starlingx/jenkins-pipelines
Code Issues Proposed changes
jenkins-pipelines/scripts/sign-iso.sh
Davlet Panech 04f9dea597 build-iso: better ISO & secureboot signing config 
* Jenkins scripts:
- remove POST_ISO_SIGNING job parameter, as ISO signing is controled
  by build.conf, as originally intended.

* build.conf:
- rename SIGN_ISO => SIGN_ISO_FORMAL to better reflect purpose. ISOs
  are always signed, with developer keys (SIGN_ISO_FORMAL=false) or
  the signing server (SIGN_ISO_FORMAL=true).
- add SECUREBOOT_FORMAL - whether to generate secureboot signatures
  using the signing server (true), or not to generate them at all
  (false)

* Added code in job_utils.sh to set the defaults for these new config
  options as necessary, in case the job runs against an older build.conf
  that still has the obsolete BUILD_ISO option.

TESTS
========================
* Make sure SIGN_ISO_FORMAL==true calls "build-image --no-sign"
  followed by "sign_iso_formal.sh"
* Make sure SIGN_ISO_FORMAL==false calls "build-image" not
  followed by "sign_iso_formal.sh" and the dev-key based ISO signature
  gets created
* Make sure SECUREBOOT_FORMAL==true calls calls the secureboot script
* Make sure SECUREBOOT_FORMAL==false does not call the secureboot script
* Test with both the new parameters undefined, but SIGN_ISO defined,
  and make sure they aquire expected defaults

Story: 2010226
Task: 47777

Depends-On: https://review.opendev.org/c/starlingx/root/+/879206
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I928de97fefc70b3062820547d1256c2a3ce106e8
2023-04-05 20:13:16 -04:00

73 lines
2.2 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
set -e
source $(dirname "$0")/lib/job_utils.sh
require_job_env BUILD_HOME
require_job_env BUILD_ISO
load_build_env
require_job_env SIGN_ISO_FORMAL
$BUILD_ISO || bail "BUILD_ISO=false, bailing out"
sign_iso() {
local iso_file="$1"
local sig_file="${iso_file%.iso}.sig"
# Job is configured to sign the ISO with formal keys
if $SIGN_ISO_FORMAL ; then
[[ -n "$SIGNING_SERVER" ]] || die "SECUREBOOT_FORMAL requires SIGNING_SERVER"
(
export MY_REPO=$REPO_ROOT/cgcs-root
export MY_WORKSPACE=$WORKSPACE_ROOT
export PATH=$MY_REPO/build-tools:$PATH:/usr/local/bin
export SIGNING_SERVER
export SIGNING_USER
maybe_run rm -f "$sig_file"
maybe_run sign_iso_formal.sh "$iso_file" || die "failed to sign ISO"
if ! $DRY_RUN ; then
[[ -f "$sig_file" ]] || die "failed to sign ISO"
info "created signature $sig_file"
fi
)
exit 0
fi
# ISO is already signed with developer keys - make sure .sig file exists
info "skipping formal ISO signing because it's already signed with developer key"
if ! $DRY_RUN ; then
[[ -f "$sig_file" ]] || die "$sig_file: file not found"
info "using existing ISO signature $sig_file"
fi
}
declare -a iso_files
iso_files+=($BUILD_HOME/localdisk/deploy/starlingx-intel-x86-64-cd.iso)
for iso_file in "${iso_files[@]}" ; do
if [[ -L "$iso_file" ]] ; then
iso_link_target="$(readlink "$iso_file")" || exit 1
[[ -n "$iso_link_target" ]] || die "failed to read symlink $iso_file"
[[ ! "$iso_link_target" =~ ^/ ]] || die "$iso_file: link target must not include slashes"
real_iso_file="$(dirname "$iso_file")/$iso_link_target"
sign_iso "$real_iso_file"
sig_file="${iso_file%.iso}.sig"
sig_link_target="${iso_link_target%.iso}.sig"
if ! $DRY_RUN ; then
ln -sfn "$sig_link_target" "$sig_file" || exit 1
info "created signature link $sig_file => $sig_link_target"
fi
else
sign_iso "$iso_file"
fi
done
View Git Blame Copy Permalink