From 0a74a57c40b4c5894c09baf7b87ba0d9db5beabf Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Tue, 5 Sep 2017 15:32:05 -0700
Subject: [PATCH 1/4] offline_signing: verify downloads with gpg2
---
 offline_signing/download.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/offline_signing/download.sh b/offline_signing/download.sh
index bf46eb70e9..e070d276a2 100755
--- a/offline_signing/download.sh
+++ b/offline_signing/download.sh
@@ -24,6 +24,6 @@ gsutil cp \
 "${GS}/coreos_production_update.zip" \
 "${GS}/coreos_production_update.zip.sig" ./
-gpg --verify "coreos_production_image.vmlinuz.sig"
-gpg --verify "coreos_production_update.bin.bz2.sig"
-gpg --verify "coreos_production_update.zip.sig"
+gpg2 --verify "coreos_production_image.vmlinuz.sig"
+gpg2 --verify "coreos_production_update.bin.bz2.sig"
+gpg2 --verify "coreos_production_update.zip.sig"
From b3cb2e0608f85e06bf7d235b83a777816d0a5747 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Tue, 5 Sep 2017 16:35:34 -0700
Subject: [PATCH 2/4] offline_signing: download multiple versions and boards per invocation
---
 offline_signing/download.sh | 76 +++++++++++++++++++++++++++----------
 1 file changed, 56 insertions(+), 20 deletions(-)
diff --git a/offline_signing/download.sh b/offline_signing/download.sh
index e070d276a2..41ffaefd61 100755
--- a/offline_signing/download.sh
+++ b/offline_signing/download.sh
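Review bot: The three `gpg2 --verify "….sig"` calls in the 1/4 hunk exit 0 for a good signature made by any public key in the default keyring, so they check integrity but do not pin the artifacts to the expected release signing key. Each call also passes only the signature file and leaves gpg2 to work out the signed file from the name, a short form the GnuPG documentation discourages; naming both removes the guesswork, e.g. `gpg2 --verify "coreos_production_update.zip.sig" "coreos_production_update.zip"`. For an offline-signing input I would verify against a dedicated keyring that holds only the release key, e.g. `gpgv --keyring RELEASE_KEYRING.gpg FILE.sig FILE` (both names are placeholders). The same three calls are carried unchanged into `download()` by patch 2/4.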
@@ -2,28 +2,64 @@
 set -eux
-BOARD="${1?Must provide a board (e.g. amd64-usr)}"
-VERSION="${2?Must provide a version (e.g. 1234.0.0)}"
-CHANNEL="${3?Must provide a channel (e.g. alpha)}"
+download() {
+ local channel="$1"
+ local version="$2"
+ local board="$3"
-if ! [[ "${CHANNEL}" =~ alpha|beta|stable ]]; then
- echo "Invalid channel ${CHANNEL}"
- echo "Usage: $0 [OUTPUT DIR]"
+ local gs="gs://builds.release.core-os.net/${channel}/boards/${board}/${version}"
+ local dir="${BASEDIR}/${board}/${version}"
+ mkdir -p "${dir}"
+ pushd "${dir}" >/dev/null
+
+ gsutil cp \
+ "${gs}/coreos_production_image.vmlinuz" \
+ "${gs}/coreos_production_image.vmlinuz.sig" \
+ "${gs}/coreos_production_update.bin.bz2" \
+ "${gs}/coreos_production_update.bin.bz2.sig" \
+ "${gs}/coreos_production_update.zip" \
+ "${gs}/coreos_production_update.zip.sig" ./
+
+ gpg2 --verify "coreos_production_image.vmlinuz.sig"
+ gpg2 --verify "coreos_production_update.bin.bz2.sig"
+ gpg2 --verify "coreos_production_update.zip.sig"
+
+ popd >/dev/null
+}
+
+usage() {
+ echo "Usage: $0 [{-a|-b|-s} ]..." >&2
 exit 1
+}
+
+CMD=download
+
+BASEDIR="${1:-}"
+if [[ -z "${BASEDIR}" ]]; then
+ usage
 fi
+shift
-GS="gs://builds.release.core-os.net/${CHANNEL}/boards/$BOARD/$VERSION"
+# Walk argument pairs.
+while [[ $# > 0 ]]; do
+ c="$1"
+ v="${2?Must provide a version (e.g. 1234.0.0)}"
+ shift 2
-cd "${4:-.}"
-
-gsutil cp \
- "${GS}/coreos_production_image.vmlinuz" \
- "${GS}/coreos_production_image.vmlinuz.sig" \
- "${GS}/coreos_production_update.bin.bz2" \
- "${GS}/coreos_production_update.bin.bz2.sig" \
- "${GS}/coreos_production_update.zip" \
- "${GS}/coreos_production_update.zip.sig" ./
-
-gpg2 --verify "coreos_production_image.vmlinuz.sig"
-gpg2 --verify "coreos_production_update.bin.bz2.sig"
-gpg2 --verify "coreos_production_update.zip.sig"
+ case "${c}" in
+ -a)
+ $CMD "alpha" "${v}" "amd64-usr"
+ $CMD "alpha" "${v}" "arm64-usr"
+ ;;
+ -b)
+ $CMD "beta" "${v}" "amd64-usr"
+ $CMD "beta" "${v}" "arm64-usr"
+ ;;
+ -s)
+ $CMD "stable" "${v}" "amd64-usr"
+ ;;
+ *)
+ usage
+ ;;
+ esac
+done
From 3ed15a8762254f77c2ab2b3fa6f820c58b882630 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Tue, 5 Sep 2017 16:38:16 -0700
Subject: [PATCH 3/4] offline_signing: automatically fix ownership of output dir
---
 offline_signing/download.sh | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/offline_signing/download.sh b/offline_signing/download.sh
index 41ffaefd61..78f71e65f5 100755
--- a/offline_signing/download.sh
+++ b/offline_signing/download.sh
@@ -40,6 +40,11 @@ if [[ -z "${BASEDIR}" ]]; then
 fi
 shift
+if [[ -d "${BASEDIR}" && ! -O "${BASEDIR}" ]]; then
+ echo "Fixing ownership of ${BASEDIR}..."
+ sudo chown -R "${USER}" "${BASEDIR}"
+fi
+
 # Walk argument pairs.
 while [[ $# > 0 ]]; do
 c="$1"
From 9c93dcb272677775446c959cf8ec16a44aef37f4 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Tue, 5 Sep 2017 17:01:48 -0700
Subject: [PATCH 4/4] offline_signing: add subcommand to upload to roller
---
 offline_signing/{download.sh => transfer.sh} | 51 ++++++++++++++++++--
 1 file changed, 47 insertions(+), 4 deletions(-)
 rename offline_signing/{download.sh => transfer.sh} (53%)
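Review bot: In the 2/4 hunk, `${v}` goes unchecked into both the `gs://` path and `dir="${BASEDIR}/${board}/${version}"` ahead of `mkdir -p`, so a value containing `/` or `..` creates and fills directories outside the intended `board/version` layout. If versions are always three dotted numbers, as the `1234.0.0` example suggests, a guard at the top of the loop such as `[[ "${v}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || usage` would reject that. The `*)` arm calls `usage` only after earlier pairs have already been downloaded, so validating every pair before the first `$CMD` call would avoid half-finished runs. As a style point, `while [[ $# > 0 ]]; do` is a string comparison inside `[[ ]]`; `while (( $# > 0 )); do` states the numeric intent.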
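Review bot: `sudo chown -R "${USER}" "${BASEDIR}"` in the 3/4 hunk performs a privileged recursive ownership change on whatever existing directory the first argument names, so a mistyped or overly broad path that the caller does not own is rewritten without confirmation. I would restrict this to a directory the script itself created, or prompt before acting. Ending option parsing and taking the account from `id` makes the call itself more robust: `sudo chown -R -- "$(id -un)" "${BASEDIR}"`; `${USER}` comes from the environment and, under the `set -eux` at the top of the script, an unset value aborts the run. The `while` loop shown as trailing context continues outside the hunk.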
diff --git a/offline_signing/download.sh b/offline_signing/transfer.sh
similarity index 53%
rename from offline_signing/download.sh
rename to offline_signing/transfer.sh
index 78f71e65f5..7a3ab7cc4e 100755
--- a/offline_signing/download.sh
+++ b/offline_signing/transfer.sh
@@ -27,18 +27,61 @@ download() {
 popd >/dev/null
 }
+upload() {
+ local channel="$1"
+ local version="$2"
+ local board="$3"
+
+ local payload="${BASEDIR}/${board}/${version}/coreos_production_update.gz"
+ if [[ ! -e "${payload}" ]]; then
+ echo "No such file: ${payload}" >&2
+ exit 1
+ fi
+
+ declare -A appid
+ appid[amd64-usr]=e96281a6-d1af-4bde-9a0a-97b76e56dc57
+ appid[arm64-usr]=103867da-e3a2-4c92-b0b3-7fbd7f7d8b71
+
+ "$(dirname $0)/../core_roller_upload" \
+ --user="${ROLLER_USERNAME}" \
+ --api_key="${ROLLER_API_KEY}" \
+ --app_id="${appid[${board}]}" \
+ --board="${board}" \
+ --version="${version}" \
+ --payload="${payload}"
+}
+
 usage() {
- echo "Usage: $0 [{-a|-b|-s} ]..." >&2
+ echo "Usage: $0 {download|upload} [{-a|-b|-s} ]..." >&2
 exit 1
 }
-CMD=download
+# Parse base arguments.
+CMD="${1:-}"
+BASEDIR="${2:-}"
+shift 2 ||:
+
+case "${CMD}" in
+ download)
+ ;;
+ upload)
+ if [[ -e "${HOME}/.config/roller.conf" ]]; then
+ . "${HOME}/.config/roller.conf"
+ fi
+ if [[ -z "${ROLLER_USERNAME:-}" || -z "${ROLLER_API_KEY:-}" ]]; then
+ echo 'Missing $ROLLER_USERNAME or $ROLLER_API_KEY.' >&2
+ echo "Consider adding shell assignments to ~/.config/roller.conf." >&2
+ exit 1
+ fi
+ ;;
+ *)
+ usage
+ ;;
+esac
-BASEDIR="${1:-}"
 if [[ -z "${BASEDIR}" ]]; then
 usage
 fi
-shift
 if [[ -d "${BASEDIR}" && ! -O "${BASEDIR}" ]]; then
 echo "Fixing ownership of ${BASEDIR}..."
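Review bot: `--api_key="${ROLLER_API_KEY}"` in `upload()` is exposed by the script's own tracing: with the `set -eux` kept from patch 2/4, xtrace prints the expanded argument to stderr on every upload, along with the assignments sourced from `~/.config/roller.conf`, and the key is also visible in the process list as an argument of `core_roller_upload`. Switch tracing off around both places, i.e. `set +x` before `. "${HOME}/.config/roller.conf"` and before the `core_roller_upload` call; whether that tool can take the key from the environment or a file instead of `--api_key=` is not visible from this page, but that would be preferable if it can. `$0` should be quoted in `"$(dirname "$0")/../core_roller_upload"`, and since `roller.conf` is executed as shell code it is worth checking that it is not group- or world-writable before sourcing it. The trailing `if [[ -d "${BASEDIR}" …` context continues outside the hunk.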