From 0bf33ea4b5f180106ae40dca7e8f88905a305ff2 Mon Sep 17 00:00:00 2001 From: Rafid Bin Mostofa Date: Fri, 12 Jan 2024 16:45:07 +0600 Subject: [PATCH 1/5] feat(20.04): add ubuntu archive signing key 2018 (#77) * feat(20.04): add ubuntu archive signing key 2018 This commit adds the Ubuntu Archive Automatic Signing Key (2018) as a "public-key" in the chisel.yaml. The armored data was obtained by executing the following commands on a Ubuntu 22.04 machine: $ gpg --keyserver keyserver.ubuntu.com --receive-keys 871920D1991BC93C $ gpg --armor --export 871920D1991BC93C BREAKING CHANGE: This commit introduces the new chisel yaml format "chisel-v2", in which ``public-keys`` (top-level) and ``archive..public-keys`` fields are introduced. This changes is related to the addition of integrity checks in chisel. [1] [1] https://github.com/canonical/chisel/pull/106 * fix(20.04): revert chisel.yaml format to chisel-v1 * fix: rename public-keys to v1-public-keys --- chisel.yaml | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+)
diff --git a/chisel.yaml b/chisel.yaml
index 1b8008d5a..ad4cd27c8 100644
--- a/chisel.yaml
+++ b/chisel.yaml
@@ -5,3 +5,40 @@ archives:
 version: 20.04
 components: [main, universe]
 suites: [focal, focal-security, focal-updates]
+ v1-public-keys: [ubuntu-archive-key-2018]
+
+v1-public-keys:
+ # Ubuntu Archive Automatic Signing Key (2018)
+ # rsa4096/f6ecb3762474eda9d21b7022871920d1991bc93c 2018-09-17T15:01:46Z
+ ubuntu-archive-key-2018:
+ id: "871920D1991BC93C"
+ armor: |
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+ mQINBFufwdoBEADv/Gxytx/LcSXYuM0MwKojbBye81s0G1nEx+lz6VAUpIUZnbkq
+ dXBHC+dwrGS/CeeLuAjPRLU8AoxE/jjvZVp8xFGEWHYdklqXGZ/gJfP5d3fIUBtZ
+ HZEJl8B8m9pMHf/AQQdsC+YzizSG5t5Mhnotw044LXtdEEkx2t6Jz0OGrh+5Ioxq
+ X7pZiq6Cv19BohaUioKMdp7ES6RYfN7ol6HSLFlrMXtVfh/ijpN9j3ZhVGVeRC8k
+ KHQsJ5PkIbmvxBiUh7SJmfZUx0IQhNMaDHXfdZAGNtnhzzNReb1FqNLSVkrS/Pns
+ AQzMhG1BDm2VOSF64jebKXffFqM5LXRQTeqTLsjUbbrqR6s/GCO8UF7jfUj6I7ta
+ LygmsHO/JD4jpKRC0gbpUBfaiJyLvuepx3kWoqL3sN0LhlMI80+fA7GTvoOx4tpq
+ VlzlE6TajYu+jfW3QpOFS5ewEMdL26hzxsZg/geZvTbArcP+OsJKRmhv4kNo6Ayd
+ yHQ/3ZV/f3X9mT3/SPLbJaumkgp3Yzd6t5PeBu+ZQk/mN5WNNuaihNEV7llb1Zhv
+ Y0Fxu9BVd/BNl0rzuxp3rIinB2TX2SCg7wE5xXkwXuQ/2eTDE0v0HlGntkuZjGow
+ DZkxHZQSxZVOzdZCRVaX/WEFLpKa2AQpw5RJrQ4oZ/OfifXyJzP27o03wQARAQAB
+ tEJVYnVudHUgQXJjaGl2ZSBBdXRvbWF0aWMgU2lnbmluZyBLZXkgKDIwMTgpIDxm
+ dHBtYXN0ZXJAdWJ1bnR1LmNvbT6JAjgEEwEKACIFAlufwdoCGwMGCwkIBwMCBhUI
+ AgkKCwQWAgMBAh4BAheAAAoJEIcZINGZG8k8LHMQAKS2cnxz/5WaoCOWArf5g6UH
+ beOCgc5DBm0hCuFDZWWv427aGei3CPuLw0DGLCXZdyc5dqE8mvjMlOmmAKKlj1uG
+ g3TYCbQWjWPeMnBPZbkFgkZoXJ7/6CB7bWRht1sHzpt1LTZ+SYDwOwJ68QRp7DRa
+ Zl9Y6QiUbeuhq2DUcTofVbBxbhrckN4ZteLvm+/nG9m/ciopc66LwRdkxqfJ32Cy
+ q+1TS5VaIJDG7DWziG+Kbu6qCDM4QNlg3LH7p14CrRxAbc4lvohRgsV4eQqsIcdF
+ kuVY5HPPj2K8TqpY6STe8Gh0aprG1RV8ZKay3KSMpnyV1fAKn4fM9byiLzQAovC0
+ LZ9MMMsrAS/45AvC3IEKSShjLFn1X1dRCiO6/7jmZEoZtAp53hkf8SMBsi78hVNr
+ BumZwfIdBA1v22+LY4xQK8q4XCoRcA9G+pvzU9YVW7cRnDZZGl0uwOw7z9PkQBF5
+ KFKjWDz4fCk+K6+YtGpovGKekGBb8I7EA6UpvPgqA/QdI0t1IBP0N06RQcs1fUaA
+ QEtz6DGy5zkRhR4pGSZn+dFET7PdAjEK84y7BdY4t+U1jcSIvBj0F2B7LwRL7xGp
+ SpIKi/ekAXLs117bvFHaCvmUYN7JVp1GMmVFxhIdx6CFm3fxG8QjNb5tere/YqK+
+ uOgcXny1UlwtCUzlrSaP
+ =9AdM
+ -----END PGP PUBLIC KEY BLOCK-----
From 0a01a4c6338e69c09b8cb3e268ec4ee5c00f2386 Mon Sep 17 00:00:00 2001 From: Rafid Bin Mostofa Date: Mon, 29 Jan 2024 14:04:49 +0600 Subject: [PATCH 2/5] fix(20.04): add missing path in openssl_config (#100) * fix(20.04): add missing path in openssl_config /usr/lib/ssl/certs is a symlink to /etc/ssl/certs. But the latter was not included in the slice, resulting in a broken symlink in the rootfs if the ca-certificates slices were not installed. This commit adds the missing /etc/ssl/certs path. * fix: add missing '/' after dir path --- slices/openssl.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/slices/openssl.yaml b/slices/openssl.yaml
index dfc2c9b40..38f00f7b8 100644
--- a/slices/openssl.yaml
+++ b/slices/openssl.yaml
@@ -13,8 +13,9 @@ slices: config: contents: - /etc/ssl/private/: + /etc/ssl/certs/: /etc/ssl/openssl.cnf: + /etc/ssl/private/: /usr/lib/ssl/certs: /usr/lib/ssl/openssl.cnf: /usr/lib/ssl/private:
From b051ff18bb5639033bb53c95d2c47ff35001315a Mon Sep 17 00:00:00 2001 From: Rafid Bin Mostofa Date: Mon, 29 Jan 2024 23:21:58 +0600 Subject: [PATCH 3/5] feat(20.04): add slices for bash and coreutils (#103) --- slices/bash.yaml | 21 ++++++++ slices/coreutils.yaml | 122 ++++++++++++++++++++++++++++++++++++++++++ slices/libacl1.yaml | 8 +++ slices/libattr1.yaml | 13 +++++ 4 files changed, 164 insertions(+) create mode 100644 slices/bash.yaml create mode 100644 slices/coreutils.yaml create mode 100644 slices/libacl1.yaml create mode 100644 slices/libattr1.yaml
diff --git a/slices/bash.yaml b/slices/bash.yaml
new file mode 100644
index 000000000..e0f3b4aac
--- /dev/null
+++ b/slices/bash.yaml
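Review bot: In the chisel.yaml hunk, the only machine-readable identity for the new trust anchor is the 64-bit `id: "871920D1991BC93C"`; the full fingerprint appears only in a comment, and the commit message says the armor was fetched from a keyserver by that same long key ID. Long key IDs are not collision-resistant identifiers, so the provenance record should state that the exported key's full fingerprint was compared with an independent source (for example the archive keyring shipped in an existing Ubuntu install) before it was committed. I would extend the comment above `ubuntu-archive-key-2018:` with a line such as `# fingerprint checked against <trusted source> on <date>`. Whether chisel itself compares anything beyond `id` with the armored data is not visible in this patch.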
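Review bot: In slices/openssl.yaml, `/etc/ssl/certs/:` is added without a comment, so the reason it belongs in the `config` slice lives only in the commit message. A one-line comment above the entry, such as `# target of the /usr/lib/ssl/certs symlink; CA certificates come from the ca-certificates slices`, would keep it from being dropped later. It would also tell image builders that this slice alone leaves the trust directory empty, so TLS verification against the default store is expected to fail until those slices are installed. The `contents` mapping starts and ends outside the hunk.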
@@ -0,0 +1,21 @@
+package: bash
+
+slices:
+ config:
+ contents:
+ /etc/bash.bashrc:
+ /etc/skel/.bash_logout:
+ /etc/skel/.bashrc:
+ /etc/skel/.profile:
+
+ bins:
+ essential:
+ - bash_config
+ - libc6_libs
+ - libtinfo6_libs
+ contents:
+ # user should manually link /bin/sh to /bin/bash
+ /bin/bash:
+ /bin/rbash:
+ /usr/bin/clear_console:
+ /usr/bin/bashbug:
diff --git a/slices/coreutils.yaml b/slices/coreutils.yaml
new file mode 100644
index 000000000..764ffdc17
--- /dev/null
+++ b/slices/coreutils.yaml
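Review bot: In slices/bash.yaml the `bins` slice ships `/bin/rbash`, `/usr/bin/clear_console` and `/usr/bin/bashbug` together with `/bin/bash`, so an image that only needs the shell gets all four. For a minimal root filesystem I would keep `/bin/bash` in `bins` and move the others to a separate slice; `bashbug` in particular is, as far as I know, a `/bin/sh` script, and the comment in this hunk says `/bin/sh` is not provided. The comment itself could state the consequence, e.g. `# /bin/sh is not created by this slice; link it to /bin/bash if scripts need it`.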
@@ -0,0 +1,122 @@
+package: coreutils
+
+slices:
+ libs:
+ essential:
+ - libc6_libs
+ contents:
+ /usr/lib/*-linux-*/coreutils/libstdbuf.so:
+
+ bins:
+ essential:
+ - coreutils_libs
+ - libacl1_libs
+ - libattr1_libs
+ - libc6_libs
+ - libselinux1_libs
+ contents:
+ /bin/cat:
+ /bin/chgrp:
+ /bin/chmod:
+ /bin/chown:
+ /bin/cp:
+ /bin/date:
+ /bin/dd:
+ /bin/df:
+ /bin/dir:
+ /bin/echo:
+ /bin/false:
+ /bin/ln:
+ /bin/ls:
+ /bin/mkdir:
+ /bin/mknod:
+ /bin/mktemp:
+ /bin/mv:
+ /bin/pwd:
+ /bin/readlink:
+ /bin/rm:
+ /bin/rmdir:
+ /bin/sleep:
+ /bin/stty:
+ /bin/sync:
+ /bin/touch:
+ /bin/true:
+ /bin/uname:
+ /bin/vdir:
+ /usr/bin/[:
+ /usr/bin/arch:
+ /usr/bin/b2sum:
+ /usr/bin/base32:
+ /usr/bin/base64:
+ /usr/bin/basename:
+ /usr/bin/chcon:
+ /usr/bin/cksum:
+ /usr/bin/comm:
+ /usr/bin/csplit:
+ /usr/bin/cut:
+ /usr/bin/dircolors:
+ /usr/bin/dirname:
+ /usr/bin/du:
+ /usr/bin/env:
+ /usr/bin/expand:
+ /usr/bin/expr:
+ /usr/bin/factor:
+ /usr/bin/fmt:
+ /usr/bin/fold:
+ /usr/bin/groups:
+ /usr/bin/head:
+ /usr/bin/hostid:
+ /usr/bin/id:
+ /usr/bin/install:
+ /usr/bin/join:
+ /usr/bin/link:
+ /usr/bin/logname:
+ /usr/bin/md5sum:
+ /usr/bin/md5sum.textutils:
+ /usr/bin/mkfifo:
+ /usr/bin/nice:
+ /usr/bin/nl:
+ /usr/bin/nohup:
+ /usr/bin/nproc:
+ /usr/bin/numfmt:
+ /usr/bin/od:
+ /usr/bin/paste:
+ /usr/bin/pathchk:
+ /usr/bin/pinky:
+ /usr/bin/pr:
+ /usr/bin/printenv:
+ /usr/bin/printf:
+ /usr/bin/ptx:
+ /usr/bin/realpath:
+ /usr/bin/runcon:
+ /usr/bin/seq:
+ /usr/bin/sha1sum:
+ /usr/bin/sha224sum:
+ /usr/bin/sha256sum:
+ /usr/bin/sha384sum:
+ /usr/bin/sha512sum:
+ /usr/bin/shred:
+ /usr/bin/shuf:
+ /usr/bin/sort:
+ /usr/bin/split:
+ /usr/bin/stat:
+ /usr/bin/stdbuf:
+ /usr/bin/sum:
+ /usr/bin/tac:
+ /usr/bin/tail:
+ /usr/bin/tee:
+ /usr/bin/test:
+ /usr/bin/timeout:
+ /usr/bin/tr:
+ /usr/bin/truncate:
+ /usr/bin/tsort:
+ /usr/bin/tty:
+ /usr/bin/unexpand:
+ /usr/bin/uniq:
+ /usr/bin/unlink:
+ /usr/bin/users:
+ /usr/bin/wc:
+ /usr/bin/who:
+ /usr/bin/whoami:
+ /usr/bin/yes:
+ /usr/sbin/chroot:
diff --git a/slices/libacl1.yaml b/slices/libacl1.yaml
new file mode 100644
index 000000000..aac661f2d
--- /dev/null
+++ b/slices/libacl1.yaml
@@ -0,0 +1,8 @@
+package: libacl1
+
+slices:
+ libs:
+ essential:
+ - libc6_libs
+ contents:
+ /usr/lib/*-linux-*/libacl.so.1*:
diff --git a/slices/libattr1.yaml b/slices/libattr1.yaml
new file mode 100644
index 000000000..227ad375b
--- /dev/null
+++ b/slices/libattr1.yaml
@@ -0,0 +1,13 @@
+package: libattr1
+
+slices:
+ config:
+ contents:
+ /etc/xattr.conf:
+
+ libs:
+ essential:
+ - libattr1_config
+ - libc6_libs
+ contents:
+ /usr/lib/*-linux-*/libattr.so.1*:
From 3272179109ea13bd7de74c77881574ca7868cacb Mon Sep 17 00:00:00 2001 From: Cristovao Cordeiro Date: Wed, 28 Feb 2024 15:31:56 +0000 Subject: [PATCH 4/5] fix(20.04): fix arch specific paths for openjdk-8 (#150) * fix(20.04): fix arch specific paths for openjdk-8 * chore(openjdk-8-jre-headless): unfold long lines --- slices/openjdk-8-jre-headless.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/slices/openjdk-8-jre-headless.yaml b/slices/openjdk-8-jre-headless.yaml
index da856aaad..317d2d7e9 100644
--- a/slices/openjdk-8-jre-headless.yaml
+++ b/slices/openjdk-8-jre-headless.yaml
@@ -27,8 +27,18 @@ slices:
 /usr/lib/jvm/java-8-openjdk-*/jre/lib/*/libverify.so:
 /usr/lib/jvm/java-8-openjdk-*/jre/lib/*/libzip.so:
 /usr/lib/jvm/java-8-openjdk-*/jre/lib/*/libjsig.so:
+ /usr/lib/jvm/java-8-openjdk-*/jre/lib/*/client/libjsig.so: {arch: armhf}
+ /usr/lib/jvm/java-8-openjdk-*/jre/lib/*/client/libjvm.so: {arch: armhf}
 /usr/lib/jvm/java-8-openjdk-*/jre/lib/*/server/libjsig.so:
+ arch:
+ - amd64
+ - arm64
+ - ppc64el
 /usr/lib/jvm/java-8-openjdk-*/jre/lib/*/server/libjvm.so:
+ arch:
+ - amd64
+ - arm64
+ - ppc64el
 /usr/lib/jvm/java-8-openjdk-*/jre/lib/hijrah-config-umalqura.properties:
 /usr/lib/jvm/java-8-openjdk-*/jre/lib/calendars.properties:
 /usr/lib/jvm/java-8-openjdk-*/jre/lib/content-types.properties:
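Review bot: slices/coreutils.yaml puts every coreutils binary into a single `bins` slice, so an image that needs `cat` or `env` also receives `chroot`, `mknod`, `dd`, `chcon`, `runcon` and the rest. Chiselled images are usually built to keep the installed tool set small, and a handful of smaller slices grouped by purpose would let consumers leave out the binaries they do not need; the existing `libs` slice shows the pattern. Separately, `essential` names `libselinux1_libs`, which is not added by this patch (only libacl1 and libattr1 are), so it is worth confirming that slice already exists on this branch.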
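Review bot: In slices/openjdk-8-jre-headless.yaml, after this change every `libjvm.so` entry carries an `arch` restriction (`client/` for armhf, `server/` for amd64, arm64 and ppc64el), so on any architecture outside those four the slice would install no JVM library and presumably raise no error. If that exclusion is intended, a comment above the entries such as `# no libjvm.so is shipped for other architectures` would make it explicit; the `jfr.jar` entry in the second hunk of this file lists the same four architectures and deserves the same note. The hunk also mixes flow style (`{arch: armhf}`) with block lists for the same key; one form would read better. The enclosing `contents` mapping starts and ends outside the hunk.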
@@ -121,6 +131,11 @@ slices: - openjdk-8-jre-headless_core contents: /usr/lib/jvm/java-8-openjdk-*/jre/lib/jfr.jar: + arch: + - amd64 + - arm64 + - armhf + - ppc64el # Shared libraries for supporting heap profilling. hprof:
From 4adcac27ad58e9a6e6010f4e6e85c3d06bedad5c Mon Sep 17 00:00:00 2001 From: Rafid Bin Mostofa Date: Wed, 28 Feb 2024 22:14:59 +0600 Subject: [PATCH 5/5] chore(20.04): add workflow to test slices (#141) This commit adds a workflow to test installing changed or all slices, based on the files changed. Co-authored-by: Cristovao Cordeiro --- .github/workflows/ci.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .github/workflows/ci.yaml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 000000000..32876353b
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,15 @@
+name: CI
+run-name: CI for ${{ github.ref }}
+
+on:
+ push:
+ branches:
+ - "ubuntu-*"
+ pull_request:
+ branches:
+ - "ubuntu-*"
+
+jobs:
+ installability-tests:
+ name: Installability tests
+ uses: canonical/chisel-releases/.github/workflows/install-slices.yaml@main
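Review bot: In .github/workflows/ci.yaml the job calls the reusable workflow at the mutable ref `@main`, and the file declares no `permissions:` block. Every `ubuntu-*` branch therefore runs whatever `install-slices.yaml` is on `main` at that moment, with the repository's default token scope. Pinning the reference to a full commit SHA (`uses: canonical/chisel-releases/.github/workflows/install-slices.yaml@<commit-sha>`) and adding a top-level `permissions:` with `contents: read` would make the run reproducible and least-privilege. If tracking `main` is deliberate so that all release branches share one test definition, a comment saying so would help.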