
rofl build: macos with docker gets enclave identity verification failed #458

@federava

oasis rofl build --verify in Docker on macOS is giving an error in spite of having the correct rofl.yaml file.

Command

docker run --platform linux/amd64 --volume .:/src -it ghcr.io/oasisprotocol/rofl-dev:main oasis rofl build --verify

Full response

Building a ROFL application...
Deployment: default
Network:    testnet
ParaTime:   sapphire
Debug:      false
App ID:     rofl1qqa9yh0mxv0urct88dt6h6uxt7sjy0fcf5kyevlw
Name:       rofl
Version:    0.1.0
TEE:        tdx
Kind:       container
Building a container-based TDX ROFL application...
Downloading firmware artifact...
  URI: https://github.com/oasisprotocol/oasis-boot/releases/download/v0.4.1/ovmf.tdx.fd#db47100a7d6a0c1f6983be224137c3f8d7cb09b63bb1c7a5ee7829d8e994a42f
  Hash: db47100a7d6a0c1f6983be224137c3f8d7cb09b63bb1c7a5ee7829d8e994a42f
Downloading kernel artifact...
  URI: https://github.com/oasisprotocol/oasis-boot/releases/download/v0.4.1/stage1.bin#06e12cba9b2423b4dd5916f4d84bf9c043f30041ab03aa74006f46ef9c129d22
  Hash: 06e12cba9b2423b4dd5916f4d84bf9c043f30041ab03aa74006f46ef9c129d22
Downloading stage 2 template artifact...
  URI: https://github.com/oasisprotocol/oasis-boot/releases/download/v0.4.1/stage2-podman.tar.bz2#6f2487aa064460384309a58c858ffea9316e739331b5c36789bb2f61117869d6
  Hash: 6f2487aa064460384309a58c858ffea9316e739331b5c36789bb2f61117869d6
Downloading rofl-container runtime artifact...
  URI: https://github.com/oasisprotocol/oasis-sdk/releases/download/rofl-containers%2Fv0.5.0/rofl-containers#800be74e543f1d10d12ef6fadce89dd0a0ce7bc798dbab4f8d7aa012d82fbff1
  Hash: 800be74e543f1d10d12ef6fadce89dd0a0ce7bc798dbab4f8d7aa012d82fbff1
Downloading compose.yaml artifact...
  URI: compose.yaml
Validating compose file...
Preparing stage 2 root filesystem...
Unpacking template...
Adding runtime as init...
Adding extra files...
Creating squashfs filesystem...
Creating dm-verity hash tree...
Creating ORC bundle...
ROFL app built and bundle written to 'rofl.default.orc'.
Computing enclave identity...
Built enclave identities DIFFER from manifest enclave identities!
Built enclave identities:
  - dqLzZtCn3xNFnBRy51ZOXx78MmCE7Vg3NtxRUJfJpNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  - 25bODD27y8v2neQcRquD0SQPDp91bd5JBac1OLurBAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
Manifest enclave identities:
  - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
Error: enclave identity verification failed

rofl.yaml file

name: rofl
version: 0.1.0
tee: tdx
kind: container
resources:
  memory: 512
  cpus: 1
  storage:
    kind: disk-persistent
    size: 512
artifacts:
  firmware: https://github.com/oasisprotocol/oasis-boot/releases/download/v0.4.1/ovmf.tdx.fd#db47100a7d6a0c1f6983be224137c3f8d7cb09b63bb1c7a5ee7829d8e994a42f
  kernel: https://github.com/oasisprotocol/oasis-boot/releases/download/v0.4.1/stage1.bin#06e12cba9b2423b4dd5916f4d84bf9c043f30041ab03aa74006f46ef9c129d22
  stage2: https://github.com/oasisprotocol/oasis-boot/releases/download/v0.4.1/stage2-podman.tar.bz2#6f2487aa064460384309a58c858ffea9316e739331b5c36789bb2f61117869d6
  container:
    runtime: https://github.com/oasisprotocol/oasis-sdk/releases/download/rofl-containers%2Fv0.5.0/rofl-containers#800be74e543f1d10d12ef6fadce89dd0a0ce7bc798dbab4f8d7aa012d82fbff1
    compose: compose.yaml
deployments:
  default:
    app_id: rofl1qqa9yh0mxv0urct88dt6h6uxt7sjy0fcf5kyevlw
    network: testnet
    paratime: sapphire
    admin: rofldeployer
    oci_repository: rofl.sh/6d298fd0-6dab-4730-8700-278b7318a38a:1746879147
    trust_root:
      height: 26532290
      hash: b00bcea983201970c9873af64a8133623f8b24f2c4a975600428b169b780da39
    policy:
      quotes:
        pcs:
          tcb_validity_period: 30
          min_tcb_evaluation_data_number: 18
          tdx: {}
      enclaves:
        - id: dqLzZtCn3xNFnBRy51ZOXx78MmCE7Vg3NtxRUJfJpNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
        - id: 25bODD27y8v2neQcRquD0SQPDp91bd5JBac1OLurBAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
      endorsements:
        - any: {}
      fees: endorsing_node
      max_expiration: 3
    secrets:
      - name: PORT
        value: pGJwa1ggSvTBiSk3tdHu64Q2d9FRhwVuKLvSURmU1hWCD/2M2kNkbmFtZVS7fD0Ynj3zv765s3s062NWhp5ogWVub25jZU/nYSugh2Oyxd15R2cYq4NldmFsdWVUkHHSK4l+MIaxJBMVXwHI51XAhbA=
      - name: RPC_URL
        value: pGJwa1gg1ctUdu25ZRBdsyiDxMF3E6orznxAmf3SqVnTaEHoGBtkbmFtZVe32lAp3RvPUJscWI77MDOYW1nUdW+fJmVub25jZU/3UQ6iz7WEnqrHCjFM6xNldmFsdWVYMaRQHqc5m/aqkg358yyo0b2B5FENd0Iz0xSi+MeMkzDZ7l9H+cINDJAfkmQYnQmxvas=
      - name: PRIVATE_KEY
        value: pGJwa1ggaMvcO6gE5mo1dvIuCYIDkWmLeqRLgeRBzrZ9YuyuBTBkbmFtZVgbuShdmzjXtKVP8XimLIv6z/DDBDe4tZwTuH9hZW5vbmNlT47/7Hs1mV0wvxyqCDsvOGV2YWx1ZVhSwaPHfO575FdU3OiyKuY37U9TCN2Eqti/6pQmaxTAej60B8+UAUF5OndgiAXIvKlzAJdnlAUSVQT93a9FJqtUdjFXu4n7aBiaAswTzvq8EPBbKw==
      - name: CONTRACT_ADDRESS
        value: pGJwa1ggmkOp7uRb/KRIY5Yoz/dvX4j6QbMyuWwx76ptnC7DDTFkbmFtZVggwKfu+gS6uvVFtHbqaiYE3DEKNPOmvUzQR8zT64sb8yFlbm9uY2VPpF0R6Z9bIGA+UnogEBi7ZXZhbHVlWDoVpoMz/hpBmCN2j5pB94e5DXWqKkK/Al0N7L6V+cDWUIt1MOknmNGf/O4V8PrvZNXGFOnTpni3yh/B
    machines:
      default:
        provider: oasis1qp2ens0hsp7gh23wajxa4hpetkdek3swyyulyrmz
        offer: playground_short
        id: "0000000000000036"
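
A triage helper for the `--verify` failure shown above, as an added example (not part of the original report and not Oasis project code): it parses the two identity lists from the CLI output, reports which built identities the manifest list lacks, and flags manifest identities that decode to all zero bytes. The sample log is constructed to mirror the shape of the output in this issue; the function names and the assumption that each identity is standard base64 belong to this example.

```python
import base64
import re

# Constructed sample mirroring the shape of the output in this issue; the
# identities below are made up for the example, not copied from the report.
BUILT_A = base64.b64encode(bytes(range(1, 33)) + bytes(32)).decode()
BUILT_B = base64.b64encode(bytes(range(33, 65)) + bytes(32)).decode()
ZERO_ID = base64.b64encode(bytes(64)).decode()
SAMPLE_LOG = f"""Computing enclave identity...
Built enclave identities DIFFER from manifest enclave identities!
Built enclave identities:
  - {BUILT_A}
  - {BUILT_B}
Manifest enclave identities:
  - {ZERO_ID}
Error: enclave identity verification failed
"""

def parse_identities(log):
    """Return {'built': [...], 'manifest': [...]} from `--verify` output."""
    found, current = {"built": [], "manifest": []}, None
    for line in log.splitlines():
        header = re.match(r"^(Built|Manifest) enclave identities:\s*$", line)
        item = re.match(r"^\s+-\s+([A-Za-z0-9+/]+={0,2})\s*$", line)
        if header:
            current = header.group(1).lower()
        elif item and current:
            found[current].append(item.group(1))
        else:
            current = None  # any other line ends the current list
    return found

def triage(log):
    """Compare the two lists and flag all-zero manifest identities."""
    ids = parse_identities(log)
    manifest = set(ids["manifest"])
    return {
        "missing_from_manifest": [i for i in ids["built"] if i not in manifest],
        "stale_in_manifest": [i for i in ids["manifest"] if i not in ids["built"]],
        "all_zero_manifest": [
            i for i in ids["manifest"] if not any(base64.b64decode(i, validate=True))
        ],
    }

if __name__ == "__main__":
    for key, values in triage(SAMPLE_LOG).items():
        print(key, values)
```

In the output above, the two built identities are the same strings as the `policy.enclaves` ids in the posted rofl.yaml, while the manifest list printed by the CLI holds a single, different entry.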
