monitor

command
v0.0.0-...-e10fca2
Published: Oct 11, 2023 License: Apache-2.0 Imports: 22 Imported by: 0

README

Reproducible Build Verifier

This tool continuously monitors the log for claims about published builds. The log's properties are checked to ensure that the log is consistent with any previously seen view, and that every claim is verifiably committed to by the log.

For each FirmwareRelease manifest claim that it hasn't seen before, the following steps are taken:

  1. The source repository is cloned at the release tag
  2. The git revision at the tag is checked against the manifest
  3. The imx file is compiled from source
  4. The hash for the imx in the manifest is compared against the locally built version

Running

In order to control the environment in which the code will be built, a Dockerfile is supplied which will create a compatible environment.

This image can be built and executed using the following commands:

docker build . -t armory-drive-monitor -f ./cmd/monitor/Dockerfile
docker run armory-drive-monitor -v=1

Note that it is expected that the first entry in the log is not reproducibly built. This is because of https://github.com/golang/go/issues/48557 which was fixed in https://github.com/usbarmory/armory-drive/commit/f3a32e3ab3aac6866a3bd8b70a6575d87335ef5d.
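Steps 2 and 4 of the list above, together with the expected mismatch for the first log entry, shown in Go as an added example (not the monitor's own code). The Claim type, its field names, the error values and the allow-list of log indices are hypothetical, and the sample bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Claim is a hypothetical stand-in for a FirmwareRelease manifest claim.
type Claim struct {
	Tag       string // release tag that gets cloned
	Revision  string // git commit the manifest says the tag points at
	IMXSHA256 []byte // SHA-256 of the imx file according to the manifest
}

var ErrRevision = errors.New("tag does not resolve to the claimed revision")
var ErrHash = errors.New("locally built imx does not match the claimed hash")

// Verify takes the commit found after cloning at c.Tag and the locally built imx.
func Verify(c Claim, checkedOut string, built []byte) error {
	if checkedOut != c.Revision {
		return fmt.Errorf("%w: tag %s: got %s, want %s", ErrRevision, c.Tag, checkedOut, c.Revision)
	}
	sum := sha256.Sum256(built)
	if !bytes.Equal(sum[:], c.IMXSHA256) {
		return fmt.Errorf("%w: tag %s: got %x, want %x", ErrHash, c.Tag, sum, c.IMXSHA256)
	}
	return nil
}

// Report classifies the result for the leaf at a log index. Indices in expected
// (an assumed allow-list) may fail the hash check only; any other error fails.
func Report(index uint64, err error, expected map[uint64]bool) string {
	switch {
	case err == nil:
		return "reproduced"
	case errors.Is(err, ErrHash) && expected[index]:
		return "known-unreproducible"
	default:
		return "FAILED"
	}
}

func main() {
	img := []byte("constructed imx bytes") // constructed sample input
	sum := sha256.Sum256(img)
	c := Claim{Tag: "v0", Revision: "abc", IMXSHA256: sum[:]}
	fmt.Println(Report(1, Verify(c, "abc", img), nil))
}
```

Keeping the allow-list scoped to hash mismatches means a tag that resolves to a different commit is still reported, even for an entry that is known not to reproduce.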

TODO

  • Support for toolchains other than tamago 1.17.1
  • More visible reporting mechanisms than glog on success/failure

Documentation

Overview

monitor starts a long-running process that will continually follow a log for new checkpoints. All checkpoints are checked for consistency, and all leaves in the tree will be downloaded, verified, and the release info will be reproducibly verified. This tool has a number of expectations of the environment, such as a working tamago installation, git, and other make tooling. See the README and Dockerfile in this directory for more details.

Copyright 2022 The Project Authors. All Rights Reserved.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
