Encrypt balenaOS artifacts at rest in GitHub #410

Merged
merged 8 commits into from
Oct 1, 2024
3 changes: 3 additions & 0 deletions .github/workflows/yocto-build-deploy.yml
Expand Up @@ -1138,6 +1138,9 @@ jobs:
path: ${{ env.WORKSPACE }}

- name: Decrypt artifacts
if: |
github.event.repository.private != true &&
(inputs.sign-image == true || needs.build.outputs.is_private == 'true')
Contributor

@rcooke-warwick I asked Anton to remove this so we had one fewer place where conditions were used to decide between encryption and decryption. Like if we changed the conditions for encryption and forgot to update the decryption conditions, it might take a while to notice we broke it.

Was it not correctly detecting the lack of *.enc files?

Contributor

That's right,

Run for artifact in *.enc **/*.enc; do
+ for artifact in *.enc **/*.enc
+ openssl enc -v -d -aes-256-cbc -k *** -pbkdf2 -iter 310000 -md sha256 -salt -in '*.enc' -out '*'
bufsize=8192
Can't open "*.enc" for reading, No such file or directory
40D756EFD17F0000:error:80000002:system library:BIO_new_file:No such file or directory:../crypto/bio/bss_file.c:67:calling fopen(*.enc, rb)
40D756EFD17F0000:error:10000080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:75:

Contributor

If we're too lenient about the logic in this step passing, we risk scenarios like:

  • we break the encryption step
  • we break the decryption step
  • we change the logic so .enc files get written to a different place, or are called something else

And then trying to flash the DUT with whatever, or getting as far as the tests, which will then fail - but it's harder to ID where the failure happened if it gets that far. Just to keep in mind

Contributor

Ack, sounds good
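The failure mode discussed in this thread, as an added example that is not part of the pull request or the project's workflow: a decrypt routine that enumerates `.enc` files with `find` and treats "expected but missing" as a hard error. The function names, the `required`/`optional` argument and the `ARTIFACT_PASS` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the project's code. Names and ARTIFACT_PASS are assumptions.

# Print every *.enc path under $1, one per line, at any depth.
# find(1) prints nothing when there is no match, whereas an unmatched shell
# glob is passed through as the literal string "*.enc" (the error in the log).
list_encrypted() {
    find "$1" -type f -name '*.enc' | sort
}

# decrypt_artifacts DIR EXPECT
#   EXPECT=required : zero *.enc files is an error (return 2)
#   EXPECT=optional : zero *.enc files is a no-op  (return 0)
# Note: paths containing newlines are not supported by this sketch.
decrypt_artifacts() {
    dir=$1
    expect=$2
    files=$(list_encrypted "$dir")
    if [ -z "$files" ]; then
        if [ "$expect" = required ]; then
            echo "error: no *.enc files under $dir (encryption step or paths changed?)" >&2
            return 2
        fi
        echo "no encrypted artifacts under $dir, nothing to decrypt" >&2
        return 0
    fi
    # Cipher parameters copied from the command in the log above. The passphrase
    # is read from the environment (-pass env:) instead of -k, a substitution
    # made here so it does not appear in the process arguments.
    printf '%s\n' "$files" | while IFS= read -r enc; do
        openssl enc -d -aes-256-cbc -pbkdf2 -iter 310000 -md sha256 \
            -pass env:ARTIFACT_PASS -in "$enc" -out "${enc%.enc}" </dev/null || exit 1
    done
}
```

Calling it with `required` whenever the build is known to have encrypted its output turns a broken encryption step or a renamed path into an immediate, clearly labelled failure instead of one that surfaces later in flashing or tests.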

working-directory: ${{ env.WORKSPACE }}
run: |
for artifact in *.enc **/*.enc; do
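Review bot: the `if:` added to the Decrypt artifacts step is a second, hand-maintained copy of the encrypt-or-not decision, so it can drift from whatever condition gates the encryption step, and when it evaluates true but nothing matches, the loop `for artifact in *.enc **/*.enc; do` still runs with the literal pattern (the log in this thread shows openssl being handed '*.enc'). Consider having the build job publish one flag that records whether it actually encrypted its output (a hypothetical output name such as `artifacts_encrypted`) and keying both steps off it, and have the loop count its matches and exit with an explicit "no .enc files found" error when the flag says there should be some. Also note that `**/*.enc` only recurses when bash `globstar` is enabled; without it the pattern matches a single directory level, so artifacts nested deeper would be skipped silently.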