From 82e2461ddf816a5a534eb870e47bb09314f71fbb Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Tue, 24 Jun 2014 13:34:54 -0700 Subject: [PATCH 1/3] build_image: refresh scripts bundled into the update zip. --- build_library/generate_au_zip.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/build_library/generate_au_zip.py b/build_library/generate_au_zip.py index 3280b8b0f3..ff708dd122 100755 --- a/build_library/generate_au_zip.py +++ b/build_library/generate_au_zip.py @@ -20,12 +20,12 @@ REPO_MANIFESTS_DIR = os.environ['REPO_MANIFESTS_DIR'] SCRIPTS_DIR = os.environ['SCRIPTS_DIR'] # GLOBALS -STATIC_FILES = ['/usr/bin/old_bins/cgpt', - '/usr/bin/cros_generate_update_payload', - '%s/version.txt' % REPO_MANIFESTS_DIR, - '%s/chromeos-common.sh' % SCRIPTS_DIR, +STATIC_FILES = ['%s/version.txt' % REPO_MANIFESTS_DIR, '%s/common.sh' % SCRIPTS_DIR, + '%s/core_pre_alpha' % SCRIPTS_DIR, + '%s/core_promote' % SCRIPTS_DIR, '%s/core_roller_upload' % SCRIPTS_DIR, + '%s/core_sign_update' % SCRIPTS_DIR, ] DYNAMIC_EXECUTABLES = ['/usr/bin/delta_generator', From 51c78a4685ce4e0c021b23f6904ea0e7d8531da6 Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Tue, 24 Jun 2014 14:01:09 -0700 Subject: [PATCH 2/3] build_image: generate update tools zip by default Missed this in 7231b95a, the update zip should still be built when the usr partition is extracted for generating updates but build_image itself is not generating and signing the update. --- build_image | 6 ++++++ build_library/build_image_util.sh | 19 +++++++++++++------ 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/build_image b/build_image index e308099253..a67bc3163d 100755 --- a/build_image +++ b/build_image 
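Review bot: The five SCRIPTS_DIR entries in STATIC_FILES repeat the same `'%s/...' % SCRIPTS_DIR` formatting by hand, which is easy to get subtly wrong as more tools are added (this patch alone adds three). Since `os` is already in scope, splicing in `[os.path.join(SCRIPTS_DIR, n) for n in ('common.sh', 'core_pre_alpha', 'core_promote', 'core_roller_upload', 'core_sign_update')]` keeps the tool names in one place. A short comment above STATIC_FILES saying why signing tools belong in the update zip would also help; from the sign.sh added later in this series it looks like these scripts are executed on the signing host straight out of the extracted zip, but that intent is not stated anywhere in this file.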
@@ -171,6 +171,12 @@ if [[ "${PROD_IMAGE}" -eq 1 ]]; then fi fi +if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]] || \ + [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]] +then + zip_update_tools +fi + # Write out a version.txt file, this will be used by image_to_vm.sh tee "${BUILD_DIR}/version.txt" < Date: Tue, 24 Jun 2014 15:22:38 -0700 Subject: [PATCH 3/3] updates: add example scripts for signing update payloads This pretty much just translates the signing instructions into some trivial wrapper scripts to serve as an example on how to do this. --- offline_signing/devel.key.pem | 27 +++++++++++++++++++++++++++ offline_signing/devel.pub.pem | 9 +++++++++ offline_signing/download.sh | 16 ++++++++++++++++ offline_signing/new_key.sh | 6 ++++++ offline_signing/print_key.sh | 8 ++++++++ offline_signing/sign.sh | 17 +++++++++++++++++ 6 files changed, 83 insertions(+) create mode 100644 offline_signing/devel.key.pem create mode 100644 offline_signing/devel.pub.pem create mode 100755 offline_signing/download.sh create mode 100755 offline_signing/new_key.sh create mode 100755 offline_signing/print_key.sh create mode 100755 offline_signing/sign.sh diff --git a/offline_signing/devel.key.pem b/offline_signing/devel.key.pem new file mode 100644 index 0000000000..ac660a755e --- /dev/null +++ b/offline_signing/devel.key.pem 
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAzFS5uVJ+pgibcFLD3kbYk02Edj0HXq31ZT/Bva1sLp3Ysv+Q
+Tv/ezjf0gGFfASdgpz6G+zTipS9AIrQr0yFR+tdp1ZsHLGxVwvUoXFftdapqlyj8
+uQcWjjbN7qJsZu0Ett/qo93hQ5nHW7Sv5dRm/ZsDFqk2Uvyaoef4bF9r03wYpZq7
+K3oALZ2smETv+A5600mj1Xg5M52QFU67UHlsEFkZphrGjiqiCdp9AAbAvE7a5rFc
+Jf86YR73QX08K8BX7OMzkn3DsqdnWvLB3l3W6kvIuP+75SrMNeYAcU8PI1+bzLcA
+G3VN3jA78zeKALgynUNH50mxuiiU3DO4DZ+p5QIDAQABAoIBAH7ENbE+9+nkPyMx
+hekaBPVmSz7b3/2iaTNWmckmlY5aSX3LxejtH3rLBjq7rihWGMXJqg6hodcfeGfP
+Zb0H2AeKq1Nlac7qq05XsKGRv3WXs6dyO1BDkH/Minh5dk1o0NrwEm91kXLSLfe8
+IsCwxPCjwgfGFTjpFLpL4zjA/nFmWRyk2eyvs5VYRGKbbC83alUy7LutyRdZfw1b
+nwXldw2m8k/HPbGhaAqPpXTOjckIXZS5Dcp3smrOzwObZ6c3gQzg8upaRmxJVOmk
+cgCFTe0yUB2GMTEE3SUmuWJyZqECoyQtuiu0yT3igH8MZQpjg9NXm0eho/bXjN36
+frH+ikUCgYEA7VdCRcisnYWct29j+Bnaio9yXwwxhfoee53a4LQgjw5RLGUe1mXe
+j56oZ1Mak3Hh55sVQLNXZBuXHQqPsr7KkWXJXedDNFfq1u6by4LeJV0YYiDjjaCM
+T5G4Tcs7xhBWszLMCjhpJCrwHdGk3aa65UQ+angZlxhyziULCjpb5rMCgYEA3GUb
+VkqlVuNkHoogOMwg+h1jUSkwtWvP/z/FOXrKjivuwSgQ+i6PsildI3FL/WQtJxgd
+arB+l0L8TZJ6spFdNXwGmdCLqEcgEBYl11EojOXYLa7oLONI41iRQ3/nBBIqC38P
+Cs6CZQG/ZpKSoOzXE34BwcrOL99MA2oaVpGHuQcCgYA1IIk3Mbph8FyqOwb3rGHd
+Dksdt48GXHyiUy2BixCWtS+6blA+0cLGB0/PAS07wAw/WdmiCAMR55Ml7w1Hh6m0
+bkJrAK9schmhTvwUzBCJ8JLatF37f+qojQfichHJPjMKHd7KkuIGNI5XPmxXKVFA
+rMwD7SpdRh28w1H7UiDsPQKBgGebnFtXohyTr2hv9K/evo32LM9ltsFC2rga6YOZ
+BwoI+yeQx1JleyX9LgzQYTHQ2y0quAGE0S4YznVFLCswDQpssMm0cUL9lMQbNVTg
+kViTYKoxNHKNsqE17Kw3v4l5ZIydAZxJ8qC7TphQxV+jl4RRU1AgIAf/SEO+qH0T
+0yMXAoGBAN+y9QpGnGX6cgwLQQ7IC6MC+3NRed21s+KxHzpyF+Zh/q6NTLUSgp8H
+dBmeF4wAZTY+g/fdB9drYeaSdRs3SZsM7gMEvjspjYgE2rV/5gkncFyGKRAiNOR4
+bsy1Gm/UYLTc8+S3fq/xjg9RCjW9JMwavAwL6oVNNt7nyAXPfvSu
+-----END RSA PRIVATE KEY-----
diff --git a/offline_signing/devel.pub.pem b/offline_signing/devel.pub.pem
new file mode 100644
index 0000000000..ccee9ee90b
--- /dev/null
+++ b/offline_signing/devel.pub.pem
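Review bot: devel.key.pem is a private signing key committed in clear text, so it is public the moment this lands and any signature it produces can be reproduced by anyone with a checkout. That is acceptable only if it is strictly a throwaway example key that no update client ever trusts; the commit message calls the scripts examples but says nothing about the key itself. Suggest a README or a comment in the scripts next to it stating that the devel.* pair is illustrative only and must never appear in a trusted key set, and confirm that sign.sh's `--private_keys "devel.key.pem:prod-2.key.pem"` later in this series is likewise only an example invocation.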
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzFS5uVJ+pgibcFLD3kbY
+k02Edj0HXq31ZT/Bva1sLp3Ysv+QTv/ezjf0gGFfASdgpz6G+zTipS9AIrQr0yFR
++tdp1ZsHLGxVwvUoXFftdapqlyj8uQcWjjbN7qJsZu0Ett/qo93hQ5nHW7Sv5dRm
+/ZsDFqk2Uvyaoef4bF9r03wYpZq7K3oALZ2smETv+A5600mj1Xg5M52QFU67UHls
+EFkZphrGjiqiCdp9AAbAvE7a5rFcJf86YR73QX08K8BX7OMzkn3DsqdnWvLB3l3W
+6kvIuP+75SrMNeYAcU8PI1+bzLcAG3VN3jA78zeKALgynUNH50mxuiiU3DO4DZ+p
+5QIDAQAB
+-----END PUBLIC KEY-----
diff --git a/offline_signing/download.sh b/offline_signing/download.sh
new file mode 100755
index 0000000000..7363fbf034
--- /dev/null
+++ b/offline_signing/download.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -ex
+VERSION="$1"
+GS="gs://builds.release.core-os.net/alpha/boards/amd64-usr/$VERSION"
+
+cd "${2:-.}"
+
+gsutil cp \
+ "${GS}/coreos_production_update.bin.bz2" \
+ "${GS}/coreos_production_update.bin.bz2.sig" \
+ "${GS}/coreos_production_update.zip" \
+ "${GS}/coreos_production_update.zip.sig" ./
+
+gpg --verify "coreos_production_update.bin.bz2.sig"
+gpg --verify "coreos_production_update.zip.sig"
diff --git a/offline_signing/new_key.sh b/offline_signing/new_key.sh
new file mode 100755
index 0000000000..f4a755c4c3
--- /dev/null
+++ b/offline_signing/new_key.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -ex
+KEY="$1"
+openssl genrsa -rand /dev/random -out "${KEY}.key.pem" 2048
+openssl rsa -in "${KEY}.key.pem" -pubout -out "${KEY}.pub.pem"
diff --git a/offline_signing/print_key.sh b/offline_signing/print_key.sh
new file mode 100755
index 0000000000..8a8253d0c2
--- /dev/null
+++ b/offline_signing/print_key.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# If there is no default printer use ./print_key.sh prod-2 -d printer_name
+# List available printers with lpstat -a
+
+set -ex
+KEY="$1"
+shift
+qrencode -8 -o - < "${KEY}.key.pem" | lp -E -o fit-to-page "$@"
diff --git a/offline_signing/sign.sh b/offline_signing/sign.sh
new file mode 100755
index 0000000000..9e77a6f5f3
--- /dev/null
+++ b/offline_signing/sign.sh
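Review bot: `VERSION="$1"` in download.sh accepts a missing argument, so a bare invocation builds a gs:// path with an empty version component and the failure only surfaces later inside gsutil rather than at the argument that caused it; the same unchecked `$1` pattern is in new_key.sh, print_key.sh and sign.sh. `VERSION="${1:?usage: download.sh VERSION [DIR]}"` fails immediately with a clear message, and `KEY="${1:?...}"` / `DATA_DIR="${1:?...}"` do the same in the other three scripts. Separately, `gpg --verify` succeeds for a signature from any key present in the invoking user's keyring, so the two verify lines are only as strong as the keyring on the download host; if that keyring can contain anything other than the release key, the script should also compare the signer fingerprint gpg reports against the expected one before treating the files as trusted.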
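Review bot: `openssl genrsa -rand /dev/random -out "${KEY}.key.pem" 2048` in new_key.sh creates the private key file under the caller's default umask, so with the usual 022 the key is world-readable from the moment it is written until someone remembers to chmod it. Adding `umask 077` directly after `set -ex` makes both output files owner-only at creation; the .pub.pem can be loosened afterwards if it needs to be shared. A comment above the genrsa line, `# Private key must stay readable only by the signing user`, would record the intent for the next person who copies this script.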
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -ex
+DATA_DIR="$1"
+
+gpg --verify "${DATA_DIR}/coreos_production_update.bin.bz2.sig"
+gpg --verify "${DATA_DIR}/coreos_production_update.zip.sig"
+bunzip2 --keep "${DATA_DIR}/coreos_production_update.bin.bz2"
+unzip "${DATA_DIR}/coreos_production_update.zip" -d "${DATA_DIR}"
+
+export PATH="${DATA_DIR}:${PATH}"
+
+core_sign_update \
+ --image "${DATA_DIR}/coreos_production_update.bin" \
+ --output "${DATA_DIR}/update.gz" \
+ --private_keys "devel.key.pem:prod-2.key.pem" \
+ --public_keys "devel.pub.pem:prod-2.pub.pem"
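Review bot: `export PATH="${DATA_DIR}:${PATH}"` puts the directory unzip just populated ahead of every system directory for the rest of the script, so not only core_sign_update but any helper it invokes (openssl, gzip, and so on) resolves to a file from the downloaded archive if one by that name exists there. The zip's detached signature is verified a few lines earlier, which limits this to what the release pipeline signed, but an offline signing host should still not let an archive shadow its own binaries; appending instead, `export PATH="${PATH}:${DATA_DIR}"`, or calling `"${DATA_DIR}/core_sign_update"` directly keeps system tools authoritative (whether core_sign_update needs to find sibling scripts via PATH is not visible here). The key arguments `devel.key.pem:prod-2.key.pem` are also relative to the current directory while everything else is relative to DATA_DIR, so the script only works when run from offline_signing/; a `cd "$(dirname "$0")"` near the top, or an explicit key-directory argument, would make that requirement visible.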