Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-22 08:28:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 107
fleet/tools/tuf/test/gen_pkgs.sh
Lucas Manuel Rodriguez 134c74a94b
Add initial Arch Linux support (#33096) 
For #32859.

We can ignore the "Dependency review" failure in
[CVE-2023-32698](https://github.com/advisories/GHSA-w7jw-q4fg-qc4c)
because we already have the rules to ignore it (we are not vulnerable).
I'm not updating nfpm to latest because it would require further changes
on all deb/rpm generation (source code breaking changes on the golang
interfaces).

---

<img width="448" height="151" alt="screenshot-2025-09-11_08-38-20"
src="https://github.com/user-attachments/assets/4c00b960-568a-48d9-8098-308c8ab8916f"
/>
<img width="391" height="73" alt="screenshot-2025-09-11_08-37-40"
src="https://github.com/user-attachments/assets/dec6ea22-31f8-4930-b067-0b04b4ec2b5f"
/>

<img width="759" height="428" alt="Image"
src="https://github.com/user-attachments/assets/0a76d070-4709-4a35-8e6e-caf869473d28"
/>
<img width="1178" height="634" alt="Image"
src="https://github.com/user-attachments/assets/98e6fa2a-ba07-4a55-81aa-ad747f1c57b9"
/>
<img width="1388" height="830" alt="Image"
src="https://github.com/user-attachments/assets/19d36bad-d01d-4130-b271-38bea2534833"
/>
<img width="933" height="930" alt="Image"
src="https://github.com/user-attachments/assets/1d6a369b-65d7-46a4-98a6-e6f0b29be2c8"
/>
<img width="2241" height="693" alt="Image"
src="https://github.com/user-attachments/assets/d8f98e97-f027-4c1c-ae5d-c4fa3b592a20"
/>

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [x] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
2025-09-18 18:55:31 -03:00

269 lines
13 KiB
Bash
Executable file
Raw Blame History

#!/bin/bash
set -ex
# This script generates fleet-osquery packages for all supported platforms
# using the specified TUF server.
# Input:
# Values for generating a package for a macOS host:
# PKG_FLEET_URL: Fleet server URL.
# PKG_TUF_URL: URL of the TUF server.
#
# Values for generating a package for an Ubuntu host:
# DEB_FLEET_URL: Fleet server URL.
# DEB_TUF_URL: URL of the TUF server.
#
# Values for generating a package for a CentOS host:
# RPM_FLEET_URL: Fleet server URL.
# RPM_TUF_URL: URL of the TUF server.
#
# Values for generating a package for a Windows host:
# MSI_FLEET_URL: Fleet server URL.
# MSI_TUF_URL: URL of the TUF server.
#
# Values for generating a package for a Arch Linux host:
# PKG_TAR_ZST_FLEET_URL: Fleet server URL.
# PKG_TAR_ZST_TUF_URL: URL of the TUF server.
#
# ENROLL_SECRET: Fleet server enroll secret.
# ROOT_KEYS: TUF repository root keys.
# FLEET_DESKTOP: Whether to build with Fleet Desktop support.
# INSECURE: Whether to use the --insecure flag.
# USE_FLEET_SERVER_CERTIFICATE: Whether to use a custom certificate bundle.
# FLEET_MANAGED_HOST_IDENTITY_CERTIFICATE: Whether to use TPM-backed key for HTTP signing (Linux only).
# USE_UPDATE_SERVER_CERTIFICATE: Whether to use a custom certificate bundle.
# FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST: Alternative host:port to use for the Fleet Desktop browser URLs.
# DEBUG: Whether or not to build the package with --debug.
ENABLE_SCRIPTS="1"
if [[ -n $DISABLE_SCRIPTS ]]; then
ENABLE_SCRIPTS=""
fi
if [ -n "$GENERATE_PKG" ]; then
echo "Generating pkg..."
./build/fleetctl package \
--type=pkg \
${FLEET_DESKTOP:+--fleet-desktop} \
--fleet-url=$PKG_FLEET_URL \
--enroll-secret=$ENROLL_SECRET \
${USE_FLEET_SERVER_CERTIFICATE:+--fleet-certificate=./tools/osquery/fleet.crt} \
${USE_UPDATE_SERVER_CERTIFICATE:+--update-tls-certificate=./tools/osquery/fleet.crt} \
${INSECURE:+--insecure} \
${DEBUG:+--debug} \
--update-roots="$ROOT_KEYS" \
--update-interval=10s \
--disable-open-folder \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-key=./tools/test-orbit-mtls/client.key} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-key=./tools/test-orbit-mtls/client.key} \
${FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST:+--fleet-desktop-alternative-browser-host=$FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST} \
--update-url=$PKG_TUF_URL \
${ENABLE_SCRIPTS:+--enable-scripts} \
--disable-keystore
fi
if [ -n "$GENERATE_DEB" ]; then
echo "Generating deb (amd64)..."
./build/fleetctl package \
--type=deb \
--arch=amd64 \
${FLEET_DESKTOP:+--fleet-desktop} \
--fleet-url=$DEB_FLEET_URL \
--enroll-secret=$ENROLL_SECRET \
${USE_FLEET_SERVER_CERTIFICATE:+--fleet-certificate=./tools/osquery/fleet.crt} \
${USE_UPDATE_SERVER_CERTIFICATE:+--update-tls-certificate=./tools/osquery/fleet.crt} \
${INSECURE:+--insecure} \
${DEBUG:+--debug} \
--update-roots="$ROOT_KEYS" \
--update-interval=10s \
--disable-open-folder \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-key=./tools/test-orbit-mtls/client.key} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-key=./tools/test-orbit-mtls/client.key} \
${FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST:+--fleet-desktop-alternative-browser-host=$FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST} \
${ENABLE_SCRIPTS:+--enable-scripts} \
${FLEET_MANAGED_HOST_IDENTITY_CERTIFICATE:+--fleet-managed-host-identity-certificate} \
--update-url=$DEB_TUF_URL
fi
if [ -n "$GENERATE_DEB_ARM64" ]; then
echo "Generating deb (arm64)..."
./build/fleetctl package \
--type=deb \
--arch=arm64 \
${FLEET_DESKTOP:+--fleet-desktop} \
--fleet-url=$DEB_FLEET_URL \
--enroll-secret=$ENROLL_SECRET \
${USE_FLEET_SERVER_CERTIFICATE:+--fleet-certificate=./tools/osquery/fleet.crt} \
${USE_UPDATE_SERVER_CERTIFICATE:+--update-tls-certificate=./tools/osquery/fleet.crt} \
${INSECURE:+--insecure} \
${DEBUG:+--debug} \
--update-roots="$ROOT_KEYS" \
--update-interval=10s \
--disable-open-folder \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-key=./tools/test-orbit-mtls/client.key} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-key=./tools/test-orbit-mtls/client.key} \
${FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST:+--fleet-desktop-alternative-browser-host=$FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST} \
${ENABLE_SCRIPTS:+--enable-scripts} \
${FLEET_MANAGED_HOST_IDENTITY_CERTIFICATE:+--fleet-managed-host-identity-certificate} \
--update-url=$DEB_TUF_URL
fi
if [ -n "$GENERATE_RPM" ]; then
echo "Generating rpm (amd64)..."
./build/fleetctl package \
--type=rpm \
--arch=amd64 \
${FLEET_DESKTOP:+--fleet-desktop} \
--fleet-url=$RPM_FLEET_URL \
--enroll-secret=$ENROLL_SECRET \
${USE_FLEET_SERVER_CERTIFICATE:+--fleet-certificate=./tools/osquery/fleet.crt} \
${USE_UPDATE_SERVER_CERTIFICATE:+--update-tls-certificate=./tools/osquery/fleet.crt} \
${INSECURE:+--insecure} \
${DEBUG:+--debug} \
--update-roots="$ROOT_KEYS" \
--update-interval=10s \
--disable-open-folder \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-key=./tools/test-orbit-mtls/client.key} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-key=./tools/test-orbit-mtls/client.key} \
${FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST:+--fleet-desktop-alternative-browser-host=$FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST} \
${ENABLE_SCRIPTS:+--enable-scripts} \
${FLEET_MANAGED_HOST_IDENTITY_CERTIFICATE:+--fleet-managed-host-identity-certificate} \
--update-url=$RPM_TUF_URL
fi
if [ -n "$GENERATE_RPM_ARM64" ]; then
echo "Generating rpm (arm64)..."
./build/fleetctl package \
--type=rpm \
--arch=arm64 \
${FLEET_DESKTOP:+--fleet-desktop} \
--fleet-url=$RPM_FLEET_URL \
--enroll-secret=$ENROLL_SECRET \
${USE_FLEET_SERVER_CERTIFICATE:+--fleet-certificate=./tools/osquery/fleet.crt} \
${USE_UPDATE_SERVER_CERTIFICATE:+--update-tls-certificate=./tools/osquery/fleet.crt} \
${INSECURE:+--insecure} \
${DEBUG:+--debug} \
--update-roots="$ROOT_KEYS" \
--update-interval=10s \
--disable-open-folder \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-key=./tools/test-orbit-mtls/client.key} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-key=./tools/test-orbit-mtls/client.key} \
${FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST:+--fleet-desktop-alternative-browser-host=$FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST} \
${ENABLE_SCRIPTS:+--enable-scripts} \
${FLEET_MANAGED_HOST_IDENTITY_CERTIFICATE:+--fleet-managed-host-identity-certificate} \
--update-url=$RPM_TUF_URL
fi
if [ -n "$GENERATE_PKG_TAR_ZST" ]; then
echo "Generating pkg.tar.zst (amd64)..."
./build/fleetctl package \
--type=pkg.tar.zst \
--arch=amd64 \
${FLEET_DESKTOP:+--fleet-desktop} \
--fleet-url=$PKG_TAR_ZST_FLEET_URL \
--enroll-secret=$ENROLL_SECRET \
${USE_FLEET_SERVER_CERTIFICATE:+--fleet-certificate=./tools/osquery/fleet.crt} \
${USE_UPDATE_SERVER_CERTIFICATE:+--update-tls-certificate=./tools/osquery/fleet.crt} \
${INSECURE:+--insecure} \
${DEBUG:+--debug} \
--update-roots="$ROOT_KEYS" \
--update-interval=10s \
--disable-open-folder \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-key=./tools/test-orbit-mtls/client.key} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-key=./tools/test-orbit-mtls/client.key} \
${FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST:+--fleet-desktop-alternative-browser-host=$FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST} \
${ENABLE_SCRIPTS:+--enable-scripts} \
${FLEET_MANAGED_HOST_IDENTITY_CERTIFICATE:+--fleet-managed-host-identity-certificate} \
--update-url=$PKG_TAR_ZST_TUF_URL
fi
if [ -n "$GENERATE_PKG_TAR_ZST_ARM64" ]; then
echo "Generating pkg.tar.zst (arm64)..."
./build/fleetctl package \
--type=pkg.tar.zst \
--arch=arm64 \
${FLEET_DESKTOP:+--fleet-desktop} \
--fleet-url=$PKG_TAR_ZST_FLEET_URL \
--enroll-secret=$ENROLL_SECRET \
${USE_FLEET_SERVER_CERTIFICATE:+--fleet-certificate=./tools/osquery/fleet.crt} \
${USE_UPDATE_SERVER_CERTIFICATE:+--update-tls-certificate=./tools/osquery/fleet.crt} \
${INSECURE:+--insecure} \
${DEBUG:+--debug} \
--update-roots="$ROOT_KEYS" \
--update-interval=10s \
--disable-open-folder \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-key=./tools/test-orbit-mtls/client.key} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-key=./tools/test-orbit-mtls/client.key} \
${FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST:+--fleet-desktop-alternative-browser-host=$FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST} \
${ENABLE_SCRIPTS:+--enable-scripts} \
${FLEET_MANAGED_HOST_IDENTITY_CERTIFICATE:+--fleet-managed-host-identity-certificate} \
--update-url=$PKG_TAR_ZST_TUF_URL
fi
if [ -n "$GENERATE_MSI" ]; then
echo "Generating msi..."
./build/fleetctl package \
--type=msi \
${FLEET_DESKTOP:+--fleet-desktop} \
--fleet-url=$MSI_FLEET_URL \
--enroll-secret=$ENROLL_SECRET \
${USE_FLEET_SERVER_CERTIFICATE:+--fleet-certificate=./tools/osquery/fleet.crt} \
${USE_UPDATE_SERVER_CERTIFICATE:+--update-tls-certificate=./tools/osquery/fleet.crt} \
${INSECURE:+--insecure} \
${DEBUG:+--debug} \
--update-roots="$ROOT_KEYS" \
--update-interval=10s \
--disable-open-folder \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-key=./tools/test-orbit-mtls/client.key} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-key=./tools/test-orbit-mtls/client.key} \
${FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST:+--fleet-desktop-alternative-browser-host=$FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST} \
${ENABLE_SCRIPTS:+--enable-scripts} \
--update-url=$MSI_TUF_URL
fi
if [ -n "$GENERATE_MSI_ARM64" ]; then
echo "Generating msi (arm64)..."
./build/fleetctl package \
--type=msi \
--arch=arm64 \
${FLEET_DESKTOP:+--fleet-desktop} \
--fleet-url=$MSI_FLEET_URL \
--enroll-secret=$ENROLL_SECRET \
${USE_FLEET_SERVER_CERTIFICATE:+--fleet-certificate=./tools/osquery/fleet.crt} \
${USE_UPDATE_SERVER_CERTIFICATE:+--update-tls-certificate=./tools/osquery/fleet.crt} \
${INSECURE:+--insecure} \
${DEBUG:+--debug} \
--update-roots="$ROOT_KEYS" \
--update-interval=10s \
--disable-open-folder \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_FLEET_CLIENT_CERTIFICATE:+--fleet-tls-client-key=./tools/test-orbit-mtls/client.key} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-certificate=./tools/test-orbit-mtls/client.crt} \
${USE_UPDATE_CLIENT_CERTIFICATE:+--update-tls-client-key=./tools/test-orbit-mtls/client.key} \
${FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST:+--fleet-desktop-alternative-browser-host=$FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST} \
${ENABLE_SCRIPTS:+--enable-scripts} \
--update-url=$MSI_TUF_URL
fi
echo "Packages generated."
if [[ $OSTYPE == 'darwin'* && -n "$INSTALL_PKG" ]]; then
sudo installer -pkg fleet-osquery.pkg -target /
fi
Reference in a new issue View git blame Copy permalink