Improve build Dockerfile
A few minor changes to building shim:

* Tell gbp to use a separate export directory instead of doing
  everything within the source directory.
* Extract shim from the built package so we're definitely comparing what
  would be installed by this build.
* Validate the checksum of the source tarball to give confidence that
  we're really using the upstream tarball unchanged.
dbnicholson committed Sep 12, 2024
1 parent 2c0d178 commit 2e17040
Showing 1 changed file with 10 additions and 7 deletions.
17 changes: 10 additions & 7 deletions Dockerfile
Expand Up @@ -14,16 +14,19 @@ RUN gbp clone --pristine-tar https://github.com/endlessm/shim.git && \
cd /shim && \
git checkout -B endless/master "${GIT_TAG}" && \
export DEB_BUILD_OPTIONS=nocheck && \
gbp buildpackage --git-builder=dpkg-buildpackage && \
cp debian/shim-efi-image/boot/efi/EFI/endless/shimx64.efi /shim && \
hexdump -Cv /shim/shimx64.efi > /shim/shimx64.efi.hd
gbp buildpackage --git-builder=dpkg-buildpackage --git-export-dir=/shim-build && \
dpkg-deb -x /shim-build/shim-efi-image_*.deb /shim-build/shim-efi-image && \
cp /shim-build/shim-efi-image/boot/efi/EFI/endless/shimx64.efi /shim-build && \
rm -rf /shim-build/shim-efi-image && \
hexdump -Cv /shim-build/shimx64.efi > /shim-build/shimx64.efi.hd

RUN sha256sum /shim-review/shimx64.efi && \
sha256sum /shim/shimx64.efi && \
if cmp -s /shim-review/shimx64.efi /shim/shimx64.efi; then \
RUN echo 'a79f0a9b89f3681ab384865b1a46ab3f79d88b11b4ca59aa040ab03fffae80a9 /shim-build/shim_15.8.orig.tar.bz2' | sha256sum -c && \
sha256sum /shim-review/shimx64.efi && \
sha256sum /shim-build/shimx64.efi && \
if cmp -s /shim-review/shimx64.efi /shim-build/shimx64.efi; then \
echo "Built shim matches review shim"; \
else \
echo "ERROR: Built shim does not match review shim!" && \
diff -u /shim-review/shimx64.efi.hd /shim/shimx64.efi.hd || \
diff -u /shim-review/shimx64.efi.hd /shim-build/shimx64.efi.hd || \
true; \
fi
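Review bot: The SHA-256 pinned in the second RUN is hard-wired to `shim_15.8.orig.tar.bz2` while the checkout in the first RUN follows `"${GIT_TAG}"`, and nothing in the Dockerfile records where the expected digest came from. A comment naming the upstream release the value was taken from, and a note (or a pair of build arguments kept next to the tag) that the file name and digest must be bumped together with the tag, would let a reviewer re-derive the value instead of trusting it. The `sha256sum -c` also runs only after `gbp buildpackage` has already built from that tarball; that still aborts the image on a mismatch, but chaining the check into the first RUN, right after the build, would put the failure next to the step that produced the file. Finally, the tarball check now fails the build hard, whereas the binary comparison below it still ends in `|| true`, so a shim that does not match the review copy prints the ERROR line and the hexdump diff but the RUN step exits 0. If that is deliberate so the diff stays visible in the log, a comment saying so would help; otherwise an explicit `exit 1` after the `diff -u` would make the two checks consistent.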
