From 9643128247f2e053df6f368d293120578188f313 Mon Sep 17 00:00:00 2001 From: James Forcier Date: Thu, 24 May 2018 17:00:10 -0700 Subject: [PATCH 1/5] offline_signing: rename to signing As signing will no longer be offline, rename the directory appropriately. --- {offline_signing => signing}/devel.key.pem | 0 {offline_signing => signing}/devel.pub.pem | 0 {offline_signing => signing}/new_key.sh | 0 {offline_signing => signing}/print_key.sh | 0 {offline_signing => signing}/sign.sh | 0 {offline_signing => signing}/transfer.sh | 0 6 files changed, 0 insertions(+), 0 deletions(-) rename {offline_signing => signing}/devel.key.pem (100%) rename {offline_signing => signing}/devel.pub.pem (100%) rename {offline_signing => signing}/new_key.sh (100%) rename {offline_signing => signing}/print_key.sh (100%) rename {offline_signing => signing}/sign.sh (100%) rename {offline_signing => signing}/transfer.sh (100%) diff --git a/offline_signing/devel.key.pem b/signing/devel.key.pem similarity index 100% rename from offline_signing/devel.key.pem rename to signing/devel.key.pem diff --git a/offline_signing/devel.pub.pem b/signing/devel.pub.pem similarity index 100% rename from offline_signing/devel.pub.pem rename to signing/devel.pub.pem diff --git a/offline_signing/new_key.sh b/signing/new_key.sh similarity index 100% rename from offline_signing/new_key.sh rename to signing/new_key.sh diff --git a/offline_signing/print_key.sh b/signing/print_key.sh similarity index 100% rename from offline_signing/print_key.sh rename to signing/print_key.sh diff --git a/offline_signing/sign.sh b/signing/sign.sh similarity index 100% rename from offline_signing/sign.sh rename to signing/sign.sh diff --git a/offline_signing/transfer.sh b/signing/transfer.sh similarity index 100% rename from offline_signing/transfer.sh rename to signing/transfer.sh From 35622c2abb790f8765061371a47e4c0c6fe7fe12 Mon Sep 17 00:00:00 2001 
From: James Forcier Date: Thu, 24 May 2018 17:00:32 -0700 Subject: [PATCH 2/5] core_sign_update: add support for new signing server --- core_sign_update | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/core_sign_update b/core_sign_update index b2bb40350a..e897d108f6 100755 --- a/core_sign_update +++ b/core_sign_update @@ -18,9 +18,13 @@ export GCLIENT_ROOT=$(readlink -f "${SCRIPT_ROOT}/../../") DEFINE_string image "" "The filesystem image of /usr" DEFINE_string kernel "" "The kernel image" DEFINE_string output "" "Output file" -DEFINE_string private_keys "" "Path or pkcs11 URI to private keys." +DEFINE_string private_keys "" "Path, pkcs11 URI, or fero: for private keys." DEFINE_string public_keys "" "Path to public keys in .pem format." DEFINE_string keys_separator ":" "Separator for the above keys" +DEFINE_string user_signatures "" \ + "Colon-separated paths to user signatures to provide to signing server" +DEFINE_string signing_server_address "" "Hostname of the signing server" +DEFINE_integer signing_server_port "50051" "Port of the signing server" # Parse command line FLAGS "$@" || exit 1 @@ -41,6 +45,7 @@ cleanup() { trap cleanup INT TERM EXIT +echo "=== Creating signable update payload... ===" delta_generator \ -new_image "$FLAGS_image" \ -new_kernel "$FLAGS_kernel" \ @@ -63,6 +68,16 @@ for key in "${private_keys[@]}"; do done signature_sizes="${signature_sizes:1:${#signature_sizes}}" +# We don't need to maintain backwards compatibility with old `sign.sh` scripts here, so we only +# allow colon-separated values for user signature files. +IFS=":" read -a user_signatures <<< "$FLAGS_user_signatures" + +user_signatures_arg="" +for user_signature in "${user_signatures[@]}"; do + user_signatures_arg="${user_signatures_arg} --signature ${user_signature}" +done +user_signatures_arg="${user_signatures_arg:1:${#user_signatures_arg}}" + delta_generator \ --signature_size ${signature_sizes} \ --in_file update \ 
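Review bot: `IFS=":" read -a user_signatures <<< "$FLAGS_user_signatures"` feeds a loop that flattens the paths into one whitespace-joined string, `user_signatures_arg`, which the fero-client call later has to expand unquoted, so a signature path containing a space or a glob character is split or expanded, and `read` without `-r` additionally mangles backslashes. Build an argument array instead and expand it as `"${user_signatures_arg[@]}"` at the call site; the empty-input case keeps working because an empty array expands to nothing. The comment above the loop could also say what format is accepted, e.g. `# --user_signatures is a plain colon-separated list of paths; --keys_separator does not apply to it.`
```shell
# … unchanged: signature_sizes computation …
IFS=":" read -r -a user_signatures <<< "$FLAGS_user_signatures"

# One "--signature PATH" pair per user signature; kept as an array so paths are
# passed to fero-client as single words, and so an empty list expands to nothing.
user_signatures_arg=()
for user_signature in "${user_signatures[@]}"; do
  user_signatures_arg+=(--signature "${user_signature}")
done
# … the fero-client invocation then takes "${user_signatures_arg[@]}" in place of ${user_signatures_arg} …
```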
@@ -116,12 +131,21 @@ cat padding-pkcs11 update.hash > update.pkcs11-padhash echo "AAH/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////ADAxMA0GCWCGSAFlAwQCAQUABCA=" | base64 -d > padding cat padding update.hash > update.padhash - +echo "=== Signing update payload... ===" i=1 signature_sizes="" for key in "${private_keys[@]}"; do if [[ "${key}" == pkcs11* ]]; then openssl rsautl -engine pkcs11 -pkcs -sign -inkey ${key} -keyform engine -in update.pkcs11-padhash -out update.sig.${i} + elif [[ "${key}" == fero* ]]; then + fero-client \ + --address $FLAGS_signing_server_address \ + --port $FLAGS_signing_server_port \ + sign --pkcs1 \ + --file update.hash \ + --output update.sig.${i} \ + --secret-key ${key:5:${#key}} \ + ${user_signatures_arg} else openssl rsautl -raw -sign -inkey ${key} -in update.padhash -out update.sig.${i} fi @@ -148,6 +172,7 @@ for key in "${public_keys[@]}"; do done mv update.signed ${FLAGS_output} +echo "=== Update payload signed successfully. ===" trap - INT TERM EXIT cleanup noexit From 447efbb575a7ea5b3c732e39df894bba8b5b0259 Mon Sep 17 00:00:00 2001 From: James Forcier Date: Tue, 29 May 2018 14:28:44 -0700 Subject: [PATCH 3/5] signing/sign: pass user signatures to core_sign_update --- signing/sign.sh | 56 ++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 48 insertions(+), 8 deletions(-) diff --git a/signing/sign.sh b/signing/sign.sh index ecd690a951..3b99426ca5 100755 --- a/signing/sign.sh +++ b/signing/sign.sh 
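Review bot: The new `fero*` branch signs `update.hash` directly, whereas the raw-RSA branch signs `update.padhash`, which this script builds by prefixing `update.hash` with the base64 blob decoded into `padding` (PKCS#1 v1.5 padding followed by the SHA-256 DigestInfo), and the pkcs11 branch signs the analogous `update.pkcs11-padhash`; the three branches therefore only produce interchangeable signatures if fero's `--pkcs1` mode adds that DigestInfo on the server side. Confirm that against fero and pin it in a comment above the branch, e.g. `# fero receives the bare SHA-256; its --pkcs1 mode must add the PKCS#1 v1.5 padding and DigestInfo that update.padhash carries for the other key types.` `${key:5:${#key}}` strips the `fero:` prefix by its length; `${key#fero:}` says the same thing without the magic number. `$FLAGS_signing_server_address` and `$FLAGS_signing_server_port` are expanded unquoted, unlike `"$FLAGS_image"` and the other flags in this file; quote them.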
@@ -1,22 +1,62 @@ #!/usr/bin/env bash set -ex + +if [[ $# -lt 2 ]]; then + echo "Usage: $0 DATA_DIR SIGS_DIR [SERVER_ADDR [SERVER_PORT]]" + exit 1 +fi + DATA_DIR="$(readlink -f "$1")" KEYS_DIR="$(readlink -f "$(dirname "$0")")" +SIGS_DIR="$(readlink -f "$2")" +SERVER_ADDR="${3:-10.7.16.138}" +SERVER_PORT="${4:-50051}" +echo "=== Verifying update payload... ===" gpg2 --verify "${DATA_DIR}/coreos_production_update.bin.bz2.sig" gpg2 --verify "${DATA_DIR}/coreos_production_image.vmlinuz.sig" gpg2 --verify "${DATA_DIR}/coreos_production_update.zip.sig" +echo "=== Decompressing update payload... ===" bunzip2 --keep "${DATA_DIR}/coreos_production_update.bin.bz2" unzip "${DATA_DIR}/coreos_production_update.zip" -d "${DATA_DIR}" -export PATH="${DATA_DIR}:${PATH}" +payload_signature_files="" +for i in ${SIGS_DIR}/update.sig.*; do + payload_signature_files=${payload_signature_files}:${i} +done +payload_signature_files="${payload_signature_files:1:${#payload_signature_files}}" -cd "${DATA_DIR}" +pushd "${DATA_DIR}" ./core_sign_update \ - --image "${DATA_DIR}/coreos_production_update.bin" \ - --kernel "${DATA_DIR}/coreos_production_image.vmlinuz" \ - --output "${DATA_DIR}/coreos_production_update.gz" \ - --private_keys "${KEYS_DIR}/devel.key.pem+pkcs11:object=CoreOS_Update_Signing_Key;type=private" \ - --public_keys "${KEYS_DIR}/devel.pub.pem+${KEYS_DIR}/prod-2.pub.pem" \ - --keys_separator "+" + --image "${DATA_DIR}/coreos_production_update.bin" \ + --kernel "${DATA_DIR}/coreos_production_image.vmlinuz" \ + --output "${DATA_DIR}/coreos_production_update.gz" \ + --private_keys "${KEYS_DIR}/devel.key.pem+fero:coreos-update-prod" \ + --public_keys "${KEYS_DIR}/devel.pub.pem+${KEYS_DIR}/prod-2.pub.pem" \ + --keys_separator "+" \ + --signing_server_address "$SERVER_ADDR" \ + --signing_server_port "$SERVER_PORT" \ + --user_signatures "${payload_signature_files}" +popd + +echo "=== Signing torcx manifest... 
===" +torcx_signature_arg="" +for torcx_signature in ${SIGS_DIR}/torcx_manifest.json.sig.*; do + torcx_signature_arg="${torcx_signature_arg} --signature ${torcx_signature}" +done +torcx_signature_arg="${torcx_signature_arg:1:${#torcx_signature_arg}}" + +fero-client \ + --address $SERVER_ADDR \ + --port $SERVER_PORT \ + sign \ + --file "${DATA_DIR}/torcx_manifest.json" \ + --output "${DATA_DIR}/torcx_manifest.json.sig-fero" \ + --secret-key coreos-torcx \ + ${torcx_signature_arg} +gpg2 --enarmor \ + --output "${DATA_DIR}/torcx_manifest.json.asc" \ + "${DATA_DIR}/torcx_manifest.json.sig-fero" +echo "=== Torcx manifest signed successfully. ===" +rm -f "${DATA_DIR}/torcx_manifest.json.sig-fero" From f162943ee30b010ca9aa4834bfef81033fe7786e Mon Sep 17 00:00:00 2001 From: James Forcier Date: Tue, 29 May 2018 14:29:09 -0700 Subject: [PATCH 4/5] core_dev_sign_update: add script This script is used by developers to create their individual signatures to be submitted together via sign.sh. --- core_dev_sign_update | 86 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100755 core_dev_sign_update diff --git a/core_dev_sign_update b/core_dev_sign_update new file mode 100755 index 0000000000..46704653a4 --- /dev/null +++ b/core_dev_sign_update 
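Review bot: `SERVER_ADDR="${3:-10.7.16.138}"` bakes a bare internal IP into the script as the default production signing endpoint, and the only thing this script tells fero-client about the server is that address and port, so a run on a different network, or after the host is re-addressed, talks to whatever answers there without any local indication. Require the argument (the usage line already lists `SERVER_ADDR`) or read it from a documented environment variable, and if fero-client does not verify the server's identity itself, say so in a comment next to where the address is set. The loops `for i in ${SIGS_DIR}/update.sig.*` and `for torcx_signature in ${SIGS_DIR}/torcx_manifest.json.sig.*` pass the literal pattern through when nothing matches, so a missing signatures directory is only detected, if at all, by the server; a guard such as `[[ -e "$i" ]] || { echo "no user signatures found in ${SIGS_DIR}" >&2; exit 1; }` inside each loop turns that into a local error. Separately, `gpg2 --enarmor` wraps the fero output as a `PGP ARMORED FILE` block rather than a `PGP SIGNATURE` block; worth confirming that whatever consumes `torcx_manifest.json.asc` accepts that framing.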
@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+
+SCRIPT_ROOT=$(dirname $(readlink -f "$0"))
+. "${SCRIPT_ROOT}/common.sh" || exit 1
+
+assert_inside_chroot
+
+DEFINE_string data_dir "" "Directory containing downloaded release artifacts"
+DEFINE_string board "" "Board to sign artifacts for"
+DEFINE_string version "" "Version to sign artifacts for"
+DEFINE_integer n_signatures "2" "Number of signatures this release will be signed with"
+DEFINE_string output_dir "" "Output directory"
+DEFINE_string gpg_key "" "Value for '--default-key' argument to gpg --sign"
+
+FLAGS "$@" || exit 1
+eval set -- "${FLAGS_ARGV}"
+
+set -e
+
+data_dir="${FLAGS_data_dir}/${FLAGS_board}/${FLAGS_version}"
+output_dir="${FLAGS_output_dir}/${FLAGS_board}/${FLAGS_version}"
+mkdir -p "$output_dir"
+
+cleanup() {
+ # core_sign_update expects to unpack this too, so we'll clean it up.
+ rm -f "${data_dir}/coreos_production_update.bin"
+
+ rm -f "${data_dir}/update"
+ rm -f "${data_dir}/update.hash"
+}
+
+trap cleanup INT TERM EXIT
+
+# delta_generator expects a list of colon-separated sizes for signature hash algorithms in order to
+# build the update payload protobuf properly. Since we already assume sha256 elsewhere in
+# core_sign_update, do it here as well.
+signature_sizes=""
+for i in $(seq 1 $FLAGS_n_signatures); do
+ signature_sizes="${signature_sizes}:256"
+done
+signature_sizes="${signature_sizes:1:${#signature_sizes}}"
+
+echo "=== Verifying update payload... ==="
+gpg2 --verify "${data_dir}/coreos_production_update.bin.bz2.sig"
+gpg2 --verify "${data_dir}/coreos_production_image.vmlinuz.sig"
+gpg2 --verify "${data_dir}/coreos_production_update.zip.sig"
+echo "=== Decompressing update payload... ==="
+bunzip2 --keep "${data_dir}/coreos_production_update.bin.bz2"
+
+echo "=== Creating signable update payload... ==="
+delta_generator \
+ -new_image "${data_dir}/coreos_production_update.bin" \
+ -new_kernel "${data_dir}/coreos_production_image.vmlinuz" \
+ -out_file "${data_dir}/update"
+delta_generator \
+ --signature_size ${signature_sizes} \
+ --in_file "${data_dir}/update" \
+ --out_hash_file "${data_dir}/update.hash"
+
+echo "=== Signing update payload... ==="
+if [[ -z "${FLAGS_gpg_key}" ]]; then
+ gpg2 \
+ --output "${output_dir}/update.sig.$(whoami)" \
+ --armor --detach-sign "${data_dir}/update.hash"
+else
+ gpg2 \
+ --local-user "$FLAGS_gpg_key" \
+ --output "${output_dir}/update.sig.$(whoami)" \
+ --armor --detach-sign "${data_dir}/update.hash"
+fi
+echo "=== Update payload signed successfully. ==="
+
+echo "=== Verifying torcx manifest... ==="
+gpg2 --verify "${data_dir}/torcx_manifest.json.sig"
+echo "=== Signing torcx manifest... ==="
+if [[ -z "${FLAGS_gpg_key}" ]]; then
+ gpg2 \
+ --output "${output_dir}/torcx_manifest.json.sig.$(whoami)" \
+ --detach-sign --armor "${data_dir}/torcx_manifest.json"
+else
+ gpg2 \
+ --local-user "$FLAGS_gpg_key" \
+ --output "${output_dir}/torcx_manifest.json.sig.$(whoami)" \
+ --detach-sign --armor "${data_dir}/torcx_manifest.json"
+fi
+echo "=== Torcx manifest signed successfully. ==="
From 9af91ae7712ba6dac1376457541858fa8c7a10e3 Mon Sep 17 00:00:00 2001 From: James Forcier Date: Fri, 6 Jul 2018 09:40:45 -0700 Subject: [PATCH 5/5] signing/prod-2.pub.pem: add production pubkey signing/sign.sh expects to find the production public key in the signing directory, so put it there.
--- signing/prod-2.pub.pem | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 signing/prod-2.pub.pem
diff --git a/signing/prod-2.pub.pem b/signing/prod-2.pub.pem
new file mode 100644
index 0000000000..10fcaff58b
--- /dev/null
+++ b/signing/prod-2.pub.pem
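Review bot: The help text for `gpg_key` says it is the value for `--default-key`, but both signing branches pass it as `--local-user`; make the description match the code, e.g. `DEFINE_string gpg_key "" "Key ID passed as --local-user to gpg2 --detach-sign (gpg's default key when empty)"`. The two `if`/`else` blocks repeat the entire gpg2 invocation only to add that one option; collecting the common options in an array once and calling gpg2 once per artifact removes the duplication, as sketched below. The `gpg2 --verify` calls on the downloaded artifacts and on `torcx_manifest.json.sig` succeed for any key in the developer's keyring, and this script's output is what the signing server later counts as an approval, so a comment naming which key is expected to have signed the inputs (or a fingerprint check against it) would make the trust chain explicit. The loop variable `i` in `for i in $(seq 1 $FLAGS_n_signatures)` is unused and `seq` is an extra process; `for ((i = 1; i <= FLAGS_n_signatures; i++))` is the builtin form.
```shell
# Options shared by both detach-sign calls; --local-user only when a key was given.
gpg_args=(--armor --detach-sign)
if [[ -n "${FLAGS_gpg_key}" ]]; then
  gpg_args+=(--local-user "${FLAGS_gpg_key}")
fi

echo "=== Signing update payload... ==="
gpg2 "${gpg_args[@]}" \
  --output "${output_dir}/update.sig.$(whoami)" \
  "${data_dir}/update.hash"
echo "=== Update payload signed successfully. ==="

# … unchanged: torcx manifest verification …
echo "=== Signing torcx manifest... ==="
gpg2 "${gpg_args[@]}" \
  --output "${output_dir}/torcx_manifest.json.sig.$(whoami)" \
  "${data_dir}/torcx_manifest.json"
echo "=== Torcx manifest signed successfully. ==="
```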
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7pO21yN+b6yx9P+wHzS2
+clxGs18eWxfoleETLbFVmcXu783rgBP0bFjYfqrNZNaI1Ip6bxEYkPacg0xFg7ri
+lNdO/cxJV5Ltj40wFlpmzJOAH8hx5SF8KWg2NV1I6TS8pp+CQqcvvOKu6AIcWfeY
+11V7eJ8rWcDsnqpTg8T1VRxytsg2UjTMfQwzcGLTb8cQ8AV39ED5WC5NdS9Bld4h
+XqS9Dx6Pe3JOQLZze6XIIwWuB2jxGpM1GWfRNm5nxvne3l7ggC970482a7STGK10
+fD8//k8myVxleMAeQoMRXoRq9p3C84H4Bw8v2dX13kFFCgfEQj6SOZ5huXZKLPpB
+LwIDAQAB
+-----END PUBLIC KEY-----
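Review bot: The production public key is committed with nothing a reviewer can check it against: the commit message names only the path, so the only way to validate the bytes is the file itself. Record the key's SHA-256 fingerprint, computed out-of-band from the token or HSM copy, in the commit message or in a README next to the file, so that this and any later change to it can be verified independently of the repository. The old `signing/sign.sh` paired `prod-2.pub.pem` with the pkcs11 object `CoreOS_Update_Signing_Key`, and the new one pairs it with `fero:coreos-update-prod`; whether those are the same key pair is not visible in this series, and if they are, saying so in the commit message would close that gap.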