Take update root keys as a packaging flag (#8)

This allows specifying the root key metadata which was the remaining requirement to allow working with a self-hosted update server.
2024-11-06 08:55:24 +00:00 · 2021-03-22 17:38:32 -07:00 · 2021-03-22 17:38:32 -07:00 · de5b4f7a6a
commit de5b4f7a6a
parent adcae02409
5 changed files with 16 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -99,7 +99,8 @@ Orbit, like standalone osquery, is typically deployed via OS-specific packages.

 ### Packaging support

- **macOS** - `.pkg` package generation with (optional) [Notarization](https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution) - Persistence via `launchd`.
+- **macOS** - `.pkg` package generation with (optional) [Notarization](https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution) and codesigning.
+- Persistence via `launchd`.

 - **Linux** - `.deb` (Debian, Ubuntu, etc.) & `.rpm` (RHEL, CentOS, etc.) package generation - Persistence via `systemd`.

--- a/cmd/package/package.go
+++ b/cmd/package/package.go
@ -68,7 +68,7 @@ func main() {
 		},
 		&cli.StringFlag{
 			Name:        "sign-identity",
-			Usage:       "Identity to use for codesigning",
+			Usage:       "Identity to use for macOS codesigning",
 			Destination: &opt.SignIdentity,
 		},
 		&cli.BoolFlag{
@ -94,6 +94,11 @@ func main() {
 			Value:       "https://tuf.fleetctl.com",
 			Destination: &opt.UpdateURL,
 		},
+		&cli.StringFlag{
+			Name:        "update-roots",
+			Usage:       "Root key JSON metadata for update server (from fleetctl updates roots)",
+			Destination: &opt.UpdateRoots,
+		},
 		&cli.BoolFlag{
 			Name:        "debug",
 			Usage:       "Enable debug logging",
--- a/pkg/packaging/linux_shared.go
+++ b/pkg/packaging/linux_shared.go
@ -42,6 +42,9 @@ func buildNFPM(opt Options, pkger nfpm.Packager) error {
 	updateOpt.OrbitChannel = opt.OrbitChannel
 	updateOpt.OsquerydChannel = opt.OsquerydChannel
 	updateOpt.ServerURL = opt.UpdateURL
+	if opt.UpdateRoots != "" {
+		updateOpt.RootKeys = opt.UpdateRoots
+	}

 	if err := initializeUpdates(updateOpt); err != nil {
 		return errors.Wrap(err, "initialize updates")
--- a/pkg/packaging/macos.go
+++ b/pkg/packaging/macos.go
@ -46,6 +46,9 @@ func BuildPkg(opt Options) error {
 	updateOpt.OrbitChannel = opt.OrbitChannel
 	updateOpt.OsquerydChannel = opt.OsquerydChannel
 	updateOpt.ServerURL = opt.UpdateURL
+	if opt.UpdateRoots != "" {
+		updateOpt.RootKeys = opt.UpdateRoots
+	}

 	if err := initializeUpdates(updateOpt); err != nil {
 		return errors.Wrap(err, "initialize updates")
--- a/pkg/packaging/packaging.go
+++ b/pkg/packaging/packaging.go
@ -40,6 +40,8 @@ type Options struct {
 	OsquerydChannel string
 	// UpdateURL is the base URL of the update server (TUF repository).
 	UpdateURL string
+	// UpdateRoots is the root JSON metadata for update server (TUF repository).
+	UpdateRoots string
 	// Debug determines whether to enable debug logging for the agent.
 	Debug bool
 }