From ab580636e6ad73be6902f46e1f8ecdf2fd823759 Mon Sep 17 00:00:00 2001 From: Le-Caignec Date: Thu, 21 Aug 2025 16:32:26 +0200 Subject: [PATCH 1/4] feat: update signing key generation and image tagging for TEE application --- .../advanced/create-your-first-sgx-app.md | 35 +++++++++++-------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/src/guides/build-iapp/advanced/create-your-first-sgx-app.md b/src/guides/build-iapp/advanced/create-your-first-sgx-app.md index 9894b2f..4b65d4c 100644 --- a/src/guides/build-iapp/advanced/create-your-first-sgx-app.md +++ b/src/guides/build-iapp/advanced/create-your-first-sgx-app.md @@ -74,6 +74,19 @@ chmod +x sconify.sh ## Build the TEE docker image +Before wrapping your iExec confidential application with Scone, you need to +generate a custom signing key. This key is required for the sconification +process and will be referenced in the Docker command below. + +Generate your enclave signing key with: + +```bash +openssl genrsa -3 -out enclave-key.pem 3072 +``` + +This will create an `enclave-key.pem` file in your current directory. You will +use this file in the sconify Docker command to sign your TEE image. + We will use the following script to wrap the sconification process, copy the `sconify.sh` script in the current directory: @@ -88,10 +101,11 @@ ENTRYPOINT="node /app/app.js" # Declare image related variables IMG_NAME=tee-scone-hello-world IMG_FROM=/hello-world:1.0.0 -IMG_TO=/${IMG_NAME}:1.0.0-debug +IMG_TO=/${IMG_NAME}:1.0.0 # Run the sconifier to build the TEE image based on the non-TEE image docker run -it --rm \ + -v $PWD/enclave-key.pem:/sig/enclave-key.pem \ -v /var/run/docker.sock:/var/run/docker.sock \ registry.scontain.com/scone-production/iexec-sconify-image:5.9.1-v16\ sconify_iexec \ 
@@ -122,10 +136,11 @@ ENTRYPOINT="python3 /app/app.py" # Declare image related variables IMG_NAME=tee-scone-hello-world IMG_FROM=/hello-world:1.0.0 -IMG_TO=/${IMG_NAME}:1.0.0-debug +IMG_TO=/${IMG_NAME}:1.0.0 # Run the sconifier to build the TEE image based on the non-TEE image docker run -it \ + -v $PWD/enclave-key.pem:/sig/enclave-key.pem \ -v /var/run/docker.sock:/var/run/docker.sock \ registry.scontain.com/scone-production/iexec-sconify-image:5.9.1-v16\ sconify_iexec \ @@ -158,21 +173,11 @@ Run the `sconify.sh` script to build the Scone TEE application: Push your image on DockerHub: ```bash -docker push /tee-scone-hello-world:1.0.0-debug +docker push /tee-scone-hello-world:1.0.0 ``` Congratulations, you just built your Scone TEE application. -::: info - -You may have noticed the `tee-debug` flag in the image name, the built image is -actually in TEE debug mode, this allows you to have some debug features while -developing the app. - -Once you are happy with the debug app, contact us to go to production! - -::: - ## Test your app on iExec At this stage, your application is ready to be tested on iExec. The process is @@ -198,7 +203,7 @@ Edit `iexec.json` and fill in the standard keys and the `mrenclave` object: "owner": "", // starts with 0x "name": "tee-scone-hello-world", // application name "type": "DOCKER", - "multiaddr": "docker.io//tee-scone-hello-world:1.0.0-debug", // app image + "multiaddr": "docker.io//tee-scone-hello-world:1.0.0", // app image "checksum": "", // starts with 0x, update it with your own image digest "mrenclave": { "framework": "SCONE", // TEE framework (keep default value) @@ -225,7 +230,7 @@ Run your TEE image with `SCONE_HASH=1` to get the enclave fingerprint (mrenclave): ```bash -docker run --rm -e SCONE_HASH=1 /tee-scone-hello-world:1.0.0-debug +docker run --rm -e SCONE_HASH=1 /tee-scone-hello-world:1.0.0 ``` ::: From 1c46d93a05d299f047e614fc72d5f89762b3336b Mon Sep 17 00:00:00 2001 
From: Le-Caignec Date: Thu, 21 Aug 2025 16:33:05 +0200 Subject: [PATCH 2/4] chore: remove warning about omitted best practices in demo examples --- .../build-iapp/advanced/create-your-first-sgx-app.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/src/guides/build-iapp/advanced/create-your-first-sgx-app.md b/src/guides/build-iapp/advanced/create-your-first-sgx-app.md index 4b65d4c..12c6fea 100644 --- a/src/guides/build-iapp/advanced/create-your-first-sgx-app.md +++ b/src/guides/build-iapp/advanced/create-your-first-sgx-app.md @@ -43,14 +43,6 @@ docker login registry.scontain.com ## Prepare your application -::: warning - -For demo purposes, we omitted some development best practices in these examples. - -Make sure to check your field's best practices before going to production. - -::: - Before going further, your `/hello-world:1.0.0` image built previously is required. From 9d1359fbb808c53db44bee432bb5693cdb3687c1 Mon Sep 17 00:00:00 2001 From: Le-Caignec Date: Thu, 21 Aug 2025 17:07:15 +0200 Subject: [PATCH 3/4] fix: update signing key generation instructions and clean up example scripts --- .../advanced/create-your-first-sgx-app.md | 34 ++++--------------- 1 file changed, 6 insertions(+), 28 deletions(-) diff --git a/src/guides/build-iapp/advanced/create-your-first-sgx-app.md b/src/guides/build-iapp/advanced/create-your-first-sgx-app.md index 12c6fea..9d6ae45 100644 --- a/src/guides/build-iapp/advanced/create-your-first-sgx-app.md +++ b/src/guides/build-iapp/advanced/create-your-first-sgx-app.md @@ -67,8 +67,7 @@ chmod +x sconify.sh ## Build the TEE docker image Before wrapping your iExec confidential application with Scone, you need to -generate a custom signing key. This key is required for the sconification -process and will be referenced in the Docker command below. +generate a custom signing key. This key is used for the sconification process. Generate your enclave signing key with: 
@@ -84,16 +83,12 @@ We will use the following script to wrap the sconification process, copy the ::: code-group -```bash [for Javascript] +```bash [Javascript] #!/bin/bash -# Declare the app entrypoint -ENTRYPOINT="node /app/app.js" - # Declare image related variables -IMG_NAME=tee-scone-hello-world IMG_FROM=/hello-world:1.0.0 -IMG_TO=/${IMG_NAME}:1.0.0 +IMG_TO=/tee-scone-hello-world:1.0.0 # Run the sconifier to build the TEE image based on the non-TEE image docker run -it --rm \ @@ -101,7 +96,6 @@ docker run -it --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ registry.scontain.com/scone-production/iexec-sconify-image:5.9.1-v16\ sconify_iexec \ - --name=${IMG_NAME} \ --from=${IMG_FROM} \ --to=${IMG_TO} \ --binary-fs \ @@ -111,32 +105,25 @@ docker run -it --rm \ --binary=/usr/local/bin/node \ --heap=1G \ --dlopen=1 \ - --no-color \ --verbose \ - --command=${ENTRYPOINT} \ && echo -e "\n------------------\n" \ && echo "successfully built TEE docker image => ${IMG_TO}" \ && echo "application mrenclave.fingerprint is $(docker run --rm -e SCONE_HASH=1 ${IMG_TO})" ``` -```bash [for Python] +```bash [Python] #!/bin/bash -# Declare the app entrypoint -ENTRYPOINT="python3 /app/app.py" - # Declare image related variables -IMG_NAME=tee-scone-hello-world IMG_FROM=/hello-world:1.0.0 -IMG_TO=/${IMG_NAME}:1.0.0 +IMG_TO=/tee-scone-hello-world:1.0.0 # Run the sconifier to build the TEE image based on the non-TEE image -docker run -it \ +docker run -it --rm \ -v $PWD/enclave-key.pem:/sig/enclave-key.pem \ -v /var/run/docker.sock:/var/run/docker.sock \ registry.scontain.com/scone-production/iexec-sconify-image:5.9.1-v16\ sconify_iexec \ - --name=${IMG_NAME} \ --from=${IMG_FROM} \ --to=${IMG_TO} \ --binary-fs \ 
@@ -146,9 +133,7 @@ docker run -it \ --binary=/usr/local/bin/python3 \ --heap=1G \ --dlopen=1 \ - --no-color \ --verbose \ - --command=${ENTRYPOINT} \ && echo -e "\n------------------\n" \ && echo "successfully built TEE docker image => ${IMG_TO}" \ && echo "application mrenclave.fingerprint is $(docker run --rm -e SCONE_HASH=1 ${IMG_TO})" @@ -248,13 +233,6 @@ iexec app run --chain {{chainName}} --tag tee,scone --workerpool {{workerpoolAdd ::: info -You noticed we used `{{workerpoolAddress}}` instead of an ethereum address, this -is an ENS name. - -::: - -::: info - Remember, you can access task and app logs by following the instructions on page [Debug your tasks](/guides/build-iapp/debugging). From 4f3fa4dc28d2b1cb9b422e12bc4fa6b085192dbe Mon Sep 17 00:00:00 2001 From: Le-Caignec Date: Thu, 21 Aug 2025 17:42:09 +0200 Subject: [PATCH 4/4] fix: update installation commands for consistency across package managers --- src/guides/build-iapp/manage-access.md | 16 ++++++++++++---- .../use-iapp/run-iapp-without-ProtectedData.md | 8 ++++---- src/references/dataProtector/migrate-from-v1.md | 2 +- 3 files changed, 17 insertions(+), 9 deletions(-) diff --git a/src/guides/build-iapp/manage-access.md b/src/guides/build-iapp/manage-access.md index ecb6425..6efb38f 100644 --- a/src/guides/build-iapp/manage-access.md +++ b/src/guides/build-iapp/manage-access.md @@ -71,12 +71,20 @@ CLI: ::: code-group -```bash [npm] -npm install -g iexec +```sh [npm] +npm install iexec ``` -```bash [yarn] -yarn global add iexec +```sh [yarn] +yarn add iexec +``` + +```sh [pnpm] +pnpm add iexec +``` + +```sh [bun] +bun add iexec ``` ::: diff --git a/src/guides/use-iapp/run-iapp-without-ProtectedData.md b/src/guides/use-iapp/run-iapp-without-ProtectedData.md index 53ac2e2..36d35ed 100644 --- a/src/guides/use-iapp/run-iapp-without-ProtectedData.md +++ b/src/guides/use-iapp/run-iapp-without-ProtectedData.md 
@@ -21,19 +21,19 @@ Before you begin, make sure you have the iExec SDK installed. ::: code-group ```sh [npm] -npm install -g iexec +npm install iexec ``` ```sh [yarn] -yarn global add iexec +yarn add iexec ``` ```sh [pnpm] -pnpm add -g iexec +pnpm add iexec ``` ```sh [bun] -bun add -g iexec +bun add iexec ``` ::: diff --git a/src/references/dataProtector/migrate-from-v1.md b/src/references/dataProtector/migrate-from-v1.md index 6e8ae51..3a1844a 100644 --- a/src/references/dataProtector/migrate-from-v1.md +++ b/src/references/dataProtector/migrate-from-v1.md @@ -5,7 +5,7 @@ description: the latest npm package --- -# Migrate from V1 to V2 +# Migrate from V1 to V2 ::: tip
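Review bot: The key-generation text added in PATCH 1/4 (create-your-first-sgx-app.md, hunk at -74,6 +74,19) leaves `enclave-key.pem` unencrypted in the current directory and gives no handling guidance, even though the same paragraph says this key signs the TEE image. Add a sentence telling readers to keep the file out of version control and to restrict its permissions (for example `chmod 600 enclave-key.pem`), and say whether the same key has to be kept for later rebuilds of the image.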
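Review bot: The mount line `-v $PWD/enclave-key.pem:/sig/enclave-key.pem` added to both `sconify.sh` variants in PATCH 1/4 (hunks at -88,10 +101,11 and -122,10 +136,11, unchanged by PATCH 3/4) has an unquoted `$PWD` and mounts the private key read-write. Quote the host path and, if the sconifier only reads the key, mount it read-only: `-v "$PWD/enclave-key.pem":/sig/enclave-key.pem:ro`. The script also never checks that the key exists; with `-v`, a missing host path is created by Docker as a directory, so a guard such as `[ -f enclave-key.pem ] || exit 1` before `docker run` would give a clearer failure.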
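Review bot: Deleting the `::: info` block in PATCH 1/4 (hunk at -158,21 +173,11) removes the only explanation of the `-debug` suffix, and nothing in the added text says which mode the `1.0.0` image now runs in or why the tag changed. Add a short replacement note that states what signing with a custom key changes compared with the previous debug image, and remind readers who already registered `1.0.0-debug` that `multiaddr`, `checksum` and the `mrenclave` fingerprint in `iexec.json` all have to be updated for the new image.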
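Review bot: PATCH 2/4 removes the `::: warning` block under "Prepare your application" as a `chore` with no reason in the commit message, while PATCH 1/4 of the same series moves the guide from a `-debug` tag to a plain `1.0.0` tag. If the examples still omit practices that a production app needs, keep the warning or replace it with the specific items; if they no longer do, say so in the commit message so the removal can be checked.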
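Review bot: Removing `--command=${ENTRYPOINT}` together with the `ENTRYPOINT` variable from both scripts in PATCH 3/4 (hunks from -84,16 +83,12 through -146,9 +133,7) is a behaviour change filed under "clean up example scripts", and the guide no longer says where the start command of the TEE image comes from. State in the prose above the code group how the entrypoint is now determined, or keep the flag. The same question applies to the dropped `--name=${IMG_NAME}`; the commit message should say why these flags are no longer needed.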
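Review bot: In PATCH 4/4 the manage-access.md hunk sits directly under the context line `CLI:` yet changes `npm install -g iexec` to `npm install iexec` (and likewise for yarn, pnpm and bun in run-iapp-without-ProtectedData.md). A project-local install does not put the `iexec` binary on `PATH`, so commands the docs write as `iexec ...` (for example `iexec app run` in create-your-first-sgx-app.md) will not resolve unless they are run through `npx iexec` or a package script. Keep the global form where the CLI is meant, or show the `npx` invocation next to the local install.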
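Review bot: The migrate-from-v1.md hunk in PATCH 4/4 replaces `# Migrate from V1 to V2` with a line that reads the same, and the change is unrelated to the installation commands named in the commit subject. If this is a whitespace or invisible-character fix, move it to its own commit or mention it in the message.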