empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 08:55:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a9584dc32f
fleet/tools/fleetctl-docker
History
StepSecurity Bot fb152b9114
Pin image SHA in Dockerfiles (#10205) 
## Summary

This pull request is created by [Secure
Repo](https://app.stepsecurity.io/securerepo) at the request of @zwass.
Please merge the Pull Request to incorporate the requested changes.
Please tag @zwass on your message if you have any questions related to
the PR. You can also engage with the
[StepSecurity](https://github.com/step-security) team by tagging
@step-security-bot.

## Security Fixes

### Secure Dockerfiles

Pin image tags to digests in Dockerfiles. With the Docker v2 API
release, it became possible to use digests in place of tags when pulling
images or to use them in FROM lines in Dockerfiles.

- [The Open Source Security Foundation (OpenSSF) Security
Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies)


## Feedback
For bug reports, feature requests, and general feedback; please create
an issue in
[step-security/secure-repo](https://github.com/step-security/secure-repo).
To create such PRs, please visit https://app.stepsecurity.io/securerepo.


Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

---------

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2023-03-01 11:37:00 -08:00
..
Dockerfile Pin image SHA in Dockerfiles (#10205) 2023-03-01 11:37:00 -08:00
README.md add support for notarization in fleetdm/fleetctl images (#6818) 2022-07-25 20:06:10 -03:00

README.md

fleetdm/fleetctl

This docker image allows to run fleetctl in a Linux environment that has all the necessary dependencies to package msi, pkg, deb and rpm packages.

Usage

docker run fleetdm/fleetctl command [flags]

Build artifacts are generated at /build. To get a package using this image:

docker run -v "$(pwd):/build" fleetdm/fleetctl package --type=msi

Building

This image needs to be built from the root of the repo in order for the build context to have access to the fleetctl binary. To build the image, run:

make fleetctl-docker

macOS signing + notarization

To sign and notarize a generated pkg you must have:

  1. A Developer ID certificate in PEM format
  2. An Apple Store Connect API key

Note: the Developer ID certificate must be in PEM format because this image can be run in automated enviroments where secrets are passed via environment variables, and thus they must be in plain text.

To convert a PKCS 12 certificate to PEM, you can run the following command:

openssl pkcs12 -in /path/to/cert.p12 -out signing-keypair.pem -nodes

Once you are set, you can build and notarize/staple your package with:

docker run -v "$(pwd):/build" fleetdm/fleetctl package --type=pkg   \
  --macos-devid-pem-content="$(cat /path/to/signing-keypair.pem)" \
  --notarize \
  --app-store-connect-api-key-id="A6DX865SKS" \
  --app-store-connect-api-key-issuer="68911d4c-110c-4172-b9f7-b7efa30f9680 " \
  --app-store-connect-api-key-content="$(cat /path/to/AuthKey_A6DX865SKS.p8)"

Publishing

There's a GitHub workflow to build and publish this image to Docker Hub, currently it has to be triggered manually.