harald/nixsgx
1
0
Fork 0
mirror of https://github.com/matter-labs/nixsgx.git synced 2025-07-21 07:33:55 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #49 from matter-labs/repro_func

Browse source 
fix: make containers reproducible again
This commit is contained in:
Harald Hoyer 2024-07-02 11:22:56 +02:00 committed by GitHub
commit 3897de057d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 21 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

24
overlays/nixsgxLib/default.nix
View file

@ -8,11 +8,13 @@ final: _:
(
{ lib
, pkgs
, writeClosure
, coreutils
, curl
, nixsgx
, openssl
, packages
, rsync
, entrypoint
, name
, tag ? null
@ -191,6 +193,16 @@ final: _:
appImage = pkgs.dockerTools.buildLayeredImage { name = "${name}-app"; inherit contents; };
addGramineManifest = fromImage:
let
mkNixStore = contents:
let
contentsList = if builtins.isList contents then contents else [ contents ];
in
''
${rsync}/bin/rsync -ar --files-from=${writeClosure contentsList} / ./
'';
in
pkgs.dockerTools.buildLayeredImage
{
name = "${name}-manifest-${appName}";
@ -200,16 +212,22 @@ final: _:
includeStorePaths = false;
enableFakechroot = true;
fakeRootCommands = ''
extraCommands = (mkNixStore contents) + ''
(
set -e
cd ${appDir}
HOME=${appDir} ${nixsgx.gramine}/bin/gramine-manifest ${manifestFile} ${appName}.manifest;
CHROOT=$(pwd)
appDir="${appDir}"
cd "''${appDir#/}"
HOME="''${appDir#/}" ${nixsgx.gramine}/bin/gramine-manifest ${manifestFile} ${appName}.manifest;
${nixsgx.gramine}/bin/gramine-sgx-sign \
--chroot "$CHROOT" \
--manifest ${appName}.manifest \
--output ${appName}.manifest.sgx \
--key ${keyfile};
eval "${extraChrootCommands}"
cd "$CHROOT"
chmod u+wx -R nix
rm -fr nix
)
'';
};