27 changes: 27 additions & 0 deletions .devcontainer/alpine/Dockerfile
@@ -0,0 +1,27 @@
FROM golang:1.25-alpine AS go-builder

FROM alpine:3.21

COPY --from=go-builder /usr/local/go /usr/local/go
ENV PATH="/usr/local/go/bin:/root/go/bin:/root/.cargo/bin:${PATH}"
ENV GOPATH="/root/go"

RUN apk add --no-cache \
build-base git make curl sudo pkgconf \
rpm \
ruby ruby-dev \
nodejs npm py3-pip \
wayland-dev libx11-dev libxkbcommon-dev mesa-dev libxcursor-dev vulkan-loader-dev libffi-dev \
perl dpkg dpkg-dev xz wget

RUN gem install fpm --no-document

RUN cd /tmp && \
wget -q "https://deb.debian.org/debian/pool/main/a/alien/alien_8.95.8.tar.xz" && \
tar xf alien_8.95.8.tar.xz && \
cd alien && perl Makefile.PL && make && make install && \
cd / && rm -rf /tmp/alien*

RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
Binary, code or archive is pulled from a remote source without integrity verification - medium severity
A Docker container was built using an artifact from a remote source without any integrity verification. If the remote artifact were silently replaced with a malicious version (for example, through a supply chain attack), the integrity and confidentiality of the environment in which the container is deployed could be compromised.

Remediation: Validate the artifact against a trusted SHA-512 checksum in the CI/CD pipeline using sha512sum in check mode. Store the expected checksum in a file (e.g., artifact.sha512), then verify it with: sha512sum -c artifact.sha512. Enable strict error handling (for example, set -e in shell scripts) so the pipeline fails if verification fails or outputs errors.
View details in Aikido Security


WORKDIR /workspace
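Review bot: the `wget -q` fetch of `alien_8.95.8.tar.xz` in the `RUN cd /tmp && ...` step has no integrity check, and the Aikido finding above is attached only to the rustup line, so this download stays unverified even after that finding is addressed. Add a pinned digest check before `tar xf`, for example `echo "<expected-sha256>  alien_8.95.8.tar.xz" | sha256sum -c -` (placeholder value; record the real one in the Dockerfile), and for the rustup step pin the toolchain with `sh -s -- -y --default-toolchain <version> --profile minimal` so the image does not silently pick up whatever is current at build time. `golang:1.25-alpine` and `alpine:3.21` are moving tags as well; pinning them by digest (`@sha256:...`) makes the dev container reproducible.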
7 changes: 7 additions & 0 deletions .devcontainer/alpine/devcontainer.json
@@ -0,0 +1,7 @@
{
"name": "SafeChain Ultimate - Alpine",
"build": {
"dockerfile": "Dockerfile"
},
"remoteUser": "root"
}
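Review bot: `"remoteUser": "root"` means every editor process and tool run inside the container is root, while the Dockerfile installs `sudo` without ever creating a user that would need it. Create an unprivileged user in the Dockerfile (on Alpine, `adduser -D <name>` plus a sudoers entry; name is a placeholder) and point `remoteUser` at it. The same applies to the centos, debian and ubuntu devcontainer.json files in this PR, which set the same value.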
31 changes: 31 additions & 0 deletions .devcontainer/centos/Dockerfile
@@ -0,0 +1,31 @@
FROM golang:1.25 AS go-builder

FROM quay.io/centos/centos:stream10

COPY --from=go-builder /usr/local/go /usr/local/go
ENV PATH="/usr/local/go/bin:/root/go/bin:/root/.cargo/bin:${PATH}"
ENV GOPATH="/root/go"

RUN dnf install -y epel-release && \
dnf config-manager --set-enabled crb && \
dnf install -y \
gcc gcc-c++ git make cmake curl sudo pkgconf clang-devel procps-ng \
rpm-build \
dpkg \
ruby ruby-devel \
nodejs npm python3-pip \
perl wget xz \
wayland-devel libX11-devel libxkbcommon-devel libxkbcommon-x11-devel \
mesa-libGLES-devel mesa-libEGL-devel libffi-devel libXcursor-devel vulkan-loader-devel \
&& gem install fpm --no-document \
&& dnf clean all

RUN cd /tmp && \
wget -q "https://deb.debian.org/debian/pool/main/a/alien/alien_8.95.8.tar.xz" && \
tar xf alien_8.95.8.tar.xz && \
cd alien && perl Makefile.PL && make && make install && \
cd / && rm -rf /tmp/alien*

RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
Binary, code or archive is pulled from a remote source without integrity verification - medium severity
A Docker container was built using an artifact from a remote source without any integrity verification. If the remote artifact were silently replaced with a malicious version (for example, through a supply chain attack), the integrity and confidentiality of the environment in which the container is deployed could be compromised.

Remediation: Validate the artifact against a trusted SHA-512 checksum in the CI/CD pipeline using sha512sum in check mode. Store the expected checksum in a file (e.g., artifact.sha512), then verify it with: sha512sum -c artifact.sha512. Enable strict error handling (for example, set -e in shell scripts) so the pipeline fails if verification fails or outputs errors.
View details in Aikido Security


WORKDIR /workspace
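Review bot: the same unverified `wget -q` download of `alien_8.95.8.tar.xz` as in the Alpine Dockerfile, again not covered by the Aikido finding, which only attaches to the rustup line; add a `sha256sum -c` check against a value recorded in the Dockerfile before `tar xf`, and pin the rustup toolchain with `--default-toolchain <version>` (placeholder) in the final `RUN`. A smaller point: `quay.io/centos/centos:stream10` is a rolling tag of a rolling distribution, so if reproducible dev environments matter, pin it by digest.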
7 changes: 7 additions & 0 deletions .devcontainer/centos/devcontainer.json
@@ -0,0 +1,7 @@
{
"name": "SafeChain Ultimate - CentOS Stream 10",
"build": {
"dockerfile": "Dockerfile"
},
"remoteUser": "root"
}
21 changes: 21 additions & 0 deletions .devcontainer/debian/Dockerfile
@@ -0,0 +1,21 @@
FROM golang:1.25 AS go-builder

FROM debian:12

COPY --from=go-builder /usr/local/go /usr/local/go
ENV PATH="/usr/local/go/bin:/root/go/bin:/root/.cargo/bin:${PATH}"
ENV GOPATH="/root/go"

RUN apt-get update && apt-get install -y \
build-essential git make curl sudo pkg-config \
rpm alien \
ruby ruby-dev \
nodejs npm python3-pip \
libwayland-dev libx11-dev libx11-xcb-dev libxkbcommon-x11-dev \
libgles2-mesa-dev libegl1-mesa-dev libffi-dev libxcursor-dev libvulkan-dev \
&& gem install fpm --no-document \
&& rm -rf /var/lib/apt/lists/*

RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
Binary, code or archive is pulled from a remote source without integrity verification - medium severity
A Docker container was built using an artifact from a remote source without any integrity verification. If the remote artifact were silently replaced with a malicious version (for example, through a supply chain attack), the integrity and confidentiality of the environment in which the container is deployed could be compromised.

Remediation: Validate the artifact against a trusted SHA-512 checksum in the CI/CD pipeline using sha512sum in check mode. Store the expected checksum in a file (e.g., artifact.sha512), then verify it with: sha512sum -c artifact.sha512. Enable strict error handling (for example, set -e in shell scripts) so the pipeline fails if verification fails or outputs errors.
View details in Aikido Security


WORKDIR /workspace
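Review bot: the `curl ... https://sh.rustup.rs | sh -s -- -y` step installs whatever toolchain is current when the image is built and verifies nothing about the script; pin the result with `sh -s -- -y --default-toolchain <version> --profile minimal` (placeholder version) and, if the checksum remediation from the Aikido comment is followed, download the installer to a file, verify it, then run it rather than piping into `sh`. Also `apt-get install -y` without `--no-install-recommends` pulls in recommended packages the build does not need; adding the flag keeps the image smaller and its attack surface narrower.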
7 changes: 7 additions & 0 deletions .devcontainer/debian/devcontainer.json
@@ -0,0 +1,7 @@
{
"name": "SafeChain Ultimate - Debian",
"build": {
"dockerfile": "Dockerfile"
},
"remoteUser": "root"
}
21 changes: 21 additions & 0 deletions .devcontainer/ubuntu/Dockerfile
@@ -0,0 +1,21 @@
FROM golang:1.25 AS go-builder

FROM ubuntu:24.04

COPY --from=go-builder /usr/local/go /usr/local/go
ENV PATH="/usr/local/go/bin:/root/go/bin:/root/.cargo/bin:${PATH}"
ENV GOPATH="/root/go"

RUN apt-get update && apt-get install -y \
build-essential git make curl sudo pkg-config \
rpm alien \
ruby ruby-dev \
nodejs npm python3-pip \
libwayland-dev libx11-dev libx11-xcb-dev libxkbcommon-x11-dev \
libgles2-mesa-dev libegl1-mesa-dev libffi-dev libxcursor-dev libvulkan-dev \
&& gem install fpm --no-document \
&& rm -rf /var/lib/apt/lists/*

RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
Binary, code or archive is pulled from a remote source without integrity verification - medium severity
A Docker container was built using an artifact from a remote source without any integrity verification. If the remote artifact were silently replaced with a malicious version (for example, through a supply chain attack), the integrity and confidentiality of the environment in which the container is deployed could be compromised.

Remediation: Validate the artifact against a trusted SHA-512 checksum in the CI/CD pipeline using sha512sum in check mode. Store the expected checksum in a file (e.g., artifact.sha512), then verify it with: sha512sum -c artifact.sha512. Enable strict error handling (for example, set -e in shell scripts) so the pipeline fails if verification fails or outputs errors.
View details in Aikido Security


WORKDIR /workspace
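Review bot: this Dockerfile is identical to `.devcontainer/debian/Dockerfile` except for `FROM ubuntu:24.04`, so the two will drift apart at the first edit; consider one Dockerfile with `ARG BASE_IMAGE=debian:12` and `FROM ${BASE_IMAGE}`, with each devcontainer.json passing its own value through `build.args`. The rustup pinning and `--no-install-recommends` points raised on the Debian Dockerfile apply here unchanged.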
7 changes: 7 additions & 0 deletions .devcontainer/ubuntu/devcontainer.json
@@ -0,0 +1,7 @@
{
"name": "SafeChain Ultimate - Ubuntu",
"build": {
"dockerfile": "Dockerfile"
},
"remoteUser": "root"
}
103 changes: 103 additions & 0 deletions .github/workflows/build-linux.yml
@@ -0,0 +1,103 @@
name: Build Linux Packages

on:
push:
branches:
- main
pull_request:
branches:
- main
workflow_call:
inputs:
version:
required: true
type: string

jobs:
build-unix:
uses: ./.github/workflows/build-unix.yml
with:
version: ${{ inputs.version || 'dev' }}

build-rpm:
needs: build-unix
strategy:
matrix:
include:
- arch: amd64
runner: ubuntu-latest
- arch: arm64
runner: ubuntu-24.04-arm

runs-on: ${{ matrix.runner }}
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Download agent artifact
uses: actions/download-artifact@v4
with:
name: safechain-ultimate-linux-${{ matrix.arch }}
path: bin

- name: Download agent ui artifact
uses: actions/download-artifact@v4
with:
name: safechain-ultimate-ui-linux-${{ matrix.arch }}
path: bin

- name: Download proxy artifact
uses: actions/download-artifact@v4
with:
name: safechain-proxy-linux-${{ matrix.arch }}
path: bin

- name: Verify binaries exist
run: |
ls -lh bin/
ls -lh bin/safechain-ultimate-linux-${{ matrix.arch }}
ls -lh bin/safechain-ultimate-ui-linux-${{ matrix.arch }}
ls -lh bin/safechain-proxy-linux-${{ matrix.arch }}

- name: Install packaging tools
run: |
sudo apt-get update && sudo apt-get install -y rpm alien ruby ruby-dev
sudo gem install fpm --no-document

- name: Build RPM
run: |
cd packaging/rpm
./build-rpm.sh -v "${{ inputs.version || 'dev' }}" -a "${{ matrix.arch }}" -b "../../bin" -o "../../dist"

- name: Convert RPM to DEB using alien
run: |
cd dist
sudo alien --to-deb --keep-version SafeChainUltimate-${{ inputs.version || 'dev' }}-${{ matrix.arch }}.rpm

- name: Convert RPM to APK using fpm
run: |
cd dist
fpm -s rpm -t apk -p SafeChainUltimate-${{ matrix.arch }}.apk SafeChainUltimate-${{ inputs.version || 'dev' }}-${{ matrix.arch }}.rpm

- name: Rename packages
run: |
mv dist/SafeChainUltimate-${{ inputs.version || 'dev' }}-${{ matrix.arch }}.rpm dist/SafeChainUltimate-${{ matrix.arch }}.rpm
mv dist/safechain-ultimate_*.deb dist/SafeChainUltimate-${{ matrix.arch }}.deb

- name: Upload RPM artifact
uses: actions/upload-artifact@v4
with:
name: SafeChainUltimate-${{ matrix.arch }}.rpm
path: dist/SafeChainUltimate-${{ matrix.arch }}.rpm

- name: Upload DEB artifact
uses: actions/upload-artifact@v4
with:
name: SafeChainUltimate-${{ matrix.arch }}.deb
path: dist/SafeChainUltimate-${{ matrix.arch }}.deb

- name: Upload APK artifact
uses: actions/upload-artifact@v4
with:
name: SafeChainUltimate-${{ matrix.arch }}.apk
path: dist/SafeChainUltimate-${{ matrix.arch }}.apk
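Review bot: `${{ inputs.version || 'dev' }}` is expanded straight into the shell in the Build RPM, alien, fpm and Rename steps (for example `./build-rpm.sh -v "${{ inputs.version || 'dev' }}" ...`); since `version` is a free-form string supplied by whichever workflow calls this one, move it into an `env:` entry (`VERSION: ${{ inputs.version || 'dev' }}`) and reference `"$VERSION"` in the scripts so the value is never re-parsed by the shell. Three smaller points: the workflow declares no `permissions:` block, so it runs with the repository's default token scope although it only needs `contents: read`; the actions are pinned to `@v4` tags rather than commit SHAs; and the `safechain-proxy-linux-${{ matrix.arch }}` artifact downloaded in the third step is not produced by anything in this diff, so confirm that `build-unix-proxy` in build-unix.yml publishes linux artifacts under that name, otherwise `download-artifact` fails.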
34 changes: 24 additions & 10 deletions .github/workflows/build-unix.yml
@@ -18,10 +18,18 @@ jobs:
strategy:
matrix:
include:
- arch: amd64
- os: darwin
arch: amd64
runner: macos-14
- arch: arm64
- os: darwin
arch: arm64
runner: macos-14
- os: linux
arch: amd64
runner: ubuntu-latest
- os: linux
arch: arm64
runner: ubuntu-24.04-arm

runs-on: ${{ matrix.runner }}
steps:
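Review bot: the new linux entries mix `ubuntu-latest` for amd64 with the pinned `ubuntu-24.04-arm` for arm64, so the two architectures can silently end up on different Ubuntu releases, and different system library versions for the GUI build, whenever `ubuntu-latest` moves; use `ubuntu-24.04` for amd64 to match.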
@@ -33,29 +41,35 @@ jobs:
with:
go-version: "1.25"

- name: Install Linux GUI dependencies
if: matrix.os == 'linux'
run: |
sudo apt-get update
sudo apt-get install -y libwayland-dev libx11-dev libx11-xcb-dev libxkbcommon-x11-dev libgles2-mesa-dev libegl1-mesa-dev libffi-dev libxcursor-dev libvulkan-dev

- name: Run tests
run: make test

- name: Build binaries for darwin/${{ matrix.arch }}
run: make build-darwin-${{ matrix.arch }} VERSION="${{ inputs.version || 'dev' }}"
- name: Build binaries for ${{ matrix.os }}/${{ matrix.arch }}
run: make build-${{ matrix.os }}-${{ matrix.arch }} VERSION="${{ inputs.version || 'dev' }}"

- name: Prepare artifacts
run: |
mv bin/safechain-ultimate-darwin-${{ matrix.arch }} safechain-ultimate-darwin-${{ matrix.arch }}
mv bin/safechain-ultimate-ui-darwin-${{ matrix.arch }} safechain-ultimate-ui-darwin-${{ matrix.arch }}
mv bin/safechain-ultimate-${{ matrix.os }}-${{ matrix.arch }} safechain-ultimate-${{ matrix.os }}-${{ matrix.arch }}
mv bin/safechain-ultimate-ui-${{ matrix.os }}-${{ matrix.arch }} safechain-ultimate-ui-${{ matrix.os }}-${{ matrix.arch }}

- name: Upload safechain-ultimate artifact
uses: actions/upload-artifact@v4
with:
name: safechain-ultimate-darwin-${{ matrix.arch }}
name: safechain-ultimate-${{ matrix.os }}-${{ matrix.arch }}
path: |
safechain-ultimate-darwin-${{ matrix.arch }}
safechain-ultimate-${{ matrix.os }}-${{ matrix.arch }}
- name: Upload safechain-ultimate-ui artifact
uses: actions/upload-artifact@v4
with:
name: safechain-ultimate-ui-darwin-${{ matrix.arch }}
name: safechain-ultimate-ui-${{ matrix.os }}-${{ matrix.arch }}
path: |
safechain-ultimate-ui-darwin-${{ matrix.arch }}
safechain-ultimate-ui-${{ matrix.os }}-${{ matrix.arch }}

build-unix-proxy:
strategy:
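Review bot: the package list in the new `Install Linux GUI dependencies` step is a copy of the one in `.devcontainer/debian/Dockerfile` and `.devcontainer/ubuntu/Dockerfile`, so CI and the dev containers will drift the first time one is updated; put the list in a single script (for example `scripts/install-linux-gui-deps.sh`, a suggested name) that both the workflow and the Dockerfiles call, and add `--no-install-recommends` there. The rename from `build-darwin-${{ matrix.arch }}` to `build-${{ matrix.os }}-${{ matrix.arch }}` also assumes the Makefile provides `build-linux-amd64` and `build-linux-arm64` targets, which are not part of this diff; worth confirming they exist.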