From: Demi Marie Obenour
Date: Wed, 19 Nov 2025 03:18:34 -0500
Subject: [PATCH v3 11/14] release: Create directory with system update
Message-Id: <20251119-updates-v3-11-b88a99915509@gmail.com>
References: <20251119-updates-v3-0-b88a99915509@gmail.com>
In-Reply-To: <20251119-updates-v3-0-b88a99915509@gmail.com>
To: Spectrum OS Development
CC: Demi Marie Obenour, Alyssa Ross

Whenever a release is made, create a directory with the release files to be used for an update. After its SHA256SUMS file is signed, the file is ready to be uploaded to a server for users to update from.
Signed-off-by: Demi Marie Obenour --- Changes since v2: - Use UUIDs to name the rootfs and verity superblock. This will allow systemd-sysupdate to set the correct UUIDs on the rootfs and verity partitions, avoiding the need to use labels to find these partitions. --- release.nix | 2 ++ release/update.nix | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/release.nix b/release.nix index a4fe66ee5925aeee3a1f5f1fac249c595cee0885..704abb39a3d01152eac3dfe313066834c3cd0a66 100644 --- a/release.nix +++ b/release.nix @@ -8,5 +8,7 @@ import lib/call-package.nix ({ callSpectrumPackage }: { checks = callSpectrumPackage release/checks {}; + updates = callSpectrumPackage release/update.nix {}; + combined = callSpectrumPackage release/combined/run-vm.nix {}; }) (_: {}) diff --git a/release/update.nix b/release/update.nix new file mode 100644 index 0000000000000000000000000000000000000000..77eb5fc422baa7d13e8e3ccb823c2fe69d2c39cc --- /dev/null +++ b/release/update.nix 
@@ -0,0 +1,33 @@ +# SPDX-License-Identifier: MIT +# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour + +import ../lib/call-package.nix ( +{ callSpectrumPackage, config, runCommand, stdenv }: + +let + efi = import ../host/efi.nix {}; +in +runCommand "spectrum-update-directory" { + __structuredAttrs = true; + unsafeDiscardReferences = { out = true; }; + dontFixup = true; + env = { VERSION = config.version; }; +} '' + # One would expect that this is enabled already but it is not. + set -euo pipefail + mkdir -- "$out" + cd -- "$out" + read -r roothash < ${efi.rootfs}/rootfs.verity.roothash + if ! [[ "$roothash" =~ ^[0-9a-f]{64}$ ]]; then + printf 'Internal error: bad root hash %q\n' "$roothash" + exit 1 + fi + cp -- ${efi} "Spectrum_$VERSION.efi" + cp -- ${efi.rootfs}/rootfs.verity.superblock "Spectrum_''${VERSION}_''${roothash:32:32}.verity" + cp -- ${efi.rootfs}/rootfs "Spectrum_''${VERSION}_''${roothash:0:32}.root" + sha256sum -b "Spectrum_$VERSION.efi" \ + "Spectrum_''${VERSION}_''${roothash:32:32}.verity" \ + "Spectrum_''${VERSION}_''${roothash:0:32}.root" > SHA256SUMS + '' +) (_: {}) -- 2.52.0
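Review bot: In release/update.nix, the two `cp` lines that name the `.root` and `.verity` files from `''${roothash:0:32}` and `''${roothash:32:32}` carry no comment explaining the split; the changelog says these halves are UUIDs that systemd-sysupdate will set on the rootfs and verity partitions, and a one-line comment above the `cp` lines saying so would keep that contract in the file rather than only in the mail. In the same hunk, `read -r roothash < .../rootfs.verity.roothash` returns non-zero if the file has no trailing newline, so under `set -euo pipefail` the build would stop at the `read` and never reach the explicit regex check or its "Internal error" message; tolerating the `read` status and relying on the regex test would make that diagnostic reachable. The `printf 'Internal error: bad root hash %q\n'` line writes to stdout, and `>&2` would be the usual place for it. `callSpectrumPackage` and `stdenv` are accepted as arguments but not used in the lines shown.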