Azure · cpuguy83 · Sep 11, 2024
@@ -133,5 +133,5 @@ func specToRpmLLB(ctx context.Context, w worker, client gwclient.Client, spec *d
  specPath := filepath.Join("SPECS", spec.Name, spec.Name+".spec")
  st := rpm.Build(br, base, specPath, opts...)
 
- return frontend.MaybeSign(ctx, client, st, spec, targetKey, sOpt)
+ return frontend.MaybeSign(ctx, client, st, spec, targetKey, sOpt, opts...)
 }
@@ -96,7 +96,7 @@ func buildDeb(ctx context.Context, client gwclient.Client, spec *dalec.Spec, sOp
  return llb.Scratch(), err
  }
 
- signed, err := frontend.MaybeSign(ctx, client, st, spec, targetKey, sOpt)
+ signed, err := frontend.MaybeSign(ctx, client, st, spec, targetKey, sOpt, opts...)
  if err != nil {
  return llb.Scratch(), err
  }

@@ -2,7 +2,6 @@ package frontend
 
 import (
  "context"
- "fmt"
  "strconv"
 
  "github.com/Azure/dalec"
@@ -141,9 +140,9 @@ func marshalDockerfile(ctx context.Context, dt []byte, opts ...llb.ConstraintsOp
  return st.Marshal(ctx)
 }
 
-func getSigningConfigFromContext(ctx context.Context, client gwclient.Client, cfgPath string, configCtxName string, sOpt dalec.SourceOpts) (*dalec.PackageSigner, error) {
+func getSigningConfigFromContext(ctx context.Context, client gwclient.Client, cfgPath string, configCtxName string, sOpt dalec.SourceOpts, opts ...llb.ConstraintsOpt) (*dalec.PackageSigner, error) {
  sc := dalec.SourceContext{Name: configCtxName}
- signConfigState, err := sc.AsState([]string{cfgPath}, nil, sOpt)
+ signConfigState, err := sc.AsState([]string{cfgPath}, nil, sOpt, opts...)
  if err != nil {
  return nil, err
  }
@@ -180,7 +179,7 @@ func getSigningConfigFromContext(ctx context.Context, client gwclient.Client, cf
  return pc.Signer, nil
 }
 
-func MaybeSign(ctx context.Context, client gwclient.Client, st llb.State, spec *dalec.Spec, targetKey string, sOpt dalec.SourceOpts) (llb.State, error) {
+func MaybeSign(ctx context.Context, client gwclient.Client, st llb.State, spec *dalec.Spec, targetKey string, sOpt dalec.SourceOpts, opts ...llb.ConstraintsOpt) (llb.State, error) {
  if signingDisabled(client) {
  Warnf(ctx, client, st, "Signing disabled by build-arg %q", keySkipSigningArg)
  return st, nil
@@ -198,7 +197,7 @@ func MaybeSign(ctx context.Context, client gwclient.Client, st llb.State, spec *
  Warnf(ctx, client, st, "Root signing spec overridden by target signing spec: target %q", targetKey)
  }
 
- return forwardToSigner(ctx, client, cfg, st)
+ return forwardToSigner(ctx, client, cfg, st, opts...)
  }
 
  configCtxName := getSignContextNameWithDefault(client)
@@ -211,7 +210,7 @@ func MaybeSign(ctx context.Context, client gwclient.Client, st llb.State, spec *
  return llb.Scratch(), err
  }
 
- return forwardToSigner(ctx, client, cfg, st)
+ return forwardToSigner(ctx, client, cfg, st, opts...)
 }
 
 func getSignContextNameWithDefault(client gwclient.Client) string {
@@ -245,21 +244,20 @@ func getSignConfigCtxName(client gwclient.Client) string {
  return client.BuildOpts().Opts["build-arg:"+buildArgDalecSigningConfigContextName]
 }
 
-func forwardToSigner(ctx context.Context, client gwclient.Client, cfg *dalec.PackageSigner, s llb.State) (llb.State, error) {
+func forwardToSigner(ctx context.Context, client gwclient.Client, cfg *dalec.PackageSigner, s llb.State, opts ...llb.ConstraintsOpt) (llb.State, error) {
  const (
- sourceKey = "source"
- contextKey = "context"
- inputKey = "input"
+ // See https://github.com/moby/buildkit/blob/d8d946b85c52095d34a52ce210960832f4e06775/frontend/dockerui/context.go#L29
+ contextKey = "contextkey"
  )
 
- opts := client.BuildOpts().Opts
+ bopts := client.BuildOpts().Opts
 
  req, err := newSolveRequest(toFrontend(cfg.Frontend), withBuildArgs(cfg.Args))
  if err != nil {
  return llb.Scratch(), err
  }
 
- for k, v := range opts {
+ for k, v := range bopts {
  if k == "source" || k == "cmdline" {
  continue
  }
@@ -282,18 +280,19 @@ func forwardToSigner(ctx context.Context, client gwclient.Client, cfg *dalec.Pac
  }
  req.FrontendInputs = m
 
- stateDef, err := s.Marshal(ctx)
+ opts = append(opts, dalec.ProgressGroup("Sign package"))
+ stateDef, err := s.Marshal(ctx, opts...)
  if err != nil {
  return llb.Scratch(), err
  }
 
- req.FrontendOpt[contextKey] = compound(inputKey, contextKey)
- req.FrontendInputs[contextKey] = stateDef.ToPB()
- req.FrontendOpt["dalec.target"] = opts["dalec.target"]
+ req.FrontendOpt[contextKey] = dockerui.DefaultLocalNameContext
+ req.FrontendInputs[dockerui.DefaultLocalNameContext] = stateDef.ToPB()
+ req.FrontendOpt["dalec.target"] = bopts["dalec.target"]
 
  res, err := client.Solve(ctx, req)
  if err != nil {
- return llb.Scratch(), err
+ return llb.Scratch(), errors.Wrap(err, "error signing packages")
  }
 
  ref, err := res.SingleRef()
@@ -303,7 +302,3 @@ func forwardToSigner(ctx context.Context, client gwclient.Client, cfg *dalec.Pac
 
  return ref.ToState()
 }
-
-func compound(k, v string) string {
- return fmt.Sprintf("%s:%s", k, v)
-}
@@ -38,12 +38,12 @@ func handleZip(ctx context.Context, client gwclient.Client) (*gwclient.Result, e
  return nil, nil, err
  }
 
- bin, err := buildBinaries(ctx, spec, worker, client, sOpt, targetKey)
+ bin, err := buildBinaries(ctx, spec, worker, client, sOpt, targetKey, pg)
  if err != nil {
  return nil, nil, fmt.Errorf("unable to build binaries: %w", err)
  }
 
- st := getZipLLB(worker, spec.Name, bin)
+ st := getZipLLB(worker, spec.Name, bin, pg)
 
  def, err := st.Marshal(ctx)
  if err != nil {
@@ -82,7 +82,7 @@ func specToSourcesLLB(worker llb.State, spec *dalec.Spec, sOpt dalec.SourceOpts,
  return out, nil
 }
 
-func installBuildDeps(deps []string) llb.StateOption {
+func installBuildDeps(deps []string, opts ...llb.ConstraintsOpt) llb.StateOption {
  return func(s llb.State) llb.State {
  if len(deps) == 0 {
  return s
@@ -94,6 +94,7 @@ func installBuildDeps(deps []string) llb.StateOption {
  return s.Run(
  dalec.ShArgs("apt-get update && apt-get install -y "+strings.Join(sorted, " ")),
  dalec.WithMountedAptCache(aptCachePrefix),
+ dalec.WithConstraints(opts...),
  ).Root()
  }
 }
@@ -127,13 +128,13 @@ func withSourcesMounted(dst string, states map[string]llb.State, sources map[str
  return dalec.WithRunOptions(ordered...)
 }
 
-func buildBinaries(ctx context.Context, spec *dalec.Spec, worker llb.State, client gwclient.Client, sOpt dalec.SourceOpts, targetKey string) (llb.State, error) {
+func buildBinaries(ctx context.Context, spec *dalec.Spec, worker llb.State, client gwclient.Client, sOpt dalec.SourceOpts, targetKey string, opts ...llb.ConstraintsOpt) (llb.State, error) {
  deps := dalec.SortMapKeys(spec.GetBuildDeps(targetKey))
 
  // note: we do not yet support pinning build dependencies for windows workers
- worker = worker.With(installBuildDeps(deps))
+ worker = worker.With(installBuildDeps(deps, opts...))
 
- sources, err := specToSourcesLLB(worker, spec, sOpt)
+ sources, err := specToSourcesLLB(worker, spec, sOpt, opts...)
  if err != nil {
  return llb.Scratch(), errors.Wrap(err, "could not generate sources")
  }
@@ -149,17 +150,19 @@ func buildBinaries(ctx context.Context, spec *dalec.Spec, worker llb.State, clie
  withSourcesMounted("/build", patched, spec.Sources),
  llb.AddMount("/tmp/scripts", buildScript),
  llb.Network(llb.NetModeNone),
+ dalec.WithConstraints(opts...),
  ).AddMount(outputDir, llb.Scratch())
 
  return frontend.MaybeSign(ctx, client, st, spec, targetKey, sOpt)
 }
 
-func getZipLLB(worker llb.State, name string, artifacts llb.State) llb.State {
+func getZipLLB(worker llb.State, name string, artifacts llb.State, opts ...llb.ConstraintsOpt) llb.State {
  outName := filepath.Join(outputDir, name+".zip")
  zipped := worker.Run(
  dalec.ShArgs("zip "+outName+" *"),
  llb.Dir("/tmp/artifacts"),
  llb.AddMount("/tmp/artifacts", artifacts),
+ dalec.WithConstraints(opts...),
  ).AddMount(outputDir, llb.Scratch())
  return zipped
 }
@@ -197,6 +200,7 @@ func workerImg(sOpt dalec.SourceOpts, opts ...llb.ConstraintsOpt) (llb.State, er
  Run(
  dalec.ShArgs("apt-get update && apt-get install -y build-essential binutils-mingw-w64 g++-mingw-w64-x86-64 gcc git make pkg-config quilt zip"),
  dalec.WithMountedAptCache(aptCachePrefix),
+ dalec.WithConstraints(opts...),
  ).Root(), nil
 }
 

@@ -13,6 +13,7 @@ import (
  "github.com/moby/buildkit/client/llb"
  gwclient "github.com/moby/buildkit/frontend/gateway/client"
  moby_buildkit_v1_frontend "github.com/moby/buildkit/frontend/gateway/pb"
+ ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 var azlinuxConstraints = constraintsSymbols{
@@ -35,6 +36,7 @@ func TestMariner2(t *testing.T) {
  FormatDepEqual: func(v, _ string) string {
  return v
  },
+ ListExpectedSignFiles: azlinuxListSignFiles("cm2"),
  },
  LicenseDir: "/usr/share/licenses",
  SystemdDir: struct {
@@ -62,9 +64,10 @@ func TestAzlinux3(t *testing.T) {
  ctx := startTestSpan(baseCtx, t)
  testLinuxDistro(ctx, t, testLinuxConfig{
  Target: targetConfig{
- Package: "azlinux3/rpm",
- Container: "azlinux3/container",
- Worker: "azlinux3/worker",
+ Package: "azlinux3/rpm",
+ Container: "azlinux3/container",
+ Worker: "azlinux3/worker",
+ ListExpectedSignFiles: azlinuxListSignFiles("azl3"),
  },
  LicenseDir: "/usr/share/licenses",
  SystemdDir: struct {
@@ -86,6 +89,27 @@ func TestAzlinux3(t *testing.T) {
  })
 }
 
+func azlinuxListSignFiles(ver string) func(*dalec.Spec, ocispecs.Platform) []string {
+ return func(spec *dalec.Spec, platform ocispecs.Platform) []string {
+ base := fmt.Sprintf("%s-%s-%s.%s", spec.Name, spec.Version, spec.Revision, ver)
+
+ var arch string
+ switch platform.Architecture {
+ case "amd64":
+ arch = "x86_64"
+ case "arm64":
+ arch = "aarch64"
+ default:
+ arch = platform.Architecture
+ }
+
+ return []string{
+ filepath.Join("SRPMS", fmt.Sprintf("%s.src.rpm", base)),
+ filepath.Join("RPMS", arch, fmt.Sprintf("%s.%s.rpm", base, arch)),
+ }
+ }
+}
+
 func azlinuxWithRepo(rpms llb.State) llb.StateOption {
  return func(in llb.State) llb.State {
  localRepo := []byte(`
@@ -145,6 +169,10 @@ type targetConfig struct {
  // what is neccessary for the target distro to set a dependency for an equals
  // operator.
  FormatDepEqual func(ver, rev string) string
+
+ // Given a spec, list all files (including the full path) that are expected
+ // to be sent to be signed.
+ ListExpectedSignFiles func(*dalec.Spec, ocispecs.Platform) []string
 }
 
 type testLinuxConfig struct {
@@ -491,7 +519,7 @@ echo "$BAR" > bar.txt
  })
  })
 
- t.Run("test signing", linuxSigningTests(ctx, testConfig))
+ t.Run("signing", linuxSigningTests(ctx, testConfig))
 
  t.Run("test systemd unit single", func(t *testing.T) {
  t.Parallel()

@@ -5,15 +5,18 @@ import (
  _ "embed"
  "encoding/json"
  "fmt"
+ "io/fs"
  "os"
  "strings"
 
- "github.com/Azure/dalec/frontend"
+ "github.com/Azure/dalec/frontend/pkg/bkfs"
  "github.com/moby/buildkit/client/llb"
+ "github.com/moby/buildkit/frontend/dockerui"
  gwclient "github.com/moby/buildkit/frontend/gateway/client"
  "github.com/moby/buildkit/frontend/gateway/grpcclient"
  "github.com/moby/buildkit/util/appcontext"
  "github.com/moby/buildkit/util/bklog"
+ "github.com/pkg/errors"
  "github.com/sirupsen/logrus"
  "google.golang.org/grpc/grpclog"
 )
@@ -28,11 +31,6 @@ func main() {
  bopts := c.BuildOpts().Opts
  target := bopts["dalec.target"]
 
- inputs, err := c.Inputs(ctx)
- if err != nil {
- return nil, err
- }
-
  type config struct {
  OS string
  }
@@ -46,33 +44,56 @@ func main() {
  cfg.OS = "linux"
  }
 
- curFrontend, ok := c.(frontend.CurrentFrontend)
- if !ok {
- return nil, fmt.Errorf("cast to currentFrontend failed")
+ dc, err := dockerui.NewClient(c)
+ if err != nil {
+ return nil, err
  }
 
- basePtr, err := curFrontend.CurrentFrontend()
- if err != nil || basePtr == nil {
- if err == nil {
- err = fmt.Errorf("base frontend ptr was nil")
- }
+ bctx, err := dc.MainContext(ctx)
+ if err != nil {
  return nil, err
  }
 
- inputId := strings.TrimPrefix(bopts["context"], "input:")
- _, ok = inputs[inputId]
- if !ok {
+ if bctx == nil {
  return nil, fmt.Errorf("no artifact state provided to signer")
  }
 
+ artifactsFS, err := bkfs.FromState(ctx, bctx, c)
+ if err != nil {
+ return nil, err
+ }
+
  configBytes, err := json.Marshal(&cfg)
  if err != nil {
  return nil, err
  }
 
+ var files []string
+ err = fs.WalkDir(artifactsFS, ".", func(p string, info fs.DirEntry, err error) error {
+ if err != nil {
+ return err
+ }
+
+ if info.IsDir() {
+ return nil
+ }
+
+ files = append(files, p)
+ return nil
+ })
+ if err != nil {
+ return nil, errors.Wrap(err, "error walking artifacts")
+ }
+
+ mfst, err := json.Marshal(files)
+ if err != nil {
+ return nil, errors.Wrap(err, "error marshalling file manifest")
+ }
+
  output := llb.Scratch().
  File(llb.Mkfile("/target", 0o600, []byte(target))).
- File(llb.Mkfile("/config.json", 0o600, configBytes))
+ File(llb.Mkfile("/config.json", 0o600, configBytes)).
+ File(llb.Mkfile("/manifest.json", 0o600, mfst))
 
  // For any build-arg seen, write a file to /env/<KEY> with the contents
  // being the value of the arg.