-dev libssl-dev libusb-1.0-0-dev
- name: Create tar.gz
run: |
set -x
./resources/make_src_dist.sh $VERSION
cd ..
mkdir $GITHUB_WORKSPACE/artifact
mv $GITHUB_WORKSPACE/yubihsm-shell-$VERSION.tar.gz $GITHUB_WORKSPACE/artifact/
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: yubihsm-shell-src
path: artifact
Windowsx-build:
name: Build Windows release
needs: source
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- os: windows-latest
arch: x86
- os: windows-latest
arch: x64
env:
VERSION: 2.6.0
steps:
- name: Download source from source job
uses: actions/download-artifact@v4
with:
name: yubihsm-shell-src
- name: Extract source
run: |
Set-PSDebug -Trace 1
tar xf yubihsm-shell-$env:VERSION.tar.gz
- name: Build release binaries
env:
ARCH: ${{ matrix.arch }}
run: |
Set-PSDebug -Trace 1
$YHSHELL_SRC_DIR="$env:GITHUB_WORKSPACE\yubihsm-shell-$env:VERSION"
cd $YHSHELL_SRC_DIR/resources/release/win
if($env:ARCH -eq "x86")
{
./make_release_binaries.ps1 Win32 C:/vcpkg
}
else
{
./make_release_binaries.ps1 x64 C:/vcpkg
}
mkdir $env:GITHUB_WORKSPACE/artifact
cp -r $YHSHELL_SRC_DIR/resources/release/win/yubihsm-shell-$env:ARCH $env:GITHUB_WORKSPACE/artifact/
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: yubihsm-shell-${{ matrix.arch }}
path: artifact
macos-build:
name: Build MacOS release
needs: source
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- os: macos-14-large
arch: amd
- os: macos-latest-xlarge
arch: arm
env:
VERSION: 2.6.0
SO_VERSION: 2
steps:
- name: Download source from source job
uses: actions/download-artifact@v4
with:
name: yubihsm-shell-src
- name: Extract source
run: |
set -x
tar xf yubihsm-shell-$VERSION.tar.gz
- name: Install dependecies
run: |
brew update
brew install cmake pkg-config gengetopt help2man
brew reinstall openssl@3
- name: Build and make MSI installer
env:
ARCH: ${{ matrix.arch }}
run: |
set -e -o pipefail
set -x
uname -a
YHSHELL_SRC_DIR="$GITHUB_WORKSPACE/yubihsm-shell-$VERSION"
cd $YHSHELL_SRC_DIR
./resources/release/macos/make_release_binaries.sh $ARCH $VERSION $SO_VERSION
mkdir $GITHUB_WORKSPACE/artifact
cp -r $YHSHELL_SRC_DIR/resources/release/macos/yubihsm-shell-darwin-$ARCH-$VERSION $GITHUB_WORKSPACE/artifact/
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: yubihsm-shell-darwin-${{ matrix.arch }}64
path: artifact
debian_based:
strategy:
fail-fast: false
matrix:
environment: [
"ubuntu:24.10",
"ubuntu:24.04",
"ubuntu:22.04",
"ubuntu:20.04",
"debian:12",
"debian:11",
]
# perform gcc builds for all environments
cc: [ "gcc" ]
name: build on ${{ matrix.environment }}
runs-on: ubuntu-latest
container: ${{ matrix.environment }}
steps:
- name: install dependencies from package management
env:
CC: ${{ matrix.cc }}
DEBIAN_FRONTEND: noninteractive
run: |
export DEBIAN_FRONTEND=noninteractive
apt-get update && apt-get dist-upgrade -y
apt-get install -y build-essential \
chrpath \
cmake \
pkg-config \
gengetopt \
help2man \
libedit-dev \
libcurl4-openssl-dev \
liblzma-dev \
libssl-dev \
libseccomp-dev \
libusb-1.0.0-dev \
dh-exec \
git-buildpackage \
curl \
libpcsclite-dev \
file \
curl \
jq
- name: clone the Yubico/yubihsm-shell repository
uses: actions/checkout@v3
with:
path: yubihsm-shell
- name: apply environment specific changes to CMakeLists.txt
working-directory: yubihsm-shell
if: ${{ matrix.environment == 'ubuntu:14.04' }}
run: |
# ubuntu 14.04 comes with cmake version 2.8, but the project requires 3.5
# we downgrade that requirement for the ubuntu 14.04 build
sed -i 's/cmake_minimum_required (VERSION 3.5)/cmake_minimum_required (VERSION 2.8)/' CMakeLists.txt
# we also remove the following policies which are not supported in the older cmake version
sed -i 's/cmake_policy(SET CMP0025 NEW)/#cmake_policy(SET CMP0025 NEW)/' CMakeLists.txt
sed -i 's/cmake_policy(SET CMP0042 NEW)/#cmake_policy(SET CMP0042 NEW)/' CMakeLists.txt
sed -i 's/cmake_policy(SET CMP0054 NEW)/#cmake_policy(SET CMP0054 NEW)/' CMakeLists.txt
# append the following flags: -Wno-missing-braces -Wno-missing-field-initializers -Wno-implicit-function-declaration
sed -i 's/-Wall -Wextra -Werror/-Wall -Wextra -Werror -Wno-missing-braces -Wno-missing-field-initializers -Wno-implicit-function-declaration/' cmake/SecurityFlags.cmake
- name: apply environment specific changes to CMakeLists.txt
working-directory: yubihsm-shell
env:
DOCKER_IMAGE: ${{ matrix.environment }}
run: |
if [ "$DOCKER_IMAGE" = "ubuntu:24.04" ] || [ "$DOCKER_IMAGE" = "ubuntu:24.10" ]; then
# ubuntu 24.04 and above come with _FORTIFY_SOURCE already set
sed -i 's/add_definitions (-D_FORTIFY_SOURCE=2)/add_definitions (-D_FORTIFY_SOURCE=3)/' cmake/SecurityFlags.cmake
fi
if [ "$DOCKER_IMAGE" = "ubuntu:24.10" ]; then
# Set PCSC flags
sed -i 's/#SET(CMAKE_C_FLAGS/SET(CMAKE_C_FLAGS/' ykhsmauth/CMakeLists.txt
fi
- name: extract platform name
env:
DOCKER_IMAGE: ${{ matrix.environment }}
run: |
# Remove everything from DOCKER_IMAGE that is not a letter or a number
PLATFORM=$(echo -n "$DOCKER_IMAGE" | sed -E 's/[^a-zA-Z0-9]//g')
echo "PLATFORM=$PLATFORM" >> $GITHUB_ENV
- name: build release
working-directory: yubihsm-shell
env:
PLATFORM: ${{ env.PLATFORM }}
run: |
set -x
uname -a
# Create directory containing all output
OUTPUT=$GITHUB_WORKSPACE/$PLATFORM/yubihsm-shell
mkdir -p $OUTPUT
if [ $PLATFORM == "debian10" ] || [ $PLATFORM == "debian11" ] || [ $PLATFORM == "ubuntu1804" ]; then
dpkg-buildpackage -b --no-sign
else
dpkg-buildpackage
fi
cp ../*.deb $OUTPUT/
LICENSE_DIR="$OUTPUT/share/yubihsm-shell"
mkdir -p $LICENSE_DIR
cp -r $GITHUB_WORKSPACE/yubihsm-shell/resources/release/linux/licenses $LICENSE_DIR/
for lf in $LICENSE_DIR/licenses/*; do
chmod 644 $lf
done
cd $OUTPUT
rm -f yubihsm-shell-$PLATFORM-amd64.tar.gz
tar -C .. -zcvf ../yubihsm-shell-$PLATFORM-amd64.tar.gz yubihsm-shell
rm -f *.deb
rm -rf licenses
rm -rf ../yubihsm-shell
- name: install binaries
run: |
set -x
dpkg -i ./libykhsmauth1_*.deb ./libyubihsm-usb1_*.deb ./libyubihsm-http1_*.deb ./libyubihsm1_*.deb ./yubihsm-shell_*.deb
- name: check binaries for hardening
run: |
curl -o checksec.sh-2.5.0.tar.gz -L https://github.com/slimm609/checksec.sh/archive/refs/tags/2.5.0.tar.gz
tar xfz checksec.sh-2.5.0.tar.gz
cs() {
checksec-2.5.0/checksec --file=/usr/bin/yubihsm-shell --format=json | jq -r ".[] | .$1"
}
if [ "`cs relro`" != "full" ]; then echo "relro is `cs relro`"; exit 1; fi
if [ "`cs canary`" != "yes" ]; then echo "canary is `cs canary`"; exit 1; fi
if [ "`cs nx`" != "yes" ]; then echo "nx is `cs nx`"; exit 1; fi
if [ "`cs pie`" != "yes" ]; then echo "pie is `cs pie`"; exit 1; fi
if [ "`cs fortify_source`" != "yes" ]; then echo "fortify_source is `cs fortify_source`"; exit 1; fi
- name: upload artifacts
uses: actions/upload-artifact@v3
with:
name: "yubihsm-shell-${{ env.PLATFORM }}-amd64"
path: ${{ env.PLATFORM }}
redhat_based:
strategy:
fail-fast: false
matrix:
environment: [
"fedora:40",
"fedora:41",
]
name: build on ${{ matrix.environment }}
runs-on: ubuntu-latest
container: ${{ matrix.environment }}
steps:
- name: clone the Yubico/yubihsm-shell repository
uses: actions/checkout@v3
with:
path: yubihsm-shell
- name: apply environment specific changes to CMakeLists.txt
working-directory: yubihsm-shell
if: ${{ matrix.environment == 'centos:7' }}
run: |
# centos 7 comes with cmake version 2.8, but the project requires 3.5
# we downgrade that requirement for the centos 7 build
sed -i 's/cmake_minimum_required (VERSION 3.5)/cmake_minimum_required (VERSION 2.8)/' CMakeLists.txt
# we also remove the following policies which are not supported in the older cmake version
sed -i 's/cmake_policy(SET CMP0025 NEW)/#cmake_policy(SET CMP0025 NEW)/' CMakeLists.txt
sed -i 's/cmake_policy(SET CMP0042 NEW)/#cmake_policy(SET CMP0042 NEW)/' CMakeLists.txt
sed -i 's/cmake_policy(SET CMP0054 NEW)/#cmake_policy(SET CMP0054 NEW)/' CMakeLists.txt
# append the following flags: -Wno-missing-braces -Wno-missing-field-initializers -Wno-implicit-function-declaration
sed -i 's/-Wall -Wextra -Werror/-Wall -Wextra -Werror -Wno-missing-braces -Wno-missing-field-initializers/' cmake/SecurityFlags.cmake
- name: apply environment specific changes to ykhsmauth/CMakeLists.txt
working-directory: yubihsm-shell
if: ${{ matrix.environment == 'fedora:41' }}
run: |
# Set PCSC flags
sed -i 's/#SET(CMAKE_C_FLAGS/SET(CMAKE_C_FLAGS/' ykhsmauth/CMakeLists.txt
- name: extract platform name
env:
DOCKER_IMAGE: ${{ matrix.environment }}
run: |
# Remove everything from DOCKER_IMAGE that is not a letter or a number
PLATFORM=$(echo -n "$DOCKER_IMAGE" | sed -E 's/[^a-zA-Z0-9]//g')
echo "PLATFORM=$PLATFORM" >> $GITHUB_ENV
- name: install dependencies
env:
PLATFORM: ${{ env.PLATFORM }}
run: |
cd yubihsm-shell/resources/release/linux
./install_redhat_dependencies.sh $PLATFORM
if [ $PLATFORM = "centos7" ]; then
# enable the epel repository for centos
yum install -y epel-release
fi
yum install -y procps-ng jq file which curl
- name: build release
working-directory: yubihsm-shell
env:
PLATFORM: ${{ env.PLATFORM }}
run: |
uname -a
export CMAKE="cmake"
export INPUT=$GITHUB_WORKSPACE/yubihsm-shell
export OUTPUT=$GITHUB_WORKSPACE/$PLATFORM/yubihsm-shell
rm -rf $OUTPUT
mkdir -p $OUTPUT
# These 2 lines can be replaced by the command "rpmdev-setuptree", but this command seems to add macros that force check paths that do not exist
mkdir -p $GITHUB_WORKSPACE/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo '%_topdir %(echo $HOME)/rpmbuild' > $GITHUB_WORKSPACE/.rpmmacros
RPM_DIR=$GITHUB_WORKSPACE/rpmbuild
cp resources/release/linux/yubihsm-shell.spec $RPM_DIR/SPECS/
QA_SKIP_BUILD_ROOT=1 QA_RPATHS=$(( 0x0001|0x0010 )) rpmbuild -bb $RPM_DIR/SPECS/yubihsm-shell.spec
cp /github/home/rpmbuild/RPMS/x86_64/*.rpm $OUTPUT/
LICENSE_DIR="$OUTPUT/share/yubihsm-shell"
mkdir -p $LICENSE_DIR
cp -r $INPUT/resources/release/linux/licenses $LICENSE_DIR/
for lf in $LICENSE_DIR/licenses/*; do
chmod 644 $lf
done
cd $OUTPUT
rm -f "yubihsm-shell-$PLATFORM-amd64.tar.gz"
tar -C ".." -zcvf "../yubihsm-shell-$PLATFORM-amd64.tar.gz" "yubihsm-shell"
rm -f *.rpm
rm -rf licenses
rm -rf ../yubihsm-shell
- name: install binaries
working-directory: /github/home/rpmbuild/RPMS/x86_64
run: |
yum install -y ./yubihsm-shell-*.rpm
- name: check binaries for hardening
run: |
curl -o checksec.sh-2.5.0.tar.gz -L https://github.com/slimm609/checksec.sh/archive/refs/tags/2.5.0.tar.gz
tar xfz checksec.sh-2.5.0.tar.gz
cs() {
checksec-2.5.0/checksec --file=/usr/bin/yubihsm-shell --format=json | jq -r ".[] | .$1"
}
if [ "`cs relro`" != "full" ]; then echo "relro is `cs relro`"; exit 1; fi
if [ "`cs canary`" != "yes" ]; then echo "canary is `cs canary`"; exit 1; fi
if [ "`cs nx`" != "yes" ]; then echo "nx is `cs nx`"; exit 1; fi
if [ "`cs pie`" != "yes" ]; then echo "pie is `cs pie`"; exit 1; fi
if [ "`cs fortify_source`" != "yes" ]; then echo "fortify_source is `cs fortify_source`"; exit 1; fi
- name: upload artifacts
uses: actions/upload-artifact@v3
with:
name: "yubihsm-shell-${{ env.PLATFORM }}-amd64"
path: ${{ env.PLATFORM }}