From aa70fc929f58cc5788058d590402f840b08d3615 Mon Sep 17 00:00:00 2001
From: James Le Cuirot <jlecuirot@microsoft.com>
Date: Thu, 19 Dec 2024 18:19:46 +0000
Subject: [PATCH] Delay generating test update payload in official builds

The update payload needs the kernel, which isn't signed during the image
job. Secure Boot is not currently enabled for update tests, but we may
as well do this properly. The production update upload is generated
manually at the end after everything has already been signed.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
---
 build_image                   | 2 +-
 ci-automation/sbsign_image.sh | 3 ++-
 sbsign_image                  | 5 ++++-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/build_image b/build_image
index a9e6bcdaf8..739bc49b55 100755
--- a/build_image
+++ b/build_image
@@ -177,7 +177,7 @@ if [[ "${PROD_IMAGE}" -eq 1 ]]; then
   if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then
     extract_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
   fi
-  if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then
+  if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} && ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
     generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
   fi
   if [[ "${PROD_TAR}" -eq 1 ]]; then
diff --git a/ci-automation/sbsign_image.sh b/ci-automation/sbsign_image.sh
index 361401b40e..9f2cb630d9 100644
--- a/ci-automation/sbsign_image.sh
+++ b/ci-automation/sbsign_image.sh
@@ -91,7 +91,8 @@ function _sbsign_image_impl() {
                        --only_store_compressed
 
     # Delete uncompressed generic image before signing and upload
-    rm "${images_local}/flatcar_production_image.bin"
+    # Also delete update image because it will be unchanged
+    rm "${images_local}"/flatcar_production_{image,update}.bin
     create_digests "${SIGNER}" "${images_local}"/*
     sign_artifacts "${SIGNER}" "${images_local}"/*
     copy_to_buildcache "${images_remote}"/ "${images_local}"/*
diff --git a/sbsign_image b/sbsign_image
index 66aca04472..7fb3a80d3f 100755
--- a/sbsign_image
+++ b/sbsign_image
@@ -61,8 +61,11 @@ switch_to_strict_mode
 # Create the output directory and temporary mount points.
 mkdir -p "${BUILD_DIR}"
 
+DISK_LAYOUT="${FLAGS_disk_layout:-base}"
+
 fix_mtab
-sbsign_prod_image "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${FLAGS_disk_layout:-base}"
+sbsign_prod_image "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
+generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
 
 echo "Done. ${FLATCAR_PRODUCTION_IMAGE_NAME} and associated files are now signed for Secure Boot in ${BUILD_DIR}."
 command_completed