authelia/.buildkite/hooks/pre-artifact
Amir Zarrinkafsh bd6a8e3ea2
feat: hardened authelia binaries (#2410)
* feat: hardened authelia binaries

This change ensures that all Authelia binaries which are compiled and distributed are hardened with the following standards:

* RELRO
* Stack canary
* NX
* PIE/ASLR
* Stripped RPATH AND RUNPATH
* Stripped Symbols
* Fortify

The musl variants currently [do not support Fortify](https://wiki.musl-libc.org/future-ideas.html#Fortify).

* refactor: docker pull for authelia/crossbuild in background
2021-09-26 12:08:47 +10:00

36 lines
1.5 KiB
Bash
Executable File

#!/usr/bin/env bash
set +u
declare -A BUILDS=(["linux"]="amd64 arm arm64 amd64-musl arm-musl arm64-musl" ["freebsd"]="amd64")
DOCKER_IMAGE=authelia/authelia
if [[ "${BUILDKITE_LABEL}" == ":hammer_and_wrench: Unit Test" ]]; then
echo "--- :docker: Saving artifacts for :buildkite: :docker: :github: releases"
for OS in "${!BUILDS[@]}"; do
for ARCH in ${BUILDS[$OS]}; do
tar -czf "authelia-${OS}-${ARCH}.tar.gz" "authelia-${OS}-${ARCH}" authelia.service config.template.yml
sha256sum "authelia-${OS}-${ARCH}.tar.gz" > "authelia-${OS}-${ARCH}.tar.gz.sha256"
done
done
tar -czf authelia-public_html.tar.gz -C dist public_html
sha256sum authelia-public_html.tar.gz > authelia-public_html.tar.gz.sha256
fi
if [[ "${BUILDKITE_LABEL}" == ":docker: Build Image [coverage]" ]]; then
# Saving image for docker push
docker save "${DOCKER_IMAGE}" | zstdmt -T0 -12 > "authelia-image-coverage.tar.zst"
fi
if [[ "${BUILDKITE_LABEL}" =~ ":debian: Build Package" ]]; then
if [[ "${BUILDKITE_TAG}" != "" ]]; then
echo "--- :debian: Saving artifacts for :github: release"
for f in *.deb; do mv "$f" "$(echo "$f" | sed s/${BUILDKITE_TAG//v}-1_//)"; done
else
echo "--- :debian: Saving artifacts for :buildkite: release"
VERSION=$(git describe --long --tags | sed 's/^v//;s/\([^-]*-g\)/r\1/;s/-/./g')
for f in *.deb; do mv "$f" "$(echo "$f" | sed s/${VERSION}-1_//)"; done
fi
sha256sum "authelia_${PACKAGE}.deb" > "authelia_${PACKAGE}.deb.sha256"
fi