From 5f7a4e0a91af10d66bb49d0228d8cdef68b06786 Mon Sep 17 00:00:00 2001 From: Amaury Chamayou Date: Tue, 20 Jul 2021 16:08:06 +0100 Subject: [PATCH] Upgrade base images and playbooks to Ubuntu 20.04 (focal) (#2819) --- .azure-pipelines-gh-pages.yml | 4 +- .azure-pipelines-templates/matrix.yml | 2 +- .azure-pipelines.yml | 4 +- .daily.yml | 4 +- .github/workflows/ci-checks.yml | 4 +- .github/workflows/codeql-analysis.yml | 2 +- .multi-thread.yml | 2 +- .stress.yml | 2 +- CHANGELOG.md | 1 + doc/build_apps/install_bin.rst | 2 +- docker/app_ci | 9 ++-- docker/app_run | 9 ++-- docker/ccf_ci | 11 +++-- getting_started/setup_vm/ccf-dev.yml | 3 -- .../roles/ccf_build/tasks/install.yml | 46 ++----------------- .../setup_vm/roles/ccf_build/vars/common.yml | 19 ++++---- .../setup_vm/roles/intel/vars/common.yml | 4 +- .../openenclave/tasks/binary_install.yml | 4 +- .../roles/openenclave/vars/common.yml | 4 +- getting_started/setup_vm/run.sh | 5 -- python/utils/verify_quote.sh | 2 +- scripts/ci-checks.sh | 2 +- tests/jwt_test.py | 19 +++++++- tests/sandbox/sandbox.sh | 2 +- tests/test_install.sh | 2 +- tests/test_install_build.sh | 2 +- 26 files changed, 76 insertions(+), 94 deletions(-) diff --git a/.azure-pipelines-gh-pages.yml b/.azure-pipelines-gh-pages.yml index 6764a17ebb..570608a26e 100644 --- a/.azure-pipelines-gh-pages.yml +++ b/.azure-pipelines-gh-pages.yml @@ -7,9 +7,9 @@ trigger: jobs: - job: build_and_publish_docs - container: ccfciteam/ccf-ci:oe0.17.1 + container: ccfciteam/ccf-ci:oe0.17.1-focal pool: - vmImage: ubuntu-18.04 + vmImage: ubuntu-20.04 steps: - checkout: self diff --git a/.azure-pipelines-templates/matrix.yml b/.azure-pipelines-templates/matrix.yml index 2cca5810eb..4912c2d981 100644 --- a/.azure-pipelines-templates/matrix.yml +++ b/.azure-pipelines-templates/matrix.yml @@ -5,7 +5,7 @@ parameters: Hosted: container: nosgx pool: - vmImage: ubuntu-18.04 + vmImage: ubuntu-20.04 NoSGX: container: nosgx pool: Ubuntu-1804-D8s_v3 
diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml index a56646f83e..2de563df2f 100644 --- a/.azure-pipelines.yml +++ b/.azure-pipelines.yml @@ -27,11 +27,11 @@ schedules: resources: containers: - container: nosgx - image: ccfciteam/ccf-ci:oe0.17.1 + image: ccfciteam/ccf-ci:oe0.17.1-focal options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /dev/shm:/tmp/ccache -v /lib/modules:/lib/modules:ro - container: sgx - image: ccfciteam/ccf-ci:oe0.17.1 + image: ccfciteam/ccf-ci:oe0.17.1-focal options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache -v /lib/modules:/lib/modules:ro variables: diff --git a/.daily.yml b/.daily.yml index 27f873cd4e..81c361e8cb 100644 --- a/.daily.yml +++ b/.daily.yml @@ -23,11 +23,11 @@ schedules: resources: containers: - container: nosgx - image: ccfciteam/ccf-ci:oe0.17.1 + image: ccfciteam/ccf-ci:oe0.17.1-focal options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /dev/shm:/tmp/ccache - container: sgx - image: ccfciteam/ccf-ci:oe0.17.1 + image: ccfciteam/ccf-ci:oe0.17.1-focal options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache jobs: diff --git a/.github/workflows/ci-checks.yml b/.github/workflows/ci-checks.yml index ab8d09f558..440d4b2384 100644 --- a/.github/workflows/ci-checks.yml +++ b/.github/workflows/ci-checks.yml @@ -8,8 +8,8 @@ on: jobs: checks: - runs-on: ubuntu-18.04 - container: ccfciteam/ccf-ci:oe0.17.1 + runs-on: ubuntu-20.04 + container: ccfciteam/ccf-ci:oe0.17.1-focal steps: - name: Checkout repository diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index fa3a1333db..7f34806a75 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -12,7 +12,7 @@ on: jobs: analyze: name: Analyze - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 strategy: fail-fast: false 
diff --git a/.multi-thread.yml b/.multi-thread.yml index 6b9022764a..7f588ac314 100644 --- a/.multi-thread.yml +++ b/.multi-thread.yml @@ -16,7 +16,7 @@ pr: resources: containers: - container: sgx - image: ccfciteam/ccf-ci:oe0.17.1 + image: ccfciteam/ccf-ci:oe0.17.1-focal options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache jobs: diff --git a/.stress.yml b/.stress.yml index 3b972d5c9c..0619effd04 100644 --- a/.stress.yml +++ b/.stress.yml @@ -21,7 +21,7 @@ schedules: resources: containers: - container: sgx - image: ccfciteam/ccf-ci:oe0.17.1 + image: ccfciteam/ccf-ci:oe0.17.1-focal options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache jobs: diff --git a/CHANGELOG.md b/CHANGELOG.md index 972ea24f1f..c655584bc7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. - Upgrade OpenEnclave from 0.17.0 to 0.17.1. - `get_state_at()` now returns receipts for signature transactions (#2785), see [documentation](https://microsoft.github.io/CCF/main/use_apps/verify_tx.html#transaction-receipts) for details. +- Upgrade playbooks and base CI image to Ubuntu 20.04 ### Removed diff --git a/doc/build_apps/install_bin.rst b/doc/build_apps/install_bin.rst index aae42f1c6c..057a3b3a5b 100644 --- a/doc/build_apps/install_bin.rst +++ b/doc/build_apps/install_bin.rst @@ -4,7 +4,7 @@ Install CCF Requirements ------------ -CCF builds and runs on Linux. It is primarily developed and tested on Ubuntu 18.04, with Clang 8. +CCF builds and runs on Linux. It is primarily developed and tested on Ubuntu 20.04, with Clang 8. Running CCF with full security guarantees requires :term:`SGX` hardware with :term:`FLC`. .. note:: diff --git a/docker/app_ci b/docker/app_ci index a79c623d24..8033ff2a6f 100644 --- a/docker/app_ci +++ b/docker/app_ci 
@@ -1,7 +1,7 @@ # Application Continuous Integration image # Contains a CCF release, compile toolchain and Azure CLI tooling -FROM ubuntu:18.04 +FROM ubuntu:20.04 ARG extra_vars @@ -10,6 +10,7 @@ RUN echo "APT::Acquire::Retries \"5\";" | tee /etc/apt/apt.conf.d/80-retries # Work-around for https://github.com/intel/linux-sgx/issues/395 RUN mkdir -p /etc/init +ENV UBUNTU=focal ENV PSW_VERSION=2.13.103 RUN if [ -z "$PSW_VERSION" ]; then echo "Please set PSW_VERSION (e.g. 2.11)." >&2; exit 1; fi ENV DCAP_CLIENT_VERSION=1.10 @@ -20,9 +21,9 @@ RUN apt-get update && apt-get install -y wget gnupg # Use the APT preference file to pin sgx packages to specific versions # Reference https://manpages.debian.org/buster/apt/apt_preferences.5.en.html # Download the pref file from https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/ -# Assuming file name to follow *sgx__bionic_custom_version.cfg convention -RUN ["/bin/bash", "-c", "wget -r -l1 --no-parent -nd -A *sgx_$(echo ${PSW_VERSION//./_})_bionic_custom_version.cfg https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/"] -RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_bionic_custom_version.cfg /etc/apt/preferences.d/intel-sgx.pref"] +# Assuming file name to follow *sgx__${UBUNTU}_custom_version.cfg convention +RUN ["/bin/bash", "-c", "wget -r -l1 --no-parent -nd -A *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_version.cfg https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/"] +RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_version.cfg /etc/apt/preferences.d/intel-sgx.pref"] COPY getting_started/setup_vm/ /setup_vm/ RUN apt update \ diff --git a/docker/app_run b/docker/app_run index 43dcf89505..46276a0947 100644 --- a/docker/app_run +++ b/docker/app_run @@ -1,7 +1,7 @@ # Application Runtime image # Contains the cchost binary and its runtime dependencies -FROM ubuntu:18.04 +FROM ubuntu:20.04 ARG extra_vars 
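Review bot: In the `@@ -20,9 +21,9 @@` hunk of docker/app_ci, the APT preference file is still selected by an accept glob from the remote directory listing and moved into `/etc/apt/preferences.d/intel-sgx.pref` with no integrity check. Whatever file matches `*sgx_..._${UBUNTU}_custom_version.cfg` at build time therefore decides which SGX package versions are pinned. Consider verifying it after the `mv`, for example `RUN echo "<EXPECTED_SHA256_OF_PREF_FILE>  /etc/apt/preferences.d/intel-sgx.pref" | sha256sum -c -`, with the digest recorded next to `PSW_VERSION`. The same two `RUN` lines change identically in docker/app_run and docker/ccf_ci. `ENV UBUNTU=focal` also has to be kept in step with `FROM ubuntu:20.04` by hand, so a short comment such as `# must match the codename of the base image above` would help.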
@@ -10,6 +10,7 @@ RUN echo "APT::Acquire::Retries \"5\";" | tee /etc/apt/apt.conf.d/80-retries # Work-around for https://github.com/intel/linux-sgx/issues/395 RUN mkdir -p /etc/init +ENV UBUNTU=focal ENV PSW_VERSION=2.13.103 RUN if [ -z "$PSW_VERSION" ]; then echo "Please set PSW_VERSION (e.g. 2.11)." >&2; exit 1; fi ENV DCAP_CLIENT_VERSION=1.10 @@ -20,9 +21,9 @@ RUN apt-get update && apt-get install -y wget gnupg # Use the APT preference file to pin sgx packages to specific versions # Reference https://manpages.debian.org/buster/apt/apt_preferences.5.en.html # Download the pref file from https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/ -# Assuming file name to follow *sgx__bionic_custom_version.cfg convention -RUN ["/bin/bash", "-c", "wget -r -l1 --no-parent -nd -A *sgx_$(echo ${PSW_VERSION//./_})_bionic_custom_version.cfg https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/"] -RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_bionic_custom_version.cfg /etc/apt/preferences.d/intel-sgx.pref"] +# Assuming file name to follow *sgx__${UBUNTU}_custom_version.cfg convention +RUN ["/bin/bash", "-c", "wget -r -l1 --no-parent -nd -A *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_version.cfg https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/"] +RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_version.cfg /etc/apt/preferences.d/intel-sgx.pref"] COPY getting_started/setup_vm/ /setup_vm/ RUN apt update \ diff --git a/docker/ccf_ci b/docker/ccf_ci index 66c51b8159..c29fc3ca76 100644 --- a/docker/ccf_ci +++ b/docker/ccf_ci 
@@ -1,13 +1,16 @@ # CCF Continuous Integration image # Contains CCF build dependencies, compile toolchain and Azure CLI tooling -FROM ubuntu:18.04 +FROM ubuntu:20.04 + +ARG extra_vars RUN echo "APT::Acquire::Retries \"5\";" | tee /etc/apt/apt.conf.d/80-retries # Work-around for https://github.com/intel/linux-sgx/issues/395 RUN mkdir -p /etc/init +ENV UBUNTU=focal ENV PSW_VERSION=2.13.103 RUN if [ -z "$PSW_VERSION" ]; then echo "Please set PSW_VERSION (e.g. 2.11)." >&2; exit 1; fi ENV DCAP_CLIENT_VERSION=1.10 @@ -18,9 +21,9 @@ RUN apt-get update && apt-get install -y wget gnupg # Use the APT preference file to pin sgx packages to specific versions # Reference https://manpages.debian.org/buster/apt/apt_preferences.5.en.html # Download the pref file from https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/ -# Assuming file name to follow *sgx__bionic_custom_version.cfg convention -RUN ["/bin/bash", "-c", "wget -r -l1 --no-parent -nd -A *sgx_$(echo ${PSW_VERSION//./_})_bionic_custom_version.cfg https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/"] -RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_bionic_custom_version.cfg /etc/apt/preferences.d/intel-sgx.pref"] +# Assuming file name to follow *sgx__${UBUNTU}_custom_version.cfg convention +RUN ["/bin/bash", "-c", "wget -r -l1 --no-parent -nd -A *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_version.cfg https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/"] +RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_version.cfg /etc/apt/preferences.d/intel-sgx.pref"] COPY getting_started/setup_vm/ /setup_vm/ RUN apt update \ diff --git a/getting_started/setup_vm/ccf-dev.yml b/getting_started/setup_vm/ccf-dev.yml index 93aa2a8a21..3b92004b1b 100644 --- a/getting_started/setup_vm/ccf-dev.yml +++ b/getting_started/setup_vm/ccf-dev.yml 
@@ -9,9 +9,6 @@ - import_role: name: openenclave tasks_from: binary_install.yml - - import_role: - name: llvm_repo - tasks_from: install.yml - import_role: name: nodejs tasks_from: install.yml diff --git a/getting_started/setup_vm/roles/ccf_build/tasks/install.yml b/getting_started/setup_vm/roles/ccf_build/tasks/install.yml index ea281638a1..4e1e5fbd7b 100644 --- a/getting_started/setup_vm/roles/ccf_build/tasks/install.yml +++ b/getting_started/setup_vm/roles/ccf_build/tasks/install.yml @@ -1,24 +1,6 @@ - name: Include vars include_vars: common.yml -- name: Add Python PPA - apt_repository: - repo: ppa:deadsnakes/ppa - become: true - -- name: Add CMake repository key - apt_key: - url: "https://apt.kitware.com/keys/kitware-archive-latest.asc" - state: present - become: yes - -- name: Add CMake repository - apt_repository: - repo: "deb https://apt.kitware.com/ubuntu/ {{ ansible_distribution_release }} main" - state: present - update_cache: yes - become: yes - - name: Install debs apt: name: "{{ debs }}" 
@@ -69,36 +51,18 @@ - name: Download doxygen get_url: - url: https://github.com/doxygen/doxygen/archive/Release_{{ doxygen_src }} - dest: "{{ workspace }}/{{ doxygen_src }}" - become: true - -- name: Remove existing doxygen checkout - file: - path: "{{ workspace }}/doxygen-{{ doxygen_dir }}" - state: absent + url: "{{ doxygen_url }}" + dest: "{{ workspace }}/{{ doxygen_bin }}" - name: Expand doxygen unarchive: - src: "{{ workspace }}/{{ doxygen_src }}" + src: "{{ workspace }}/{{ doxygen_bin }}" dest: "{{ workspace }}" copy: no - creates: "{{ workspace }}/doxygen-{{ doxygen_dir }}/CMakeLists.txt" - -- name: Make doxygen build dir - file: - path: "{{ workspace }}/doxygen-{{ doxygen_dir }}/build" - state: directory - -- name: Build doxygen - shell: | - CC=$(which clang-8) CXX=$(which clang++-8) cmake -DCMAKE_BUILD_TYPE=Release .. - make - args: - chdir: "{{ workspace }}/doxygen-{{ doxygen_dir }}/build" + creates: "{{ workspace }}/doxygen-{{ doxygen_ver }}/Makefile" - name: Install doxygen command: make install args: - chdir: "{{ workspace }}/doxygen-{{ doxygen_dir }}/build" + chdir: "{{ workspace }}/doxygen-{{ doxygen_ver }}" become: true diff --git a/getting_started/setup_vm/roles/ccf_build/vars/common.yml b/getting_started/setup_vm/roles/ccf_build/vars/common.yml index ecc1a0a061..b4ed5dd83a 100644 --- a/getting_started/setup_vm/roles/ccf_build/vars/common.yml +++ b/getting_started/setup_vm/roles/ccf_build/vars/common.yml @@ -11,17 +11,20 @@ debs: - clang-8 - clang-format-8 - clang-tools-8 + - build-essential - expect - git - ccache - - kmod + - kmod # modinfo for sgxinfo.sh - cmake - libssl-dev - - jq + - jq # operation scripts - sudo - - curl - - shellcheck - - iptables + - curl # client test infra + - shellcheck # bash lint + - iptables # partition test infra + - libclang1-9 # required by doxygen + - libclang-cpp9 # required by doxygen - flex # required to build doxygen - bison # required to build doxygen 
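Review bot: The rewritten `Download doxygen` task fetches a prebuilt binary tarball from `{{ doxygen_url }}` without a `checksum`, and `Install doxygen` then runs `make install` from the unpacked tree with `become: true`. Unverified third-party content is therefore executed as root on any machine set up with this playbook. `get_url` accepts a digest, so add `checksum: "sha256:<EXPECTED_SHA256_OF_DOXYGEN_TARBALL>"` to the task and keep the value next to `doxygen_ver` in roles/ccf_build/vars/common.yml so the two are bumped together. The URL bumps in roles/intel/vars/common.yml and roles/openenclave/vars/common.yml (SGX driver installers, the Open Enclave .deb, the LVI toolset) deserve the same check, though the tasks that consume them are not visible in this diff.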
@@ -29,6 +32,6 @@ mbedtls_ver: "2.16.10" mbedtls_dir: "mbedtls-{{ mbedtls_ver }}" mbedtls_src: "{{ mbedtls_dir }}.tar.gz" -doxygen_ver: "1_9_1" -doxygen_dir: "Release_{{ doxygen_ver }}" -doxygen_src: "{{ doxygen_ver }}.tar.gz" +doxygen_ver: "1.9.1" +doxygen_bin: "doxygen-{{ doxygen_ver }}.linux.bin.tar.gz" +doxygen_url: "https://doxygen.nl/files/{{ doxygen_bin }}" diff --git a/getting_started/setup_vm/roles/intel/vars/common.yml b/getting_started/setup_vm/roles/intel/vars/common.yml index 9da7e4062b..c995e2ec6e 100644 --- a/getting_started/setup_vm/roles/intel/vars/common.yml +++ b/getting_started/setup_vm/roles/intel/vars/common.yml @@ -3,8 +3,8 @@ --- flc_enabled: true -intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/sgx-dcap/1.7/linux/distro/ubuntu18.04-server/sgx_linux_x64_driver_1.35.bin" -intel_sgx1_driver_url: "https://download.01.org/intel-sgx/sgx-linux/2.13/distro/ubuntu18.04-server/sgx_linux_x64_driver_2.11.0_0373e2e.bin" +intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/sgx-dcap/1.7/linux/distro/ubuntu20.04-server/sgx_linux_x64_driver_1.41.bin" +intel_sgx1_driver_url: "https://download.01.org/intel-sgx/sgx-linux/2.13/distro/ubuntu20.04-server/sgx_linux_x64_driver_2.11.0_2d2b795.bin" intel_sgx_packages: - "libsgx-enclave-common" diff --git a/getting_started/setup_vm/roles/openenclave/tasks/binary_install.yml b/getting_started/setup_vm/roles/openenclave/tasks/binary_install.yml index 779813c31f..eaea563042 100644 --- a/getting_started/setup_vm/roles/openenclave/tasks/binary_install.yml +++ b/getting_started/setup_vm/roles/openenclave/tasks/binary_install.yml @@ -70,7 +70,7 @@ - name: Copy Intel LVI as copy: remote_src: yes - src: "{{ workspace }}/external/toolset/ubuntu18.04/as" + src: "{{ workspace }}/external/toolset/ubuntu20.04/as" dest: "{{ oe_lvi_bin_dir }}/as" mode: "0775" become: yes 
@@ -78,7 +78,7 @@ - name: Copy Intel LVI ld copy: remote_src: yes - src: "{{ workspace }}/external/toolset/ubuntu18.04/ld" + src: "{{ workspace }}/external/toolset/ubuntu20.04/ld" dest: "{{ oe_lvi_bin_dir }}/ld" mode: "0775" become: yes diff --git a/getting_started/setup_vm/roles/openenclave/vars/common.yml b/getting_started/setup_vm/roles/openenclave/vars/common.yml index 32c3cbcebc..ce659874ab 100644 --- a/getting_started/setup_vm/roles/openenclave/vars/common.yml +++ b/getting_started/setup_vm/roles/openenclave/vars/common.yml @@ -11,7 +11,7 @@ oe_playbook: scripts/ansible/oe-contributors-acc-setup-no-driver.yml oe_build_opts: "" # Binary install -oe_deb: "https://github.com/openenclave/openenclave/releases/download/v{{ oe_ver }}/Ubuntu_1804_open-enclave_{{ oe_ver_ }}_amd64.deb" +oe_deb: "https://github.com/openenclave/openenclave/releases/download/v{{ oe_ver }}/Ubuntu_2004_open-enclave_{{ oe_ver_ }}_amd64.deb" # LVI mitigations oe_lvi_scripts_dir: "{{ oe_prefix }}/bin/scripts/lvi-mitigation" @@ -19,4 +19,4 @@ oe_lvi_clang_version: "clang-8" oe_lvi_clangpp_version: "clang++-8" oe_lvi_bin_dir: /opt/oe_lvi oe_lvi_toolset_name: "as.ld.objdump.gold.r3.tar.gz" -oe_lvi_intel_bin_url: "https://download.01.org/intel-sgx/sgx-linux/2.13.3/{{ oe_lvi_toolset_name }}" +oe_lvi_intel_bin_url: "https://download.01.org/intel-sgx/sgx-linux/2.14/{{ oe_lvi_toolset_name }}" diff --git a/getting_started/setup_vm/run.sh b/getting_started/setup_vm/run.sh index 75dc370e06..8470c36ff7 100755 --- a/getting_started/setup_vm/run.sh +++ b/getting_started/setup_vm/run.sh @@ -4,11 +4,6 @@ set -ex -# Bionic/18.04 ships ansible 2.5, which does not support some of -# the features our playbooks need like apt_repository. Once we -# upgrade to 20.4, the following two lines can be removed. -sudo add-apt-repository ppa:ansible/ansible -y sudo apt-get update - sudo apt install ansible -y ansible-playbook "$@" 
diff --git a/python/utils/verify_quote.sh b/python/utils/verify_quote.sh index 82f637477a..066b527b1f 100755 --- a/python/utils/verify_quote.sh +++ b/python/utils/verify_quote.sh @@ -50,7 +50,7 @@ if [ ${#trusted_mrenclaves[@]} -eq 0 ]; then for code_id in $(curl -sS --fail -X GET "${node_address}"/node/code "${@}" | jq .versions | jq -c ".[]"); do code_status=$(echo "${code_id}" | jq -r .status) if [ "${code_status}" = "AllowedToJoin" ]; then - trusted_mrenclaves+=($(echo "${code_id}" | jq -r .digest)) + trusted_mrenclaves+=("$(echo "${code_id}" | jq -r .digest)") fi done echo "Retrieved ${#trusted_mrenclaves[@]} accepted code versions from CCF service." diff --git a/scripts/ci-checks.sh b/scripts/ci-checks.sh index c6edfa90f5..b37b9bb85c 100755 --- a/scripts/ci-checks.sh +++ b/scripts/ci-checks.sh @@ -57,7 +57,7 @@ if [ ! -f "scripts/env/bin/activate" ] fi source scripts/env/bin/activate -pip --disable-pip-version-check install -U black pylint mypy 1>/dev/null +pip --disable-pip-version-check install -U wheel black pylint mypy 1>/dev/null echo "Python format" if [ $FIX -ne 0 ]; then diff --git a/tests/jwt_test.py b/tests/jwt_test.py index b90c8912d3..c0bb62dc44 100644 --- a/tests/jwt_test.py +++ b/tests/jwt_test.py @@ -142,9 +142,26 @@ def test_jwt_with_sgx_key_policy(network, args): kid = "my_kid" issuer = infra.jwt_issuer.JwtIssuer("my_issuer", oe_cert_pem) + oesign = os.path.join(args.oe_binary, "oesign") + oeutil_enc = os.path.join(args.oe_binary, "oeutil_enc.signed") + sc = infra.proc.ccall( + oesign, + "dump", + "-e", + oeutil_enc, + ) + sc.check_returncode() + lines = sc.stdout.decode().split() + for line in lines: + if line.startswith("mrsigner="): + mrsigner = line.strip().split("=")[1] + break + else: + assert False, f"Could not find mrsigner in {lines}" + matching_key_policy = { "sgx_claims": { - "signer_id": "c03633124785becb6b1b007e45e4ba8f07aea3000c9a500e91e00bdd5a232d46", + "signer_id": mrsigner, "attributes": "0300000000000000", } } 
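Review bot: In python/utils/verify_quote.sh, quoting the command substitution means an empty `.digest` is now appended to `trusted_mrenclaves` as an empty element, where the unquoted form dropped it. A missing field still adds the literal string `null`, as before. Because this array is the allow-list of measurements, it is safer to reject both cases explicitly, for example `digest=$(echo "${code_id}" | jq -er '.digest | select(length > 0)') && trusted_mrenclaves+=("${digest}")`. How the array is compared against the quote is outside this hunk, as is the end of the enclosing `if` block.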
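Review bot: In tests/jwt_test.py, the failure path of the new `mrsigner` lookup is `assert False, ...`, which is stripped under `python -O` and would leave `mrsigner` unbound at the `signer_id` line. Prefer `raise ValueError(f"Could not find mrsigner in {lines}")` in the `else` branch. The variable `lines` actually holds whitespace-separated tokens because of `.split()`, so rename it to `tokens` or add `# oesign dump prints key=value pairs; split on any whitespace`, and use `split("=", 1)[1]` so the value is kept whole. A one-line comment would also help, stating that the expected signer is read from the installed `oeutil_enc.signed` so the policy follows the key that signed the Open Enclave package. The hunk relies on `os` being imported at the top of the file, which is not visible here, and the body of `test_jwt_with_sgx_key_policy` starts and ends outside the hunk.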
diff --git a/tests/sandbox/sandbox.sh b/tests/sandbox/sandbox.sh index 1b160a0865..f9859ad220 100755 --- a/tests/sandbox/sandbox.sh +++ b/tests/sandbox/sandbox.sh @@ -55,7 +55,7 @@ if [ -f "${VERSION_FILE}" ]; then extra_args+=(--package "${PATH_HERE}/../lib/libjs_generic") extra_args+=(--js-app-bundle "${PATH_HERE}/../samples/logging/js") fi - if [ ! -z "${PYTHON_PACKAGE_PATH}" ]; then + if [ -n "${PYTHON_PACKAGE_PATH}" ]; then # With an install tree, the python package can be specified, e.g. when testing # an install just before it is released echo "Using python package: ${PYTHON_PACKAGE_PATH}" diff --git a/tests/test_install.sh b/tests/test_install.sh index 904a85c670..9249fed551 100755 --- a/tests/test_install.sh +++ b/tests/test_install.sh @@ -40,7 +40,7 @@ fi # Setup env INSTALL_PREFIX="$1" -if [ ! -z "$PYTHON_PACKAGE_PATH" ]; then +if [ -n "$PYTHON_PACKAGE_PATH" ]; then PYTHON_PACKAGE_PATH=$(realpath -s "${PYTHON_PACKAGE_PATH}") fi working_dir="nested/run" diff --git a/tests/test_install_build.sh b/tests/test_install_build.sh index 47887a4087..67416d6926 100755 --- a/tests/test_install_build.sh +++ b/tests/test_install_build.sh @@ -5,5 +5,5 @@ set -ex mkdir -p build_against_install cd build_against_install -CC=$(which clang-8) CXX=$(which clang++-8) cmake -GNinja ../samples/apps/logging/ +CC=$(command -v clang-8) CXX=$(command -v clang++-8) cmake -GNinja ../samples/apps/logging/ ninja \ No newline at end of file