From 93559ecc6ba8277fd05e616dbcdd71e3dfa42f61 Mon Sep 17 00:00:00 2001 From: Jahziel Villasana-Espinoza Date: Mon, 23 Sep 2024 17:23:08 -0400 Subject: [PATCH 1/8] chore: trigger build on pr push --- .github/workflows/release-fleetd-base.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-fleetd-base.yml b/.github/workflows/release-fleetd-base.yml index 99099019641c..715556c52de8 100644 --- a/.github/workflows/release-fleetd-base.yml +++ b/.github/workflows/release-fleetd-base.yml @@ -15,6 +15,7 @@ name: Release and upload fleetd base to https://download.fleetdm.com # Finally, it verifies the uploaded installers and their checksums. on: + pull_request: workflow_dispatch: # Manual schedule: - cron: '0 3 * * *' # Nightly 3AM UTC 
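Review bot: The added `pull_request:` trigger makes this release workflow run on every PR push, and the jobs shown elsewhere in this series sign, notarize and upload installers using repository secrets (the `R2_*` keys, the Apple signing identity, the DigiCert key locker values). For branches inside the repository those secrets are available to the run, so unreviewed workflow edits on a branch can exercise the signing path. If PR runs are needed for testing, guard the signing and upload jobs, e.g. `if: github.event_name != 'pull_request'`, or drop the trigger before merge. The `permissions:` block and the jobs themselves are outside this hunk.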
@@ -34,10 +35,10 @@ permissions: env: R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }} - R2_ACCESS_KEY_ID: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_ID }} # Production: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_ID }} | Testing: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_ID }} - R2_ACCESS_KEY_SECRET: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_SECRET }} # Production: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_SECRET }} | Testing: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_SECRET }} - R2_BUCKET: download # Production: download | Testing: download-testing - BASE_URL: https://download.fleetdm.com # Production: https://download.fleetdm.com | Testing: https://download-testing.fleetdm.com + R2_ACCESS_KEY_ID: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_ID }} # Production: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_ID }} | Testing: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_ID }} + R2_ACCESS_KEY_SECRET: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_SECRET }} # Production: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_SECRET }} | Testing: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_SECRET }} + R2_BUCKET: download-testing # Production: download | Testing: download-testing + BASE_URL: https://download-testing.fleetdm.com # Production: https://download.fleetdm.com | Testing: https://download-testing.fleetdm.com jobs: check-for-fleetd-component-updates: From 058d18ad55eb7ca4b39da4944b89e63842f0db8b Mon Sep 17 00:00:00 2001 From: Jahziel Villasana-Espinoza Date: Mon, 23 Sep 2024 17:41:16 -0400 Subject: [PATCH 2/8] chore: try with tuf flags --- .github/workflows/release-fleetd-base.yml | 164 +++++++++++----------- 1 file changed, 82 insertions(+), 82 deletions(-) diff --git a/.github/workflows/release-fleetd-base.yml b/.github/workflows/release-fleetd-base.yml index 715556c52de8..04b56015287d 100644 --- a/.github/workflows/release-fleetd-base.yml +++ b/.github/workflows/release-fleetd-base.yml 
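Review bot: The production/testing switch in this `env:` block is made by hand-editing four values, so merging the branch as-is would point the nightly `schedule` run at `download-testing` with the testing keys. Selecting by trigger keeps both paths in one file, for example `R2_BUCKET: ${{ github.event_name == 'pull_request' && 'download-testing' || 'download' }}`, with the same pattern for `BASE_URL` and the two key secrets. The `base-url` edit in PATCH 4/8 (`@@ -311,4 +311,4 @@`) is the same hand switch and needs the same treatment.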
@@ -132,7 +132,7 @@ jobs: AC_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} PACKAGE_SIGNING_IDENTITY_SHA1: D52080FD1F0941DE31346F06DA0F08AED6FACBBF run: | - fleetctl package --type pkg --fleet-desktop --use-system-configuration --sign-identity $PACKAGE_SIGNING_IDENTITY_SHA1 --notarize + fleetctl package --type pkg --fleet-desktop --use-system-configuration --sign-identity $PACKAGE_SIGNING_IDENTITY_SHA1 --notarize --update-roots='{"signed":{"_type":"root","spec_version":"1.0","version":1,"expires":"2034-09-21T10:15:42-04:00","keys":{"12d797bd81d8a13d586b9eee0b230a2106d92ac4b78f80c1930e74869b37f442":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"f07715647d065f8c938b465134b16fb1524817c4ab3536c88b5210b2101af55c"}},"21155f3fd917bb48ab6d1e34646196cde398ce76f4e515c254e7ae6328353cd5":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"85349354a7958c843dc3afd97d08d5484a9e9e4454df00b7decd5f69e237b6bb"}},"522fbc30ded293b2dbb92c4d649d34950714fb1d0ba23f3f15b81d47608fe9bb":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"05fdc5ef5bc7301c8f4465b0c048b8ef7f9c1083a0c5b5717f603652e1c5c6ca"}},"a1312aa69ec097c463db3f142aa0dacef2a38e73874a37f5dd4921c8e23a8956":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"2e713e869728c940234be69fa7b55e98b5504dbd17acc1b434b6525f4213d810"}}},"roles":{"root":{"keyids":["a1312aa69ec097c463db3f142aa0dacef2a38e73874a37f5dd4921c8e23a8956"],"threshold":1},"snapshot":{"keyids":["21155f3fd917bb48ab6d1e34646196cde398ce76f4e515c254e7ae6328353cd5"],"threshold":1},"targets":{"keyids":["12d797bd81d8a13d586b9eee0b230a2106d92ac4b78f80c1930e74869b37f442"],"threshold":1},"timestamp":{"keyids":["522fbc30ded293b2dbb92c4d649d34950714fb1d0ba23f3f15b81d47608fe9bb"],"threshold":1}},"consistent_snapshot":false},"signatures":[{"keyid":"a1312aa69ec097c463db3f142aa0dacef2a
38e73874a37f5dd4921c8e23a8956","sig":"1756739aa03b294ed3007af0449aa072e0f74865ffe0b8d7cb9449119af9abf08008abf426fa6f8b60805214460627032504c12593eee1938d6b48fa7ba07a07"}]}' --update-url=http://10.0.0.12:8081 mv fleet-osquery*.pkg fleetd-base.pkg : # Calculate the SHA256 checksum of the package echo "fleetd_base_pkg_sha256=$(shasum -a 256 fleetd-base.pkg | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT 
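Review bot: The `fleetctl package` line still passes `--sign-identity` and `--notarize`, so the resulting pkg is Apple-signed and notarized while embedding a test TUF root via `--update-roots` and `--update-url=http://10.0.0.12:8081`. A release pipeline should not emit an installer that carries the project's signature but trusts a different root and a plaintext-HTTP private address; every role in the supplied root has `"threshold":1`, so a single test key per role decides what such an agent accepts. For test builds, drop the two signing flags or move the command into a separate non-release workflow; the same flags recur in PATCH 7/8 and PATCH 8/8. Passing the root from a file (`--update-roots="$(cat <test-root.json>)"`, placeholder path) would also keep the diff reviewable.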
@@ -178,89 +178,89 @@ jobs: with: filenames: stable/fleetd-base.pkg,stable/fleetd-base-manifest.plist,${{ env.FULL_DATE_DIR }}/fleetd-base.pkg,${{ env.FULL_DATE_DIR }}/fleetd-base-manifest.plist - build-fleetd-base-msi: - needs: [check-for-fleetd-component-updates] - if: needs.check-for-fleetd-component-updates.outputs.update_needed == 'true' - runs-on: ubuntu-latest - env: - FULL_DATE_DIR: archive/stable/${{ needs.check-for-fleetd-component-updates.outputs.date_dir }} - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - name: Install fleetctl - run: npm install -g fleetctl - - - name: Build MSI - id: build - run: | - fleetctl package --type msi --fleet-desktop --fleet-url dummy --enroll-secret dummy - mv fleet-osquery*.msi fleetd-base.msi - - - name: Upload fleetd-base.msi for code signing - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3 - with: - name: unsigned-windows - path: fleetd-base.msi - - code-sign-windows: - needs: build-fleetd-base-msi - uses: ./.github/workflows/code-sign-windows.yml - with: - filename: fleetd-base.msi - upload_name: fleetd-base-msi - secrets: - DIGICERT_KEYLOCKER_CERTIFICATE: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE }} - DIGICERT_KEYLOCKER_PASSWORD: ${{ secrets.DIGICERT_KEYLOCKER_PASSWORD }} - DIGICERT_KEYLOCKER_HOST_URL: ${{ secrets.DIGICERT_KEYLOCKER_HOST_URL }} - DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }} - DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT }} - - update-fleetd-base-msi: - needs: [code-sign-windows, check-for-fleetd-component-updates] - runs-on: ubuntu-latest - outputs: - fleetd_base_msi_sha256: ${{ steps.prepare-files.outputs.fleetd_base_msi_sha256 }} - env: - FULL_DATE_DIR: archive/stable/${{ needs.check-for-fleetd-component-updates.outputs.date_dir }} - steps: - - name: Harden Runner - uses: 
step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - name: Checkout code needed for R2 upload - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - sparse-checkout: | - .github/actions/r2-upload/action.yml - .github/scripts/rclone-install.sh - sparse-checkout-cone-mode: false - - - name: Download signed artifact - uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6 - with: - name: fleetd-base-msi - - - name: Prepare files for R2 upload - id: prepare-files - run: | - mkdir -p stable - mkdir -p ${{ env.FULL_DATE_DIR }} - cp fleetd-base.msi stable/ - cp fleetd-base.msi ${{ env.FULL_DATE_DIR }}/ - : # Calculate the SHA256 checksum of the package - echo "fleetd_base_msi_sha256=$(shasum -a 256 fleetd-base.msi | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT - - - name: Upload package - uses: ./.github/actions/r2-upload - with: - filenames: stable/fleetd-base.msi,${{ env.FULL_DATE_DIR }}/fleetd-base.msi + # build-fleetd-base-msi: + # needs: [check-for-fleetd-component-updates] + # if: needs.check-for-fleetd-component-updates.outputs.update_needed == 'true' + # runs-on: ubuntu-latest + # env: + # FULL_DATE_DIR: archive/stable/${{ needs.check-for-fleetd-component-updates.outputs.date_dir }} + # steps: + # - name: Harden Runner + # uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + # with: + # egress-policy: audit + + # - name: Install fleetctl + # run: npm install -g fleetctl + + # - name: Build MSI + # id: build + # run: | + # fleetctl package --type msi --fleet-desktop --fleet-url dummy --enroll-secret dummy + # mv fleet-osquery*.msi fleetd-base.msi + + # - name: Upload fleetd-base.msi for code signing + # uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3 + # with: + # name: unsigned-windows + # path: fleetd-base.msi + + # code-sign-windows: + # needs: build-fleetd-base-msi + # uses: 
./.github/workflows/code-sign-windows.yml + # with: + # filename: fleetd-base.msi + # upload_name: fleetd-base-msi + # secrets: + # DIGICERT_KEYLOCKER_CERTIFICATE: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE }} + # DIGICERT_KEYLOCKER_PASSWORD: ${{ secrets.DIGICERT_KEYLOCKER_PASSWORD }} + # DIGICERT_KEYLOCKER_HOST_URL: ${{ secrets.DIGICERT_KEYLOCKER_HOST_URL }} + # DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }} + # DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT }} + + # update-fleetd-base-msi: + # needs: [code-sign-windows, check-for-fleetd-component-updates] + # runs-on: ubuntu-latest + # outputs: + # fleetd_base_msi_sha256: ${{ steps.prepare-files.outputs.fleetd_base_msi_sha256 }} + # env: + # FULL_DATE_DIR: archive/stable/${{ needs.check-for-fleetd-component-updates.outputs.date_dir }} + # steps: + # - name: Harden Runner + # uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + # with: + # egress-policy: audit + + # - name: Checkout code needed for R2 upload + # uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + # with: + # sparse-checkout: | + # .github/actions/r2-upload/action.yml + # .github/scripts/rclone-install.sh + # sparse-checkout-cone-mode: false + + # - name: Download signed artifact + # uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6 + # with: + # name: fleetd-base-msi + + # - name: Prepare files for R2 upload + # id: prepare-files + # run: | + # mkdir -p stable + # mkdir -p ${{ env.FULL_DATE_DIR }} + # cp fleetd-base.msi stable/ + # cp fleetd-base.msi ${{ env.FULL_DATE_DIR }}/ + # : # Calculate the SHA256 checksum of the package + # echo "fleetd_base_msi_sha256=$(shasum -a 256 fleetd-base.msi | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT + + # - name: Upload package + # uses: ./.github/actions/r2-upload + # with: + # filenames: stable/fleetd-base.msi,${{ env.FULL_DATE_DIR }}/fleetd-base.msi update-meta-files: - 
needs: [check-for-fleetd-component-updates, update-fleetd-base-pkg, update-fleetd-base-msi] + needs: [check-for-fleetd-component-updates, update-fleetd-base-pkg] runs-on: ubuntu-latest env: FULL_DATE_DIR: archive/stable/${{ needs.check-for-fleetd-component-updates.outputs.date_dir }} From 976e7dcc13703b8bfe0a06710a4685194de02157 Mon Sep 17 00:00:00 2001 From: Jahziel Villasana-Espinoza Date: Mon, 23 Sep 2024 17:46:30 -0400 Subject: [PATCH 3/8] chore: desktop change --- orbit/pkg/update/swift_dialog.go | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/orbit/pkg/update/swift_dialog.go b/orbit/pkg/update/swift_dialog.go index bdbfde5e3ee3..2e214c1b0975 100644 --- a/orbit/pkg/update/swift_dialog.go +++ b/orbit/pkg/update/swift_dialog.go @@ -36,10 +36,11 @@ func (s *SwiftDialogDownloader) Run(cfg *fleet.OrbitConfig) error { // TODO: we probably want to ensure that swiftDialog is always installed if we're going to be // using it offline. - if !cfg.Notifications.NeedsMDMMigration && !cfg.Notifications.RenewEnrollmentProfile { - log.Debug().Msg("got false needs migration and false renew enrollment") - return nil - } + log.Info().Msg("JVE_LOG: attempting to install swiftDialog") + // if !cfg.Notifications.NeedsMDMMigration && !cfg.Notifications.RenewEnrollmentProfile { + // log.Debug().Msg("got false needs migration and false renew enrollment") + // return nil + // } updaterHasTarget := s.UpdateRunner.HasRunnerOptTarget("swiftDialog") runnerHasLocalHash := s.UpdateRunner.HasLocalHash("swiftDialog") From 911eb47d45a145746270e3c97b5a7b186ff1047f Mon Sep 17 00:00:00 2001 From: Jahziel Villasana-Espinoza Date: Mon, 23 Sep 2024 17:52:08 -0400 Subject: [PATCH 4/8] chore: try to fix runner --- .github/workflows/release-fleetd-base.yml | 164 +++++++++++----------- 1 file changed, 82 insertions(+), 82 deletions(-) diff --git a/.github/workflows/release-fleetd-base.yml b/.github/workflows/release-fleetd-base.yml index 04b56015287d..693f7e49191c 100644 
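Review bot: Dropping `update-fleetd-base-msi` from the `needs:` list of `update-meta-files` removes that job's outputs from the `needs` context, so any reference to `needs.update-fleetd-base-msi.outputs.fleetd_base_msi_sha256` in the body of `update-meta-files` would likely evaluate to an empty string instead of failing. That body is outside this hunk, so this is worth checking before trusting the meta files a run of this version publishes. Commenting out some eighty lines also hides the real change in the diff; a short comment above the block saying why the MSI path is disabled would help the next reader.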
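Review bot: With the `NeedsMDMMigration`/`RenewEnrollmentProfile` guard commented out, `Run` no longer returns early and continues to the swiftDialog target checks on every invocation, logging at Info level each time. That changes agent behaviour on every host that receives this build, not only the test machine, and the `JVE_LOG:` prefix and commented-out block read as debugging leftovers. If an unconditional install is intended, delete the guard and update the TODO above it; otherwise restore `if !cfg.Notifications.NeedsMDMMigration && !cfg.Notifications.RenewEnrollmentProfile { return nil }`. The rest of `Run` is outside this hunk.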
--- a/.github/workflows/release-fleetd-base.yml
+++ b/.github/workflows/release-fleetd-base.yml
@@ -178,89 +178,89 @@ jobs: with: filenames: stable/fleetd-base.pkg,stable/fleetd-base-manifest.plist,${{ env.FULL_DATE_DIR }}/fleetd-base.pkg,${{ env.FULL_DATE_DIR }}/fleetd-base-manifest.plist - # build-fleetd-base-msi: - # needs: [check-for-fleetd-component-updates] - # if: needs.check-for-fleetd-component-updates.outputs.update_needed == 'true' - # runs-on: ubuntu-latest - # env: - # FULL_DATE_DIR: archive/stable/${{ needs.check-for-fleetd-component-updates.outputs.date_dir }} - # steps: - # - name: Harden Runner - # uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - # with: - # egress-policy: audit - - # - name: Install fleetctl - # run: npm install -g fleetctl - - # - name: Build MSI - # id: build - # run: | - # fleetctl package --type msi --fleet-desktop --fleet-url dummy --enroll-secret dummy - # mv fleet-osquery*.msi fleetd-base.msi - - # - name: Upload fleetd-base.msi for code signing - # uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3 - # with: - # name: unsigned-windows - # path: fleetd-base.msi - - # code-sign-windows: - # needs: build-fleetd-base-msi - # uses: ./.github/workflows/code-sign-windows.yml - # with: - # filename: fleetd-base.msi - # upload_name: fleetd-base-msi - # secrets: - # DIGICERT_KEYLOCKER_CERTIFICATE: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE }} - # DIGICERT_KEYLOCKER_PASSWORD: ${{ secrets.DIGICERT_KEYLOCKER_PASSWORD }} - # DIGICERT_KEYLOCKER_HOST_URL: ${{ secrets.DIGICERT_KEYLOCKER_HOST_URL }} - # DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }} - # DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT }} - - # update-fleetd-base-msi: - # needs: [code-sign-windows, check-for-fleetd-component-updates] - # runs-on: ubuntu-latest - # outputs: - # fleetd_base_msi_sha256: ${{ steps.prepare-files.outputs.fleetd_base_msi_sha256 }} - # env: - # FULL_DATE_DIR: archive/stable/${{ 
needs.check-for-fleetd-component-updates.outputs.date_dir }} - # steps: - # - name: Harden Runner - # uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - # with: - # egress-policy: audit - - # - name: Checkout code needed for R2 upload - # uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - # with: - # sparse-checkout: | - # .github/actions/r2-upload/action.yml - # .github/scripts/rclone-install.sh - # sparse-checkout-cone-mode: false - - # - name: Download signed artifact - # uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6 - # with: - # name: fleetd-base-msi - - # - name: Prepare files for R2 upload - # id: prepare-files - # run: | - # mkdir -p stable - # mkdir -p ${{ env.FULL_DATE_DIR }} - # cp fleetd-base.msi stable/ - # cp fleetd-base.msi ${{ env.FULL_DATE_DIR }}/ - # : # Calculate the SHA256 checksum of the package - # echo "fleetd_base_msi_sha256=$(shasum -a 256 fleetd-base.msi | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT - - # - name: Upload package - # uses: ./.github/actions/r2-upload - # with: - # filenames: stable/fleetd-base.msi,${{ env.FULL_DATE_DIR }}/fleetd-base.msi + build-fleetd-base-msi: + needs: [check-for-fleetd-component-updates] + if: needs.check-for-fleetd-component-updates.outputs.update_needed == 'true' + runs-on: ubuntu-latest + env: + FULL_DATE_DIR: archive/stable/${{ needs.check-for-fleetd-component-updates.outputs.date_dir }} + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: Install fleetctl + run: npm install -g fleetctl + + - name: Build MSI + id: build + run: | + fleetctl package --type msi --fleet-desktop --fleet-url dummy --enroll-secret dummy + mv fleet-osquery*.msi fleetd-base.msi + + - name: Upload fleetd-base.msi for code signing + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3 + with: + name: 
unsigned-windows + path: fleetd-base.msi + + code-sign-windows: + needs: build-fleetd-base-msi + uses: ./.github/workflows/code-sign-windows.yml + with: + filename: fleetd-base.msi + upload_name: fleetd-base-msi + secrets: + DIGICERT_KEYLOCKER_CERTIFICATE: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE }} + DIGICERT_KEYLOCKER_PASSWORD: ${{ secrets.DIGICERT_KEYLOCKER_PASSWORD }} + DIGICERT_KEYLOCKER_HOST_URL: ${{ secrets.DIGICERT_KEYLOCKER_HOST_URL }} + DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }} + DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT }} + + update-fleetd-base-msi: + needs: [code-sign-windows, check-for-fleetd-component-updates] + runs-on: ubuntu-latest + outputs: + fleetd_base_msi_sha256: ${{ steps.prepare-files.outputs.fleetd_base_msi_sha256 }} + env: + FULL_DATE_DIR: archive/stable/${{ needs.check-for-fleetd-component-updates.outputs.date_dir }} + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: Checkout code needed for R2 upload + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + sparse-checkout: | + .github/actions/r2-upload/action.yml + .github/scripts/rclone-install.sh + sparse-checkout-cone-mode: false + + - name: Download signed artifact + uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6 + with: + name: fleetd-base-msi + + - name: Prepare files for R2 upload + id: prepare-files + run: | + mkdir -p stable + mkdir -p ${{ env.FULL_DATE_DIR }} + cp fleetd-base.msi stable/ + cp fleetd-base.msi ${{ env.FULL_DATE_DIR }}/ + : # Calculate the SHA256 checksum of the package + echo "fleetd_base_msi_sha256=$(shasum -a 256 fleetd-base.msi | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT + + - name: Upload package + uses: ./.github/actions/r2-upload + with: + filenames: stable/fleetd-base.msi,${{ env.FULL_DATE_DIR }}/fleetd-base.msi 
update-meta-files: - needs: [check-for-fleetd-component-updates, update-fleetd-base-pkg] + needs: [check-for-fleetd-component-updates, update-fleetd-base-pkg, update-fleetd-base-msi] runs-on: ubuntu-latest env: FULL_DATE_DIR: archive/stable/${{ needs.check-for-fleetd-component-updates.outputs.date_dir }} @@ -311,4 +311,4 @@ jobs: needs: update-meta-files uses: ./.github/workflows/verify-fleetd-base.yml with: - base-url: "https://download.fleetdm.com" # Production: "https://download.fleetdm.com" | Testing: "https://download-testing.fleetdm.com" + base-url: "https://download-testing.fleetdm.com" # Production: "https://download.fleetdm.com" | Testing: "https://download-testing.fleetdm.com" From 7200d63b933248cebcfce1451a81ec96cbb524dc Mon Sep 17 00:00:00 2001 From: Jahziel Villasana-Espinoza Date: Mon, 23 Sep 2024 17:55:37 -0400 Subject: [PATCH 5/8] chore: try to trigger job --- orbit/pkg/update/swift_dialog.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/orbit/pkg/update/swift_dialog.go b/orbit/pkg/update/swift_dialog.go index 2e214c1b0975..41d3aeeef3cf 100644 --- a/orbit/pkg/update/swift_dialog.go +++ b/orbit/pkg/update/swift_dialog.go @@ -36,7 +36,7 @@ func (s *SwiftDialogDownloader) Run(cfg *fleet.OrbitConfig) error { // TODO: we probably want to ensure that swiftDialog is always installed if we're going to be // using it offline. - log.Info().Msg("JVE_LOG: attempting to install swiftDialog") + log.Info().Msg("JVE_LOG: attempting to install swiftDialog 1") // if !cfg.Notifications.NeedsMDMMigration && !cfg.Notifications.RenewEnrollmentProfile { // log.Debug().Msg("got false needs migration and false renew enrollment") // return nil From f281dc3f5863855c4966085c94dbbfa2f71509c0 Mon Sep 17 00:00:00 2001 From: Jahziel Villasana-Espinoza Date: Mon, 23 Sep 2024 17:58:52 -0400 Subject: [PATCH 6/8] chore: always run other parts --- .github/workflows/release-fleetd-base.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) 
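Review bot: In the restored `build-fleetd-base-msi` job, `npm install -g fleetctl` resolves whatever version is latest on the registry at build time, while every action in the same job is pinned to a commit SHA, and the MSI it builds goes on to `code-sign-windows`. If tracking the latest fleetctl is deliberate for this nightly job, a comment saying so would help; otherwise pin it, `npm install -g fleetctl@<version>` (placeholder). Both Harden Runner steps also stay on `egress-policy: audit`, which records outbound traffic but does not block it.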
diff --git a/.github/workflows/release-fleetd-base.yml b/.github/workflows/release-fleetd-base.yml index 693f7e49191c..589652eb1421 100644 --- a/.github/workflows/release-fleetd-base.yml +++ b/.github/workflows/release-fleetd-base.yml @@ -69,13 +69,8 @@ jobs: : # Check that latest-tuf-meta.json is valid jq -e . >/dev/null 2>&1 <<< $(cat latest-tuf-meta.json) : # Download the current TUF meta file in order to compare it with the latest - curl -O $BASE_URL/stable/tuf-meta.json - if diff latest-tuf-meta.json tuf-meta.json >/dev/null 2>&1 - then - echo "update_needed=false" >> $GITHUB_OUTPUT - else - echo "update_needed=true" >> $GITHUB_OUTPUT - fi + curl -O $BASE_URL/stable/tuf-meta.json + echo "update_needed=true" >> $GITHUB_OUTPUT echo "date_dir=$(date -u +%Y-%m-%d_%H-%M-%S)" >> $GITHUB_OUTPUT - name: Upload latest TUF meta artifact From 29b2ae619c29da94303bb29fcdad827f58b0982d Mon Sep 17 00:00:00 2001 From: Jahziel Villasana-Espinoza Date: Mon, 23 Sep 2024 18:06:51 -0400 Subject: [PATCH 7/8] chore: remove url --- .github/workflows/release-fleetd-base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-fleetd-base.yml b/.github/workflows/release-fleetd-base.yml index 589652eb1421..2a0ea47b7163 100644 --- a/.github/workflows/release-fleetd-base.yml +++ b/.github/workflows/release-fleetd-base.yml 
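Review bot: `update_needed` is now hard-coded to `true`, so the `curl -O $BASE_URL/stable/tuf-meta.json` kept above it downloads a file nothing reads, and every run rebuilds and uploads, including each PR push once the `pull_request` trigger from PATCH 1/8 is in. To force a build only for PR runs, keep the comparison and widen its condition: `if [ "$GITHUB_EVENT_NAME" != "pull_request" ] && diff latest-tuf-meta.json tuf-meta.json >/dev/null 2>&1`, with the original `then`/`else` branches unchanged. The step's remaining lines are outside the hunk.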
@@ -127,7 +127,7 @@ jobs: AC_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} PACKAGE_SIGNING_IDENTITY_SHA1: D52080FD1F0941DE31346F06DA0F08AED6FACBBF run: | - fleetctl package --type pkg --fleet-desktop --use-system-configuration --sign-identity $PACKAGE_SIGNING_IDENTITY_SHA1 --notarize --update-roots='{"signed":{"_type":"root","spec_version":"1.0","version":1,"expires":"2034-09-21T10:15:42-04:00","keys":{"12d797bd81d8a13d586b9eee0b230a2106d92ac4b78f80c1930e74869b37f442":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"f07715647d065f8c938b465134b16fb1524817c4ab3536c88b5210b2101af55c"}},"21155f3fd917bb48ab6d1e34646196cde398ce76f4e515c254e7ae6328353cd5":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"85349354a7958c843dc3afd97d08d5484a9e9e4454df00b7decd5f69e237b6bb"}},"522fbc30ded293b2dbb92c4d649d34950714fb1d0ba23f3f15b81d47608fe9bb":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"05fdc5ef5bc7301c8f4465b0c048b8ef7f9c1083a0c5b5717f603652e1c5c6ca"}},"a1312aa69ec097c463db3f142aa0dacef2a38e73874a37f5dd4921c8e23a8956":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"2e713e869728c940234be69fa7b55e98b5504dbd17acc1b434b6525f4213d810"}}},"roles":{"root":{"keyids":["a1312aa69ec097c463db3f142aa0dacef2a38e73874a37f5dd4921c8e23a8956"],"threshold":1},"snapshot":{"keyids":["21155f3fd917bb48ab6d1e34646196cde398ce76f4e515c254e7ae6328353cd5"],"threshold":1},"targets":{"keyids":["12d797bd81d8a13d586b9eee0b230a2106d92ac4b78f80c1930e74869b37f442"],"threshold":1},"timestamp":{"keyids":["522fbc30ded293b2dbb92c4d649d34950714fb1d0ba23f3f15b81d47608fe9bb"],"threshold":1}},"consistent_snapshot":false},"signatures":[{"keyid":"a1312aa69ec097c463db3f142aa0dacef2a38e73874a37f5dd4921c8e23a8956","sig":"1756739aa03b294ed3007af0449aa072e0f74865ffe0b8d7cb9449119af9abf08008abf426fa6f8b6080521446062
7032504c12593eee1938d6b48fa7ba07a07"}]}' --update-url=http://10.0.0.12:8081 + fleetctl package --type pkg --fleet-desktop --use-system-configuration --sign-identity $PACKAGE_SIGNING_IDENTITY_SHA1 --notarize --update-roots='{"signed":{"_type":"root","spec_version":"1.0","version":1,"expires":"2034-09-21T10:15:42-04:00","keys":{"12d797bd81d8a13d586b9eee0b230a2106d92ac4b78f80c1930e74869b37f442":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"f07715647d065f8c938b465134b16fb1524817c4ab3536c88b5210b2101af55c"}},"21155f3fd917bb48ab6d1e34646196cde398ce76f4e515c254e7ae6328353cd5":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"85349354a7958c843dc3afd97d08d5484a9e9e4454df00b7decd5f69e237b6bb"}},"522fbc30ded293b2dbb92c4d649d34950714fb1d0ba23f3f15b81d47608fe9bb":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"05fdc5ef5bc7301c8f4465b0c048b8ef7f9c1083a0c5b5717f603652e1c5c6ca"}},"a1312aa69ec097c463db3f142aa0dacef2a38e73874a37f5dd4921c8e23a8956":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"2e713e869728c940234be69fa7b55e98b5504dbd17acc1b434b6525f4213d810"}}},"roles":{"root":{"keyids":["a1312aa69ec097c463db3f142aa0dacef2a38e73874a37f5dd4921c8e23a8956"],"threshold":1},"snapshot":{"keyids":["21155f3fd917bb48ab6d1e34646196cde398ce76f4e515c254e7ae6328353cd5"],"threshold":1},"targets":{"keyids":["12d797bd81d8a13d586b9eee0b230a2106d92ac4b78f80c1930e74869b37f442"],"threshold":1},"timestamp":{"keyids":["522fbc30ded293b2dbb92c4d649d34950714fb1d0ba23f3f15b81d47608fe9bb"],"threshold":1}},"consistent_snapshot":false},"signatures":[{"keyid":"a1312aa69ec097c463db3f142aa0dacef2a38e73874a37f5dd4921c8e23a8956","sig":"1756739aa03b294ed3007af0449aa072e0f74865ffe0b8d7cb9449119af9abf08008abf426fa6f8b60805214460627032504c12593eee1938d6b48fa7ba07a07"}]}' mv fleet-osquery*.pkg 
fleetd-base.pkg : # Calculate the SHA256 checksum of the package echo "fleetd_base_pkg_sha256=$(shasum -a 256 fleetd-base.pkg | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT From 7e857468d3a0ef0d6593f3cd6e951527f9575cb9 Mon Sep 17 00:00:00 2001 From: Jahziel Villasana-Espinoza Date: Tue, 1 Oct 2024 12:23:04 -0400 Subject: [PATCH 8/8] chore: try local tuf server --- .github/workflows/release-fleetd-base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-fleetd-base.yml b/.github/workflows/release-fleetd-base.yml index 2a0ea47b7163..2c7758388abe 100644 --- a/.github/workflows/release-fleetd-base.yml +++ b/.github/workflows/release-fleetd-base.yml 
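Review bot: Removing `--update-url` while keeping the test `--update-roots` leaves the package with a trust root that presumably does not match the metadata served by the default update server, so an agent installed from it would likely fail TUF verification rather than update. The package is still signed and notarized by this step. Either remove both flags together or keep them paired in a build that is not signed with the release identity.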
@@ -127,7 +127,7 @@ jobs: AC_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} PACKAGE_SIGNING_IDENTITY_SHA1: D52080FD1F0941DE31346F06DA0F08AED6FACBBF run: | - fleetctl package --type pkg --fleet-desktop --use-system-configuration --sign-identity $PACKAGE_SIGNING_IDENTITY_SHA1 --notarize --update-roots='{"signed":{"_type":"root","spec_version":"1.0","version":1,"expires":"2034-09-21T10:15:42-04:00","keys":{"12d797bd81d8a13d586b9eee0b230a2106d92ac4b78f80c1930e74869b37f442":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"f07715647d065f8c938b465134b16fb1524817c4ab3536c88b5210b2101af55c"}},"21155f3fd917bb48ab6d1e34646196cde398ce76f4e515c254e7ae6328353cd5":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"85349354a7958c843dc3afd97d08d5484a9e9e4454df00b7decd5f69e237b6bb"}},"522fbc30ded293b2dbb92c4d649d34950714fb1d0ba23f3f15b81d47608fe9bb":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"05fdc5ef5bc7301c8f4465b0c048b8ef7f9c1083a0c5b5717f603652e1c5c6ca"}},"a1312aa69ec097c463db3f142aa0dacef2a38e73874a37f5dd4921c8e23a8956":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"2e713e869728c940234be69fa7b55e98b5504dbd17acc1b434b6525f4213d810"}}},"roles":{"root":{"keyids":["a1312aa69ec097c463db3f142aa0dacef2a38e73874a37f5dd4921c8e23a8956"],"threshold":1},"snapshot":{"keyids":["21155f3fd917bb48ab6d1e34646196cde398ce76f4e515c254e7ae6328353cd5"],"threshold":1},"targets":{"keyids":["12d797bd81d8a13d586b9eee0b230a2106d92ac4b78f80c1930e74869b37f442"],"threshold":1},"timestamp":{"keyids":["522fbc30ded293b2dbb92c4d649d34950714fb1d0ba23f3f15b81d47608fe9bb"],"threshold":1}},"consistent_snapshot":false},"signatures":[{"keyid":"a1312aa69ec097c463db3f142aa0dacef2a38e73874a37f5dd4921c8e23a8956","sig":"1756739aa03b294ed3007af0449aa072e0f74865ffe0b8d7cb9449119af9abf08008abf426fa6f8b6080521446062
7032504c12593eee1938d6b48fa7ba07a07"}]}' + fleetctl package --type pkg --fleet-desktop --use-system-configuration --sign-identity $PACKAGE_SIGNING_IDENTITY_SHA1 --notarize --update-roots='{"signed":{"_type":"root","spec_version":"1.0","version":1,"expires":"2034-09-21T10:15:42-04:00","keys":{"12d797bd81d8a13d586b9eee0b230a2106d92ac4b78f80c1930e74869b37f442":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"f07715647d065f8c938b465134b16fb1524817c4ab3536c88b5210b2101af55c"}},"21155f3fd917bb48ab6d1e34646196cde398ce76f4e515c254e7ae6328353cd5":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"85349354a7958c843dc3afd97d08d5484a9e9e4454df00b7decd5f69e237b6bb"}},"522fbc30ded293b2dbb92c4d649d34950714fb1d0ba23f3f15b81d47608fe9bb":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"05fdc5ef5bc7301c8f4465b0c048b8ef7f9c1083a0c5b5717f603652e1c5c6ca"}},"a1312aa69ec097c463db3f142aa0dacef2a38e73874a37f5dd4921c8e23a8956":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"2e713e869728c940234be69fa7b55e98b5504dbd17acc1b434b6525f4213d810"}}},"roles":{"root":{"keyids":["a1312aa69ec097c463db3f142aa0dacef2a38e73874a37f5dd4921c8e23a8956"],"threshold":1},"snapshot":{"keyids":["21155f3fd917bb48ab6d1e34646196cde398ce76f4e515c254e7ae6328353cd5"],"threshold":1},"targets":{"keyids":["12d797bd81d8a13d586b9eee0b230a2106d92ac4b78f80c1930e74869b37f442"],"threshold":1},"timestamp":{"keyids":["522fbc30ded293b2dbb92c4d649d34950714fb1d0ba23f3f15b81d47608fe9bb"],"threshold":1}},"consistent_snapshot":false},"signatures":[{"keyid":"a1312aa69ec097c463db3f142aa0dacef2a38e73874a37f5dd4921c8e23a8956","sig":"1756739aa03b294ed3007af0449aa072e0f74865ffe0b8d7cb9449119af9abf08008abf426fa6f8b60805214460627032504c12593eee1938d6b48fa7ba07a07"}]}' --update-url=https://jve-images-snicket.ngrok.app mv 
fleet-osquery*.pkg fleetd-base.pkg : # Calculate the SHA256 checksum of the package echo "fleetd_base_pkg_sha256=$(shasum -a 256 fleetd-base.pkg | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT
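Review bot: `--update-url=https://jve-images-snicket.ngrok.app` hard-codes what looks like a personal tunnel hostname into a package that this step still signs and notarizes. The host is outside the project's control and may stop pointing at the author's machine, at which point agents installed from this pkg depend solely on the embedded test root for update integrity. Reading the URL from a repository variable, e.g. `--update-url="${{ vars.<TEST_TUF_URL> }}"` (placeholder name), and skipping signing for such builds would keep test endpoints out of the workflow history.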