caution apps build (build_local) hardcoded e2e=false/locksmith=false and passed None for the app branch/commit, so its enclave image never matched a real deployment of the same app.
For any app using e2e: true (steve) or locksmith: true, the locally-built PCR0/PCR1 were wrong — and the embedded manifest.json was missing the app_source block (also measured into the ramdisk).
This makes build_local read the same inputs the deploy/verify paths already do:
- read e2e and locksmith flags from the Procfile
- capture the git commit and branch and pass them through, so the manifest records app_source
With this, caution apps build reproduces a deployed enclave's PCR0 exactly (verified against a live caution verify --attestation-url), given the deployment's BOOTPROOF_COMMIT/STEVE_COMMIT (read from its attestation manifest):
BOOTPROOF_COMMIT=<manifest.bootproof_commit> STEVE_COMMIT=<manifest.steve_commit> caution apps build --no-cache
❓ to follow up on
apps build still needs BOOTPROOF_COMMIT/STEVE_COMMIT passed by hand — it has no manifest to read them from. These are resolved server-side from mutable env (api/builder.rs), so today the only way to learn a deployment's actual values is to read them back from its attestation manifest after deploying. We should be able to get them before a deploy (e.g. a command/endpoint reporting the builder's current defaults, or pinning them in the Procfile/manifest) so a local apps build can match a future deployment deterministically.
example
caution verify:
❯ caution verify --no-cache --attestation-url https://minitel.kobl.one/attestation
Verifying enclave attestation...
[...]
Extracting remote PCR values...
Remote PCR values (from deployed enclave):
PCR0: 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
PCR1: 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
PCR2: 21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a
Manifest information:
App source: https://github.com/vkobel/minitel commit: 296335bddb7eaf1264e25a2190b8454708845531 branch: feat/caution-enclave
Enclave source: https://git.distrust.co/public/enclaveos/archive/9582e25239430070667fdd0a6b64d887f1c308df.tar.gz commit: 9582e25239430070667fdd0a6b64d887f1c308df
Framework source: https://codeberg.org/caution/platform/archive/main.tar.gz commit: 639bc8adc600563d9903fed228d93523a7d66fe2
[...]
Expected PCR values:
PCR0: 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
PCR1: 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
PCR2: 21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a
[...]
then from the cloned repo, same commit (296335bddb7e):
❯ BOOTPROOF_COMMIT=78f531a2c245404a9d8879fb71cc397096ae0077 \
STEVE_COMMIT=1dee1a0d55d1106fd8a237c09733406489cc8d12 \
caution apps build --no-cache
Building EIF locally for inspection...
✓ Application image built: caution-local-build:296335bddb7e
[...]
=== PCR Values ===
PCR0 (Enclave image): 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
PCR1 (Kernel/boot): 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
PCR2 (Application): 21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a
[...]
`caution apps build` (build_local) hardcoded e2e=false/locksmith=false and passed None for the app branch/commit, so its enclave image never matched a real deployment of the same app.
For any app using `e2e: true` (steve) or `locksmith: true`, the locally-built PCR0/PCR1 were wrong — and the embedded manifest.json was missing the app_source block (also measured into the ramdisk).
This makes build_local read the same inputs the deploy/verify paths already do:
- read e2e and locksmith flags from the Procfile
- capture the git commit and branch and pass them through, so the manifest records app_source
With this, caution apps build reproduces a deployed enclave's PCR0 exactly (verified against a live caution `verify --attestation-url`), given the deployment's BOOTPROOF_COMMIT/STEVE_COMMIT (read from its attestation manifest):
```bash
BOOTPROOF_COMMIT=<manifest.bootproof_commit> STEVE_COMMIT=<manifest.steve_commit> caution apps build --no-cache
```
### ❓ to follow up on
apps build still needs BOOTPROOF_COMMIT/STEVE_COMMIT passed by hand — it has no manifest to read them from. These are resolved server-side from mutable env (api/builder.rs), so today the only way to learn a deployment's actual values is to read them back from its attestation manifest after deploying. We should be able to get them before a deploy (e.g. a command/endpoint reporting the builder's current defaults, or pinning them in the Procfile/manifest) so a local apps build can match a future deployment deterministically.
### example
caution verify:
```bash
❯ caution verify --no-cache --attestation-url https://minitel.kobl.one/attestation
Verifying enclave attestation...
[...]
Extracting remote PCR values...
Remote PCR values (from deployed enclave):
PCR0: 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
PCR1: 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
PCR2: 21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a
Manifest information:
App source: https://github.com/vkobel/minitel commit: 296335bddb7eaf1264e25a2190b8454708845531 branch: feat/caution-enclave
Enclave source: https://git.distrust.co/public/enclaveos/archive/9582e25239430070667fdd0a6b64d887f1c308df.tar.gz commit: 9582e25239430070667fdd0a6b64d887f1c308df
Framework source: https://codeberg.org/caution/platform/archive/main.tar.gz commit: 639bc8adc600563d9903fed228d93523a7d66fe2
[...]
Expected PCR values:
PCR0: 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
PCR1: 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
PCR2: 21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a
[...]
```
then from the cloned repo, same commit (`296335bddb7e`):
```bash
❯ BOOTPROOF_COMMIT=78f531a2c245404a9d8879fb71cc397096ae0077 \
STEVE_COMMIT=1dee1a0d55d1106fd8a237c09733406489cc8d12 \
caution apps build --no-cache
Building EIF locally for inspection...
✓ Application image built: caution-local-build:296335bddb7e
[...]
=== PCR Values ===
PCR0 (Enclave image): 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
PCR1 (Kernel/boot): 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
PCR2 (Application): 21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a
[...]
```