From 7db5ebece1e1a7e7cfc612b753478845a6f367ee Mon Sep 17 00:00:00 2001
From: Andrew Cady <d@jerkface.net>
Date: Thu, 28 May 2020 10:38:46 -0400
Subject: makefile: add VERITY and VERITY_SIGN

---
 .gitignore         |  5 +++++
 Makefile           | 13 +++++++++++--
 build-deps.control |  1 +
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index 34734ec..64eecd0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -48,3 +48,8 @@ rootfs/samizdat.patch.btrfs
 rootfs/samizdat.seed.btrfs
 rootfs/seed.iso
 apt-get-update-stamp
+*.btrfs
+*.btrfs.verity
+*.btrfs.verity.log
+*.btrfs.verity.log.asc
+*.btrfs.verity.log.sig
diff --git a/Makefile b/Makefile
index f507be0..54658af 100644
--- a/Makefile
+++ b/Makefile
@@ -174,6 +174,14 @@ get_loop_dev="$$(sudo losetup -n -O name -j $@~tmp)"
 get_backing_file="$$(sudo losetup -n -O back-file -j $@~tmp)"
 get_min_size="$$(btrfs inspect-internal min-dev-size --id 1 $@.mnt | (read b _; echo $$b))"
 
+%.btrfs.verity: %.btrfs
+	sudo veritysetup format $< $@ > $@.log
+	sudo chmod 644 $@
+	h=$$(sed -ne 's/^Root hash:[ \t]*//p' $@.log) && [ "$$h" ]
+
+%.btrfs.verity.log.asc: %.btrfs.verity.log
+	sudo gpg --armor --detach-sign $^
+
 rootfs/samizdat.seed.btrfs: rootfs/samizdat.btrfs
 ifneq ($(shell id -u),0)
 	$(SUDO_MAKE) $@
@@ -282,7 +290,8 @@ gold.iso: rootfs/seed.iso reused-child
 		--protective-msdos-label
 	mv $@~tmp $@
 
-rootfs/seed.iso: rootfs/samizdat.seed.btrfs
+rootfs/seed.iso: $(addprefix rootfs/samizdat.seed.btrf, s \
+                  $(if $(VERITY), s.verity s.verity.log $(if $(VERITY_SIGN), s.verity.log.asc)))
 	rm -f $@~tmp
 	touch $@~tmp
 	fallocate -n -l 10G $@~tmp
@@ -293,7 +302,7 @@ rootfs/seed.iso: rootfs/samizdat.seed.btrfs
 		-volid SamizdatLive \
 		-pathspecs on \
 		-follow link \
-		-add /rootfs/samizdat.btrfs=$< -- \
+		-add $^ -- \
 		-follow default
 	mv $@~tmp $@
 
diff --git a/build-deps.control b/build-deps.control
index fc3eaeb..a946554 100644
--- a/build-deps.control
+++ b/build-deps.control
@@ -1,6 +1,7 @@
 Source: sami
 Build-Depends: bridge-utils,
                build-essential,
+               cryptsetup,
                devscripts,
                libbz2-dev,
                libncurses-dev,
-- 
cgit v1.2.3