fleet/tools/fleetctl-docker
Lucas Manuel Rodriguez 18f010f228
Update fleetdm/fleetctl, fleetdm/wix and fleetdm/bomutils docker images (#21063)
#20571

## Summary of changes

We have a few moving parts in fleetctl land (`fleetdm/wix` is used to
build `msi`s and `fleetdm/bomutils` is used to build `pkg`s, and
`fleetdm/fleetctl` can be used to build packages using docker, no need
for fleetctl executable):
```mermaid
graph LR

fleetctl_exec[fleetctl<br>executable];
wix_image[fleetdm/wix<br>docker image];
bomutils_image[fleetdm/bomutils<br>docker image];
fleetctl_image[fleetdm/fleetctl<br>docker image];

fleetctl_exec -- uses --> wix_image;

fleetctl_image -- COPY dependencies<br>FROM --> wix_image;

fleetctl_exec -- uses --> bomutils_image;

fleetctl_image -- COPY dependencies<br>FROM --> bomutils_image;
```
So, we'll need to update the three images: `fleetdm/bomutils`,
`fleetdm/wix` & `fleetdm/fleetctl`.

- `tools/bomutils-docker/Dockerfile`, `tools/wix-docker/Dockerfile` and
`tools/fleetctl-docker/Dockerfile`: Updating the base image to fix the
CRITICAL vulnerabilities.
- Modified existing+unused
`.github/workflows/build-and-check-fleetctl-docker-and-deps.yml` to run
every day to check for CRITICAL vulnerabilities in `fleetdm/wix`,
`fleetdm/bomutils` and `fleetdm/fleetctl`.
- `.github/workflows/goreleaser-fleetctl-docker-deps.yaml`:
`fleetdm/bomutils` and `fleetdm/wix` were pushed manually a few years
ago (most likely by Zach), so I've added a new action to release them
when we have changes to release (like now). It will basically release
`fleetdm/bomutils` and `fleetdm/wix` when pushing a tag of the form
`fleetctl-docker-deps-*` (we'll need to protect such tag prefix).
- Changes in `.github/workflows/test-native-tooling-packaging.yml` to
build `fleetdm/bomutils` and `fleetdm/wix` for `fleetdm/fleetctl` to use
them instead of the ones in docker hub.

--

Build before upgrading `debian:stable-slim`:

https://github.com/fleetdm/fleet/actions/runs/10255391418/job/28372231837
![Screenshot 2024-08-05 at 5 24 25 PM](https://github.com/user-attachments/assets/8a7d3576-3eb6-474f-989a-079873fca4fa)

Build after upgrading `debian:stable-slim`:
https://github.com/fleetdm/fleet/actions/runs/10255550034

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality
2024-08-20 14:07:59 -03:00
Dockerfile Update fleetdm/fleetctl, fleetdm/wix and fleetdm/bomutils docker images (#21063) 2024-08-20 14:07:59 -03:00
README.md add support for notarization in fleetdm/fleetctl images (#6818) 2022-07-25 20:06:10 -03:00

fleetdm/fleetctl

This docker image allows you to run fleetctl in a Linux environment that has all the necessary dependencies to package msi, pkg, deb and rpm packages.

Usage

docker run fleetdm/fleetctl command [flags]

Build artifacts are generated at /build. To get a package using this image:

docker run -v "$(pwd):/build" fleetdm/fleetctl package --type=msi

Building

This image needs to be built from the root of the repo in order for the build context to have access to the fleetctl binary. To build the image, run:

make fleetctl-docker

macOS signing + notarization

To sign and notarize a generated pkg you must have:

  1. A Developer ID certificate in PEM format
  2. An Apple Store Connect API key

Note: the Developer ID certificate must be in PEM format because this image can be run in automated environments where secrets are passed via environment variables, and thus they must be in plain text.

To convert a PKCS 12 certificate to PEM, you can run the following command:

openssl pkcs12 -in /path/to/cert.p12 -out signing-keypair.pem -nodes

Once you are set, you can build and notarize/staple your package with:

docker run -v "$(pwd):/build" fleetdm/fleetctl package --type=pkg \
  --macos-devid-pem-content="$(cat /path/to/signing-keypair.pem)" \
  --notarize \
  --app-store-connect-api-key-id="A6DX865SKS" \
  --app-store-connect-api-key-issuer="68911d4c-110c-4172-b9f7-b7efa30f9680" \
  --app-store-connect-api-key-content="$(cat /path/to/AuthKey_A6DX865SKS.p8)"
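Before handing the converted PEM to the command above, a small shell pre-flight check can catch the two mistakes this setup runs into: a key exported without `-nodes` (so still passphrase-protected, which the image cannot prompt for) and a file that carries the certificate but no private key. This is an added example, not code from the Fleet repo; `check_signing_pem` is a hypothetical helper name.

```shell
#!/bin/sh
# Pre-flight check for the PEM passed to --macos-devid-pem-content.
# Added example, not code from the Fleet repo; check_signing_pem is a
# hypothetical helper name.
#
# The image reads the key material as plain text, so the file must contain
# the Developer ID certificate (chain certificates are fine) plus exactly one
# private key that is NOT encrypted, i.e. `openssl pkcs12 ... -nodes` was used.
check_signing_pem() {
  pem="$1"
  if [ ! -r "$pem" ]; then
    echo "check_signing_pem: cannot read $pem" >&2
    return 1
  fi
  # `|| true` keeps `grep -c` from aborting a `set -e` shell when the count is 0.
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
  if [ "$certs" -lt 1 ]; then
    echo "check_signing_pem: no CERTIFICATE block in $pem" >&2
    return 2
  fi
  # A PKCS#8 "ENCRYPTED PRIVATE KEY" block or a legacy Proc-Type header means
  # the key still has a passphrase; re-export with -nodes.
  if grep -q -E -- '-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED' "$pem"; then
    echo "check_signing_pem: private key is encrypted; re-run openssl pkcs12 with -nodes" >&2
    return 4
  fi
  keys=$(grep -c -E -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$pem" || true)
  if [ "$keys" -ne 1 ]; then
    echo "check_signing_pem: expected exactly one private key, found $keys" >&2
    return 3
  fi
  return 0
}

# Usage: check_signing_pem signing-keypair.pem && docker run ... (the command above)
```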

Publishing

There's a GitHub workflow to build and publish this image to Docker Hub; currently it has to be triggered manually.