refactor(e2e): harden supply chain and binary verification logic (#139)

- Add --strict to sha256sum checks for Helm and Kubectl to prevent silent failures on malformed hashes.
- Refactor RKE2 installation to eliminate the "pipe-to-shell" pattern and use systemctl enable --now.
- Move AWS CLI GPG public key from an inline Makefile string to a standalone file (awscli-publickey.pub).
- Implement GPG signature verification for AWS CLI downloads to ensure artifact authenticity.
- Update RKE2 wait logic and environment configuration for better E2E reliability.
- Lower release.yml's top level permissions

Signed-off-by: Andy Pitcher <andy.pitcher@suse.com>

Author: andypitcher

.github/workflows/release.yml

@@ -5,6 +5,8 @@ on:
     tags:
       - v*
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest

hack/e2e/setup-vm.sh

@@ -76,7 +76,7 @@ function installDependencies(){
     local HELM_SHA256="${!HELM_SHA256_VAR}"
     local HELM_FILE="helm-${HELM_VERSION}-linux-${ARCH}.tar.gz"
     curl -fsSLO "https://get.helm.sh/${HELM_FILE}"
-    echo "${HELM_SHA256}  ${HELM_FILE}" | sha256sum -c -
+    echo "${HELM_SHA256}  ${HELM_FILE}" | sha256sum -c - --strict
     tar xzf "${HELM_FILE}"
     install -o root -g root -m 0755 linux-${ARCH}/helm /usr/local/bin/helm
     rm -rf linux-${ARCH} "${HELM_FILE}"
@@ -86,21 +86,22 @@ function installDependencies(){
     local KUBECTL_SHA256_VAR="KUBECTL_SHA256_${ARCH}"
     local KUBECTL_SHA256="${!KUBECTL_SHA256_VAR}"
     curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl"
-    echo "${KUBECTL_SHA256}  kubectl" | sha256sum -c -
+    echo "${KUBECTL_SHA256}  kubectl" | sha256sum -c - --strict
     install -o root -g root -m 0755 kubectl /usr/bin/kubectl
     rm -f kubectl
     kubectl version --client=true
 }
 
 function installRKE2(){
-    echo "> Installing RKE2 ${INSTALL_RKE2_VERSION}"
-    curl -sfL https://get.rke2.io | INSTALL_RKE2_VERSION="${INSTALL_RKE2_VERSION}" sh -
+    echo "> Installing RKE2 ${INSTALL_RKE2_VERSION} for ${ARCH}"
+    curl -sfL https://get.rke2.io -o install.sh
+    INSTALL_RKE2_VERSION="${INSTALL_RKE2_VERSION}" sh install.sh
+    rm -f install.sh
     # RKE2 install script does not install the SELinux policy by default for tumbleweed; manual setup required.
     if isSUSE; then
         sudo zypper -n install rke2-selinux
     fi
-    systemctl start rke2-server.service
-    systemctl enable rke2-server.service
+    systemctl enable --now rke2-server.service
 
     export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
     echo "export KUBECONFIG=/etc/rancher/rke2/rke2.yaml" >> ~/.bashrc

hack/make/awscli-publickey.pub

@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: Sourced from https://awscli.amazonaws.com/awscli-exe-linux-x86_64.sig
+
+mQINBF2Cr7UBEADJZHcgusOJl7ENSyumXh85z0TRV0xJorM2B/JL0kHOyigQluUG
+ZMLhENaG0bYatdrKP+3H91lvK050pXwnO/R7fB/FSTouki4ciIx5OuLlnJZIxSzx
+PqGl0mkxImLNbGWoi6Lto0LYxqHN2iQtzlwTVmq9733zd3XfcXrZ3+LblHAgEt5G
+TfNxEKJ8soPLyWmwDH6HWCnjZ/aIQRBTIQ05uVeEoYxSh6wOai7ss/KveoSNBbYz
+gbdzoqI2Y8cgH2nbfgp3DSasaLZEdCSsIsK1u05CinE7k2qZ7KgKAUIcT/cR/grk
+C6VwsnDU0OUCideXcQ8WeHutqvgZH1JgKDbznoIzeQHJD238GEu+eKhRHcz8/jeG
+94zkcgJOz3KbZGYMiTh277Fvj9zzvZsbMBCedV1BTg3TqgvdX4bdkhf5cH+7NtWO
+lrFj6UwAsGukBTAOxC0l/dnSmZhJ7Z1KmEWilro/gOrjtOxqRQutlIqG22TaqoPG
+fYVN+en3Zwbt97kcgZDwqbuykNt64oZWc4XKCa3mprEGC3IbJTBFqglXmZ7l9ywG
+EEUJYOlb2XrSuPWml39beWdKM8kzr1OjnlOm6+lpTRCBfo0wa9F8YZRhHPAkwKkX
+XDeOGpWRj4ohOx0d2GWkyV5xyN14p2tQOCdOODmz80yUTgRpPVQUtOEhXQARAQAB
+tCFBV1MgQ0xJIFRlYW0gPGF3cy1jbGlAYW1hem9uLmNvbT6JAlQEEwEIAD4CGwMF
+CwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQT7Xbd/1cEYuAURraimMQrMRnJHXAUC
+aGveYQUJDMpiLAAKCRCmMQrMRnJHXKBYD/9Ab0qQdGiO5hObchG8xh8Rpb4Mjyf6
+0JrVo6m8GNjNj6BHkSc8fuTQJ/FaEhaQxj3pjZ3GXPrXjIIVChmICLlFuRXYzrXc
+Pw0lniybypsZEVai5kO0tCNBCCFuMN9RsmmRG8mf7lC4FSTbUDmxG/QlYK+0IV/l
+uJkzxWa+rySkdpm0JdqumjegNRgObdXHAQDWlubWQHWyZyIQ2B4U7AxqSpcdJp6I
+S4Zds4wVLd1WE5pquYQ8vS2cNlDm4QNg8wTj58e3lKN47hXHMIb6CHxRnb947oJa
+pg189LLPR5koh+EorNkA1wu5mAJtJvy5YMsppy2y/kIjp3lyY6AmPT1posgGk70Z
+CmToEZ5rbd7ARExtlh76A0cabMDFlEHDIK8RNUOSRr7L64+KxOUegKBfQHb9dADY
+qqiKqpCbKgvtWlds909Ms74JBgr2KwZCSY1HaOxnIr4CY43QRqAq5YHOay/mU+6w
+hhmdF18vpyK0vfkvvGresWtSXbag7Hkt3XjaEw76BzxQH21EBDqU8WJVjHgU6ru+
+DJTs+SxgJbaT3hb/vyjlw0lK+hFfhWKRwgOXH8vqducF95NRSUxtS4fpqxWVaw3Q
+V2OWSjbne99A5EPEySzryFTKbMGwaTlAwMCwYevt4YT6eb7NmFhTx0Fis4TalUs+
+j+c7Kg92pDx2uQ==
+=OBAt
+-----END PGP PUBLIC KEY BLOCK-----

hack/make/tools.mk

@@ -1,12 +1,25 @@
+MKFILE_DIR := $(abspath $(dir $(lastword $(MAKEFILE_LIST))))
 TOOLS_BIN := $(shell mkdir -p build/tools && realpath build/tools)
+ARCH := $(shell uname -m | sed 's/arm64/aarch64/')
+
+# renovate-local: awscli-exe-linux-x86_64=2.34.30
+AWSCLI_VERSION := 2.34.30
+AWSCLI_PUB_KEY := $(MKFILE_DIR)/awscli-publickey.pub
 
 AWSCLI = $(TOOLS_BIN)/aws/dist/aws
-$(AWSCLI): ## Download awscliv2 if not yet downloaded.
-	curl "https://awscli.amazonaws.com/awscli-exe-linux-$(shell uname -m).zip" -o "$(TOOLS_BIN)/awscliv2.zip"
-	cd $(TOOLS_BIN) && unzip -q $(TOOLS_BIN)/awscliv2.zip
-	rm $(TOOLS_BIN)/awscliv2.zip
+$(AWSCLI): ## Download, verify, and install awscliv2.
+	@mkdir -p $(TOOLS_BIN)
+	@echo "Downloading AWS CLI v$(AWSCLI_VERSION) for ${ARCH}"
+	curl -sL "https://awscli.amazonaws.com/awscli-exe-linux-$(ARCH)-$(AWSCLI_VERSION).zip" -o "$(TOOLS_BIN)/awscliv2.zip"
+	curl -sL "https://awscli.amazonaws.com/awscli-exe-linux-$(ARCH)-$(AWSCLI_VERSION).zip.sig" -o "$(TOOLS_BIN)/awscliv2.sig"
+	@echo "Verifying GPG signature using $(AWSCLI_PUB_KEY)"
+	gpg --import $(AWSCLI_PUB_KEY)
+	gpg --verify $(TOOLS_BIN)/awscliv2.sig $(TOOLS_BIN)/awscliv2.zip
+	cd $(TOOLS_BIN) && unzip -q awscliv2.zip
+	@rm $(TOOLS_BIN)/awscliv2.zip $(TOOLS_BIN)/awscliv2.sig
+	@echo "AWS CLI installed to $(AWSCLI)"
 
 GH = $(shell which gh)
 $(GH):
-	echo "GitHub CLI gh was not found. To install use your package manager."
-	exit 1
+	@echo "GitHub CLI gh was not found. To install use your package manager."
+	@exit 1