summaryrefslogtreecommitdiffhomepage
path: root/cmd/dist
AgeCommit message (Collapse)AuthorFilesLines
2025-08-15{cmd/dist,release/dist}: add support for intermediary QNAP signing certificatesPercy Wegmann1-9/+11
Updates #23528 Signed-off-by: Percy Wegmann <percy@tailscale.com>
2025-04-17cmd/dist,release/dist: sign QNAP builds with a Google Cloud hosted keyPercy Wegmann1-8/+17
QNAP now requires builds to be signed with an HSM. This removes support for signing with a local keypair. This adds support for signing with a Google Cloud hosted key. The key should be an RSA key with protection level `HSM` and that uses PSS padding and a SHA256 digest. The GCloud project, keyring and key name are passed in as command-line arguments. The GCloud credentials and the PEM signing certificate are passed in as Base64-encoded command-line arguments. Updates tailscale/corp#23528 Signed-off-by: Percy Wegmann <percy@tailscale.com>
2024-04-22release/dist/qnap: add qnap target builderSonia Appasamy1-1/+12
Creates new QNAP builder target, which builds go binaries then uses docker to build into QNAP packages. Much of the docker/script code here is pulled over from https://github.com/tailscale/tailscale-qpkg, with adaptation into our builder structures. The qnap/Tailscale folder contains static resources needed to build Tailscale qpkg packages, and is an exact copy of the existing folder in the tailscale-qpkg repo. Builds can be run with: ``` sudo ./tool/go run ./cmd/dist build qnap ``` Updates tailscale/tailscale-qpkg#135 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2024-02-08cmd/dist: update logs for synology buildsSonia Appasamy1-0/+3
Update logs for synology builds to more clearly callout which variant is being built. The two existing variants are: 1. Sideloaded (can be manual installed on a device by anyone) 2. Package center distribution (by the tailscale team) Updates #cleanup Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-08-24cmd/dist,release/dist: add distsign signing hooks (#9070)Andrew Lytvynov1-3/+3
Add `dist.Signer` hook which can arbitrarily sign linux/synology artifacts. Plumb it through in `cmd/dist` and remove existing tarball signing key. Distsign signing will happen on a remote machine, not using a local key. Updates #755 Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-08-03cmd/dist,release/dist: expose RPM signing hook (#8789)Andrew Lytvynov1-3/+2
Plumb a signing callback function to `unixpkgs.rpmTarget` to allow signing RPMs. This callback is optional and RPMs will build unsigned if not set, just as before. Updates https://github.com/tailscale/tailscale/issues/1882 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-07-31cmd/dist,release/dist: sign release tarballs with an ECDSA key (#8759)Andrew Lytvynov1-2/+3
Pass an optional PEM-encoded ECDSA key to `cmd/dist` to sign all built tarballs. The signature is stored next to the tarball with a `.sig` extension. Tested this with an `openssl`-generated key pair and verified the resulting signature. Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-05-29release/dist/synology: build synology packages with cmd/distDavid Anderson1-1/+24
Updates #8217 Signed-off-by: David Anderson <danderson@tailscale.com>
2023-02-24release/dist: add forgotten license headersDavid Anderson1-0/+3
Signed-off-by: David Anderson <danderson@tailscale.com>
2023-02-24release/dist/cli: factor out the CLI boilerplace from cmd/distDavid Anderson1-116/+7
Signed-off-by: David Anderson <danderson@tailscale.com>
2023-02-24release: open-source release build logic for unix packagesDavid Anderson1-0/+134
Updates tailscale/corp#9221 Signed-off-by: David Anderson <danderson@tailscale.com>
Copyright © 2025 - 2026 Wayne Cole. WTFPL. Attribution appreciated. No warranty. Not liable for bodily damages.