From e063373f7f2e3ebcb751eafd0af0340927a5860e Mon Sep 17 00:00:00 2001 From: Jan Dubois Date: Thu, 1 Feb 2024 09:16:27 -0800 Subject: [PATCH 1/5] =?UTF-8?q?Bump=20package=20version=201.12.2=20?= =?UTF-8?q?=E2=86=92=201.12.3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jan Dubois --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 7ef6e94dc81..655a4216186 100644 --- a/package.json +++ b/package.json @@ -2,7 +2,7 @@ "name": "rancher-desktop", "productName": "Rancher Desktop", "license": "Apache-2.0", - "version": "1.12.2", + "version": "1.12.3", "author": { "name": "SUSE", "email": "containers@suse.com" From d991e1b395e6145f472915fb97da6c729b332135 Mon Sep 17 00:00:00 2001 From: Mark Yen Date: Tue, 9 Jan 2024 10:18:13 -0800 Subject: [PATCH 2/5] Signing: also produce signed zip file on macOS We use the zip file for upgrades on macOS; therefore, we need to ensure we emit a zip file during signing there so that we can have an artifact with signed applications for the user to upgrade to. Signed-off-by: Mark Yen (cherry picked from commit eed8ba13eaffa412d8ab2ea6c771e025325488db) --- .github/actions/spelling/expect.txt | 1 + scripts/lib/sign-macos.ts | 22 ++++++++++++++-------- scripts/lib/sign-win32.ts | 4 ++-- scripts/sign.ts | 15 +++++++++------ 4 files changed, 26 insertions(+), 16 deletions(-) diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index 1746e6e594c..b8f60bb557b 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -68,6 +68,7 @@ bindir binfmt bitnami blkio +blockmap bootfs bosco bottlesofbeeronthewall diff --git a/scripts/lib/sign-macos.ts b/scripts/lib/sign-macos.ts index 2adca8ea3b6..e3b006aaf5f 100644 --- a/scripts/lib/sign-macos.ts +++ b/scripts/lib/sign-macos.ts 
@@ -31,7 +31,7 @@ type SigningConfig = { remove: string[]; }; -export async function sign(workDir: string): Promise { +export async function sign(workDir: string): Promise { const certFingerprint = process.env.CSC_FINGERPRINT ?? ''; const appleId = process.env.APPLEID; const appleIdPassword = process.env.AC_PASSWORD; @@ -125,28 +125,34 @@ export async function sign(workDir: string): Promise { throw new Error(message.join('\n')); } - console.log('Building disk image...'); + console.log('Building disk image and update archive...'); const arch = process.env.M1 ? Arch.arm64 : Arch.x64; const productFileName = config.productName?.replace(/\s+/g, '.'); const productArch = process.env.M1 ? 'aarch64' : 'x86_64'; const artifactName = `${ productFileName }-\${version}.${ productArch }.\${ext}`; + const formats = ['dmg', 'zip']; // Build the dmg, explicitly _not_ using an identity; we just signed // everything as we wanted already. const results = await build({ - targets: new Map([[Platform.MAC, new Map([[arch, ['dmg']]])]]), + targets: new Map([[Platform.MAC, new Map([[arch, formats]])]]), config: _.merge(config, { mac: { artifactName, identity: null } }), prepackaged: appDir, }); - const dmgFile = results.find(v => v.endsWith('.dmg')); + const filesToSign = results.filter(f => !f.endsWith('.blockmap')); - if (!dmgFile) { - throw new Error(`Could not find signed disk image`); + for (const extension of formats) { + if (!filesToSign.find(v => v.endsWith(`.${ extension }`))) { + throw new Error(`Could not find built ${ extension } file`); + } } - await spawnFile('codesign', ['--sign', certFingerprint, '--timestamp', dmgFile], { stdio: 'inherit' }); - return dmgFile; + await Promise.all(Object.values(filesToSign).map((f) => { + return spawnFile('codesign', ['--sign', certFingerprint, '--timestamp', f], { stdio: 'inherit' }); + })); + + return Object.values(filesToSign); } /** diff --git a/scripts/lib/sign-win32.ts b/scripts/lib/sign-win32.ts index f2012fa5183..bac669e3de8 100644 
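Review bot: The new `Promise.all` block signs the `.zip` with `codesign` exactly like the `.dmg`, but the two are probably not protected the same way. codesign embeds the signature in a disk image, whereas for a plain file such as a zip it is, as far as I know, kept in extended attributes that do not survive an upload. The published zip would then rely only on the signatures already inside the app bundle, which deserves a comment such as `// codesign on the zip only sets xattrs; the update relies on the signed .app inside it`. Selecting the files by extension from `formats`, instead of excluding `.blockmap`, would also keep the release certificate off any other by-product `build()` returns, and `Object.values(filesToSign)` is a no-op on an array. The same codesign call is kept in the `@@ -140,19 +140,27 @@` hunk of PATCH 3/5, and the body of `sign` starts outside this hunk.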
--- a/scripts/lib/sign-win32.ts +++ b/scripts/lib/sign-win32.ts @@ -44,7 +44,7 @@ interface ElectronBuilderConfiguration { } } -export async function sign(workDir: string): Promise { +export async function sign(workDir: string): Promise { const certFingerprint = process.env.CSC_FINGERPRINT ?? ''; const certPassword = process.env.CSC_KEY_PASSWORD ?? ''; @@ -98,7 +98,7 @@ export async function sign(workDir: string): Promise { await signFn(...filesToSign); - return await buildWiX(workDir, unpackedDir, signFn); + return [await buildWiX(workDir, unpackedDir, signFn)]; } /** diff --git a/scripts/sign.ts b/scripts/sign.ts index 54d18ae3cbb..d547aaf06e0 100644 --- a/scripts/sign.ts +++ b/scripts/sign.ts @@ -21,7 +21,7 @@ async function signArchive(archive: string): Promise { await fs.promises.mkdir(distDir, { recursive: true }); const workDir = await fs.promises.mkdtemp(path.join(distDir, 'sign-')); const archiveDir = path.join(workDir, 'unpacked'); - let artifact: string | undefined; + let artifacts: string[] | undefined; try { // Extract the archive @@ -32,20 +32,23 @@ async function signArchive(archive: string): Promise { // Detect the archive type for (const file of await fs.promises.readdir(archiveDir)) { if (file.endsWith('.exe')) { - artifact = await windows.sign(workDir); + artifacts = await windows.sign(workDir); break; } if (file.endsWith('.app')) { - artifact = await macos.sign(workDir); + artifacts = await macos.sign(workDir); break; } } - if (!artifact) { + if (!artifacts) { throw new Error(`Could not find any files to sign in ${ archive }`); } - await computeChecksum(artifact); - console.log(`Signed result: ${ artifact }`); + await Promise.all(artifacts.map(f => computeChecksum(f))); + + for (const line of ['Signed results:', ...artifacts.map(f => ` - ${ f }`)]) { + console.log(line); + } } finally { await fs.promises.rm(workDir, { recursive: true, maxRetries: 3 }); } From d89f396d39072a57c9c74994b2d9cc33aacb6aac Mon Sep 17 00:00:00 2001 
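Review bot: In `scripts/sign.ts`, `if (!artifacts)` no longer covers every "nothing was signed" case, because an empty array is truthy. A `sign()` that returned `[]` would skip the error, compute no checksums and print an empty `Signed results:` list as if the run had succeeded. Both implementations in this patch return at least one path or throw, so this guards against later changes rather than fixing a live bug; `if (!artifacts?.length) {` keeps the failure explicit. `signArchive` starts and ends outside this hunk.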
From: Mark Yen Date: Tue, 16 Jan 2024 14:12:30 -0800 Subject: [PATCH 3/5] Signing: macOS: fix zip file name We expect the zip file name to be `Rancher.Desktop-VERSION-mac.ARCH.zip` but the dmg file name to be `Rancher.Desktop-VERSION.ARCH.dmg`; ensure that the signing script outputs the correct file names so the user can just upload them to GitHub as-is. Signed-off-by: Mark Yen (cherry picked from commit 0a53582011cde45dcc0f7f57d8576c41d450fb97) --- scripts/lib/sign-macos.ts | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/scripts/lib/sign-macos.ts b/scripts/lib/sign-macos.ts index e3b006aaf5f..f46bae3bb7c 100644 --- a/scripts/lib/sign-macos.ts +++ b/scripts/lib/sign-macos.ts @@ -129,7 +129,7 @@ export async function sign(workDir: string): Promise { const arch = process.env.M1 ? Arch.arm64 : Arch.x64; const productFileName = config.productName?.replace(/\s+/g, '.'); const productArch = process.env.M1 ? 'aarch64' : 'x86_64'; - const artifactName = `${ productFileName }-\${version}.${ productArch }.\${ext}`; + const artifactName = `${ productFileName }-\${version}-mac.${ productArch }.\${ext}`; const formats = ['dmg', 'zip']; // Build the dmg, explicitly _not_ using an identity; we just signed 
@@ -140,19 +140,27 @@ export async function sign(workDir: string): Promise { prepackaged: appDir, }); - const filesToSign = results.filter(f => !f.endsWith('.blockmap')); + // The .dmg and the .zip have slightly different file names, so we need to + // deal with them separately. - for (const extension of formats) { - if (!filesToSign.find(v => v.endsWith(`.${ extension }`))) { - throw new Error(`Could not find built ${ extension } file`); - } + const dmgFile = results.find(f => f.endsWith('.dmg')); + const zipFile = results.find(f => f.endsWith('.zip')); + + if (!dmgFile) { + throw new Error(`Could not find build disk image`); } + if (!zipFile) { + throw new Error(`Could not find build zip file`); + } + + const dmgRenamedFile = dmgFile.replace('-mac.', '.'); - await Promise.all(Object.values(filesToSign).map((f) => { + await fs.promises.rename(dmgFile, dmgRenamedFile); + await Promise.all([dmgRenamedFile, zipFile].map((f) => { return spawnFile('codesign', ['--sign', certFingerprint, '--timestamp', f], { stdio: 'inherit' }); })); - return Object.values(filesToSign); + return Object.values([dmgRenamedFile, zipFile]); } /** From dd678bd9d945dcc546e4d02c0c4b32258b1981ac Mon Sep 17 00:00:00 2001 From: Jan Dubois Date: Thu, 1 Feb 2024 09:22:53 -0800 Subject: [PATCH 4/5] Bump alpine-lima to 0.2.31.rd12 and wsl-distro to 0.51.1 This updates runc to 1.1.12 and buildkit to 0.12.5 to address CVEs. Signed-off-by: Jan Dubois --- pkg/rancher-desktop/assets/dependencies.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/rancher-desktop/assets/dependencies.yaml b/pkg/rancher-desktop/assets/dependencies.yaml index 1b5a7067a37..174c5610c03 100644 --- a/pkg/rancher-desktop/assets/dependencies.yaml +++ b/pkg/rancher-desktop/assets/dependencies.yaml 
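Review bot: `dmgFile.replace('-mac.', '.')` operates on the whole path and rewrites only the first match, so a `-mac.` in any parent directory name (the checkout or dist path) would be changed instead of the file name, and the rename would then point at the wrong location. Restrict the substitution to the base name, e.g. `const dmgRenamedFile = path.join(path.dirname(dmgFile), path.basename(dmgFile).replace('-mac.', '.'));`, assuming `path` is imported in this file, which the hunk does not show. The two error messages say `Could not find build ...` where `built` seems intended, and `Object.values([dmgRenamedFile, zipFile])` around an array literal is redundant. The enclosing `sign` function starts outside this hunk.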
@@ -1,9 +1,9 @@ lima: 0.19.0.rd5 limaAndQemu: 1.31.2 alpineLimaISO: - isoVersion: 0.2.31.rd11 + isoVersion: 0.2.31.rd12 alpineVersion: 3.18.0 -WSLDistro: "0.51" +WSLDistro: 0.51.1 kuberlr: 0.4.4 helm: 3.13.3 dockerCLI: 24.0.7 From 8604c4816fc710f094d8abf1b3b8c656718856b6 Mon Sep 17 00:00:00 2001 From: Mark Yen Date: Thu, 1 Feb 2024 10:52:31 -0800 Subject: [PATCH 5/5] nerdctl-stub: Regenerate for 1.7.3 Signed-off-by: Mark Yen --- src/go/nerdctl-stub/nerdctl_commands_generated.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/go/nerdctl-stub/nerdctl_commands_generated.go b/src/go/nerdctl-stub/nerdctl_commands_generated.go index 39ffdafdaf3..60abd797972 100644 --- a/src/go/nerdctl-stub/nerdctl_commands_generated.go +++ b/src/go/nerdctl-stub/nerdctl_commands_generated.go @@ -140,6 +140,7 @@ var commands = map[string]commandDefinition{ commandPath: "build", subcommands: map[string]struct{}{}, options: map[string]argHandler{ + "--allow": ignoredArgHandler, "--build-arg": ignoredArgHandler, "--buildkit-host": ignoredArgHandler, "--cache-from": ignoredArgHandler, @@ -179,6 +180,7 @@ var commands = map[string]commandDefinition{ commandPath: "builder build", subcommands: map[string]struct{}{}, options: map[string]argHandler{ + "--allow": ignoredArgHandler, "--build-arg": ignoredArgHandler, "--buildkit-host": ignoredArgHandler, "--cache-from": ignoredArgHandler, @@ -1229,6 +1231,7 @@ var commands = map[string]commandDefinition{ commandPath: "image build", subcommands: map[string]struct{}{}, options: map[string]argHandler{ + "--allow": ignoredArgHandler, "--build-arg": ignoredArgHandler, "--buildkit-host": ignoredArgHandler, "--cache-from": ignoredArgHandler,