Merge branch 'main' of github.com:kapilvgit/contract-ledger into main

kapilvgit · Sep 23, 2023 · 93fb5c2 · 93fb5c2
2 parents 5a31a8b + 95c4a1f
commit 93fb5c2
Show file tree

Hide file tree

Showing 11 changed files with 395 additions and 19 deletions.
diff --git a/.github/workflows/build-test-virtual.yml b/.github/workflows/build-test-virtual.yml
@@ -1,7 +1,6 @@
 name: "Build/test (virtual)"
 on: 
   workflow_dispatch:
-  push:
 jobs:
   build-test:
     runs-on: ubuntu-20.04

diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
@@ -0,0 +1,42 @@
+# This workflow will upload a Python Package using Twine when a release is created
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Upload Python Package
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Python
+      uses: actions/setup-python@v3
+      with:
+        python-version: '3.x'
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install build
+    - name: Build package
+      run: | 
+        cd pyscitt 
+        python3 -m build
+    - name: Publish package distributions to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+      with:
+        user: __token__
+        password: ${{ secrets.PYPI_API_TOKEN }}
+        packages-dir: pyscitt/dist
diff --git a/.gitignore b/.gitignore
@@ -8,3 +8,8 @@ workspace/
 *.egg-info/
 .vscode/settings.json
 perf.json
+**/*.pem
+**/*.pid
+.mypy_cache/
+**/*.cose
+**/*.cbor
diff --git a/README.md b/README.md
@@ -35,6 +35,10 @@ See the `demo/contract` folder on how to interact with the application.
 
 See [DEVELOPMENT.md](DEVELOPMENT.md) for instructions on building, running, and testing contract-ledger without Docker.
 
+### Reproducing builds
+
+See [reproducibility.md](./docs/reproducibility.md) for instructions.
+
 ## Contributing
 
 This project welcomes contributions and suggestions. Please see the [Contribution guidelines](CONTRIBUTING.md).
diff --git a/demo/github/1-scitt-setup.sh b/demo/github/1-scitt-setup.sh
@@ -20,6 +20,7 @@ scitt governance propose_ca_certs \
 echo '{ "authentication": { "allow_unauthenticated": true } }' > tmp/configuration.json
 scitt governance propose_configuration \
     --configuration tmp/configuration.json \
+    --url "$SCITT_URL" \
     --member-key workspace/member0_privk.pem \
     --member-cert workspace/member0_cert.pem \
     --development

diff --git a/docs/reproducibility.md b/docs/reproducibility.md
@@ -0,0 +1,45 @@
+# Reproducibility
+
+The assumption here is that the original build was done using a Docker build. The
+goal is to reproduce the same MRENCLAVE value. 
+
+You need a couple pieces of information to begin:
+
+- The source MRENCLAVE value, get it from `https://<LEDGER-URL>/node/quotes/self` (replace <LEDGER-URL> with the URL of your ledger), e.g.:
+
+    ```json
+    {
+        "endorsements": "AQAAAAIAAADZL...UMTI6NTU6MTFaAA==",
+        "format": "OE_SGX_v1",
+        "mrenclave": "fb2c496416fbab20837fedda0ba6db58d819fa5f5c1b3916062eb2fb9d889966",
+        "node_id": "247f1df23e22256cc5bc5e8822183117bc5967da41a257d307f9b1153a4f1853",
+        "raw": "AwACAAAAAAAIAA...ViynsClboLw="
+    }
+    ```
+- Git commit id that built this version. This is something that has no specifc mapping at the moment. You would need to check the build logs of the SGX Docker image to understand which commit produced the candidate value. e.g., `fb2c496416fbab20837fedda0ba6db58d819fa5f5c1b3916062eb2fb9d889966` was built from `fd77c0c69ee890bdc2fcf6ef0c9dddb7b211e164`.
+
+To reproduce the same MRENCLAVE value which would be deployed to CCF 
+do a docker build locally but inside of the development version of CCF image:
+
+- Clone the repository and check out the tag or commit id that built the binary which had specific MRENCLAVE.
+- Identify the expected CCF version by inspecting the [Dockerfile](docker/enclave.Dockerfile).
+- Run a build inside of the CCF docker image:
+
+    ```
+    CCF_VERSION="3.0.12"
+    docker run -it --rm \
+        -w /__w/1/s -v $(pwd):/__w/1/s \
+        -v /var/run/docker.sock:/var/run/docker.sock \
+        --env PLATFORM=sgx \
+        --env CXXFLAGS="-ferror-limit=0" \
+        --env NINJA_FLAGS="-k 0" \
+        mcr.microsoft.com/ccf/app/dev:"$CCF_VERSION"-sgx git config --global --add safe.directory "*" && ./docker/build.sh
+    ```
+- The build will print the value of MRENCLAVE in the log, similar to:
+
+    ```
+    <...>
+    mrenclave.txt
+    fb2c496416fbab20837fedda0ba6db58d819fa5f5c1b3916062eb2fb9d889966
+    ```
+