Skip to content

fix(installer): two R8 curl|bash install P0s — stamper guard-clobber + provision --name (→ v1.8.2)#289

Merged
saadqbal merged 3 commits into
developfrom
fix/r8-stamper-guard-clobber-develop
Jul 1, 2026
Merged

fix(installer): two R8 curl|bash install P0s — stamper guard-clobber + provision --name (→ v1.8.2)#289
saadqbal merged 3 commits into
developfrom
fix/r8-stamper-guard-clobber-develop

Conversation

@saadqbal

@saadqbal saadqbal commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Develop-first landing of two P0s that broke the R8 curl | bash install end to end (both slipped past the v1.8.1 release because the installer was never actually run through provisioning — only static checks + a hand-done cosign verify).

1. Stamper clobbered install.sh's fail-closed guard

The sign-installer-manifest job replaced __TRACEBLOC_RELEASE_REF__ globally, rewriting not just DEFAULT_REF= but also the guard that checks the same token (== "__TRACEBLOC_RELEASE_REF__"== "v1.8.1") — so the stamped installer errored "wasn't stamped" on every run.

  • Stamp only /^DEFAULT_REF=/; assert DEFAULT_REF stamped and the guard sentinel survives.
  • Self-test now runs the stamped installer and asserts it clears the guard (the missing positive-path test).

2. Provisioning never passed --name

provision.sh runs tracebloc client create with output redirected to the log, so the CLI can't prompt and hard-requires --name — every browser-auth install failed at Step 3 with "--name is required (non-interactive — no TTY to prompt)".

  • provision.sh now supplies name (+ location): TRACEBLOC_CLIENT_NAME/_LOCATION env override → /dev/tty prompt (RFC §6.4 "name this machine + confirm location") → fail closed.
  • +2 provision.bats tests; existing mint tests updated.

Verified locally

Simulated the fixed stamper (TAG=v1.8.2) and ran the result → clears the guard, proceeds to fetch; BRANCH=… still fails closed. provision.bats green (12/12), shellcheck clean. Chart bumped 1.8.1 → 1.8.2.

Lands on develop; a matching PR to main cuts v1.8.2.


Note

Medium Risk
Touches the release installer stamping pipeline and interactive provisioning for machine credentials—high user impact on install success, but changes are narrowly scoped with regression tests and CI guards.

Overview
Fixes two P0 regressions that broke the R8 curl | bash install path end to end.

Release stamper (v1.8.1): The sign-installer-manifest job replaced __TRACEBLOC_RELEASE_REF__ on every line, including the fail-closed guard in install.sh that compares REF to that sentinel. Stamped installers then always reported "wasn't stamped". Stamping is now limited to the DEFAULT_REF= line, with CI checks that DEFAULT_REF is pinned to the tag and the guard still contains the placeholder. The self-test runs the stamped installer and asserts it clears the guard (positive path), not only bash -n and mutable-BRANCH rejection.

Provisioning: With client create output redirected to the log, the CLI cannot prompt and requires --name. provision.sh now resolves machine name (and optional location) via TRACEBLOC_CLIENT_NAME / TRACEBLOC_CLIENT_LOCATION, interactive prompts on /dev/tty (works under curl | bash), or fails closed; it passes --name / --location through an argv array. Bats coverage for argv passthrough and the no-name non-TTY case; manifest.sha256 updated for provision.sh. Helm chart version 1.8.2.

Reviewed by Cursor Bugbot for commit f816324. Bugbot is set up for automated code reviews on this repo. Configure here.

…ives (v1.8.1 regression)

The sign-installer-manifest job replaced __TRACEBLOC_RELEASE_REF__ GLOBALLY when
stamping the published install.sh. install.sh's fail-closed guard
(`if [[ "$REF" == "__TRACEBLOC_RELEASE_REF__" ]]`) references the SAME token to
detect an un-stamped build, so the global replace rewrote it to the release tag
too — turning the guard into `== "v1.8.1"`, which then fired on the exact success
case. Every install from the v1.8.1 signed installer errored "This installer
wasn't stamped with a pinned release tag" (backend#830); curl|bash of
tracebloc.io/i.sh (→ releases/latest/download/install.sh) was broken for everyone.

- Anchor the awk stamp to `/^DEFAULT_REF=/` — only the assignment line is
  rewritten; the guard keeps its placeholder sentinel and works.
- Post-stamp: assert DEFAULT_REF was stamped to the tag AND the guard sentinel is
  still present (regression guard for the clobber).
- Self-test: add the missing POSITIVE path — run the stamped installer and assert
  it clears the guard (never prints "wasn't stamped"). The old self-test only
  checked bad-ref rejection, which passed despite the bug. Verified locally: the
  surgically-stamped install.sh clears the guard and proceeds to the fetch.
- chart: bump 1.8.1 -> 1.8.2 for the re-release (version + appVersion lockstep).

install.sh source is unchanged — the fix is entirely in the stamper.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…provisioning)

Second R8 install regression, found running the installer end to end: provision.sh
runs `tracebloc client create` with its output redirected to the log (the
credential must never reach the terminal), so the CLI can't prompt — and it
hard-requires --name non-interactively. Every browser-auth `curl | bash` install
failed at Step 3 with "--name is required (non-interactive — no TTY to prompt)".

provision.sh now supplies the name (+ location) itself:
- TRACEBLOC_CLIENT_NAME / TRACEBLOC_CLIENT_LOCATION env override (unattended), else
- prompt on /dev/tty — works under curl|bash, whose stdin isn't the terminal;
  matches RFC-0001 §6.4 "name this machine + confirm its location", else
- fail closed with a clear "set TRACEBLOC_CLIENT_NAME" message.
Passes --name (required) + --location (when provided) via an array so multi-word
values survive. The TTY check is split into _prompt_tty() so tests can force the
non-interactive path.

Tests: the provision.bats mint tests now carry a name; +2 tests (env
--name/--location passed through; no-name + no-TTY is fatal). shellcheck clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@saadqbal saadqbal changed the title fix(release): R8 stamper clobbered install.sh's guard — develop-first landing (v1.8.1 regression → v1.8.2) fix(installer): two R8 curl|bash install P0s — stamper guard-clobber + provision --name (→ v1.8.2) Jul 1, 2026
The R8 bootstrap verifies each fetched sub-script against manifest.sha256;
editing provision.sh (add --name/--location) changed its digest, so the
manifest must be regenerated or the installer-tests 'Installer manifest is
current' check fails (and the published installer would reject provision.sh).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@saadqbal saadqbal merged commit 5a03236 into develop Jul 1, 2026
36 checks passed
saadqbal added a commit that referenced this pull request Jul 1, 2026
…evelop (#290)

fix(installer): two R8 curl|bash install P0s — stamper guard-clobber + provision --name (→ v1.8.2)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants