ava-labs · PlatCore · Apr 6, 2026 · Apr 6, 2026 · Apr 6, 2026 · Apr 6, 2026
@@ -0,0 +1,59 @@
+# Build container for DEB packaging of avalanchego and subnet-evm.
+#
+# Based on Ubuntu 22.04 (jammy) so the produced binary's glibc floor
+# matches the oldest supported target release. Source tree is bind-mounted
+# at runtime, not COPY'd.
+#
+# Usage (via build-builder-image.sh with DOCKERFILE=Dockerfile.deb):
+#   DOCKERFILE=Dockerfile.deb .github/packaging/scripts/build-builder-image.sh
+#   docker run --rm -v .:/build -v ./build/deb:/output avalanchego-deb-builder ...
+
+FROM ubuntu:22.04
+
+ARG GO_VERSION=INVALID
+ARG GO_CHECKSUM=INVALID
+ARG TARGETARCH
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install build dependencies
+# - gcc: required for cgo (CGO_ENABLED=1 in scripts/constants.sh)
+# - gettext: envsubst for nfpm config template expansion
+# - gnupg: GPG key import for nfpm-native DEB signing
+# - git: version detection in build scripts
+# - curl: downloading Go and nfpm
+RUN apt-get update && apt-get install -y \
+        gcc \
+        gettext \
+        gnupg \
+        git \
+        curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Go (with SHA256 verification)
+RUN curl -fsSL -o /tmp/go.tar.gz \
+        "https://go.dev/dl/go${GO_VERSION}.linux-${TARGETARCH}.tar.gz" \
+    && echo "${GO_CHECKSUM}  /tmp/go.tar.gz" | sha256sum -c - \
+    && tar -C /usr/local -xzf /tmp/go.tar.gz \
+    && rm /tmp/go.tar.gz
+ENV PATH="/usr/local/go/bin:${PATH}"
+
+# Install nfpm (with SHA256 verification via checksums.txt)
+ARG NFPM_VERSION=2.41.1
+# nfpm releases use x86_64 and arm64 (not aarch64)
+RUN case "${TARGETARCH}" in \
+        amd64) NFPM_ARCH="x86_64" ;; \
+        arm64) NFPM_ARCH="arm64" ;; \
+        *) echo "Unsupported arch: ${TARGETARCH}" && exit 1 ;; \
+    esac && \
+    NFPM_TARBALL="nfpm_${NFPM_VERSION}_Linux_${NFPM_ARCH}.tar.gz" && \
+    curl -fsSL -o /tmp/nfpm.tar.gz \
+        "https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/${NFPM_TARBALL}" && \
+    curl -fsSL -o /tmp/checksums.txt \
+        "https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/checksums.txt" && \
+    EXPECTED=$(grep "  ${NFPM_TARBALL}$" /tmp/checksums.txt | awk '{print $1}') && \
+    echo "${EXPECTED}  /tmp/nfpm.tar.gz" | sha256sum -c - && \
+    tar -C /usr/local/bin -xzf /tmp/nfpm.tar.gz nfpm && \
+    rm /tmp/nfpm.tar.gz /tmp/checksums.txt
+
+WORKDIR /build
@@ -1,6 +1,8 @@
-# RPM packaging tasks for avalanchego and subnet-evm.
+# Packaging tasks for avalanchego and subnet-evm (RPM and DEB).
 #
-# Builds RPMs inside a Rocky Linux 9 container (glibc 2.34) with GPG signing.
+# RPMs are built inside a Rocky Linux 9 container (glibc 2.34).
+# DEBs are built inside an Ubuntu 22.04 container (glibc 2.35).
+# Both formats are signed inline by nfpm.
 # PACKAGING_TAG defaults to v0.0.0 for local testing; set for release builds.
 
 version: '3'
@@ -14,7 +16,7 @@ vars:
   PACKAGING_GO_VERSION:
     sh: go list -m -f '{{ "{{.GoVersion}}" }}' | head -1
   # Map uname -m to RPM arch names (arm64 -> aarch64).
-  PACKAGING_HOST_ARCH:
+  PACKAGING_RPM_HOST_ARCH:
     sh: |
       arch=$(uname -m)
       case "${arch}" in
@@ -28,8 +30,19 @@ vars:
   # Default tag for local testing; overridden by CI for release builds.
   PACKAGING_TAG:
     sh: echo "${PACKAGING_TAG:-v0.0.0}"
-  PACKAGING_DOCKER_IMAGE: avalanchego-rpm-builder
-  PACKAGING_OUTPUT_DIR: '{{.REPO_ROOT}}/build/rpm'
+  # Map uname -m to DEB arch names (x86_64 -> amd64).
+  PACKAGING_DEB_HOST_ARCH:
+    sh: |
+      arch=$(uname -m)
+      case "${arch}" in
+        x86_64)        echo "amd64" ;;
+        aarch64|arm64) echo "arm64" ;;
+        *)             echo "${arch}" ;;
+      esac
+  PACKAGING_RPM_DOCKER_IMAGE: avalanchego-rpm-builder
+  PACKAGING_DEB_DOCKER_IMAGE: avalanchego-deb-builder
+  PACKAGING_RPM_OUTPUT_DIR: '{{.REPO_ROOT}}/build/rpm'
+  PACKAGING_DEB_OUTPUT_DIR: '{{.REPO_ROOT}}/build/deb'
 
 tasks:
   default:
@@ -43,70 +56,76 @@ tasks:
       - task: build-avalanchego-rpm
       - task: build-subnet-evm-rpm
 
-  build-builder-docker-image:
+  build-rpm-builder-docker-image:
     desc: Builds the RPM builder Docker image
     internal: true
     env:
       GO_VERSION: '{{.PACKAGING_GO_VERSION}}'
-      DOCKER_IMAGE: '{{.PACKAGING_DOCKER_IMAGE}}'
+      DOCKER_IMAGE: '{{.PACKAGING_RPM_DOCKER_IMAGE}}'
       CONTEXT_DIR: '{{.REPO_ROOT}}/.github/packaging'
       DOCKERFILE: Dockerfile.rpm
     cmds:
       - cmd: '{{.REPO_ROOT}}/.github/packaging/scripts/build-builder-image.sh'
 
-  build-avalanchego-rpm:
-    desc: Builds RPM for avalanchego
+  build-package:
+    desc: Builds a package in the supplied builder Docker image
+    internal: true
     vars:
-      PACKAGE_ARCH: '{{.PACKAGE_ARCH | default .PACKAGING_HOST_ARCH}}'
-      RPM_TAG: '{{.PACKAGING_TAG}}'
+      PASSPHRASE_ENV: 'NFPM_{{.NFPM_PACKAGER | upper}}_PASSPHRASE'
     env:
       GPG_KEY_PASSPHRASE: '{{.GPG_KEY_PASSPHRASE}}'
-    deps: [build-builder-docker-image]
+      VERSION: '{{trimPrefix "v" .TAG}}'
+      TAG: '{{.TAG}}'
     cmds:
-      - cmd: mkdir -p {{.PACKAGING_OUTPUT_DIR}}
+      - cmd: mkdir -p {{.OUTPUT_DIR}}
       - cmd: >-
           docker run --rm
           -v {{.REPO_ROOT}}:/build
-          -v {{.PACKAGING_OUTPUT_DIR}}:/output
+          -v {{.OUTPUT_DIR}}:/output
           {{if .GPG_KEY_FILE}}-v {{.GPG_KEY_FILE}}:{{.GPG_KEY_FILE}}:ro{{end}}
-          -e PKG_FORMAT=RPM
-          -e PACKAGE=avalanchego
-          -e VERSION={{trimPrefix "v" .RPM_TAG}}
-          -e TAG={{.RPM_TAG}}
+          -e NFPM_PACKAGER={{.NFPM_PACKAGER}}
+          -e PACKAGE={{.PACKAGE}}
+          -e VERSION
+          -e TAG
           -e PACKAGE_ARCH={{.PACKAGE_ARCH}}
           -e OUTPUT_DIR=/output
           -e AVALANCHEGO_COMMIT={{.PACKAGING_GIT_COMMIT}}
           {{if .GPG_KEY_FILE}}-e GPG_KEY_FILE={{.GPG_KEY_FILE}}{{end}}
           {{if .GPG_KEY_PASSPHRASE}}-e GPG_KEY_PASSPHRASE{{end}}
-          {{.PACKAGING_DOCKER_IMAGE}}
+          {{.DOCKER_IMAGE}}
           .github/packaging/scripts/build-package.sh
 
+  build-avalanchego-rpm:
+    desc: Builds RPM for avalanchego
+    vars:
+      PACKAGE_ARCH: '{{.PACKAGE_ARCH | default .RPM_ARCH | default .PACKAGING_RPM_HOST_ARCH}}'
+    deps: [build-rpm-builder-docker-image]
+    cmds:
+      - task: build-package
+        vars:
+          PACKAGE: avalanchego
+          NFPM_PACKAGER: rpm
+          TAG: '{{.PACKAGING_TAG}}'
+          PACKAGE_ARCH: '{{.PACKAGE_ARCH}}'
+          OUTPUT_DIR: '{{.PACKAGING_RPM_OUTPUT_DIR}}'
+          DOCKER_IMAGE: '{{.PACKAGING_RPM_DOCKER_IMAGE}}'
+          GPG_KEY_FILE: '{{.GPG_KEY_FILE | default ""}}'
+
   build-subnet-evm-rpm:
     desc: Builds RPM for subnet-evm
     vars:
-      PACKAGE_ARCH: '{{.PACKAGE_ARCH | default .PACKAGING_HOST_ARCH}}'
-      RPM_TAG: '{{.PACKAGING_TAG}}'
-    env:
-      GPG_KEY_PASSPHRASE: '{{.GPG_KEY_PASSPHRASE}}'
-    deps: [build-builder-docker-image]
+      PACKAGE_ARCH: '{{.PACKAGE_ARCH | default .RPM_ARCH | default .PACKAGING_RPM_HOST_ARCH}}'
+    deps: [build-rpm-builder-docker-image]
     cmds:
-      - cmd: mkdir -p {{.PACKAGING_OUTPUT_DIR}}
-      - cmd: >-
-          docker run --rm
-          -v {{.REPO_ROOT}}:/build
-          -v {{.PACKAGING_OUTPUT_DIR}}:/output
-          {{if .GPG_KEY_FILE}}-v {{.GPG_KEY_FILE}}:{{.GPG_KEY_FILE}}:ro{{end}}
-          -e PKG_FORMAT=RPM
-          -e PACKAGE=subnet-evm
-          -e VERSION={{trimPrefix "v" .RPM_TAG}}
-          -e TAG={{.RPM_TAG}}
-          -e PACKAGE_ARCH={{.PACKAGE_ARCH}}
-          -e OUTPUT_DIR=/output
-          -e AVALANCHEGO_COMMIT={{.PACKAGING_GIT_COMMIT}}
-          {{if .GPG_KEY_FILE}}-e GPG_KEY_FILE={{.GPG_KEY_FILE}}{{end}}
-          {{if .GPG_KEY_PASSPHRASE}}-e GPG_KEY_PASSPHRASE{{end}}
-          {{.PACKAGING_DOCKER_IMAGE}}
-          .github/packaging/scripts/build-package.sh
+      - task: build-package
+        vars:
+          PACKAGE: subnet-evm
+          NFPM_PACKAGER: rpm
+          TAG: '{{.PACKAGING_TAG}}'
+          PACKAGE_ARCH: '{{.PACKAGE_ARCH}}'
+          OUTPUT_DIR: '{{.PACKAGING_RPM_OUTPUT_DIR}}'
+          DOCKER_IMAGE: '{{.PACKAGING_RPM_DOCKER_IMAGE}}'
+          GPG_KEY_FILE: '{{.GPG_KEY_FILE | default ""}}'
 
   test-build-rpms:
     desc: Builds and validates RPMs end-to-end
@@ -119,6 +138,71 @@ tasks:
     env:
       TAG: '{{.PACKAGING_TAG}}'
       GIT_COMMIT: '{{.PACKAGING_GIT_COMMIT}}'
-      PACKAGE_ARCH: '{{.PACKAGE_ARCH | default .PACKAGING_HOST_ARCH}}'
+      PACKAGE_ARCH: '{{.PACKAGE_ARCH | default .PACKAGING_RPM_HOST_ARCH}}'
     cmds:
       - cmd: '{{.REPO_ROOT}}/.github/packaging/scripts/validate-rpm.sh'
+
+  # ── DEB packaging tasks ──────────────────────────────────────────
+
+  build-debs:
+    desc: Builds DEBs for both avalanchego and subnet-evm
+    cmds:
+      - task: build-avalanchego-deb
+      - task: build-subnet-evm-deb
+
+  build-deb-builder-docker-image:
+    desc: Builds the DEB builder Docker image
+    internal: true
+    env:
+      GO_VERSION: '{{.PACKAGING_GO_VERSION}}'
+      DOCKER_IMAGE: '{{.PACKAGING_DEB_DOCKER_IMAGE}}'
+      CONTEXT_DIR: '{{.REPO_ROOT}}/.github/packaging'
+      DOCKERFILE: Dockerfile.deb
+    cmds:
+      - cmd: '{{.REPO_ROOT}}/.github/packaging/scripts/build-builder-image.sh'
+
+  build-avalanchego-deb:
+    desc: Builds DEB for avalanchego
+    vars:
+      PACKAGE_ARCH: '{{.PACKAGE_ARCH | default .DEB_ARCH | default .PACKAGING_DEB_HOST_ARCH}}'
+    deps: [build-deb-builder-docker-image]
+    cmds:
+      - task: build-package
+        vars:
+          PACKAGE: avalanchego
+          NFPM_PACKAGER: deb
+          TAG: '{{.PACKAGING_TAG}}'
+          PACKAGE_ARCH: '{{.PACKAGE_ARCH}}'
+          OUTPUT_DIR: '{{.PACKAGING_DEB_OUTPUT_DIR}}'
+          DOCKER_IMAGE: '{{.PACKAGING_DEB_DOCKER_IMAGE}}'
+          GPG_KEY_FILE: '{{.GPG_KEY_FILE | default ""}}'
+
+  build-subnet-evm-deb:
+    desc: Builds DEB for subnet-evm
+    vars:
+      PACKAGE_ARCH: '{{.PACKAGE_ARCH | default .DEB_ARCH | default .PACKAGING_DEB_HOST_ARCH}}'
+    deps: [build-deb-builder-docker-image]
+    cmds:
+      - task: build-package
+        vars:
+          PACKAGE: subnet-evm
+          NFPM_PACKAGER: deb
+          TAG: '{{.PACKAGING_TAG}}'
+          PACKAGE_ARCH: '{{.PACKAGE_ARCH}}'
+          OUTPUT_DIR: '{{.PACKAGING_DEB_OUTPUT_DIR}}'
+          DOCKER_IMAGE: '{{.PACKAGING_DEB_DOCKER_IMAGE}}'
+          GPG_KEY_FILE: '{{.GPG_KEY_FILE | default ""}}'
+
+  test-build-debs:
+    desc: Builds and validates DEBs end-to-end
+    cmds:
+      - task: build-debs
+      - task: validate-debs
+
+  validate-debs:
+    desc: Validates built DEBs by installing and smoke testing in fresh containers
+    env:
+      TAG: '{{.PACKAGING_TAG}}'
+      GIT_COMMIT: '{{.PACKAGING_GIT_COMMIT}}'
+    cmds:
+      - cmd: '{{.REPO_ROOT}}/.github/packaging/scripts/validate-deb.sh'
@@ -0,0 +1,19 @@
+name: avalanchego
+arch: "${PACKAGE_ARCH}"
+version: "${VERSION}"
+maintainer: "Ava Labs <security@avalabs.org>"
+description: "AvalancheGo node — the official Avalanche protocol implementation"
+homepage: "https://github.com/ava-labs/avalanchego"
+license: "BSD-3-Clause"
+depends:
+  - "libc6 (>= 2.34)"
+contents:
+  - src: "${BINARY_PATH}"
+    dst: /usr/local/bin/avalanchego
+    file_info:
+      mode: 0755
+changelog: "${NFPM_CHANGELOG}"
+deb:
+  compression: gzip
+  signature:
+    key_file: "${NFPM_SIGNING_KEY}"
@@ -0,0 +1,20 @@
+name: subnet-evm
+arch: "${PACKAGE_ARCH}"
+version: "${VERSION}"
+maintainer: "Ava Labs <security@avalabs.org>"
+description: "Subnet-EVM plugin for AvalancheGo"
+homepage: "https://github.com/ava-labs/avalanchego"
+license: "BSD-3-Clause"
+depends:
+  - "libc6 (>= 2.34)"
+contents:
+  - src: "${BINARY_PATH}"
+    # SUBNET_EVM_VM_ID is sourced from graft/subnet-evm/scripts/default-vm-data.sh
+    dst: /usr/local/lib/avalanchego/plugins/${SUBNET_EVM_VM_ID}
+    file_info:
+      mode: 0755
+changelog: "${NFPM_CHANGELOG}"
+deb:
+  compression: gzip
+  signature:
+    key_file: "${NFPM_SIGNING_KEY}"