mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-09-25 07:31:01 +02:00
Code Issues Packages Projects Releases Wiki Activity

signing/sign: pass user signatures to core_sign_update

Browse Source
This commit is contained in:
James Forcier 2018-05-29 14:28:44 -07:00
parent 35622c2abb
commit 447efbb575
1 changed files with 48 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
signing/sign.sh
View File

@ -1,22 +1,62 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -ex set -ex
if [[ $# -lt 2 ]]; then
echo "Usage: $0 DATA_DIR SIGS_DIR [SERVER_ADDR [SERVER_PORT]]"
exit 1
fi
DATA_DIR="$(readlink -f "$1")" DATA_DIR="$(readlink -f "$1")"
KEYS_DIR="$(readlink -f "$(dirname "$0")")" KEYS_DIR="$(readlink -f "$(dirname "$0")")"
SIGS_DIR="$(readlink -f "$2")"
SERVER_ADDR="${3:-10.7.16.138}"
SERVER_PORT="${4:-50051}"
echo "=== Verifying update payload... ==="
gpg2 --verify "${DATA_DIR}/coreos_production_update.bin.bz2.sig" gpg2 --verify "${DATA_DIR}/coreos_production_update.bin.bz2.sig"
gpg2 --verify "${DATA_DIR}/coreos_production_image.vmlinuz.sig" gpg2 --verify "${DATA_DIR}/coreos_production_image.vmlinuz.sig"
gpg2 --verify "${DATA_DIR}/coreos_production_update.zip.sig" gpg2 --verify "${DATA_DIR}/coreos_production_update.zip.sig"
echo "=== Decompressing update payload... ==="
bunzip2 --keep "${DATA_DIR}/coreos_production_update.bin.bz2" bunzip2 --keep "${DATA_DIR}/coreos_production_update.bin.bz2"
unzip "${DATA_DIR}/coreos_production_update.zip" -d "${DATA_DIR}" unzip "${DATA_DIR}/coreos_production_update.zip" -d "${DATA_DIR}"
export PATH="${DATA_DIR}:${PATH}" payload_signature_files=""
for i in ${SIGS_DIR}/update.sig.*; do
payload_signature_files=${payload_signature_files}:${i}
done
payload_signature_files="${payload_signature_files:1:${#payload_signature_files}}"
cd "${DATA_DIR}" pushd "${DATA_DIR}"
./core_sign_update \ ./core_sign_update \
--image "${DATA_DIR}/coreos_production_update.bin" \ --image "${DATA_DIR}/coreos_production_update.bin" \
--kernel "${DATA_DIR}/coreos_production_image.vmlinuz" \ --kernel "${DATA_DIR}/coreos_production_image.vmlinuz" \
--output "${DATA_DIR}/coreos_production_update.gz" \ --output "${DATA_DIR}/coreos_production_update.gz" \
--private_keys "${KEYS_DIR}/devel.key.pem+pkcs11:object=CoreOS_Update_Signing_Key;type=private" \ --private_keys "${KEYS_DIR}/devel.key.pem+fero:coreos-update-prod" \
--public_keys "${KEYS_DIR}/devel.pub.pem+${KEYS_DIR}/prod-2.pub.pem" \ --public_keys "${KEYS_DIR}/devel.pub.pem+${KEYS_DIR}/prod-2.pub.pem" \
--keys_separator "+" --keys_separator "+" \
--signing_server_address "$SERVER_ADDR" \
--signing_server_port "$SERVER_PORT" \
--user_signatures "${payload_signature_files}"
popd
echo "=== Signing torcx manifest... ==="
torcx_signature_arg=""
for torcx_signature in ${SIGS_DIR}/torcx_manifest.json.sig.*; do
torcx_signature_arg="${torcx_signature_arg} --signature ${torcx_signature}"
done
torcx_signature_arg="${torcx_signature_arg:1:${#torcx_signature_arg}}"
fero-client \
--address $SERVER_ADDR \
--port $SERVER_PORT \
sign \
--file "${DATA_DIR}/torcx_manifest.json" \
--output "${DATA_DIR}/torcx_manifest.json.sig-fero" \
--secret-key coreos-torcx \
${torcx_signature_arg}
gpg2 --enarmor \
--output "${DATA_DIR}/torcx_manifest.json.asc" \
"${DATA_DIR}/torcx_manifest.json.sig-fero"
echo "=== Torcx manifest signed successfully. ==="
rm -f "${DATA_DIR}/torcx_manifest.json.sig-fero"