signing/sign: pass user signatures to core_sign_update

2025-09-24 23:21:17 +02:00 · 2018-05-29 14:28:44 -07:00 · 2018-05-29 14:28:44 -07:00 · 447efbb575
commit 447efbb575
parent 35622c2abb
1 changed files with 48 additions and 8 deletions
--- a/signing/sign.sh
+++ b/signing/sign.sh
@ -1,22 +1,62 @@
 #!/usr/bin/env bash

 set -ex
+
+if [[ $# -lt 2 ]]; then
+	echo "Usage: $0 DATA_DIR SIGS_DIR [SERVER_ADDR [SERVER_PORT]]"
+	exit 1
+fi
+
 DATA_DIR="$(readlink -f "$1")"
 KEYS_DIR="$(readlink -f "$(dirname "$0")")"
+SIGS_DIR="$(readlink -f "$2")"
+SERVER_ADDR="${3:-10.7.16.138}"
+SERVER_PORT="${4:-50051}"

+echo "===     Verifying update payload...     ==="
 gpg2 --verify "${DATA_DIR}/coreos_production_update.bin.bz2.sig"
 gpg2 --verify "${DATA_DIR}/coreos_production_image.vmlinuz.sig"
 gpg2 --verify "${DATA_DIR}/coreos_production_update.zip.sig"
+echo "===   Decompressing update payload...   ==="
 bunzip2 --keep "${DATA_DIR}/coreos_production_update.bin.bz2"
 unzip "${DATA_DIR}/coreos_production_update.zip" -d "${DATA_DIR}"

-export PATH="${DATA_DIR}:${PATH}"
+payload_signature_files=""
+for i in ${SIGS_DIR}/update.sig.*; do
+	payload_signature_files=${payload_signature_files}:${i}
+done
+payload_signature_files="${payload_signature_files:1:${#payload_signature_files}}"

-cd "${DATA_DIR}"
+pushd "${DATA_DIR}"
 ./core_sign_update \
-    --image "${DATA_DIR}/coreos_production_update.bin" \
-    --kernel "${DATA_DIR}/coreos_production_image.vmlinuz" \
-    --output "${DATA_DIR}/coreos_production_update.gz" \
-    --private_keys "${KEYS_DIR}/devel.key.pem+pkcs11:object=CoreOS_Update_Signing_Key;type=private" \
-    --public_keys  "${KEYS_DIR}/devel.pub.pem+${KEYS_DIR}/prod-2.pub.pem" \
-    --keys_separator "+"
+	--image "${DATA_DIR}/coreos_production_update.bin" \
+	--kernel "${DATA_DIR}/coreos_production_image.vmlinuz" \
+	--output "${DATA_DIR}/coreos_production_update.gz" \
+	--private_keys "${KEYS_DIR}/devel.key.pem+fero:coreos-update-prod" \
+	--public_keys  "${KEYS_DIR}/devel.pub.pem+${KEYS_DIR}/prod-2.pub.pem" \
+	--keys_separator "+" \
+	--signing_server_address "$SERVER_ADDR" \
+	--signing_server_port "$SERVER_PORT" \
+	--user_signatures "${payload_signature_files}"
+popd
+
+echo "===      Signing torcx manifest...      ==="
+torcx_signature_arg=""
+for torcx_signature in ${SIGS_DIR}/torcx_manifest.json.sig.*; do
+	torcx_signature_arg="${torcx_signature_arg} --signature ${torcx_signature}"
+done
+torcx_signature_arg="${torcx_signature_arg:1:${#torcx_signature_arg}}"
+
+fero-client \
+	--address $SERVER_ADDR \
+	--port $SERVER_PORT \
+	sign \
+	--file "${DATA_DIR}/torcx_manifest.json" \
+	--output "${DATA_DIR}/torcx_manifest.json.sig-fero" \
+	--secret-key coreos-torcx \
+	${torcx_signature_arg}
+gpg2 --enarmor \
+	--output "${DATA_DIR}/torcx_manifest.json.asc" \
+	"${DATA_DIR}/torcx_manifest.json.sig-fero"
+echo "=== Torcx manifest signed successfully. ==="
+rm -f "${DATA_DIR}/torcx_manifest.json.sig-fero"