fix: make containers reproducible again

by providing the `--chroot` argument to `gramine-sgx-sign` and with
a carefully assembled `nix` directory, containing no build root artifacts.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
Harald Hoyer 2024-07-02 11:13:10 +02:00
parent 07ae787761
commit 4a6aff1d2e
Signed by: harald
GPG key ID: F519A1143B3FBE32


@ -8,11 +8,13 @@ final: _:
(
{ lib
, pkgs
, writeClosure
, coreutils
, curl
, nixsgx
, openssl
, packages
, rsync
, entrypoint
, name
, tag ? null
@ -191,6 +193,16 @@ final: _:
appImage = pkgs.dockerTools.buildLayeredImage { name = "${name}-app"; inherit contents; };
addGramineManifest = fromImage:
let
mkNixStore = contents:
let
contentsList = if builtins.isList contents then contents else [ contents ];
in
''
${rsync}/bin/rsync -ar --files-from=${writeClosure contentsList} / ./
'';
in
pkgs.dockerTools.buildLayeredImage
{
name = "${name}-manifest-${appName}";
@ -200,16 +212,22 @@ final: _:
includeStorePaths = false;
enableFakechroot = true;
fakeRootCommands = ''
extraCommands = (mkNixStore contents) + ''
(
set -e
cd ${appDir}
HOME=${appDir} ${nixsgx.gramine}/bin/gramine-manifest ${manifestFile} ${appName}.manifest;
CHROOT=$(pwd)
appDir="${appDir}"
cd "''${appDir#/}"
HOME="''${appDir#/}" ${nixsgx.gramine}/bin/gramine-manifest ${manifestFile} ${appName}.manifest;
${nixsgx.gramine}/bin/gramine-sgx-sign \
--chroot "$CHROOT" \
--manifest ${appName}.manifest \
--output ${appName}.manifest.sgx \
--key ${keyfile};
eval "${extraChrootCommands}"
cd "$CHROOT"
chmod u+wx -R nix
rm -fr nix
)
'';
};
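Review bot: The removal of the rsync'd store copy (`cd "$CHROOT"`, `chmod u+wx -R nix`, `rm -fr nix` at the end of the subshell) only runs when every earlier command succeeds, because `set -e` aborts the subshell first; a failing `eval "${extraChrootCommands}"` or signing step therefore leaves the closure tree under `./nix` in the working directory. Whether that tree can then reach the layer depends on the enclosing builder treating the subshell's non-zero status as fatal, which the hunk does not show; registering the cleanup as an exit trap removes the question: `trap 'cd "$CHROOT" && chmod u+wx -R nix && rm -fr nix' EXIT` right after `set -e`, with the three trailing lines dropped. A short comment on `extraCommands` would also help the next maintainer, e.g. `# the closure is materialized under ./nix only so gramine-sgx-sign can hash trusted files via --chroot; it must never be kept in the layer (includeStorePaths = false)`. The enclosing attribute set continues past the final `};` of the hunk.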