This directory contains scripts, config templates, and other sources for a native deployment of Veraison on the system.
To build Veraison services, you will need a Go toolchain, at least v1.22. If Go is already installed, you can check the version:
go version
If not, the instructions for downloading and installing Go on your platform can be found here.
You will also need the protobuf compiler, protoc
, with plugins for Go. The
plugins may be installed via go install
:
go install google.golang.org/protobuf/cmd/[email protected]
go install google.golang.org/grpc/cmd/[email protected]
go install github.com/mitchellh/protoc-gen-go-json@latest
You will need GNU make
(at least version 3.81) to drive the build process.
The deployment script is written for bash
shell, and relies on envsubst
utility (which comes as part of gettext
package on most systems), as well as
some common UNIX utilities that are often already present on a system but may
sometimes need to be installed: find
, grep
, sed
.
Important
MacOSX users: To enable envsubst
and force it to link properly:
brew install gettext
brew link --force gettext
For a full deployment, the following tools will also be needed:
sqlite3
to initialize and manipulate the storesjq
to display the stores' contentsopenssl
(at least version 3.0) to generate the TLS certificates (not needed if you plan to use the included example certs).step
to generate the signing key (not needed if you plan to use the included example key).tmux
can optionally be used to run the deployment (not required).
All except step
should be available from package managers of most
distributions. For installing step
, please see its
documentation.
To simplify dependency installation, we have bootstrap scripts available for
Arch, Ubuntu, and MacOSX (using homebrew) (see bootstrap/
subdirectory). Running
git clone https://github.com/veraison/services.git
cd services/deployments/native
make bootstrap
will try to automatically select the appropriate script to run.
You can check whether the required dependencies are present by running
make check
This will report an error if a mandatory dependency is missing, or warnings if one or more optional dependencies are missing.
To get Veraison running quickly you can run
make quick-deploy
in this file's directory, or make native-deploy
in the repo's top-level
directory.
This will create a deployment under ~/veraison-deployment
using the included
example key and certificates.
The deployment is controlled via a CLI frontend script,
~/veraison-deployment/bin/veraison
. You can create an alias for it so that it
may be invoked simply as veraison
by sourcing the deployments env file:
source ~/veraison-deployment/env/env.bash
(the command above assumes you're using bash
shell; there is also an
equivalent file for zsh
).
You have three options for running the services:
# option 1
veraison start-term
Will spawn a virtual terminal for each service.
# option 2
export SESSION_NAME=veraison
veraison start-tmux $SESSION_NAME
will create a tmux session with the specified name (if no name is specified, the default is "veraison"), and will start services inside panes within that session. You can then attach to the session with
tmux attach -t $SESSION_NAME
Note that this requires that tmux
is installed on the system.
Finally
# option 3
veraison start-services
will install and start systemd/launchd services for the current user.
(Note: if you've deployed by running make native-deploy
at top level, that will
automatically try to start services via systemd/launchd on systems that use them.)
You can check that Veraison is running properly by running through the end-to-end flow.
There are multiple steps to creating a functioning Veraison deployment. make quick-deploy
described above executes these steps in sequence with default
options for minimal hassle.
This section describes how to create a deployment by executing each step
individually using the deployment.sh
script, and the options available for
each step.
The destination for the deployment is specified by VERAISON_ROOT
environment
variable. If the variable does not exist, it defaults to
~/veraison-deployment
(as seen above).
export VERAISON_ROOT=~/alternate-deployment
If the specified location does not exist, it will be created by the script.
Veraison services can be built with
./deployment.sh build
This is equivalent to running make COMBINED_PLUGINS=1
at the top level. Note
that COMBINED_PLUGINS
must be set, as the deployment will not use split
-handler
plugins.
./deployment.sh deploy
This create the deployment directory structure under VERAISON_ROOT
(including
the VERAISON_ROOT
itself if it doesn't already exist) and will copy the
service executables, (combined) plugins, the CLI frontend, and configuration
into the directory structure.
Alternatively, if you specify -s
option:
./deployment.sh -s deploy
then the service executables and plugins will be symbolically linked, rather than copied. This is useful for development, so that you don't have keep re-copying the executables after rebuilding them.
Veraison services communicate with clients and with each other over TLS. Each
service will use its own certificate and associated key that it will pick up
from ${VERAISON_ROOT}/certs/
based on its name (e.g. VTS service will use
${VERAISON_ROOT}/certs/vts.crt
.
These certificates can be generated for a deployment by providing a root certificate that will be used to sign them. The root certificate maybe obtained from a known Certificate Authority (such as Let's Encrypt), or created locally (in which case, it will be self-signed).
Certificate generation relies on openssl
which must be installed on the
system.
A root certificate may be created by running
./deployment.sh create-root-cert "/C=US/O=Acme Inc."
This will create ${VERAISON_ROOT}/certs/rootCA.crt
(and the associated
${VERAISON_ROOT}/certs/rootCA.key
) with the specified subject. The subject
may be omitted from the invocation, in which case /O=Veraison
will be used.
Once you have a root certificate (either generated in the sub-section above, or obtained via some other means), you can use it to generate certificates for the individual services.
In addition to the root certificate and key, you will also need to specify a comma-separated list of names that will be used to populate the Common Name field and Subject Alternative Name extension in the generated certificates.
./deployment.sh init-certificates $(cat /etc/hostname),localhost \
${VERAISON_ROOT}/certs/rootCA.crt ${VERAISON_ROOT}/certs/rootCA.key
If you only plan to use the services locally, it is sufficient to only provide "localhost" as the first argument.
The names in the list may contain the placeholder @@
that will be replaced
with the name of the service.
For example, if you specify the first argument as
@@.my-domain.com,@@-service.alt-domain.com,localhost
then the certificate generated for the VTS service will contain the Subject
/CN=vts.my-domain.com
and the SAN extension with
DNS:vts.my-domain.com, DNS:vts-service.alt-domain.com, DNS:localhost
Note
if you're using your own root certificate rather than generating one as in
sub-section above, you do not need to rename or copy it into
${VERAISON_ROOT}/certs/
-- this will be done as part of init-certificates
command (the root cert key will not be copied as it won't be needed after
service certificates are generated).
It is also possible to just use included example certificates rather then generating new ones for the deployment (these will, obviously, only work for local use, as they won't be configured with your host's name).
./deployment.sh -e init-certificates
When doing this, you do not need to create/provide a root certificate.
The signing key should be provided as ${VERAISON_ROOT}/signing/skey.jwk
. It
will be used by the verification service to sign attestation results. The key
must be in JWK format.
You can generate a new key for the deployment with
./deployment.sh init-signing-key
Signing key generation relies on step
which must be installed on the system
(see dependencies section above).
As with certificates, it is possible use the example key instead of generating a new one:
./deployment.sh -e init-signing-key
Veraison uses sqlite3 databases to store endorsements, trust anchors, and policies. When started, services will expect these database to be initialized with appropriate tables. This can be done by running
./deployment.sh init-stores
Veraison services can be interacted with via CLI applications, cocli
for
provisioning, evcli
for verification, and pocli
for policy management.
These clients can be installed, along with appropriate configuration with
./deployment.sh init-clients
If you already cocli
or other clients installed, you can use them, rather
than the ones bundled with the deployment. You can use --config
option
to point to the deployment's config file for the client, e.g.
cocli --config ${VERAISON_ROOT}/config/cocli/config.yaml OTHER_ARGS...
To avoid having to specify the config file each time, you can copy the
client-specific sub-directory into your XDG_CONFIG_HOME
(usually
~/.config/
)
cp -r ${VERAISON_ROOT}/config/cocli ~/.config/
cocli OTHER_ARGS...
(The examples above use cocli
but the same goes for evcli
and pocli
as
well.)
Once deployment has been created, ${VERAISON_ROOT}
has the following
structure
.
├── bin
├── certs
├── config
├── env
├── logs
├── plugins
├── signing
├── stores
└── systemd (or launchd)
This directory contains all executables associated with deployment, including the CLI frontend, services, and clients.
(note: if the deployment was created with -s
option, the service executables
will in fact be symlinks to their source locations.)
This directory has a number of sub-directories, one for the services, and one
for each client. Each subdirectory contains a config.yaml
with associated
configuration.
This directly contains env files that may be sourced by various shells in order to setup up the shell for use with the deployment (e.g. allowing the frontend to be invoked without specifying its full path).
Currently, only bash
and zsh
are supported.
This directory contains service logs.
This directly contains attestation scheme plugins.
(note: if the deployment was crated with -s
option, the plugins will in fact
be symlinks to their source locations.)
This directly contains skey.jwk
, the key that will be used by the
verification service to sign attestation results.
This directory contains sqlite3 database for the endorsements, trust anchors, and policies stores.
This directory contains systemd unit files for the Veraison services. It is
split into two sub-directories: system
and user
. The latter contains units
meant to be installed into the user-specific service manager (i.e. using
systemctl --user
).
This directory contains launchd user agent files for the Veraison services.
Authentication is disabled by default in the native deployment. To enable it, you first need to have the Keycloak authentication service running.
Note
Proper installation and setup of Keycloak is outside the scope of this README. Please refer to the Keycloak documentation for complete installation instructions. The instructions below show how to get something running with minimal effort for local development and testing only.
Keycloak requires OpenJDK 21. This is not part of Veraison dependencies and is not installed as part of bootstrap. If you don't already have it on your system, you will need to install it.
# On Arch
sudo pacman -S jdk21-openjdk
# On Ubuntu
sudo apt install openjdk-21-jdk
You will then need to make sure that JAVA_HOME
points to it:
export JAVA_HOME=/usr/lib/jvm/java-21-openjdk
Pick an install destination (must exist), and download and extract Keycloak into it:
export INSTALL_DEST=${HOME}
wget -O- https://github.com/keycloak/keycloak/releases/download/25.0.2/keycloak-25.0.2.tar.gz | \
tar xzf - -C ${INSTALL_DEST}
export KEYCLOAK_ROOT=${INSTALL_DEST}/keycloak-25.0.2
Setup the new install to work with the deployment:
./deployment.sh setup-keycloak ${KEYCLOAK_ROOT} localhost \
${VERAISON_ROOT}/certs/rootCA.{crt,key} 11111
The first argument to the setup-keycloak
command is the root directory of the
keycloak installation. The second argument is a comma-separated list of names
that will be used in the certificate (in the listing above it's just
"localhost"). The third and fourth arguments are the root certificate and its
key that will be used to sign Keycloak's cert. This must be the same root cert
that was used for the Veraison deployment (the listing above assumes that
you've generated the root with gen-root-cert
command as described above, if
not, then adjust the paths as appropriate). The final argument is the port
Keycloak will be listening on.
The setup command will also generate a new key for the server, and copy the example Veraison realm into its data path.
Finally, re-build, and start the server:
${KEYCLOAK_ROOT}/bin/kc.sh build
${KEYCLOAK_ROOT}/bin/kc.sh start --import-realm
The --import-realm
option will cause the server to import the example
veraison realm.
If you imported the example realm when running the server, you do not need to do this step.
- Veraison will expect the realm containing its configuration to be called "veraison".
- This realm must define "manager" and "provisioner" roles.
- There must be at least one user associated with each role.
- There must be at least one client setup with Authentication Flow capabilities "Standard Flow" and "Direct Access Grants" enabled.
Please refer to the Keycloak docs for how to go about setting up the above.
Finally, enable authentication in the config files for services, cocli, and pocli inside the deployment. This just means uncommenting the relevant config. If you have set up a new veraison realm instead of using the example one, the config values will also need to be updated.
By default, the deployment will use sqlite3
databases located under
${VERAISON_ROOT}/stores/
for key-value stores. It is possible to use either
MySQL/MariaDB or Postgres instead.
- Ensure the relevant DBMS is installed and running. Please refer to the DBMS' and/or your OS' documentation for instructions on how to set that up.
- Create a user and a database for the deployment, and initialize k-v store tables for endorsements, trust anchors, and policies. Subdirectory kvstore-backends contains scripts to automate this step.
- Edit
*-store
entires inside${VERAISON_ROOT}/config/services/config.yaml
to comment out thesqlite3
config, and uncommenting config for the relevant driver (pgx
for Postgres, andmysql
for MySQL/MariaDB). You may also need to edit the uncommented settings to match your set up in the previous steps.