From 310ebc295ad683add193f62ba7254b42e8a39fce Mon Sep 17 00:00:00 2001
From: Michael Heller <21163552+mdheller@users.noreply.github.com>
Date: Tue, 16 Jun 2026 14:39:51 -0400
Subject: [PATCH] =?UTF-8?q?fix:=20fourth=20audit=20=E2=80=94=20nix=20build?= =?UTF-8?q?=20log,=20signing=20key=20validation,=20idempotent=20publish,?= =?UTF-8?q?=20hw-config=20tmp=20cleanup?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 scripts/enroll.sh | 16 +++++++++++-----
 scripts/katello-sourceos-setup.sh | 27 ++++++++++++++++++++-------
 2 files changed, 31 insertions(+), 12 deletions(-)
diff --git a/scripts/enroll.sh b/scripts/enroll.sh
index a9cd216..b665642 100755
--- a/scripts/enroll.sh
+++ b/scripts/enroll.sh
@@ -145,6 +145,8 @@ ok "Preflight passed ($(elapsed))"
 step 1 "Hardware configuration"
+rm -f "${HW_CONFIG}.tmp" # clean up any stale temp from a previous interrupted run
+
 if [[ -f "${HW_CONFIG}" ]]; then
 ok "hardware-configuration.nix already present"
 else
@@ -354,6 +356,9 @@ else
 fi
 SIGNING_PUBKEY=$(grep -v '^untrusted comment' "${MINISIGN_PUB}" | head -1)
+[[ -n "${SIGNING_PUBKEY}" ]] || \
+ die "minisign public key file is empty or malformed: ${MINISIGN_PUB}
+ Delete and re-run: rm -f ${MINISIGN_PUB} ${MINISIGN_SEC} && sudo bash scripts/enroll.sh"
 info "Signing public key: ${SIGNING_PUBKEY}"
 # Write nix-cache-info and sign it. nginx serves the .minisig file alongside
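Review bot: The guard added after `SIGNING_PUBKEY=$(grep -v ... | head -1)` only rejects an empty string, so a truncated or hand-edited key file still passes and the "malformed" wording in the `die` message is not actually verified, even though the comment below suggests this value ends up as what cache clients are told to trust. A minisign public key is a single base64 line of 56 characters beginning with `RW`, so the check can be tightened to `[[ "${SIGNING_PUBKEY}" =~ ^RW[A-Za-z0-9+/]{54}$ ]] || \` with the existing `die` text kept. Separately, if enroll.sh runs under `set -e` with `pipefail` (not visible in this hunk), a key file with no non-comment lines makes `grep -v` exit 1 and the assignment itself aborts the script before the new guard runs, so the friendlier message would not appear in exactly the empty-file case it describes; `$(grep -v '^untrusted comment' "${MINISIGN_PUB}" | head -1 || true)` avoids that. The `if`/`else`/`fi` this hunk closes at its top begins outside the hunk; the new lines themselves are top-level script code.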
@@ -380,13 +385,14 @@ ok "enroll.nix written — no Nix file patching needed ($(elapsed))"
 step 10 "Build NixOS closure + push to harmonia cache"
 info "Building builder-aarch64 system closure..."
+BUILD_LOG="/tmp/sourceos-enroll-nix-build-$(date +%s).log"
 CLOSURE=$(nix build "${REPO_ROOT}#nixosConfigurations.${HOST}.config.system.build.toplevel" \
- --no-link --print-out-paths 2>/dev/null)
-# nix build returns empty stdout on failure (errors go to stderr). Verify both that
-# CLOSURE is non-empty and that the path actually exists in the Nix store.
+ --no-link --print-out-paths 2>"${BUILD_LOG}")
+# nix build emits errors only to stderr (captured to BUILD_LOG above).
+# Verify stdout produced a non-empty, existing store path.
 [[ -n "${CLOSURE}" && -e "${CLOSURE}" ]] || \
- die "nix build failed — retry with:
- nix build ${REPO_ROOT}#nixosConfigurations.${HOST}.config.system.build.toplevel --no-link --show-trace"
+ die "nix build failed. Build log: ${BUILD_LOG}
+ For full trace: nix build ${REPO_ROOT}#nixosConfigurations.${HOST}.config.system.build.toplevel --no-link --show-trace"
 ok "Built: ${CLOSURE}"
 # Harmonia must be running before we can push (it starts after pass-2 rebuild).
diff --git a/scripts/katello-sourceos-setup.sh b/scripts/katello-sourceos-setup.sh
index 947a983..99fc7f4 100755
--- a/scripts/katello-sourceos-setup.sh
+++ b/scripts/katello-sourceos-setup.sh
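Review bot: `BUILD_LOG="/tmp/sourceos-enroll-nix-build-$(date +%s).log"` is a predictable name in a world-writable directory, and the very next command opens it with `2>"${BUILD_LOG}"`; the error text in the earlier hunk suggests this script runs via `sudo`, so an existing file or symlink planted at that path would be followed and overwritten with root privileges, and two retries within the same second would also share a name. Create the log with `mktemp` instead so it is made fresh with an unguessable name: `BUILD_LOG=$(mktemp /tmp/sourceos-enroll-nix-build.XXXXXX) || die "could not create nix build log"`. The log is also never removed on the success path; an `rm -f -- "${BUILD_LOG}"` after `ok "Built: ${CLOSURE}"` would keep /tmp from accumulating one file per run while still leaving it in place on the `die` path where it is referenced.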
@@ -78,13 +78,26 @@ $HAMMER content-view add-repository --organization "${ORG}" \
 --repository "sourceos-closures-aarch64" \
 2>/dev/null || echo " sourceos-closures-aarch64 already in view"
-# Publish version 1.0 to Library
-echo "--- publishing content view (this may take a minute)"
-$HAMMER content-view publish --organization "${ORG}" \
- --name "sourceos-builder-aarch64" \
- --description "Initial publish — dev channel bootstrap"
-
-# Promote to dev lifecycle environment
+# Publish version 1.0 to Library — skip if any version already exists.
+# Re-running katello-sourceos-setup.sh (e.g. during enroll.sh retry) must not
+# create a new CV version: publishing is slow (1-2 min) and the extra versions
+# are noise that complicates CV_VERSION selection in subsequent steps.
+echo "--- checking content view publish state"
+EXISTING_CV_VERSIONS=$($HAMMER --output json content-view version list \
+ --organization "${ORG}" \
+ --content-view "sourceos-builder-aarch64" 2>/dev/null | \
+ python3 -c "import json,sys; print(len(json.load(sys.stdin)))" 2>/dev/null || echo "0")
+
+if [[ "${EXISTING_CV_VERSIONS}" -eq 0 ]]; then
+ echo "--- publishing content view (this may take a minute)"
+ $HAMMER content-view publish --organization "${ORG}" \
+ --name "sourceos-builder-aarch64" \
+ --description "Initial publish — dev channel bootstrap"
+else
+ echo " content view already has ${EXISTING_CV_VERSIONS} version(s) — skipping publish"
+fi
+
+# Promote to dev lifecycle environment (idempotent — hammer returns 0 if already promoted)
 echo "--- promoting to dev"
 CV_VERSION=$($HAMMER --output json content-view version list \
 --organization "${ORG}" \
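Review bot: The `EXISTING_CV_VERSIONS=$(... || echo "0")` assignment turns every failure of the hammer lookup (authentication, wrong organization, hammer missing, unparseable output) into "0 versions", so the script then runs `content-view publish` — exactly the duplicate-version path the new comment says must be avoided — while both `2>/dev/null` redirections discard the actual error. Capture the listing in its own step that fails loudly (assuming hammer signals errors through a non-zero exit status), then count from the captured JSON; the `if`/`else` publish block stays as written. The `CV_VERSION=$(...)` command at the bottom repeats the same query and continues past the end of this hunk; it could reuse the captured JSON, but that change lies outside the hunk.
```shell
echo "--- checking content view publish state"
# A failed lookup must not be mistaken for "no versions yet", or publish runs again.
CV_VERSION_JSON=$($HAMMER --output json content-view version list \
  --organization "${ORG}" \
  --content-view "sourceos-builder-aarch64") \
  || { echo "error: could not list versions of content view sourceos-builder-aarch64" >&2; exit 1; }
EXISTING_CV_VERSIONS=$(printf '%s' "${CV_VERSION_JSON}" \
  | python3 -c "import json,sys; print(len(json.load(sys.stdin)))")
# … unchanged: if/else publish block and promote comment …
```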