From 0cf05c13c60911b87c4ef6b10b6abe43b67982f1 Mon Sep 17 00:00:00 2001
From: Dostoievski Batista
Date: Mon, 25 Nov 2024 20:00:11 -0300
Subject: [PATCH] Add patch signing to the pipeline
This change allows the user to select if he wants to sign the patch using the SIGN_PATCH variable, when set to True it will automatically add the "--remote-sign" option to the patch-builder script and export the env variables, SIGNING_USER and SIGNING_SERVER, from the build.conf
Test plan: PASS: Run entire patch pipeline with SIGN_PATCH enable
Story: 2010676
Task: 51404
Change-Id: I7e895f30ea64a517a3555117250a4f00f8b6dfe1
Signed-off-by: Dostoievski Batista
---
 pipelines/parts/patch-make.Jenkinsfile | 3 +++
 pipelines/patch-monolithic.Jenkinsfile | 5 +++++
 scripts/patch-make.sh | 15 +++++++++++++--
 3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/pipelines/parts/patch-make.Jenkinsfile b/pipelines/parts/patch-make.Jenkinsfile
index e461263..8ac26d1 100644
--- a/pipelines/parts/patch-make.Jenkinsfile
+++ b/pipelines/parts/patch-make.Jenkinsfile
@@ -40,6 +40,9 @@ pipeline {
 booleanParam(
 name: 'DRY_RUN'
 )
+ booleanParam(
+ name: 'SIGN_PATCH'
+ )
 string (
 name: 'BUILD_HOME'
 )
diff --git a/pipelines/patch-monolithic.Jenkinsfile b/pipelines/patch-monolithic.Jenkinsfile
index f299a13..d39c8eb 100644
--- a/pipelines/patch-monolithic.Jenkinsfile
+++ b/pipelines/patch-monolithic.Jenkinsfile
@@ -174,6 +174,11 @@ pipeline {
 'Used together with REMOTE_SERVER' +
 'e.g.: /localdisk/loadbuild/starlingx-master/latest_build'
 )
+ booleanParam(
+ name: 'SIGN_PATCH',
+ defaultValue: true,
+ description: 'Send patch to be signed by signing server.'
+ )
 string(
 name: 'SW_VERSION',
 description: 'Version of the build being used. e.g., XX.YY'
diff --git a/scripts/patch-make.sh b/scripts/patch-make.sh
index aef9ef7..bb1841d 100644
--- a/scripts/patch-make.sh
+++ b/scripts/patch-make.sh
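Review bot: `defaultValue: true` on SIGN_PATCH in pipelines/patch-monolithic.Jenkinsfile turns remote signing on for every existing run of this pipeline, yet the description does not say what that requires. In this same commit scripts/patch-make.sh calls `require_job_env SIGNING_SERVER` and `require_job_env SIGNING_USER` on the signing path, so a build.conf without them will presumably stop the job. Signing by default is the safer setting, so I would keep it and extend the text, e.g. `description: 'Send patch to be signed by signing server. Requires SIGNING_SERVER and SIGNING_USER in build.conf.'`. The hunk shows only the parameter declaration, so whether the value is forwarded to parts/patch-make is not visible here.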
@@ -12,6 +12,7 @@ source $(dirname "$0")/lib/job_utils.sh
 require_job_env BUILD_HOME
 require_job_env SW_VERSION
 require_job_env PATCH_NUM
+require_job_env SIGN_PATCH
 load_build_env
@@ -29,6 +30,16 @@ if [ ! -z "${PATCH_NAME}" ]; then
 EXTRA_ARGS+=("--name ${PATCH_NAME}")
 fi
-# Build the patch
-stx_docker_cmd $DRY_RUN_ARG "patch-builder --recipe ${RECIPE_PATH} ${EXTRA_ARGS[*]}"
+# If patch needs to be signed by a remote signing server
+ENV_VARIABLES=''
+if [ ! -z "${SIGN_PATCH}" ]; then
+ # Variables usually set on build.conf
+ require_job_env SIGNING_SERVER
+ require_job_env SIGNING_USER
+ EXTRA_ARGS+=("--remote-sign")
+ ENV_VARIABLES="export SIGNING_SERVER=${SIGNING_SERVER};export SIGNING_USER=${SIGNING_USER};"
+fi
+
+# Build the patch
+stx_docker_cmd $DRY_RUN_ARG "${ENV_VARIABLES}patch-builder --recipe ${RECIPE_PATH} ${EXTRA_ARGS[*]}"
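Review bot: The signing branch in the second hunk of scripts/patch-make.sh is guarded by `[ ! -z "${SIGN_PATCH}" ]`, which is true for any non-empty value, so a run with SIGN_PATCH=false still adds `--remote-sign` and demands the signing variables. Jenkins exposes a booleanParam to shell steps as the string `true` or `false`, and the `require_job_env SIGN_PATCH` added in the first hunk presumably rejects an empty value, so the branch can never be skipped. Compare the value instead, e.g. `if [ "${SIGN_PATCH}" = "true" ]; then`, and put a comment above it stating which spellings count as enabled. Failing toward signing is the less harmful direction, but the parameter then gives the operator no real choice.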
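Review bot: `ENV_VARIABLES` in the second hunk splices `${SIGNING_SERVER}` and `${SIGNING_USER}` unquoted into the command string handed to `stx_docker_cmd`, so a space or shell metacharacter in either build.conf value is re-parsed as shell syntax by whatever shell runs that string (presumably inside the builder container). Quote the values when building the prefix, e.g. `printf -v ENV_VARIABLES 'export SIGNING_SERVER=%q SIGNING_USER=%q; ' "${SIGNING_SERVER}" "${SIGNING_USER}"`. The script already uses bash arrays, so `printf -v` and `%q` are available. The context line `EXTRA_ARGS+=("--name ${PATCH_NAME}")` has the same shape and would benefit from the same treatment in a follow-up.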