Remove port auto-detect on macos, getting rid of CGO

With CGO out of the way the make-release-builds.sh script can build
binaries for all OSs & architectures reproducibly in a container. Also
create a Macos univeral binary.

Commit checksums of all tkey-verification binaries (of the next version
that is expected to be released), which the script checks after
building.

Signed-off-by: Daniel Lublin <[email protected]>

Author: quite

.gitignore

@@ -1,4 +1,5 @@
 /gotools/golangci-lint
 /gotools/certstrap
+/gotools/lipo
 /show-pubkey
 /tkey-verification

Makefile

@@ -33,7 +33,9 @@ clean:
 .PHONY: lint
 lint:
 	$(MAKE) -C gotools golangci-lint
-	./gotools/golangci-lint run
+	GOOS=linux   ./gotools/golangci-lint run
+	GOOS=windows ./gotools/golangci-lint run
+	GOOS=darwin  ./gotools/golangci-lint run
 
 .PHONY: certs
 certs:

README.md

@@ -6,10 +6,18 @@ produced by [Tillitis](https://tillitis.se/) (the vendor).
 
 If you own a TKey and want make sure it's genuine you can follow
 [these
-instructions](https://tillitis.se/app/tkey-device-verification/) (On
+instructions](https://tillitis.se/app/tkey-device-verification/) (on
 Tillitis' web). Or just download a release of the tool right away:
 https://github.com/tillitis/tkey-verification/releases
 
+The published binaries can be reproduced by running
+`./make-release-builds.sh` with the wanted version (for example
+"0.0.2"). The [release-builds](release-builds) directory contains
+checksums of released versions (since we got reproducibility in
+place), which the script verifies after building. Running the script
+requires a rootless podman setup. On Ubuntu 22.10, running `apt
+install podman rootlesskit slirp4netns` should be enough.
+
 ## Terminology
 
 - "device under verification": The device the vendor is provisioning
@@ -276,3 +284,25 @@ Example file content:
   "signature": "db4e7a72b720b33f6d4887df0f9dcdd6988ca8adb6b0042d8e8c92b5be3e4e39d908f166d093f3ab20880102d43a2b0c8e31178ab7cdb59977dcf7204116cc0c"
 }
 ```
+
+## Making releases of tkey-verification
+
+Make the new release binaries for the expected version:
+
+    ./make-release-builds 0.0.42
+
+Generate and commit the new checksums:
+
+    ./gen-release-checksums 0.0.42
+    git add release-builds/*_0.0.42_*.sha512
+    git commit -m "Release 0.0.42"
+
+Then tag a new version and push it all:
+
+    git tag -a v0.0.42 -m v0.0.42
+    git push origin main v0.0.42
+
+Publish the new release at
+https://github.com/tillitis/tkey-verification/releases and upload the
+binaries and checksum files. For MacOS we'll provide only the
+universal binary.

build-appbin-in-container.sh

@@ -55,7 +55,7 @@ cname="tkey-build"
 
 podman run -it --name "$cname" \
        --mount type=bind,source="$(pwd)",target=/contrib \
-       ghcr.io/tillitis/tkey-builder:1 \
+       ghcr.io/tillitis/tkey-builder:2 \
        /bin/bash /contrib/containerbuild "$tag" "$appsrepotag"
 
 podman cp "$cname":/tkey-verification/apps/verisigner/app.bin "$destd/$destf"

cmd/tkey-verification/main.go

@@ -87,9 +87,9 @@ Known firmwares:
 		desc := fmt.Sprintf(`Usage: %s command [flags...]
 
 Commands:
-  serve-signer  TODO write...
+  serve-signer  Run the server that offers an API for creating vendor signatures.
 
-  remote-sign   TODO write...
+  remote-sign   Call the remote signing server to sign for a local TKey.
 
   verify        Verify that a TKey is genuine by extracting the TKey UDI and using it
                 to fetch the verification data, including tag and signature from the

cmd/tkey-verification/verify.go

@@ -128,7 +128,7 @@ func verify(devPath string, verbose bool, showURLOnly bool, baseDir string, veri
 func verificationFromURL(verifyURL string) (Verification, error) {
 	var verification Verification
 
-	le.Printf("Fetching %s ...\n", verifyURL)
+	le.Printf("Fetching verification data from %s ...\n", verifyURL)
 	client := http.Client{Timeout: 10 * time.Second}
 	resp, err := client.Get(verifyURL) // #nosec G107
 	if err != nil {
@@ -155,7 +155,7 @@ func verificationFromURL(verifyURL string) (Verification, error) {
 func verificationFromFile(fn string) (Verification, error) {
 	var verification Verification
 
-	le.Printf("Reading %s ...\n", fn)
+	le.Printf("Reading verification data from file %s ...\n", fn)
 	verificationJSON, err := os.ReadFile(fn)
 	if err != nil {
 		return verification, fmt.Errorf("ReadFile failed: %w", err)

gen-release-checksums

@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+if ! hash 2>/dev/null sha512sum; then
+  sha512sum() {
+    shasum -a 512 "$@"
+  }
+fi
+
+version="$1"
+if [ -z "$version" ]; then
+  printf "give me a version number\n"
+  exit 1
+fi
+shift
+
+cd release-builds
+
+any=
+for file in *_"$version"_*; do
+  [ -e "$file" ] || continue
+  [ "${file##*.}" != "sha512" ] || continue
+  hashf="$file.sha512"
+  if [ -e "$hashf" ]; then
+    printf "%s already exists, bailing out\n" "$hashf"
+    exit 1
+  fi
+  sha512sum >"$hashf" "$file"
+  printf "wrote %s\n" "$hashf"
+  any=any
+done
+
+if [ -z "$any" ]; then
+  printf "no binaries in release-builds/ with that version?\n"
+fi

gotools/Makefile

@@ -15,3 +15,10 @@ certstrap:
 	go mod download github.com/square/certstrap
 	go mod tidy
 	go build github.com/square/certstrap
+
+# .PHONY to let go-build handle deps and rebuilds
+.PHONY: lipo
+lipo:
+	go mod download github.com/konoui/lipo
+	go mod tidy
+	go build github.com/konoui/lipo

gotools/go.mod

@@ -4,6 +4,7 @@ go 1.19
 
 require (
 	github.com/golangci/golangci-lint v1.51.0
+	github.com/konoui/lipo v0.4.1
 	github.com/square/certstrap v1.3.0
 )
 
@@ -87,6 +88,7 @@ require (
 	github.com/kisielk/errcheck v1.6.3 // indirect
 	github.com/kisielk/gotool v1.0.0 // indirect
 	github.com/kkHAIKE/contextcheck v1.1.3 // indirect
+	github.com/konoui/go-qsort v0.0.1 // indirect
 	github.com/kulti/thelper v0.6.3 // indirect
 	github.com/kunwardeep/paralleltest v1.0.6 // indirect
 	github.com/kyoh86/exportloopref v0.1.11 // indirect

gotools/go.sum

@@ -330,6 +330,10 @@ github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kkHAIKE/contextcheck v1.1.3 h1:l4pNvrb8JSwRd51ojtcOxOeHJzHek+MtOyXbaR0uvmw=
 github.com/kkHAIKE/contextcheck v1.1.3/go.mod h1:PG/cwd6c0705/LM0KTr1acO2gORUxkSVWyLJOFW5qoo=
+github.com/konoui/go-qsort v0.0.1 h1:7scLI7DAKynqS6enK0vnpwoiw7L38pBI49ofIahb9rc=
+github.com/konoui/go-qsort v0.0.1/go.mod h1:UOsvdDPBzyQDk9Tb21hETK6KYXGYQTnoZB5qeKA1ARs=
+github.com/konoui/lipo v0.4.1 h1:DbaBYvafcdXx2DMlmMtwVugO8GywlFgywR7qZGMxP1E=
+github.com/konoui/lipo v0.4.1/go.mod h1:PpyG5pH3dW3h7QSsAu69JZIBZ4V5e9fg/H67azfQ1f8=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=

gotools/gotools.go

@@ -1,10 +1,11 @@
-// Copyright (C) 2022 - Tillitis AB
+// Copyright (C) 2022, 2023 - Tillitis AB
 // SPDX-License-Identifier: GPL-2.0-only
 
 package gotools
 
 import (
 	// Import tools we use
 	_ "github.com/golangci/golangci-lint/cmd/golangci-lint"
+	_ "github.com/konoui/lipo"
 	_ "github.com/square/certstrap"
 )

internal/firmwares/firmwares.go

@@ -68,7 +68,7 @@ func initFirmwares() error {
 
 	var err error
 
-	// TODO This is the default/qemu UDI0, with firmware from main at
+	// This is the default/qemu UDI0, with firmware from main at
 	// c126199a41149f6284aa9533e72395c978733b44
 	err = addFirmware("00010203", 0x0010, 8, 3, 4192, "3769540390ee3d990ea3f9e4cc9a0d1af5bcaebb82218185a78c39c6bf01d9cdc305ba253a1fb9f3f9fcc63d97c8e5f34bbb1f7bec56a8f246f1d2239867b623")
 	if err != nil {

internal/util/ports_darwin.go

@@ -0,0 +1,21 @@
+// Copyright (C) 2023 - Tillitis AB
+// SPDX-License-Identifier: GPL-2.0-only
+
+//go:build darwin
+
+package util
+
+import (
+	"fmt"
+	"os"
+)
+
+func DetectSerialPort(verbose bool) (string, error) {
+	fmt.Fprintf(os.Stderr, `Serial port detection is not available on MacOS.
+Please find the serial port device path using:
+    ls -l /dev/cu.*
+Then run like:
+    tkey-verification command --port /dev/cu.usbmodemN
+`)
+	return "", fmt.Errorf("not available on MacOS")
+}

internal/util/ports.go renamed to internal/util/ports_linuxwindows.go

@@ -1,6 +1,8 @@
-// Copyright (C) 2022 - Tillitis AB
+// Copyright (C) 2023 - Tillitis AB
 // SPDX-License-Identifier: GPL-2.0-only
 
+//go:build linux || windows
+
 package util
 
 import (
@@ -10,15 +12,18 @@ import (
 	"go.bug.st/serial/enumerator"
 )
 
+const (
+	tillitisUSBVID = "1207"
+	tillitisUSBPID = "8887"
+)
+
 type constError string
 
 func (err constError) Error() string {
 	return string(err)
 }
 
 const (
-	tillitisUSBVID = "1207"
-	tillitisUSBPID = "8887"
 	// Custom errors
 	ErrNoDevice    = constError("no TKey connected")
 	ErrManyDevices = constError("more than one TKey connected")
@@ -30,7 +35,7 @@ type SerialPort struct {
 }
 
 func DetectSerialPort(verbose bool) (string, error) {
-	ports, err := GetSerialPorts()
+	ports, err := getSerialPorts()
 	if err != nil {
 		return "", err
 	}
@@ -56,19 +61,19 @@ func DetectSerialPort(verbose bool) (string, error) {
 	return ports[0].DevPath, nil
 }
 
-func GetSerialPorts() ([]SerialPort, error) {
+func getSerialPorts() ([]SerialPort, error) {
 	var ports []SerialPort
+
 	portDetails, err := enumerator.GetDetailedPortsList()
 	if err != nil {
 		return nil, fmt.Errorf("GetDetailedPortsList: %w", err)
 	}
-	if len(portDetails) == 0 {
-		return ports, nil
-	}
+
 	for _, port := range portDetails {
 		if port.IsUSB && port.VID == tillitisUSBVID && port.PID == tillitisUSBPID {
 			ports = append(ports, SerialPort{port.Name, port.SerialNumber})
 		}
 	}
+
 	return ports, nil
 }