Merge pull request #285 from marineam/version2

Refresh the update tools zip

build_image

@@ -171,6 +171,12 @@ if [[ "${PROD_IMAGE}" -eq 1 ]]; then
   fi
 fi
 
+if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]] || \
+   [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]
+then
+  zip_update_tools
+fi
+
 # Write out a version.txt file, this will be used by image_to_vm.sh
 tee "${BUILD_DIR}/version.txt" <<EOF
 COREOS_BUILD=${COREOS_BUILD}

build_library/build_image_util.sh

@@ -64,6 +64,19 @@ extract_update() {
   upload_image "${update_path}"
 }
 
+zip_update_tools() {
+  # There isn't a 'dev' variant of this zip, so always call it production.
+  local update_zip="coreos_production_update.zip"
+
+  info "Generating update tools zip"
+  # Make sure some vars this script needs are exported
+  export REPO_MANIFESTS_DIR SCRIPTS_DIR
+  "${BUILD_LIBRARY_DIR}/generate_au_zip.py" \
+    --output-dir "${BUILD_DIR}" --zip-name "${update_zip}"
+
+  upload_image "${BUILD_DIR}/${update_zip}"
+}
+
 generate_update() {
   local image_name="$1"
   local disk_layout="$2"
@@ -79,12 +92,6 @@ generate_update() {
   delta_generator -private_key "${devkey}" \
     -in_file "${update}.gz" -out_metadata "${update}.meta"
 
-  info "Generating update tools zip"
-  # Make sure some vars this script needs are exported
-  export REPO_MANIFESTS_DIR SCRIPTS_DIR
-  "${BUILD_LIBRARY_DIR}/generate_au_zip.py" \
-    --output-dir "${BUILD_DIR}" --zip-name "${update_prefix}.zip"
-
   upload_image -d "${update}.DIGESTS" "${update}".{bin,gz,meta,zip}
 }
 

build_library/generate_au_zip.py

@@ -20,12 +20,12 @@ REPO_MANIFESTS_DIR = os.environ['REPO_MANIFESTS_DIR']
 SCRIPTS_DIR = os.environ['SCRIPTS_DIR']
 
 # GLOBALS
-STATIC_FILES = ['/usr/bin/old_bins/cgpt',
+STATIC_FILES = ['%s/version.txt' % REPO_MANIFESTS_DIR,
-                '/usr/bin/cros_generate_update_payload',
-                '%s/version.txt' % REPO_MANIFESTS_DIR,
-                '%s/chromeos-common.sh' % SCRIPTS_DIR,
                 '%s/common.sh' % SCRIPTS_DIR,
+                '%s/core_pre_alpha' % SCRIPTS_DIR,
+                '%s/core_promote' % SCRIPTS_DIR,
                 '%s/core_roller_upload' % SCRIPTS_DIR,
+                '%s/core_sign_update' % SCRIPTS_DIR,
                 ]
 
 DYNAMIC_EXECUTABLES = ['/usr/bin/delta_generator',

offline_signing/devel.key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAzFS5uVJ+pgibcFLD3kbYk02Edj0HXq31ZT/Bva1sLp3Ysv+Q
+Tv/ezjf0gGFfASdgpz6G+zTipS9AIrQr0yFR+tdp1ZsHLGxVwvUoXFftdapqlyj8
+uQcWjjbN7qJsZu0Ett/qo93hQ5nHW7Sv5dRm/ZsDFqk2Uvyaoef4bF9r03wYpZq7
+K3oALZ2smETv+A5600mj1Xg5M52QFU67UHlsEFkZphrGjiqiCdp9AAbAvE7a5rFc
+Jf86YR73QX08K8BX7OMzkn3DsqdnWvLB3l3W6kvIuP+75SrMNeYAcU8PI1+bzLcA
+G3VN3jA78zeKALgynUNH50mxuiiU3DO4DZ+p5QIDAQABAoIBAH7ENbE+9+nkPyMx
+hekaBPVmSz7b3/2iaTNWmckmlY5aSX3LxejtH3rLBjq7rihWGMXJqg6hodcfeGfP
+Zb0H2AeKq1Nlac7qq05XsKGRv3WXs6dyO1BDkH/Minh5dk1o0NrwEm91kXLSLfe8
+IsCwxPCjwgfGFTjpFLpL4zjA/nFmWRyk2eyvs5VYRGKbbC83alUy7LutyRdZfw1b
+nwXldw2m8k/HPbGhaAqPpXTOjckIXZS5Dcp3smrOzwObZ6c3gQzg8upaRmxJVOmk
+cgCFTe0yUB2GMTEE3SUmuWJyZqECoyQtuiu0yT3igH8MZQpjg9NXm0eho/bXjN36
+frH+ikUCgYEA7VdCRcisnYWct29j+Bnaio9yXwwxhfoee53a4LQgjw5RLGUe1mXe
+j56oZ1Mak3Hh55sVQLNXZBuXHQqPsr7KkWXJXedDNFfq1u6by4LeJV0YYiDjjaCM
+T5G4Tcs7xhBWszLMCjhpJCrwHdGk3aa65UQ+angZlxhyziULCjpb5rMCgYEA3GUb
+VkqlVuNkHoogOMwg+h1jUSkwtWvP/z/FOXrKjivuwSgQ+i6PsildI3FL/WQtJxgd
+arB+l0L8TZJ6spFdNXwGmdCLqEcgEBYl11EojOXYLa7oLONI41iRQ3/nBBIqC38P
+Cs6CZQG/ZpKSoOzXE34BwcrOL99MA2oaVpGHuQcCgYA1IIk3Mbph8FyqOwb3rGHd
+Dksdt48GXHyiUy2BixCWtS+6blA+0cLGB0/PAS07wAw/WdmiCAMR55Ml7w1Hh6m0
+bkJrAK9schmhTvwUzBCJ8JLatF37f+qojQfichHJPjMKHd7KkuIGNI5XPmxXKVFA
+rMwD7SpdRh28w1H7UiDsPQKBgGebnFtXohyTr2hv9K/evo32LM9ltsFC2rga6YOZ
+BwoI+yeQx1JleyX9LgzQYTHQ2y0quAGE0S4YznVFLCswDQpssMm0cUL9lMQbNVTg
+kViTYKoxNHKNsqE17Kw3v4l5ZIydAZxJ8qC7TphQxV+jl4RRU1AgIAf/SEO+qH0T
+0yMXAoGBAN+y9QpGnGX6cgwLQQ7IC6MC+3NRed21s+KxHzpyF+Zh/q6NTLUSgp8H
+dBmeF4wAZTY+g/fdB9drYeaSdRs3SZsM7gMEvjspjYgE2rV/5gkncFyGKRAiNOR4
+bsy1Gm/UYLTc8+S3fq/xjg9RCjW9JMwavAwL6oVNNt7nyAXPfvSu
+-----END RSA PRIVATE KEY-----

offline_signing/devel.pub.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzFS5uVJ+pgibcFLD3kbY
+k02Edj0HXq31ZT/Bva1sLp3Ysv+QTv/ezjf0gGFfASdgpz6G+zTipS9AIrQr0yFR
++tdp1ZsHLGxVwvUoXFftdapqlyj8uQcWjjbN7qJsZu0Ett/qo93hQ5nHW7Sv5dRm
+/ZsDFqk2Uvyaoef4bF9r03wYpZq7K3oALZ2smETv+A5600mj1Xg5M52QFU67UHls
+EFkZphrGjiqiCdp9AAbAvE7a5rFcJf86YR73QX08K8BX7OMzkn3DsqdnWvLB3l3W
+6kvIuP+75SrMNeYAcU8PI1+bzLcAG3VN3jA78zeKALgynUNH50mxuiiU3DO4DZ+p
+5QIDAQAB
+-----END PUBLIC KEY-----

offline_signing/download.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -ex
+VERSION="$1"
+GS="gs://builds.release.core-os.net/alpha/boards/amd64-usr/$VERSION"
+
+cd "${2:-.}"
+
+gsutil cp \
+    "${GS}/coreos_production_update.bin.bz2" \
+    "${GS}/coreos_production_update.bin.bz2.sig" \
+    "${GS}/coreos_production_update.zip" \
+    "${GS}/coreos_production_update.zip.sig" ./
+
+gpg --verify "coreos_production_update.bin.bz2.sig"
+gpg --verify "coreos_production_update.zip.sig"

offline_signing/new_key.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -ex
+KEY="$1"
+openssl genrsa -rand /dev/random -out "${KEY}.key.pem" 2048
+openssl rsa -in "${KEY}.key.pem" -pubout -out "${KEY}.pub.pem"

offline_signing/print_key.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# If there is no default printer use ./print_key.sh prod-2 -d printer_name
+# List available printers with lpstat -a
+
+set -ex
+KEY="$1"
+shift
+qrencode -8 -o - < "${KEY}.key.pem" | lp -E -o fit-to-page "$@"

offline_signing/sign.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -ex
+DATA_DIR="$1"
+
+gpg --verify "${DATA_DIR}/coreos_production_update.bin.bz2.sig"
+gpg --verify "${DATA_DIR}/coreos_production_update.zip.sig"
+bunzip2 --keep "${DATA_DIR}/coreos_production_update.bin.bz2"
+unzip "${DATA_DIR}/coreos_production_update.zip" -d "${DATA_DIR}"
+
+export PATH="${DATA_DIR}:${PATH}"
+
+core_sign_update \
+    --image "${DATA_DIR}/coreos_production_update.bin" \
+    --output "${DATA_DIR}/update.gz" \
+    --private_keys "devel.key.pem:prod-2.key.pem" \
+    --public_keys  "devel.pub.pem:prod-2.pub.pem"