Merge branch 'live' into bluebuildsigning
RoyalOughtness authored Jan 11, 2025
2 parents f4ce2ba + d8e40e4 commit 03039a6
Showing 3 changed files with 29 additions and 3 deletions.
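--- a/.github/workflows/checksum.yml
+++ b/.github/workflows/checksum.yml
@@ -0,0 +1,26 @@
+name: installer-checksum
+on:
+pull_request:
+branches:
+- live
+jobs:
+verify-installer-checksum:
+name: Linkspector
+runs-on: ubuntu-22.04
+steps:
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+- name: Verify checksum
+shell: bash
+env:
+INSTALL_SCRIPT: files/system/usr/share/secureblue/install_secureblue.sh
+EXAMPLE_BUTANE: docs/example.butane
+run: |
+INSTALLER_CHECKSUM=$(sha256sum $INSTALL_SCRIPT | awk '{ print $1 }')
+BUTANE_CHECKSUM=$(grep -oP 'sha256-\K[a-f0-9]{64}' $EXAMPLE_BUTANE)
+if [ "$INSTALLER_CHECKSUM" != "$BUTANE_CHECKSUM" ]; then
+echo "Checksum mismatch."
+echo "Installer checksum: $INSTALLER_CHECKSUM"
+echo "Butane checksum: $BUTANE_CHECKSUM"
+exit 1
+fi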
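Review bot: The workflow declares no `permissions:` key, so the job runs with the repository's default GITHUB_TOKEN scope although it only reads two files from the checkout; a top-level `permissions:` with `contents: read`, plus `persist-credentials: false` under the checkout step's `with:`, would keep it to least privilege. The job's display name `Linkspector` looks carried over from another workflow and will label this check misleadingly wherever it is listed as a required status; `name: Verify installer checksum` would say what is enforced. In the `run:` script, `$INSTALL_SCRIPT` and `$EXAMPLE_BUTANE` are expanded unquoted, and `grep -oP` returns every `sha256-` match in the file, so a second hashed entry in the example would fail the comparison with a confusing multi-line value. Quoting both variables and failing explicitly when the match count is not exactly one would keep the check fail-closed and make the failure readable.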
4 changes: 2 additions & 2 deletions docs/example.butane
@@ -14,7 +14,7 @@ storage:
contents:
source: https://raw.githubusercontent.com/secureblue/secureblue/refs/heads/live/files/system/usr/share/secureblue/install_secureblue.sh
verification:
hash: sha256-d4ba5bfb556e9d1e3789a02fab2ab2f871033cc6b1712945cdfb9ce4375eafe5
hash: sha256-1f2f8ac822614eb20c82547aabdd18fbded3906115db8ecd4efcf3a80e19bd7d
mode: 0755
- path: /opt/run_install_secureblue.sh
contents:
@@ -40,4 +40,4 @@ storage:
overwrite: false
append:
- inline: |
/opt/run_install_secureblue.sh
/opt/run_install_secureblue.sh
2 changes: 1 addition & 1 deletion files/justfiles/hardening.just
@@ -24,7 +24,7 @@ flatpak-permissions-lockdown:
kFeaturePermissions=("per-app-dev-shm" "canbus" "bluetooth" "multiarch" "devel")
kFilesystemPermissions=("home" "host-etc" "host")
kDangerousFilesystemPermissions=("~/.bashrc" "~/.bash_profile" "/home" "/var/home" "/var" "/media" "/run/media" "/run" "/mnt")
kKnownSessionBusNames=("org.gnome.Settings" "org.gnome.SettingsDaemon.MediaKeys" "org.gnome.SessionManager" "org.kde.kiod5" "org.kde.JobViewServer" "org.gtk.vfs.*" "org.freedesktop.secrets" "org.kde.kconfig.notify" "org.kde.kpasswdserver" "org.kde.*" "org.kde.StatusNotifierWatcher" "org.kde.kded6" "org.kde.kpasswdserver6" "org.kde.kiod6" "com.canonical.Unity" "org.freedesktop.Notifications" "org.freedesktop.FileManager1" "org.freedesktop.impl.portal.PermissionStore" "org.freedesktop.Flatpak" "com.canonical.AppMenu.Registrar" "org.kde.KGlobalSettings" "org.kde.kded5" "com.canonical.Unity.LauncherEntry" "org.kde.kwalletd5" "org.gnome.SettingsDaemon" "org.a11y.Bus" "com.canonical.indicator.application" "org.freedesktop.ScreenSaver" "ca.desrt.dconf" "org.freedesktop.PowerManagement" "org.gnome.Software" "org.freedesktop.Tracker3.Writeback" "io.missioncenter.MissionCenter.Gatherer")
kKnownSessionBusNames=("org.gnome.Settings" "org.gnome.SettingsDaemon.MediaKeys" "org.gnome.SessionManager" "org.gnome.Shell.Screenshot" "org.kde.kiod5" "org.kde.kwin.Screenshot" "org.kde.JobViewServer" "org.gtk.vfs.*" "org.freedesktop.secrets" "org.kde.kconfig.notify" "org.kde.kpasswdserver" "org.kde.*" "org.kde.StatusNotifierWatcher" "org.kde.kded6" "org.kde.kpasswdserver6" "org.kde.kiod6" "com.canonical.Unity" "org.freedesktop.Notifications" "org.freedesktop.FileManager1" "org.freedesktop.impl.portal.PermissionStore" "org.freedesktop.Flatpak" "com.canonical.AppMenu.Registrar" "org.kde.KGlobalSettings" "org.kde.kded5" "com.canonical.Unity.LauncherEntry" "org.kde.kwalletd5" "org.gnome.SettingsDaemon" "org.a11y.Bus" "com.canonical.indicator.application" "org.freedesktop.ScreenSaver" "ca.desrt.dconf" "org.freedesktop.PowerManagement" "org.gnome.Software" "org.freedesktop.Tracker3.Writeback" "io.missioncenter.MissionCenter.Gatherer")
kKnownSystemBusNames=("org.freedesktop.systemd1" "org.freedesktop.Avahi.*" "org.freedesktop.login1" "org.freedesktop.NetworkManager" "org.freedesktop.UPower" "org.freedesktop.UDisks2" "org.freedesktop.fwupd")
kFlatsealNameAccess=("org.gnome.Software" "org.freedesktop.impl.portal.PermissionStore")
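Review bot: `kKnownSessionBusNames` is kept as one array literal on a single line, so a change of two names (the two printed versions differ only in `org.gnome.Shell.Screenshot` and `org.kde.kwin.Screenshot`) appears as a full-line rewrite, and any other entry added or dropped in the same edit would be easy to miss. Judging by the recipe name, this list feeds a permission lockdown, so writing it one name per line inside the parentheses, with a short comment on why sensitive interfaces such as the screenshot names are listed, would make each addition individually reviewable. The list also carries `org.kde.*` next to specific `org.kde.…` names; whether the wildcard already covers `org.kde.kwin.Screenshot` depends on how the recipe consumes the array, which is outside this hunk, so that is worth confirming. The recipe body starts and ends outside the hunk.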
