canonical · adombeck · Feb 16, 2026
diff --git a/scripts/README.md b/scripts/README.md
@@ -0,0 +1,11 @@
+# Setup
+
+To enable the pre-push hook:
+
+```bash
+ln -sf .scripts/pre-push .git/hooks/pre-push
+```
+
+# Usage
+
+Check the usage messages of the scripts, they all support `--help` (except the pre-push hook).
diff --git a/scripts/build-authd-binaries b/scripts/build-authd-binaries
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+set -euo pipefail
+
+usage(){
+    cat << EOF
+Usage: $0 [--version <version>] [-h|--help]
+
+Build the authd binaries.
+
+Important: Don't trust the PAM module binary built by this script, it behaves
+differently from the one built by the deb package. If you encounter any issues
+with the PAM module, build and install the deb package instead.
+
+Options:
+  --version <version>  Version to set in the binary.
+  -h, --help           Show this help message and exit.
+EOF
+}
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --version)
+            VERSION="$2"
+            shift 2
+            ;;
+        -h|--help)
+            usage
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1"
+            exit 1
+            ;;
+    esac
+done
+
+set -x
+
+if [ -n "${VERSION:=}" ]; then
+    export GOFLAGS="-ldflags=-X=github.com/canonical/authd/internal/consts.Version=${VERSION} --mod=vendor -buildmode=pie"
+fi
+
+go mod vendor
+
+go generate -C internal/proto/authd
+go generate -C pam/internal/gdm
+
+go build -v -o authd ./cmd/authd
+
+go generate -C pam -x -tags pam_debug
+
+go build -C pam -v .
+
+if [ -d ./cmd/authctl ]; then
+    go build -v -o authctl ./cmd/authctl
+fi
+
+# Some protobuf files get updated but the change depends on the locally installed
+# version of protoc (I think) so I don't want to commit it
+git checkout "*.pb.go"
diff --git a/scripts/build-authd-deb b/scripts/build-authd-deb
@@ -0,0 +1,144 @@
+#!/bin/bash
+
+set -euo pipefail
+
+usage(){
+    cat << EOF
+Usage: $0 [options]
+
+Build the authd source and binary deb packages. The build is done in a fresh
+clone of the repository in a separate build directory, so that files that are
+not tracked by git are not included in the package. Uncommitted changes in the
+repository are applied to the build directory
+
+Options:
+  --build-dir <dir>
+      Directory to use for building the package. Defaults to ../build/<repo>.
+      The build artifacts are created in the parent directory of the build
+      directory, so in ../build/ by default.
+
+  --no-lintian
+      Don't run lintian on the source and binary packages. Speeds up the build,
+      but the resulting package won't be checked for issues.
+
+  --only-source
+      Only build the source package, don't build the binary package in sbuild.
+
+  --only-binary
+      Only build the binary package in sbuild, don't build the source package.
+      Requires that the source package is already built and available in the
+      parent directory of the build directory.
+
+  --dist <distribution>
+      The target distribution to build the package for (default: noble).
+EOF
+}
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --build-dir)
+            BUILD_DIR="$2"
+            shift 2
+            ;;
+        --no-lintian)
+            NO_LINTIAN=1
+            shift
+            ;;
+        --only-source)
+            ONLY_SOURCE=1
+            shift
+            ;;
+        --only-binary)
+            ONLY_BINARY=1
+            shift
+            ;;
+        --dist)
+            DIST="$2"
+            shift 2
+            ;;
+        -h|--help)
+            usage
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1"
+            usage
+            exit 1
+            ;;
+    esac
+done
+
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+GIT_ROOT_DIR=$(git rev-parse --show-toplevel)
+BUILD_DIR=${BUILD_DIR:-../build/$(basename "${GIT_ROOT_DIR}")}
+DIST=${DIST:-"noble"}
+
+set -x
+
+if [ -n "${NO_LINTIAN:-}" ]; then
+    SBUILD_ARGS="--no-run-lintian"
+fi
+
+if ! dpkg --status dh-cargo >/dev/null; then
+    echo "dh-cargo is not installed, installing it now..."
+    sudo apt install dh-cargo
+fi
+
+# Create the build directory
+"${SCRIPT_DIR}/create-build-dir" --build-dir "${BUILD_DIR}"
+cd "${BUILD_DIR}"
+
+if [ -z "${ONLY_BINARY:-}" ]; then
+    # Build the source package
+    env \
+      DEB_BUILD_OPTIONS=nocheck \
+      debuild \
+        --no-lintian \
+        -d \
+        --prepend-path="${HOME}/.cargo/bin" \
+        --prepend-path=/usr/local/bin \
+        -S \
+        --unsigned-source \
+        --unsigned-changes
+
+    if [ -z "${NO_LINTIAN:-}" ]; then
+        # shellcheck disable=SC2012 # The .dsc file doesn't contain non-alphanumeric characters
+        DSC_FILE="$(ls -t1 ../*.dsc | head -n1)"
+        lintian --tag-display-limit 0 \
+                --pedantic \
+                --fail-on error,warning,info,pedantic \
+                "$DSC_FILE"
+    fi
+fi
+
+if [ -n "${ONLY_SOURCE:-}" ]; then
+    exit 0
+fi
+
+CHROOT_TARBALL="$HOME/.cache/sbuild/${DIST}-amd64.tar.zst"
+if ! [ -f "$CHROOT_TARBALL" ]; then
+    # Create the sbuild chroot tarball if it doesn't exist
+    # shellcheck disable=SC2016 # We don't want the expression in --customize-hook to be expanded
+    mmdebstrap --variant=buildd --arch=amd64 \
+        --components=main,universe \
+        --include=software-properties-common \
+        --customize-hook='chroot "$1" add-apt-repository -y ppa:ubuntu-enterprise-desktop/golang' \
+        "${DIST}" \
+        "$CHROOT_TARBALL"
+fi
+
+# Build the amd64 binary package in sbuild
+# shellcheck disable=SC2086 # Allow word splitting for SBUILD_ARGS
+# shellcheck disable=SC2012 # The .dsc file doesn't contain non-alphanumeric characters
+env \
+    DEB_BUILD_OPTIONS=nocheck \
+    sbuild ${SBUILD_ARGS:-} -A -v \
+        --build-dir="$(dirname "$(pwd)")" \
+        --build-dep-resolver=aptitude \
+        --dist="${DIST}" \
+        --chroot-mode=unshare \
+        --chroot="source:${CHROOT_TARBALL}" \
+        --enable-network \
+        --lintian-opts="--pedantic --fail-on error,warning,info,pedantic" \
+        "$(ls -t1 ../*.dsc | head -n1)"
diff --git a/scripts/build-broker-binary b/scripts/build-broker-binary
@@ -0,0 +1,115 @@
+#!/bin/bash
+
+set -euo pipefail
+
+usage(){
+    cat << EOF
+Usage: $0 --broker <broker> [options]
+
+Build the broker binary and place it in the squashfs root directory if it exists.
+
+This is useful for building the broker binary for the snap without having to
+build the entire snap. If the snap was previously extracted into a squashfs root
+directory (see build-broker-snap), the squashfs root directory can be installed
+via 'sudo snap try <squashfs-root-dir>'.
+
+Options:
+  --broker <broker>
+      The broker to use. Valid values are 'oidc', 'msentraid' and 'google'.
+      This option is required.
+  --version <version>
+      Version to set in the binary. If not set, a version is generated with the
+      snap/scripts/version script.
+  --build-dir <dir>
+    Directory containing the squashfs root directory to place the built binary in.
+    Defaults to ../build.
+  --skip-libhimmelblau
+      When building the msentraid broker, by default libhimmelblau is also built
+      and copied to the squashfs root directory.
+      This option can be used to skip building libhimmelblau.
+  -h, --help
+      Show this help message and exit.
+EOF
+}
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --version)
+            VERSION="$2"
+            shift 2
+            ;;
+        --broker)
+            BROKER="$2"
+            shift 2
+            ;;
+        --skip-libhimmelblau)
+            SKIP_LIBHIMMELBLAU=1
+            shift
+            ;;
+        -h|--help)
+            usage
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1"
+            exit 1
+            ;;
+    esac
+done
+
+if [ -z "${BROKER:-}" ]; then
+    echo >&2 "Error: --broker option is required"
+    usage
+    exit 1
+fi
+
+BUILD_DIR=${BUILD_DIR:-"../build"}
+SQUASHFS_ROOT_DIR=${SQUASHFS_ROOT_DIR:-"${BUILD_DIR}/authd-${BROKER}-squashfs-root"}
+
+set -x
+
+if [ -z "${VERSION:-}" ]; then
+    # Build the semver tool
+    go -C authd-oidc-brokers/tools build -o semver ./semver
+    # Get the version
+    VERSION=$(SEMVER=authd-oidc-brokers/tools/semver/semver ./snap/scripts/version)
+fi
+
+go mod vendor
+
+./snap/scripts/prepare-variant --broker "${BROKER}"
+
+if [ "${BROKER:-}" = "msentraid" ] && [ -z "${SKIP_LIBHIMMELBLAU:-}" ]; then
+    if ! command -v rustup &> /dev/null; then
+        echo "rustup is required to build libhimmelblau, installing it now..."
+        sudo apt install rustup
+    fi
+
+    # Build the libhimmelblau library and header
+    RELEASE=1 go -C authd-oidc-brokers generate --tags withmsentraid ./internal/providers/msentraid/himmelblau/...
+fi
+
+if [ "${BROKER:-}" != "oidc" ]; then
+    export GOFLAGS="--tags=with${BROKER}"
+    args="--tags=with${BROKER}"
+fi
+
+export GOFLAGS="-ldflags=-X=github.com/canonical/authd/authd-oidc-brokers/internal/consts.Version=${VERSION}"
+
+# shellcheck disable=SC2086 # Allow word splitting for args
+go -C authd-oidc-brokers build -v -o "authd-${BROKER}" ${args:-} ./cmd/authd-oidc
+
+if [ -d "${SQUASHFS_ROOT_DIR}" ]; then
+    # Move the broker binary to the squashfs root directory
+    mv "authd-oidc-brokers/authd-${BROKER}" "${SQUASHFS_ROOT_DIR}/bin/"
+
+    if [ "${BROKER:-}" = "msentraid" ] && [ -z "${SKIP_LIBHIMMELBLAU:-}" ]; then
+        # Copy the libhimmelblau library to the squashfs root directory.
+        install -D "./authd-oidc-brokers/internal/providers/msentraid/himmelblau/libhimmelblau.so.0" \
+          "${SQUASHFS_ROOT_DIR}/lib/libhimmelblau.so.0"
+    fi
+else
+    set +x
+    echo >&2 "Squashfs root directory ${SQUASHFS_ROOT_DIR} does not exist"
+fi