ci: disable build-win32-package

Chocolatey registries are currently unavailable, and this is blocking
the release process. Disable the win32 build in CI, in the release
branch, to allow to move forward.

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>

.github/workflows/reusable_build_packages.yaml

@@ -344,44 +344,6 @@ jobs:
           path: |
             ${{ github.workspace }}/build/falco-${{ inputs.version }}-wasm.tar.gz
 
-  build-win32-package:
-    if: ${{ inputs.arch == 'x86_64' }}
-    runs-on: windows-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-        with:
-          fetch-depth: 0
-
-      - name: Install NSIS
-        run: choco install nsis -y
-
-      # NOTE: Backslash doesn't work as line continuation on Windows.
-      - name: Prepare project
-        run: |
-          cmake -B build -S . -DCMAKE_BUILD_TYPE=Release -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
-
-      - name: Build project
-        run: |
-          cmake --build build --target package --config Release
-
-      - name: Run unit Tests
-        run: |
-          build/unit_tests/Release/falco_unit_tests.exe
-
-      - name: Upload Falco win32 installer
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-        with:
-          name: falco-installer-Release-win32.exe
-          path: build/falco-*.exe
-
-      - name: Upload Falco win32 package
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-        with:
-          name: falco-Release-win32.exe
-          path: |
-            ${{ github.workspace }}/build/userspace/falco/Release/falco.exe
-
   build-macos-package:
     if: ${{ inputs.arch == 'x86_64' }}
     runs-on: macos-latest

.github/workflows/reusable_publish_packages.yaml

@@ -82,11 +82,6 @@ jobs:
           GPG_KEY: ${{ secrets.GPG_KEY }}
         run: printenv GPG_KEY | gpg --import -
 
-      - name: Sign rpms
-        run: |
-          rpmsign --define '_gpg_name Falcosecurity Package Signing' --addsign /tmp/falco-build-rpm/falco-*.rpm
-          rpm -qp --qf '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n' /tmp/falco-build-rpm/falco-*.rpm
-
       - name: Publish wasm
         run: |
           ./scripts/publish-wasm -f /tmp/falco-wasm/falco-${{ inputs.version }}-wasm.tar.gz

CMakeLists.txt

@@ -288,11 +288,11 @@ if(NOT WIN32
    AND NOT MUSL_OPTIMIZED_BUILD
 )
 	include(falcoctl)
-	set(CONTAINER_VERSION "0.6.0")
+	set(CONTAINER_VERSION "0.6.1")
 	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-		set(CONTAINER_HASH "f9c322dc2aa4cbda492a5e6258532f771e960db45509a53bc1a528a01f4b6168")
+		set(CONTAINER_HASH "008989992ed1f31b3ffb94ba6b64ca5a8e2f91611a10c9d6213c5c0a499d0679")
 	else() # arm64
-		set(CONTAINER_HASH "f2015a5c758b5eb79869ec1593352adf5c955990e58e08047b4c1344c6b07676")
+		set(CONTAINER_HASH "f90a700b4c2b411b23e7cc461b61a316b242994aad853c3e6baf12481fb6f6c9")
 	endif()
 	include(container_plugin)
 

cmake/modules/falcoctl.cmake

@@ -20,16 +20,16 @@ option(ADD_FALCOCTL_DEPENDENCY "Add falcoctl dependency while building falco" ON
 if(ADD_FALCOCTL_DEPENDENCY)
 	string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-	set(FALCOCTL_VERSION "0.11.4")
+	set(FALCOCTL_VERSION "0.12.1")
 
 	message(STATUS "Building with falcoctl: ${FALCOCTL_VERSION}")
 
 	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
 		set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-		set(FALCOCTL_HASH "8015cadcb4328abcbf140c3ca88031cd46426f7f3279d2802f0937ab1e41d66c")
+		set(FALCOCTL_HASH "dca157ce150dff084479cfcebf2b4cee455a7d2c6473e189f3b159c74251f982")
 	else() # aarch64
 		set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-		set(FALCOCTL_HASH "246874f1168abb7a8463509c6191ede460e5a2b8a39058ef5c4a17b67cb86c85")
+		set(FALCOCTL_HASH "580833ecb0776ede67096ae2ac621ab78761454fdee7bffdeeed0889a45f24bd")
 	endif()
 
 	ExternalProject_Add(

scripts/publish-rpm

@@ -14,6 +14,16 @@ check_program() {
   fi
 }
 
+# Sign RPM packages with embedded GPG signature using rpmsign
+#
+# $@: paths of RPM files to sign.
+rpmsign_packages() {
+    echo "Signing RPM packages with rpmsign..."
+    rpmsign --define '_gpg_name Falcosecurity Package Signing' --resign "$@"
+    echo "Verifying RPM signatures..."
+    rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}: %|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n' "$@"
+}
+
 # Updates the signature of a RPM package in the local repository
 #
 # $1: path of the repository.
@@ -127,6 +137,8 @@ fi
 check_program createrepo
 check_program gpg
 check_program aws
+check_program rpmsign
+check_program rpm
 
 # settings
 s3_bucket_repo="s3://falco-distribution/packages/${repo}"
@@ -140,19 +152,32 @@ aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
 
 # update signatures for all existing packages
 if [ "${sign_all}" ]; then
+  # collect all RPM files
+  rpm_files=()
   for file in ${tmp_repo_path}/*; do
-    if [ -f "$file" ]; then # exclude directories, symlinks, etc...
-      if [[ ! $file == *.asc ]]; then # exclude signature files
-        package=$(basename -- ${file})
-        echo "Signing ${package}..."
-        sign_rpm ${tmp_repo_path} ${file}
-
-        echo "Syncing ${package}.asc to ${s3_bucket_repo}..."
-        aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
-      fi
+    if [ -f "$file" ] && [[ $file == *.rpm ]]; then
+      rpm_files+=("$file")
     fi
   done
+
+  # sign all RPM packages with embedded GPG signature
+  if [ ${#rpm_files[@]} -gt 0 ]; then
+    rpmsign_packages "${rpm_files[@]}"
+  fi
+
+  # create detached signatures and upload
+  for file in "${rpm_files[@]}"; do
+    package=$(basename -- ${file})
+    echo "Creating detached signature for ${package}..."
+    sign_rpm ${tmp_repo_path} ${file}
+
+    echo "Syncing ${package} and ${package}.asc to ${s3_bucket_repo}..."
+    aws s3 cp ${tmp_repo_path}/${package} ${s3_bucket_repo}/${package} --acl public-read
+    aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
+  done
+  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/*.rpm
   aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/*.asc
+  update_repo ${tmp_repo_path}
   sign_repo ${tmp_repo_path}
 fi
 
@@ -161,8 +186,9 @@ if [[ ${repo} == "rpm-dev" ]]; then
   reduce_dir_size ${tmp_repo_path} 10 rpm
 fi
 
-# update the repo by adding new packages
+# sign and add new packages to the repo
 if ! [ ${#files[@]} -eq 0 ]; then
+  rpmsign_packages "${files[@]}"
   for file in "${files[@]}"; do
     echo "Adding ${file}..."
     add_rpm ${tmp_repo_path} ${file}

userspace/engine/rule_loader.h

@@ -215,7 +215,8 @@ struct deprecated_field_warning : warning {
 	        df(df) {}
 
 	std::string as_string() const override {
-		return warning::as_string() + ": field '" + falco::load_result::deprecated_field_str(df);
+		return warning::as_string() + ": field '" + falco::load_result::deprecated_field_str(df) +
+		       "'";
 	};
 	std::string description() const override {
 		return warning::description() + ": " + falco::load_result::deprecated_field_desc(df);