mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-08 21:46:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

core_sign_update: remain compatible with older sign.sh

Browse Source 
The motivation behind retaining this backwards compatibility, at least
now, is that it's actually non-trivial to revert these code changes for
a given release.

The `sign.sh` changes can easily be changed, but the `core_sign_update`
code is included in the update-specific "au_zip" file. Replacing that is
a little more fiddly.

Since it's possible we'll still want to revert to the previous signing
behavior, make it so the update payload (namely core_sign_update) should
work both under the previous `sign.sh` script, and when using the new
one.
This commit is contained in:
Euan Kemp 2017-07-11 13:55:59 -07:00
parent 5cbc755abc
commit 61be39c999
2 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
core_sign_update
View File

@ -18,8 +18,9 @@ export GCLIENT_ROOT=$(readlink -f "${SCRIPT_ROOT}/../../")
DEFINE_string image "" "The filesystem image of /usr" DEFINE_string image "" "The filesystem image of /usr"
DEFINE_string kernel "" "The kernel image" DEFINE_string kernel "" "The kernel image"
DEFINE_string output "" "Output file" DEFINE_string output "" "Output file"
DEFINE_string private_keys "" "Path to private key in .pem format." DEFINE_string private_keys "" "Path or pkcs11 URI to private keys."
DEFINE_string public_keys "" "Path to public key in .pem format." DEFINE_string public_keys "" "Path to public keys in .pem format."
DEFINE string keys_separator ":" "Separator for the above keys"
# Parse command line # Parse command line
FLAGS "$@" || exit 1 FLAGS "$@" || exit 1
@ -45,8 +46,9 @@ delta_generator \
-new_kernel "$FLAGS_kernel" \ -new_kernel "$FLAGS_kernel" \
-out_file update -out_file update
IFS=+ read -a private_keys <<< "$FLAGS_private_keys" # The separator is configurable for backwards compatibility with old `sign.sh` scripts.
IFS=+ read -a public_keys <<< "$FLAGS_public_keys" IFS="${keys_separator}" read -a private_keys <<< "$FLAGS_private_keys"
IFS="${keys_separator}" read -a public_keys <<< "$FLAGS_public_keys"
if [ ${#private_keys[@]} -ne ${#public_keys[@]} ]; then if [ ${#private_keys[@]} -ne ${#public_keys[@]} ]; then
echo "mismatch in count of private keys and public keys" echo "mismatch in count of private keys and public keys"

3
offline_signing/sign.sh
View File

@ -18,4 +18,5 @@ cd "${DATA_DIR}"
--kernel "${DATA_DIR}/coreos_production_image.vmlinuz" \ --kernel "${DATA_DIR}/coreos_production_image.vmlinuz" \
--output "${DATA_DIR}/coreos_production_update.gz" \ --output "${DATA_DIR}/coreos_production_update.gz" \
--private_keys "${KEYS_DIR}/devel.key.pem+pkcs11:object=CoreOS_Update_Signing_Key;type=private" \ --private_keys "${KEYS_DIR}/devel.key.pem+pkcs11:object=CoreOS_Update_Signing_Key;type=private" \
--public_keys "${KEYS_DIR}/devel.pub.pem+${KEYS_DIR}/prod-2.pub.pem" --public_keys "${KEYS_DIR}/devel.pub.pem+${KEYS_DIR}/prod-2.pub.pem" \
--keys_separator "+"