* TUN-9776: Support signing Debian packages with two keys for rollover
Debian Trixie doesn't support the SHA-1 algo for GPG keys.
This commit leverages the ability of providing two keys in the reprepro configuration in order to have two signatures in InRelease and Release.gpg files.
This allows users that have the old key to continue fetching the binaries with the old key while allowing us to provide a new key that can be used in Trixie.
Unfortunately current versions of RPM (since 2002) don't support double signing, so we can't apply the same logic for RPM
Closes TUN-9776
## Summary
This commit removes configurations and references for Debian-based releases that are no longer supported in the build and packaging processes.
For Ubuntu versions for most of them only PRO users still have support, so we might decide remove some of them as well. Information available in:
- Debian Releases: https://wiki.debian.org/LTS (we no longer support bullseye at Cloudflare)
- Ubuntu Releases: https://ubuntu.com/about/release-cycle
Closes TUN-9542
## Summary
Update several moving parts of cloudflared build system:
* use goboring 1.24.2 in cfsetup
* update linter and fix lint issues
* update packages namely **quic-go and net**
* install script for macos
* update docker files to use go 1.24.1
* remove usage of cloudflare-go
* pin golang linter
Closes TUN-9016
## Summary
To improve our code, this commit adds a linter that will start
checking for issues from this commit onwards, also forcing
issues to be fixed on the file changed and not only on the changes
themselves. This should help improve our code quality overtime.
Closes TUN-8866
## Summary
The default-flavour of cfsetup changed from bullseye to bookworm and in the latter the createrepo package was renamed to createrepo_c.
Closes TUN-8795
## Summary
The previous changes regarding python's distribution which broke CI the installation of python packages.
Python packages in cfsetup are now installed via virtual environment. The dependency python3-venv was added as builddep to allow the creation of venv and the python packages installation was moved to the post-cache resulting in the removal of
* anchor build_release_pre_cache
* anchor component_test_pre_cache
Closes TUN-8789
- remove unused targets in Makefile
- order deps in cfsetup.yaml
- only build cloudflared not all linux targets
- rename stages to be more explicit
- adjust build deps of build-linux-release
- adjust build deps of build-linux-fips-release
- rename github_release_pkgs_pre_cache to build_release_pre_cache
- only build release release artifacts within build-linux-release
- only build release release artifacts within build-linux-fips-release
- remove github-release-macos
- remove github-release-windows
- adjust builddeps of test and test-fips
- create builddeps anchor for component-test and use it in component-test-fips
- remove wixl from build-linux-*
- rename release-pkgs-linux to r2-linux-release
- add github-release: artifacts uplooad and set release message
- clean build directory before build
- add step to package windows binaries
- refactor windows script
One of TeamCity changes is moving the artifacts to the built artifacts, hence, there is no need to cp files from artifacts to built_artifacts
- create anchor for release builds
- create anchor for tests stages
- remove reprepro and createrepo as they are only called by release_pkgs.py
## Summary
We have decided to no longer push cloudflared to cloudflare homebrew, and use
the automation from homebrew-core to update cloudflared on their repository.
Therefore, the scripts for homebrew and makefile targets are no longer necessary.
Also update golang.org/x/net and google.golang.org/grpc to fix vulnerabilities,
although cloudflared is using them in a way that is not exposed to those risks
cloudflared's Makefile uses `shell go env GOOS` to determine the
LOCAL_OS regardless of it being provided. We therefore need pinned_go as
a dependency to run docker-generate-versions.
Once we introduced multi arch docker images, pinning cloudflared
versions required suffixing -(arm64/amd64) to the cloudflared:version
image tag. This change should fix that by adding specific versions to
the cloudflare docker build cycle
This PR removes go-sumtype from cloudflared's build processes.
The value we see from analysing exhaustive match patterns in go is minimal (we can do this in code reviews) compared to using a tool that is unmaintained and (now broken) in Go 1.18.
We'd already been using the patched version here: https://github.com/sudarshan-reddy/go-sumtype because the original is broken for go tools > 1.16
This PR mostly raises exceptions so we are aware if release deb or
release pkgs fail. It also makes release_version optional if backup pkgs
are not needed.
We now keep the gpg key inputs configurable. This PR imports base64
encoded gpg details into the build environment and uses this information
to sign the linux builds.
This PR extends release_pkgs.py to now also support uploading rpm based
assets to R2. The packages are not signed yet and will be done in a
subsequent PR.
This PR
- Packs the .rpm assets into relevant directories
- Calls createrepo on them to make them yum repo ready
- Uploads them to R2
This way we will force the adoption of FIPS compliant cloudflared without having
to handle the transition for systems that already have it installed (since we
were previously using new artifacts with fips suffix) nor without having to
segregate the resulting binary name (since we were always generating a binary
just called cloudflared from the unpacked debian archive to avoid having to change
any automation that assumes the binary to be called just that).
João "Pisco" Fernandes
Gonçalo Garcia
Luis Neto
Chung-Ting Huang
Joe Groocock
Devin Carr
Sudarsan Reddy
Nuno Diegues
Opeyemi Onikute
Igor Postelnik
Piper McCorkle