Use deterministic umask during build

cmd/rofl/build/artifacts.go

@@ -305,6 +305,22 @@ func createSquashFs(buildEnv env.ExecEnv, fn, dir string) (int64, error) {
 	return fi.Size(), nil
 }
 
+// sha256File computes a SHA-256 digest of the file with the given filename and returns a
+// hex-encoded hash.
+func sha256File(fn string) (string, error) {
+	f, err := os.Open(fn)
+	if err != nil {
+		return "", fmt.Errorf("failed to open filesystem file: %w", err)
+	}
+	defer f.Close()
+
+	h := sha256.New()
+	if _, err = io.Copy(h, f); err != nil {
+		return "", fmt.Errorf("failed to read filesystem file: %w", err)
+	}
+	return hex.EncodeToString(h.Sum([]byte{})), nil
+}
+
 // createVerityHashTree creates the verity Merkle hash tree and returns the root hash.
 func createVerityHashTree(buildEnv env.ExecEnv, fsFn, hashFn string) (string, error) {
 	// Print a nicer error message in case veritysetup is missing.
@@ -314,16 +330,10 @@ func createVerityHashTree(buildEnv env.ExecEnv, fsFn, hashFn string) (string, er
 	}
 
 	// Generate a deterministic salt by hashing the filesystem.
-	f, err := os.Open(fsFn)
+	salt, err := sha256File(fsFn)
 	if err != nil {
-		return "", fmt.Errorf("failed to open filesystem file: %w", err)
-	}
-	defer f.Close()
-	h := sha256.New()
-	if _, err = io.Copy(h, f); err != nil {
-		return "", fmt.Errorf("failed to read filesystem file: %w", err)
+		return "", err
 	}
-	salt := h.Sum([]byte{})
 
 	rootHashFn := hashFn + ".roothash"
 
@@ -332,7 +342,7 @@ func createVerityHashTree(buildEnv env.ExecEnv, fsFn, hashFn string) (string, er
 		"--data-block-size=4096",
 		"--hash-block-size=4096",
 		"--uuid=00000000-0000-0000-0000-000000000000",
-		"--salt="+hex.EncodeToString(salt),
+		"--salt="+salt,
 		"--root-hash-file="+rootHashFn,
 		fsFn,
 		hashFn,

cmd/rofl/build/artifacts_other.go

@@ -15,3 +15,6 @@ func extractHandleSpecialNode(path string, header *tar.Header) error {
 func extractChtimes(path string, atime, mtime time.Time) error {
 	return os.Chtimes(path, atime, mtime)
 }
+
+func setUmask(mask int) {
+}

cmd/rofl/build/artifacts_unix.go

@@ -28,3 +28,7 @@ func extractChtimes(path string, atime, mtime time.Time) error {
 	mtv := unix.NsecToTimeval(mtime.UnixNano())
 	return unix.Lutimes(path, []unix.Timeval{atv, mtv})
 }
+
+func setUmask(mask int) {
+	unix.Umask(mask)
+}

cmd/rofl/build/build.go

@@ -43,7 +43,8 @@ var (
 		Use:   "build",
 		Short: "Build a ROFL application",
 		Args:  cobra.NoArgs,
-		RunE: func(_ *cobra.Command, _ []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			cmd.SilenceUsage = true
 			cfg := cliConfig.Global()
 			npa := common.GetNPASelection(cfg)
 			manifest, deployment := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, &roflCommon.ManifestOptions{
@@ -76,6 +77,9 @@ var (
 			}
 			defer os.RemoveAll(tmpDir)
 
+			// Ensure deterministic umask for builds.
+			setUmask(0o002)
+
 			var buildEnv env.ExecEnv
 			switch {
 			case manifest.Artifacts.Builder == "" || noDocker:

cmd/rofl/build/tdx.go

@@ -148,6 +148,13 @@ func tdxPrepareStage2(
 
 	// Add runtime as init.
 	fmt.Println("Adding runtime as init...")
+
+	initHash, err := sha256File(initPath)
+	if err != nil {
+		return nil, err
+	}
+	fmt.Printf("Runtime hash: %s\n", initHash)
+
 	if err := copyFile(initPath, filepath.Join(rootfsDir, "init"), 0o755); err != nil {
 		return nil, err
 	}

main.go

@@ -1,7 +1,13 @@
 package main
 
-import "github.com/oasisprotocol/cli/cmd"
+import (
+	"os"
+
+	"github.com/oasisprotocol/cli/cmd"
+)
 
 func main() {
-	_ = cmd.Execute()
+	if err := cmd.Execute(); err != nil {
+		os.Exit(1)
+	}
 }