From b59a119fb722086baaaf5ac0bdff0125a5c16369 Mon Sep 17 00:00:00 2001 From: Davlet Panech Date: Fri, 31 Mar 2023 16:28:29 -0400 Subject: [PATCH] build-image: new option --no-sign + .sig symlink * --no-sign: skip signing the ISO with local keys, in case we want to sign it using some other method, eg by calling "sign_iso_formal.sh" separately. * when signing the ISO with a developer key, create a symlink that mirrors the ISO symlink TESTS ====================================== Run with & without --no-sign and make sure the signing script is executed depending on command line. Story: 2010226 Task: 47776 Signed-off-by: Davlet Panech Change-Id: I14077c28be17da1e46a94f309433ad2664eb66fe --- build-tools/stx/build-image | 43 +++++++++++++++++++++++++++++++------ 1 file changed, 37 insertions(+), 6 deletions(-) diff --git a/build-tools/stx/build-image b/build-tools/stx/build-image index b7f2b684..5a6a8938 100755 --- a/build-tools/stx/build-image +++ b/build-tools/stx/build-image 
@@ -444,14 +444,43 @@ def sign_iso_dev(img_yaml): else: # default image name iso_name = 'starlingx-intel-x86-64-cd' - # openssl dgst -sha256 -sign ${KEY_PATH} -binary -out ${DEPLOY_DIR}/${ISO_NOEXT}.sig $DEPLOY_DIR/starlingx-intel-x86-64-cd.iso - sign_cmd = f'sudo openssl dgst -sha256 -sign {key_path} -binary -out {deploy_dir}/{iso_name}.sig {deploy_dir}/{iso_name}.iso' - ret = subprocess.call(sign_cmd, shell=True) - if ret == 0: - logger.info("Image signed %s", os.path.join(deploy_dir, iso_name + '.iso')) + + iso_file = f'{deploy_dir}/{iso_name}.iso' + sig_file = f'{deploy_dir}/{iso_name}.sig' + + # call realpath to make sure it exists and there are no symlink loops + realpath_cmd = f'realpath -e {iso_file}' + subprocess.run(realpath_cmd, shell=True, check=True) + + # if ISO file is a symlink, create the signature of the symlink's target + if os.path.islink (iso_file): + # get the iso_file's target -- we will create the .sig file next to it + iso_target = os.readlink (iso_file) + sig_target = re.sub (r'[.]iso$', '', iso_target) + '.sig' + if os.path.isabs(iso_target): + real_iso_file = iso_target + real_sig_file = sig_target + else: + real_iso_file = os.path.join (os.path.dirname (iso_file), iso_target) + real_sig_file = os.path.join (os.path.dirname (sig_file), sig_target) else: + real_iso_file = iso_file + real_sig_file = sig_file + + # create the signature + sign_cmd = f'sudo openssl dgst -sha256 -sign {key_path} -binary -out {real_sig_file} {real_iso_file}' + logger.info ("running: %s", sign_cmd) + ret = subprocess.call(sign_cmd, shell=True) + if ret != 0: raise Exception("Error while signing the image") + # ISO is a symlink => create the matc hing .sig link + if os.path.islink (iso_file): + if os.path.exists (sig_file): + os.path.remove (sig_file) + os.symlink (sig_target, sig_file) + + logger.info("Image signed %s", real_iso_file) if __name__ == "__main__": 
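Review bot: `os.path.remove(sig_file)` in the new symlink branch is not a real function (`os.path` has no `remove`), so the second build against an existing `.sig` link dies with AttributeError; it should be `os.remove`, and the guard should be `os.path.lexists` because `os.path.exists` is False for a dangling link and `os.symlink` would then raise FileExistsError. The new `realpath -e` and `openssl dgst` calls also interpolate `deploy_dir`/`iso_name` (the latter apparently derived from `img_yaml`) into `shell=True` strings, and the signer runs under `sudo`, so a build configuration with shell metacharacters in the image name becomes root command execution; argument lists remove that class of bug. `re.sub` relies on `re` being imported elsewhere in the file, which this hunk does not show. `sign_iso_dev` starts before the hunk, where `key_path` and `deploy_dir` are assigned.
```python
    # call realpath to make sure it exists and there are no symlink loops
    subprocess.run(['realpath', '-e', iso_file], check=True)

    # … unchanged: symlink target resolution into real_iso_file/real_sig_file …

    # create the signature (argument list: no shell parsing of paths under sudo)
    sign_cmd = ['sudo', 'openssl', 'dgst', '-sha256', '-sign', key_path,
                '-binary', '-out', real_sig_file, real_iso_file]
    logger.info("running: %s", ' '.join(sign_cmd))
    ret = subprocess.call(sign_cmd)
    if ret != 0:
        raise Exception("Error while signing the image")
    # ISO is a symlink => create the matching .sig link
    if os.path.islink(iso_file):
        if os.path.lexists(sig_file):
            os.remove(sig_file)
        os.symlink(sig_target, sig_file)
```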
@@ -466,6 +495,8 @@ if __name__ == "__main__": parser.add_argument('-k', '--keep', help="Keep the current environment " + "(ostree, deploy), mainly used for patching", default=False, action='store_true') + parser.add_argument('--no-sign', action='store_true', + default=False, help="Don't sign ISO at the end") args = parser.parse_args() if args.rt: kernel_type = 'rt' @@ -598,7 +629,7 @@ if __name__ == "__main__": os.system('sudo chown -R ${USER}: ' + LAT_ROOT + '/deploy' ) # Sign iso with developer key - if ret == 0: + if ret == 0 and not args.no_sign: sign_iso_dev(lat_yaml) sys.exit(ret)
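Review bot: The `--no-sign` help text `"Don't sign ISO at the end"` does not tell the operator what they are opting out of: the ISO is left without a `.sig`, and per the commit message the expectation is that a separate signing step such as sign_iso_formal.sh follows. Suggest `help="Skip signing the ISO with the developer key; the image is left unsigned unless signed separately (e.g. sign_iso_formal.sh)"`. The enclosing `if __name__ == "__main__":` block starts before the hunk.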
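Review bot: With `--no-sign` the build now silently produces an unsigned ISO; nothing in the changed condition `if ret == 0 and not args.no_sign:` records that signing was skipped, so a pipeline that forgets the follow-up formal signing step ships an unsigned image with no trace in the build log. Suggest an explicit branch after `sign_iso_dev(lat_yaml)`: `elif ret == 0: logger.warning("--no-sign given: ISO left unsigned, sign it separately")`. The enclosing `if __name__ == "__main__":` block starts before the hunk and `ret` is assigned outside it.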