diff --git a/container-stack/cerro-torre/Containerfile b/container-stack/cerro-torre/Containerfile
index a78a54b..19712b8 100644
--- a/container-stack/cerro-torre/Containerfile
+++ b/container-stack/cerro-torre/Containerfile
@@ -33,11 +33,16 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 # embed the version (alr-X.Y.Z-bin-...), so a hardcoded version in the URL
 # silently breaks the moment a new Alire release ships.
 ARG ALIRE_VERSION=2.1.0
+# The release zip lays the binary out as `bin/alr` (not a bare `alr` at the
+# archive root), so unzip into /tmp and install the located binary. This is
+# robust to either layout and avoids the `chmod /usr/local/bin/alr: No such
+# file or directory` failure that the naive `unzip -d /usr/local/bin` form hits.
 RUN curl -fsSL "https://github.com/alire-project/alire/releases/download/v${ALIRE_VERSION}/alr-${ALIRE_VERSION}-bin-x86_64-linux.zip" \
     -o /tmp/alr.zip \
-    && unzip /tmp/alr.zip -d /usr/local/bin \
-    && rm /tmp/alr.zip \
-    && chmod +x /usr/local/bin/alr
+    && unzip /tmp/alr.zip -d /tmp/alr-extract \
+    && install -m 0755 "$(find /tmp/alr-extract -type f -name alr | head -n 1)" \
+        /usr/local/bin/alr \
+    && rm -rf /tmp/alr.zip /tmp/alr-extract
 
 # Install Rust toolchain (minimal, stable)
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
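Review bot: The Alire archive that the new `unzip`/`install` chain puts on PATH is never integrity-checked: `curl -fsSL` fetches it over HTTPS, but no digest is compared before the binary is installed and then used for every later `alr` step, so a substituted or tampered release would go unnoticed in an image that is meant to produce attested builds. Pin the expected digest next to `ARG ALIRE_VERSION` and verify before extracting, e.g. `ARG ALIRE_SHA256=<sha256 of the v${ALIRE_VERSION} x86_64-linux zip>` and `&& echo "${ALIRE_SHA256}  /tmp/alr.zip" | sha256sum -c - \` between the `-o /tmp/alr.zip` line and the `unzip` line. Separately, `find … -name alr | head -n 1` picks an arbitrary match if the archive ever contains more than one file named `alr`; `-path '*/bin/alr'` would be more precise, while an empty result already fails the build because `install` receives an empty source, which is the right direction.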
@@ -48,12 +53,19 @@ ENV PATH="/root/.cargo/bin:${PATH}"
 WORKDIR /build
 COPY alire.toml cerro_torre.gpr ./
 COPY src/ src/
+# tests/ is a Source_Dir of cerro_torre.gpr for every Feature_Set (it holds
+# the ct_test_* mains), so the project does not build without it.
+COPY tests/ tests/
 
 # config/ is intentionally NOT copied: Alire generates
 # config/cerro_torre_config.gpr (referenced by cerro_torre.gpr) during
 # `alr build`. The directory is gitignored and absent on a clean checkout,
 # so `COPY config/ config/` broke builds from a fresh clone (stapeln#17).
-RUN alr build
+#
+# -n keeps the build non-interactive: with no prior settings Alire would
+# otherwise prompt for a toolchain; -n auto-selects the default gnat_native
+# + gprbuild and provisions them without blocking on stdin.
+RUN alr -n build
 
 # Build the Rust signing utility
 COPY Cargo.toml Cargo.lock ./
diff --git a/container-stack/cerro-torre/alire.toml b/container-stack/cerro-torre/alire.toml
index fcf36a8..eada8b1 100644
--- a/container-stack/cerro-torre/alire.toml
+++ b/container-stack/cerro-torre/alire.toml
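Review bot: `RUN alr -n build` lets Alire choose and download whichever `gnat_native`/`gprbuild` releases its index resolves at build time, as the new comment itself says, so two builds of this Containerfile can compile the project with different compilers and the resulting image is not reproducible. For a supply-chain tool whose output is attested, select the toolchain explicitly before building, something like `RUN alr -n toolchain --select gnat_native=<version> gprbuild=<version>` placed ahead of `RUN alr -n build`, and record the chosen versions in the comment that currently only explains `-n`. Pinning also makes the earlier `COPY tests/ tests/` fix easier to trust, since a future toolchain change can no longer silently alter how the `ct_test_*` mains are built.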
@@ -17,23 +17,30 @@ tags = ["security", "supply-chain", "linux", "containers", "provenance"]
 # CLI binary is named "ct" (short for Cerro Torre)
 executables = ["ct"]
 
-# Dependencies - start minimal, add as needed
-# Pin to gnatcoll 25 due to project file resolution issue in 26
-[[depends-on]]
-gnatcoll = "~25.0.0"
-
-# For TOML parsing (manifest files)
-[[depends-on]]
-ada_toml = "*"
-
-# For JSON handling (provenance, SBOM output)
-[[depends-on]]
-json = "*"
+# Dependencies - start minimal, add as needed.
+#
+# gnatcoll / ada_toml / json are currently NOT referenced by any source
+# (the code uses the in-tree CT_JSON package; nothing `with`s GNATCOLL,
+# TOML or JSON). Resolving them dragged in libgpr/xmlada, which fail to
+# compile against the build toolchain and broke the full container build
+# (stapeln#17 canary). They are disabled until actually consumed; re-enable
+# the relevant block when the corresponding `with` is introduced.
+#
+# [[depends-on]]
+# gnatcoll = "~25.0.0"
+#
+# [[depends-on]]
+# ada_toml = "*"
+#
+# [[depends-on]]
+# json = "*"
 
 # For formally verified primitives (registry parsing, digest ops, HTTP utils)
-# Version omitted - using local pin (see [[pins]] section below)
-[[depends-on]]
-proven = "*"
+# Temporarily disabled: the upstream `proven` library is not yet vendored
+# into this repo, all `with Proven.*` uses are commented out, and the local
+# pin below pointed at a path absent from a clean checkout (stapeln#17 canary).
+# [[depends-on]]
+# proven = "*"
 
 # For HTTP client (source fetching, registry, transparency) - v0.2
 # Temporarily disabled due to dependency conflicts with gnatcoll 25
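Review bot: The rewritten dependency comment drops the one piece of operational knowledge the old block carried: `gnatcoll = "~25.0.0"` was pinned because of a project-file resolution issue in 26, and whoever re-enables the commented block later will have no idea why the constraint is `~25.0.0`; keep the reason on the commented line, e.g. `# gnatcoll = "~25.0.0"  # 25, not 26: project file resolution issue in 26`. The assertion that nothing `with`s GNATCOLL, TOML or JSON cannot be verified from this diff, so naming how it was established (a grep of `src/`, the clean container build) would make the comment something a later reader can re-check. Since `proven` was the source of the "formally verified primitives" for registry parsing and digest ops, the disabled block should also state which in-tree code now stands in for them, so that the loss of verified primitives stays visible rather than being buried in a comment. The context line `# Temporarily disabled due to dependency conflicts with gnatcoll 25` just below is now stale, because gnatcoll is no longer requested at all.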
@@ -51,6 +58,5 @@ CERRO_BUILD_MODE = ["Development", "Release", "Proof"]
 [gpr-set-externals]
 CERRO_BUILD_MODE = "Development"
 
-# Pin proven to local path (formally verified primitives)
-[[pins]]
-proven = { path = "../proven/bindings/ada" }
+# Pin for proven removed alongside the disabled dependency above; restore
+# both together once the upstream `proven` library is vendored.
diff --git a/container-stack/cerro-torre/src/cli/cerro_cli.adb b/container-stack/cerro-torre/src/cli/cerro_cli.adb
index 2ee940b..83f6919 100644
--- a/container-stack/cerro-torre/src/cli/cerro_cli.adb
+++ b/container-stack/cerro-torre/src/cli/cerro_cli.adb
@@ -949,7 +949,10 @@ package body Cerro_CLI is
          -- available on PATH.
          declare
            use GNAT.OS_Lib;
-           CT_Sign_Path : String_Access :=
+           -- Qualify String_Access: both GNAT.OS_Lib and the unit-level
+           -- use of Ada.Strings.Unbounded make it use-visible here, which
+           -- is an ambiguity error under GNAT 14/15.
+           CT_Sign_Path : GNAT.OS_Lib.String_Access :=
              Locate_Exec_On_Path ("ct-sign");
          begin
            if CT_Sign_Path /= null then
diff --git a/container-stack/cerro-torre/src/exporters/oci/cerro_export_oci.adb b/container-stack/cerro-torre/src/exporters/oci/cerro_export_oci.adb
index 52a8a80..d5ddd59 100644
--- a/container-stack/cerro-torre/src/exporters/oci/cerro_export_oci.adb
+++ b/container-stack/cerro-torre/src/exporters/oci/cerro_export_oci.adb
@@ -90,7 +90,7 @@ package body Cerro_Export_OCI is
    Config_Digest : Unbounded_String;
 
    function Execute_Command (Cmd : String; Args : Argument_List) return Boolean is
-      Exe_Path : String_Access := Locate_Exec_On_Path (Cmd);
+      Exe_Path : GNAT.OS_Lib.String_Access := Locate_Exec_On_Path (Cmd);
       Exit_Status : Integer;
    begin
       if Exe_Path = null then
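Review bot: The re-qualified declaration `CT_Sign_Path : GNAT.OS_Lib.String_Access := Locate_Exec_On_Path ("ct-sign");` still resolves the signing helper as the first `ct-sign` found on the caller's PATH, which for a signing step means whoever controls a PATH entry controls which binary produces the signature; the same lookup pattern appears in `Execute_Command` (@@ -90 and @@ -373 of cerro_export_oci.adb) and for `gunzip` (@@ -722 of cerro_import_debian.adb). For `ct-sign` in particular, prefer an explicitly configured path or the directory of the running `ct` executable, and log the resolved path before invoking it so a wrong resolution is visible in the build output. The declare block continues outside the hunk, so whether `CT_Sign_Path` is released with `Free` after use cannot be checked here.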
@@ -228,7 +228,7 @@ package body Cerro_Export_OCI is
       LF : constant Character := Character'Val (10);
       Manifest : Unbounded_String;
       Image_Name : constant String := To_String (M.Metadata.Name);
-      Image_Version : constant String := To_String (M.Metadata.Version);
+      Image_Version : constant String := To_String (M.Metadata.Version.Upstream);
       Config_File : constant String := To_String (Config_Digest) (8 .. Length (Config_Digest)) & ".json";
    begin
       Append (Manifest, "[" & LF);
@@ -293,7 +293,7 @@ package body Cerro_Export_OCI is
       -- Populate result
       Result.Status := Success;
       Result.Image_Ref := To_Unbounded_String (
-        "cerro-torre/" & To_String (M.Metadata.Name) & ":" & To_String (M.Metadata.Version));
+        "cerro-torre/" & To_String (M.Metadata.Name) & ":" & To_String (M.Metadata.Version.Upstream));
       Result.Digest := Config_Digest;
       Result.Layers := 1;
 
@@ -373,7 +373,8 @@ package body Cerro_Export_OCI is
     (Cmd : String; Args : GNAT.OS_Lib.Argument_List) return Boolean
   is
      use GNAT.OS_Lib;
-     Exe_Path : String_Access := Locate_Exec_On_Path (Cmd);
+     Exe_Path : GNAT.OS_Lib.String_Access :=
+       Locate_Exec_On_Path (Cmd);
      Exit_Status : Integer;
   begin
      if Exe_Path = null then
@@ -647,7 +648,7 @@ package body Cerro_Export_OCI is
          Create (Marker_File, Out_File, Marker_Path);
          Put_Line (Marker_File, "# Cerro Torre rootfs");
          Put_Line (Marker_File, "# Package: " & To_String (M.Metadata.Name));
-         Put_Line (Marker_File, "# Version: " & To_String (M.Metadata.Version));
+         Put_Line (Marker_File, "# Version: " & To_String (M.Metadata.Version.Upstream));
          Close (Marker_File);
       end;
 
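Review bot: `Image_Version` (@@ -228) and the `Result.Image_Ref` tag (@@ -293) are now built from `M.Metadata.Version.Upstream` with no check that the value is a legal OCI tag; a tag must match `[A-Za-z0-9_][A-Za-z0-9._-]{0,127}`, while upstream versions routinely contain `+` or `~` (for example `1.2+dfsg`), so such a manifest yields an image reference that registries reject or mis-parse. Unless Cerro_Manifest already validates the version fields on parse (not visible in this diff), validate or sanitise the tag once before both uses and fail the export with a clear error instead of emitting an invalid reference; the same value is also interpolated into the JSON manifest through `Append (Manifest, …)`, so it needs JSON escaping there too unless the manifest builder handles that. The enclosing subprograms of both hunks start and end outside the diff. The marker-file hunk at @@ -647 only writes the value into a text file and needs no change.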
@@ -757,7 +758,9 @@ package body Cerro_Export_OCI is
 
       -- Extract source hash as hex string for the attestation
       Source_Digest_Hex : constant String :=
-        Cerro_Crypto.Bytes_To_Hex (M.Provenance.Upstream_Hash.Digest);
+        To_String (M.Provenance.Upstream_Hash.Digest);
+      -- Upstream_Hash.Digest is stored already hex-encoded (see
+      -- Cerro_Manifest.Hash_Value); it is not a raw SHA256_Digest.
 
       -- Compute manifest content hash for the subject
       Manifest_Content : constant String := Cerro_Manifest.To_String (M);
@@ -892,7 +895,9 @@ package body Cerro_Export_OCI is
 
       -- Upstream source hash
       Source_Hash_Hex : constant String :=
-        Cerro_Crypto.Bytes_To_Hex (M.Provenance.Upstream_Hash.Digest);
+        To_String (M.Provenance.Upstream_Hash.Digest);
+      -- Upstream_Hash.Digest is stored already hex-encoded (see
+      -- Cerro_Manifest.Hash_Value); it is not a raw SHA256_Digest.
 
       File : File_Type;
 
diff --git a/container-stack/cerro-torre/src/importers/debian/cerro_import_debian.adb b/container-stack/cerro-torre/src/importers/debian/cerro_import_debian.adb
index 674e787..e05a910 100644
--- a/container-stack/cerro-torre/src/importers/debian/cerro_import_debian.adb
+++ b/container-stack/cerro-torre/src/importers/debian/cerro_import_debian.adb
@@ -183,7 +183,7 @@ package body Cerro_Import_Debian is
 
          -- Add to result if non-empty
          if Length (Pkg_Name) > 0 then
-            Result.Append ((
+            Result.Append (Dependency_Reference'(
                Name => Pkg_Name,
                Constraint => (Kind => Any)));
          end if;
@@ -722,7 +722,8 @@ package body Cerro_Import_Debian is
       -- Decompress Sources.gz
       declare
          use GNAT.OS_Lib;
-         Gunzip : String_Access := Locate_Exec_On_Path ("gunzip");
+         Gunzip : GNAT.OS_Lib.String_Access :=
+           Locate_Exec_On_Path ("gunzip");
         Args : Argument_List := (new String'("-f"), new String'(Sources_GZ));
         Exit_Status : Integer;
      begin
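Review bot: Replacing `Cerro_Crypto.Bytes_To_Hex` with `To_String (M.Provenance.Upstream_Hash.Digest)` (here and at @@ -892) changes what can reach the attestation: the old call could only ever produce hex characters, whereas the new one forwards whatever string the imported manifest carried, so a malformed or non-hex digest ends up in the provenance subject unchecked. If `Cerro_Manifest.Hash_Value` does not already enforce the format, check it in the subprogram body before the value is used, and if the digest is SHA-256 as the new comment implies the condition is `Source_Digest_Hex'Length = 64 and then (for all C of Source_Digest_Hex => C in '0' .. '9' | 'a' .. 'f')`, failing the export with the project's usual error path when it does not hold; the same check belongs next to `Source_Hash_Hex` in the second hunk. The declaring subprograms of both hunks start and end outside the diff, so the right place for the check is not visible here.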