Add patch signing to the pipeline

This change allows the user to select if he wants to sign the patch using the SIGN_PATCH variable, when set to True it will automatically add the "--remote-sign" option to the patch-builder script and export the env variables, SIGNING_USER and SIGNING_SERVER, from the build.conf Test plan: PASS: Run entire patch pipeline with SIGN_PATCH enable Story: 2010676 Task: 51404 Change-Id: I7e895f30ea64a517a3555117250a4f00f8b6dfe1 Signed-off-by: Dostoievski Batista <dostoievski.albinobatista@windriver.com>
2024-11-25 20:00:11 -03:00 · 2024-11-25 20:00:11 -03:00 · 0cf05c13c6
commit 0cf05c13c6
parent b093595ac8
3 changed files with 21 additions and 2 deletions
--- a/pipelines/parts/patch-make.Jenkinsfile
+++ b/pipelines/parts/patch-make.Jenkinsfile
@ -40,6 +40,9 @@ pipeline {
        booleanParam(
            name: 'DRY_RUN'
        )
+        booleanParam(
+            name: 'SIGN_PATCH'
+        )
        string (
            name: 'BUILD_HOME'
        )
--- a/pipelines/patch-monolithic.Jenkinsfile
+++ b/pipelines/patch-monolithic.Jenkinsfile
@ -174,6 +174,11 @@ pipeline {
            'Used together with REMOTE_SERVER' +
            'e.g.: /localdisk/loadbuild/starlingx-master/latest_build'
        )
+        booleanParam(
+            name: 'SIGN_PATCH',
+            defaultValue: true,
+            description: 'Send patch to be signed by signing server.'
+        )
        string(
            name: 'SW_VERSION',
            description: 'Version of the build being used. e.g., XX.YY'
--- a/scripts/patch-make.sh
+++ b/scripts/patch-make.sh
@ -12,6 +12,7 @@ source $(dirname "$0")/lib/job_utils.sh
 require_job_env BUILD_HOME
 require_job_env SW_VERSION
 require_job_env PATCH_NUM
+require_job_env SIGN_PATCH

 load_build_env

@ -29,6 +30,16 @@ if [ ! -z "${PATCH_NAME}" ]; then
    EXTRA_ARGS+=("--name ${PATCH_NAME}")
 fi

-# Build the patch
-stx_docker_cmd $DRY_RUN_ARG "patch-builder --recipe ${RECIPE_PATH} ${EXTRA_ARGS[*]}"
+# If patch needs to be signed by a remote signing server
+ENV_VARIABLES=''
+if [ ! -z "${SIGN_PATCH}" ]; then
+    # Variables usually set on build.conf
+    require_job_env SIGNING_SERVER
+    require_job_env SIGNING_USER
+    EXTRA_ARGS+=("--remote-sign")
+    ENV_VARIABLES="export SIGNING_SERVER=${SIGNING_SERVER};export SIGNING_USER=${SIGNING_USER};"
+fi
+
+# Build the patch
+stx_docker_cmd $DRY_RUN_ARG "${ENV_VARIABLES}patch-builder --recipe ${RECIPE_PATH} ${EXTRA_ARGS[*]}"