mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-09-22 06:01:41 +02:00
Code Issues Packages Projects Releases Wiki Activity

bootstrap_sdk: add support for directly GPG signing SDK tarballs

Browse Source 
SDK tarballs have a .DIGESTS file but it is created by catalyst instead
of the upload_image function. In order to support plain GPG signing but
not avoid re-generating .DIGESTS we need to move that code out of
upload_image to a new function. upload_files shouldn't do it itself
because it is also used for portage binary packages which shouldn't be
signed (there is no point, nothing would verify the signatures).
This commit is contained in:
Michael Marineau 2015-06-28 17:02:23 -07:00
parent 22e3c116cc
commit 5789c6bbbf
2 changed files with 37 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
bootstrap_sdk
View File

@ -87,7 +87,8 @@ if [[ "$STAGES" =~ stage4 ]]; then
info "SDK ready: $BUILDS/${release_name}" info "SDK ready: $BUILDS/${release_name}"
def_upload_path="${UPLOAD_ROOT}/sdk/${ARCH}/${FLAGS_version}" def_upload_path="${UPLOAD_ROOT}/sdk/${ARCH}/${FLAGS_version}"
upload_files "tarball" "${def_upload_path}" "" "$BUILDS/${release_name}" \ sign_and_upload_files "tarball" "${def_upload_path}" "" \
"$BUILDS/${release_name}" \
"$BUILDS/${release_name}.CONTENTS" "$BUILDS/${release_name}.DIGESTS" "$BUILDS/${release_name}.CONTENTS" "$BUILDS/${release_name}.DIGESTS"
upload_files "packages" "${def_upload_path}" "pkgs/" "${BINPKGS}"/* upload_files "packages" "${def_upload_path}" "pkgs/" "${BINPKGS}"/*
fi fi

53
build_library/release_util.sh
View File

@ -98,6 +98,40 @@ upload_files() {
"${local_upload_path}/${extra_upload_suffix}" "${local_upload_path}/${extra_upload_suffix}"
} }
# Identical to upload_files but GPG signs every file if enabled.
# Usage: sign_and_upload_files "file type" "${UPLOAD_ROOT}/default/path" "" files...
# arg1: file type reported via log
# arg2: default upload path, overridden by --upload_path
# arg3: upload path suffix that can't be overridden, must end in /
# argv: remaining args are files or directories to upload
sign_and_upload_files() {
[[ ${FLAGS_upload} -eq ${FLAGS_TRUE} ]] || return 0
local msg="$1"
local path="$2"
local suffix="$3"
shift 3
# Create simple GPG detached signature for all uploads.
local sigs=()
if [[ -n "${FLAGS_sign}" ]]; then
local file
for file in "$@"; do
if [[ "${file}" =~ \.(asc|gpg|sig)$ ]]; then
continue
fi
rm -f "${file}.sig"
gpg --batch --local-user "${FLAGS_sign}" \
--detach-sign "${file}" || die "gpg failed"
sigs+=( "${file}.sig" )
done
fi
upload_files "${msg}" "${path}" "${suffix}" "$@" "${sigs[@]}"
}
upload_packages() { upload_packages() {
[[ ${FLAGS_upload} -eq ${FLAGS_TRUE} ]] || return 0 [[ ${FLAGS_upload} -eq ${FLAGS_TRUE} ]] || return 0
[[ -n "${BOARD}" ]] || die "board_options.sh must be sourced first" [[ -n "${BOARD}" ]] || die "board_options.sh must be sourced first"
@ -160,26 +194,9 @@ upload_image() {
uploads+=( "${digests}.asc" ) uploads+=( "${digests}.asc" )
fi fi
# Create simple GPG detached signature for all uploads.
local sigs=()
if [[ -n "${FLAGS_sign}" ]]; then
local file
for file in "${uploads[@]}"; do
if [[ "${file}" =~ \.(asc|gpg|sig)$ ]]; then
continue
fi
rm -f "${file}.sig"
gpg --batch --local-user "${FLAGS_sign}" \
--detach-sign "${file}" || die "gpg failed"
sigs+=( "${file}.sig" )
done
fi
uploads+=( "${sigs[@]}" )
local log_msg=$(basename "$digests" .DIGESTS) local log_msg=$(basename "$digests" .DIGESTS)
local def_upload_path="${UPLOAD_ROOT}/boards/${BOARD}/${COREOS_VERSION_STRING}" local def_upload_path="${UPLOAD_ROOT}/boards/${BOARD}/${COREOS_VERSION_STRING}"
upload_files "${log_msg}" "${def_upload_path}" "" "${uploads[@]}" sign_and_upload_files "${log_msg}" "${def_upload_path}" "" "${uploads[@]}"
} }
# Translate the configured upload URL to a download URL # Translate the configured upload URL to a download URL