Improve quality of packages built through docker (#5)

keldonin · web-flow · commit 86bafecb94b0 · 2025-03-14T13:52:44.000+01:00
* improve packaging quality
* removed debug instruction from script
diff --git a/.gitignore b/.gitignore
@@ -43,4 +43,9 @@ pkcs11rc
 # emacs
 TAGS
 *~
+
+# debugging stuff
+pkcs11.txt
+cert9.db
+key4.db
  
diff --git a/Makefile.am b/Makefile.am
@@ -29,4 +29,5 @@ EXTRA_DIST = 	include/cryptoki.h \
 		README.md \
 		CHANGELOG.md
 
-
+install-exec-hook:
+	chmod 644 $(DESTDIR)$(libdir)/libpkcs11shim.so.*
diff --git a/buildx.sh b/buildx.sh
@@ -57,6 +57,7 @@ function usage() {
     echo "Options:"
     echo "  --repo URL, -r URL         Specify the repository URL (default: $GITHUB_REPO)"
     echo "  --commit COMMIT, -c COMMIT Specify the commit hash, tag or branch to build (default: $GITHUB_REPO_COMMIT)"
+    echo "  --skip-git-sslverify, -k   Skip SSL verification for git clone"
     echo "  --verbose, -v              Increase verbosity (can be specified multiple times)"
     echo "  --max-procs N, -j N        Specify the maximum number of processes"
     exit 1
@@ -112,6 +113,7 @@ function create_build() {
     local verbose="$3"
     local repo_url="$4"
     local repo_commit="$5"
+    local repo_sslverify="$6"
 
     local verbosearg="--quiet"
 
@@ -132,14 +134,15 @@ function create_build() {
     
     local containername=$(gen_random_container_name)
     docker buildx build $verbosearg \
-        --platform linux/$platformarch \
+        --platform linux/$arch \
         --build-arg REPO_URL=$repo_url \
         --build-arg REPO_COMMIT_OR_TAG=$repo_commit \
+        --build-arg REPO_SSLVERIFY=$repo_sslverify \
         -t libpkcs11shim-build-$distro-$arch \
         -f $(get_script_dir)/buildx/Dockerfile.$distro \
         $(get_script_dir)/buildx
     
-    local artifacts=$(docker run --platform linux/$platformarch --name $containername libpkcs11shim-build-$distro-$arch)
+    local artifacts=$(docker run --platform linux/$arch --name $containername libpkcs11shim-build-$distro-$arch)
     for artifact in $artifacts; do
         docker cp --quiet $containername:$artifact $(get_current_dir)/
     done
@@ -158,6 +161,7 @@ function create_build() {
 function parse_and_build() {
     local repo_url="$GITHUB_REPO"
     local repo_commit="HEAD"
+    local repo_sslverify="true"
     local verbose=0
     local args=()
     local numprocs=$(nproc)
@@ -173,6 +177,9 @@ function parse_and_build() {
                 shift
                 repo_commit="$1"
                 ;;
+            --skip-git-sslverify|-k)
+                repo_sslverify="false"
+                ;;
             --verbose|-v)
                 if [ "$verbose" -lt 2 ]; then
                     verbose=$(($verbose + 1))
@@ -209,31 +216,31 @@ function parse_and_build() {
         if [[ "$arg" == "all/all" ]]; then
             for distro in $SUPPORTED_DISTROS; do
                 for arch in $SUPPORTED_ARCHS; do
-                    build_args+=("$distro $arch $verbose $repo_url $repo_commit")
+                    build_args+=("$distro $arch $verbose $repo_url $repo_commit $repo_sslverify")
                 done
             done
         elif [[ "$arg" == "all" ]]; then
             local host_arch=$(uname -m)
             for distro in $SUPPORTED_DISTROS; do
-                build_args+=("$distro $host_arch $verbose $repo_url $repo_commit")
+                build_args+=("$distro $host_arch $verbose $repo_url $repo_commit $repo_sslverify")
             done
         elif [[ "$arg" == */* ]]; then
             IFS='/' read -r distro arch_list <<< "$arg"
             if [[ "$arch_list" == "all" ]]; then
                 for arch in $SUPPORTED_ARCHS; do
-                    build_args+=("$distro $arch $verbose $repo_url $repo_commit")
+                    build_args+=("$distro $arch $verbose $repo_url $repo_commit $repo_sslverify")
                 done
             else
                 IFS=',' read -ra archs <<< "$arch_list"
                 for arch in "${archs[@]}"; do
-                    build_args+=("$distro $arch $verbose $repo_url $repo_commit")
+                    build_args+=("$distro $arch $verbose $repo_url $repo_commit $repo_sslverify")
                 done
             fi
         else
             IFS=',' read -ra distros <<< "$arg"
             local host_arch=${rev_arch_map[$(uname -m)]:-$(uname -m)}
             for distro in "${distros[@]}"; do
-                build_args+=("$distro $host_arch $verbose $repo_url $repo_commit")
+                build_args+=("$distro $host_arch $verbose $repo_url $repo_commit $repo_sslverify")
             done
         fi
     done
diff --git a/buildx/Dockerfile.alpine321 b/buildx/Dockerfile.alpine321
@@ -23,6 +23,7 @@
 
 ARG REPO_URL="https://github.com/Mastercard/libpkcs11shim"
 ARG REPO_COMMIT_OR_TAG="HEAD"
+ARG REPO_SSLVERIFY="true"
 ARG DISTRO_NAME="alpine"
 ARG DISTRO_VERSION="3.21"
 ARG DISTRO_SHORT_NAME="alpine321"
@@ -57,13 +58,15 @@ RUN apk add --no-cache \
 FROM base AS gitcloned
 ARG REPO_URL
 ARG REPO_COMMIT_OR_TAG
+ARG REPO_SSLVERIFY
 
 # The meta directory is used to store the version and maintainer information
 # for the RPM package
 RUN mkdir -p /meta
 
 # Clone the repository
 WORKDIR /src
+RUN if [ "$REPO_SSLVERIFY" != "true" ]; then git config --global http.sslVerify false; fi
 RUN git clone $REPO_URL .
 RUN git checkout $REPO_COMMIT_OR_TAG
 
@@ -100,11 +103,11 @@ FROM gitcloned AS builder
 RUN ./bootstrap.sh \
     && ./configure --prefix=/usr \
     && make -j $(nproc) \
-    && make install DESTDIR=/build
+    && make install-strip DESTDIR=/build
 
 # Install documentation
 RUN mkdir -p /build/usr/share/doc/libpkcs11shim \
-    && install -m 444 -t /build/usr/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
+    && install -m 644 -t /build/usr/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
 
 
 # Final stage
diff --git a/buildx/Dockerfile.amzn2023 b/buildx/Dockerfile.amzn2023
@@ -22,6 +22,7 @@
 
 ARG REPO_URL="https://github.com/Mastercard/libpkcs11shim"
 ARG REPO_COMMIT_OR_TAG="HEAD"
+ARG REPO_SSLVERIFY="true"
 ARG DISTRO_NAME="amazonlinux"
 ARG DISTRO_VERSION="2023"
 ARG DISTRO_SHORT_NAME="amzn2023"
@@ -52,13 +53,15 @@ RUN DISTROARCH=$(arch | sed 's/aarch64/arm64/;s/x86_64/amd64/') \
 FROM base AS gitcloned
 ARG REPO_URL
 ARG REPO_COMMIT_OR_TAG
+ARG REPO_SSLVERIFY
 
 # The meta directory is used to store the version and maintainer information
 # for the RPM package
 RUN mkdir -p /meta
 
 # Clone the repository
 WORKDIR /src
+RUN if [ "$REPO_SSLVERIFY" != "true" ]; then git config --global http.sslVerify false; fi
 RUN git clone $REPO_URL .
 RUN git checkout $REPO_COMMIT_OR_TAG
 
@@ -104,21 +107,21 @@ FROM gitcloned AS builder
 RUN ./bootstrap.sh \
     && ./configure \
     && make -j $(nproc) \
-    && make install DESTDIR=/tar_build
+    && make install-strip DESTDIR=/tar_build
 
 # Install documentation
 RUN mkdir -p /tar_build/usr/local/share/doc/libpkcs11shim \
-    && install -m 444 -t /tar_build/usr/local/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
+    && install -m 644 -t /tar_build/usr/local/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
 
 # Build again the project for deb package (/usr)
 RUN make distclean \
     && ./configure --prefix=/usr \
     && make -j $(nproc) \
-    && make install DESTDIR=/rpm_build
+    && make install-strip DESTDIR=/rpm_build
 
 # Install documentation
 RUN mkdir -p /rpm_build/usr/share/doc/libpkcs11shim \
-    && install -m 444 -t /rpm_build/usr/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
+    && install -m 644 -t /rpm_build/usr/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
 
 
 # Final stage
diff --git a/buildx/Dockerfile.deb12 b/buildx/Dockerfile.deb12
@@ -22,6 +22,7 @@
 
 ARG REPO_URL="https://github.com/Mastercard/libpkcs11shim"
 ARG REPO_COMMIT_OR_TAG="HEAD"
+ARG REPO_SSLVERIFY="true"
 ARG DISTRO_NAME="debian"
 ARG DISTRO_VERSION="12"
 ARG DISTRO_SHORT_NAME="deb12"
@@ -47,13 +48,15 @@ RUN apt-get update && apt-get install -y \
 FROM base AS gitcloned
 ARG REPO_URL
 ARG REPO_COMMIT_OR_TAG
+ARG REPO_SSLVERIFY
 
 # The meta directory is used to store the version and maintainer information
 # for the DEB package
 RUN mkdir -p /meta
 
 # Clone the repository
 WORKDIR /src
+RUN if [ "$REPO_SSLVERIFY" != "true" ]; then git config --global http.sslVerify false; fi
 RUN git clone $REPO_URL .
 RUN git checkout $REPO_COMMIT_OR_TAG
 
@@ -91,31 +94,29 @@ RUN PKG_DESCRIPTION=$(cat README.md \
     | sed '1!s/^/ /')\
     && echo "PKG_DESCRIPTION=\"$PKG_DESCRIPTION\"" >> /meta/env
 
-
 RUN echo "export PKG_GITSUFFIX PKG_VERSION PKG_RELEASE PKG_GITCOMMIT PKG_MAINTAINER PKG_ARCH" >> /meta/env
 
-
 FROM gitcloned AS builder
 
 # Build the project for tar package (/usr/local)
 RUN ./bootstrap.sh \
     && ./configure \
     && make -j $(nproc)\
-    && make install DESTDIR=/tar_build
+    && make install-strip DESTDIR=/tar_build
 
 # Install documentation
 RUN mkdir -p /tar_build/usr/local/share/doc/libpkcs11shim \
-    && install -m 444 -t /tar_build/usr/local/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
+    && install -m 644 -t /tar_build/usr/local/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
 
 # Build again the project for deb package (/usr)
 RUN make distclean \
     && ./configure --prefix=/usr --libdir=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH) \
     && make -j $(nproc) \
-    && make install DESTDIR=/deb_build
+    && make install-strip DESTDIR=/deb_build
 
 # Install documentation
 RUN mkdir -p /deb_build/usr/share/doc/libpkcs11shim \
-    && install -m 444 -t /deb_build/usr/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
+    && install -m 644 -t /deb_build/usr/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
 
 
 # Final stage
diff --git a/buildx/Dockerfile.ol7 b/buildx/Dockerfile.ol7
@@ -22,6 +22,7 @@
 
 ARG REPO_URL="https://github.com/Mastercard/libpkcs11shim"
 ARG REPO_COMMIT_OR_TAG="HEAD"
+ARG REPO_SSLVERIFY="true"
 ARG DISTRO_NAME="oraclelinux"
 ARG DISTRO_VERSION="7"
 ARG DISTRO_SHORT_NAME="ol7"
@@ -57,13 +58,15 @@ RUN DISTROARCH=$(arch | sed 's/aarch64/arm64/;s/x86_64/amd64/') \
 FROM base AS gitcloned
 ARG REPO_URL
 ARG REPO_COMMIT_OR_TAG
+ARG REPO_SSLVERIFY
 
 # The meta directory is used to store the version and maintainer information
 # for the RPM package
 RUN mkdir -p /meta
 
 # Clone the repository
 WORKDIR /src
+RUN if [ "$REPO_SSLVERIFY" != "true" ]; then git config --global http.sslVerify false; fi
 RUN git clone $REPO_URL .
 RUN git checkout $REPO_COMMIT_OR_TAG
 
@@ -110,11 +113,11 @@ RUN scl enable devtoolset-10 \
     './bootstrap.sh \
     && ./configure \
     && make -j $(nproc) \
-    && make install DESTDIR=/tar_build'
+    && make install-strip DESTDIR=/tar_build'
 
 # install documentation
 RUN mkdir -p /tar_build/usr/local/share/doc/libpkcs11shim \
-    && install -m 444 -t /tar_build/usr/local/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
+    && install -m 644 -t /tar_build/usr/local/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
 
 # Build again the project for deb package (/usr)
 # Note: oraclelinux:7-slim is strict on the library path. We need extra logic
@@ -126,11 +129,11 @@ RUN scl enable devtoolset-10 \
 
 RUN scl enable devtoolset-10 \
     "make -j $(nproc) \
-    && make install DESTDIR=/rpm_build"
+    && make install-strip DESTDIR=/rpm_build"
 
 # Install documentation
 RUN mkdir -p /rpm_build/usr/share/doc/libpkcs11shim \
-    && install -m 444 -t /rpm_build/usr/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
+    && install -m 644 -t /rpm_build/usr/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
 
 RUN find /rpm_build
 
diff --git a/buildx/Dockerfile.ol8 b/buildx/Dockerfile.ol8
@@ -22,6 +22,7 @@
 
 ARG REPO_URL="https://github.com/Mastercard/libpkcs11shim"
 ARG REPO_COMMIT_OR_TAG="HEAD"
+ARG REPO_SSLVERIFY="true"
 ARG DISTRO_NAME="oraclelinux"
 ARG DISTRO_VERSION="8"
 ARG DISTRO_SHORT_NAME="ol8"
@@ -58,13 +59,15 @@ RUN DISTROARCH=$(arch | sed 's/aarch64/arm64/;s/x86_64/amd64/') \
 FROM base AS gitcloned
 ARG REPO_URL
 ARG REPO_COMMIT_OR_TAG
+ARG REPO_SSLVERIFY
 
 # The meta directory is used to store the version and maintainer information
 # for the RPM package
 RUN mkdir -p /meta
 
 # Clone the repository
 WORKDIR /src
+RUN if [ "$REPO_SSLVERIFY" != "true" ]; then git config --global http.sslVerify false; fi
 RUN git clone $REPO_URL .
 RUN git checkout $REPO_COMMIT_OR_TAG
 
@@ -110,21 +113,21 @@ FROM gitcloned AS builder
 RUN ./bootstrap.sh \
     && ./configure \
     && make -j $(nproc) \
-    && make install DESTDIR=/tar_build
+    && make install-strip DESTDIR=/tar_build
 
 # install documentation
 RUN mkdir -p /tar_build/usr/local/share/doc/libpkcs11shim \
-    && install -m 444 -t /tar_build/usr/local/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
+    && install -m 644 -t /tar_build/usr/local/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
 
 # Build again the project for deb package (/usr)
 RUN make distclean \
     && ./configure --prefix=/usr \
     && make -j $(nproc) \
-    && make install DESTDIR=/rpm_build
+    && make install-strip DESTDIR=/rpm_build
 
 # Install documentation
 RUN mkdir -p /rpm_build/usr/share/doc/libpkcs11shim \
-    && install -m 444 -t /rpm_build/usr/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
+    && install -m 644 -t /rpm_build/usr/share/doc/libpkcs11shim README.md CHANGELOG.md COPYING
 
 
 # Final stage
diff --git a/buildx/Dockerfile.ol9 b/buildx/Dockerfile.ol9
diff --git a/buildx/Dockerfile.ubuntu2204 b/buildx/Dockerfile.ubuntu2204
diff --git a/buildx/Dockerfile.ubuntu2404 b/buildx/Dockerfile.ubuntu2404
