From 2e1704090af809a26bb50020292662229a06c056 Mon Sep 17 00:00:00 2001
From: Dan Nicholson
Date: Thu, 12 Sep 2024 08:38:44 -0600
Subject: [PATCH] Improve build Dockerfile

A few minor changes to building shim:
* Tell gbp to use a separate export directory instead of doing everything within the source directory.
* Extract shim from the built package so we're definitely comparing what would be installed by this build.
* Validate the checksum of the source tarball to give confidence that we're really using the upstream tarball unchanged.
---
Dockerfile | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index b0ae3c3b..2a04648d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,16 +14,19 @@ RUN gbp clone --pristine-tar https://github.com/endlessm/shim.git && \
 cd /shim && \
 git checkout -B endless/master "${GIT_TAG}" && \
 export DEB_BUILD_OPTIONS=nocheck && \
- gbp buildpackage --git-builder=dpkg-buildpackage && \
- cp debian/shim-efi-image/boot/efi/EFI/endless/shimx64.efi /shim && \
- hexdump -Cv /shim/shimx64.efi > /shim/shimx64.efi.hd
+ gbp buildpackage --git-builder=dpkg-buildpackage --git-export-dir=/shim-build && \
+ dpkg-deb -x /shim-build/shim-efi-image_*.deb /shim-build/shim-efi-image && \
+ cp /shim-build/shim-efi-image/boot/efi/EFI/endless/shimx64.efi /shim-build && \
+ rm -rf /shim-build/shim-efi-image && \
+ hexdump -Cv /shim-build/shimx64.efi > /shim-build/shimx64.efi.hd
 
-RUN sha256sum /shim-review/shimx64.efi && \
- sha256sum /shim/shimx64.efi && \
- if cmp -s /shim-review/shimx64.efi /shim/shimx64.efi; then \
+RUN echo 'a79f0a9b89f3681ab384865b1a46ab3f79d88b11b4ca59aa040ab03fffae80a9 /shim-build/shim_15.8.orig.tar.bz2' | sha256sum -c && \
+ sha256sum /shim-review/shimx64.efi && \
+ sha256sum /shim-build/shimx64.efi && \
+ if cmp -s /shim-review/shimx64.efi /shim-build/shimx64.efi; then \
 echo "Built shim matches review shim"; \
 else \
 echo "ERROR: Built shim does not match review shim!" && \
- diff -u /shim-review/shimx64.efi.hd /shim/shimx64.efi.hd || \
+ diff -u /shim-review/shimx64.efi.hd /shim-build/shimx64.efi.hd || \
 true; \
 fi
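Review bot: The orig-tarball checksum added at the top of the second RUN is checked only after `gbp buildpackage` in the first RUN (whose start lies outside the hunk) has already consumed that tarball, so the check gates the final image rather than the build itself; that is acceptable because a mismatch still aborts `docker build`, but the intent should be stated, e.g. `# Verify the orig tarball gbp regenerated from pristine-tar against the upstream shim 15.8 checksum; a mismatch aborts the build.` The expected path `shim_15.8.orig.tar.bz2` and its hash are hard-coded while the source ref comes from `${GIT_TAG}`, so a future tag bump fails here until both are updated together, which the same comment should say. `sha256sum -c` expects the hash and path to be separated by two spaces (or ` *` for binary mode); whitespace looks collapsed in this rendering, so confirm the separator in the committed file. The `dpkg-deb -x /shim-build/shim-efi-image_*.deb` glob assumes exactly one matching .deb in the fresh export directory, which holds for a single build but would silently misbehave if the directory is ever reused.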