mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-14 00:16:59 +02:00
Code Issues Packages Projects Releases Wiki Activity
64f1595ae7
flatcar-scripts/ci-automation/sbsign_image.sh
James Le Cuirot aa70fc929f
Delay generating test update payload in official builds 
The update payload needs the kernel, which isn't signed during the image
job. Secure Boot is not currently enabled for update tests, but we may
as well do this properly. The production update upload is generated
manually at the end after everything has already been signed.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
2024-12-20 16:29:32 +00:00

101 lines
4.1 KiB
Bash
Raw Blame History

#!/bin/bash
#
# Copyright (c) 2024 The Flatcar Maintainers.
# Use of this source code is governed by the Apache 2.0 license.
# >>> This file is supposed to be SOURCED from the repository ROOT. <<<
#
# sbsign_image() should be called w/ the positional INPUT parameters below.
# Secure Boot image signing build automation stub.
# This script will sign an existing OS image for Secure Boot.
#
# PREREQUISITES:
#
# 1. SDK version and OS image version are recorded in sdk_container/.repo/manifests/version.txt
# 2. Scripts repo version tag of OS image version to be built is available and checked out.
# 3. The generic Flatcar image must be present in build cache server.
#
# INPUT:
#
# 1. Architecture (ARCH) of the TARGET vm images ("arm64", "amd64").
#
# OPTIONAL INPUT:
#
# 1. SIGNER. Environment variable. Name of the owner of the artifact signing key.
# Defaults to nothing if not set - in such case, artifacts will not be signed.
# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
#
# 2. SIGNING_KEY. Environment variable. The artifact signing key.
# Defaults to nothing if not set - in such case, artifacts will not be signed.
# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
#
# 3. A file ../scripts.patch to apply with "git am -3" for the scripts repo.
#
# OUTPUT:
#
# 1. OS image and related artifacts signed for Secure Boot pushed to buildcache.
# 2. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
# 3. DIGESTS of the artifacts from point 1, pushed to buildcache. If signer key was passed, armored ASCII files of the generated DIGESTS files too, pushed to buildcache.
function sbsign_image() {
# Run a subshell, so the traps, environment changes and global
# variables are not spilled into the caller.
(
set -euo pipefail
_sbsign_image_impl "${@}"
)
}
# --
function _sbsign_image_impl() {
local arch="$1"
source sdk_lib/sdk_container_common.sh
local channel=""
channel="$(get_git_channel)"
source ci-automation/ci_automation_common.sh
source ci-automation/gpg_setup.sh
source sdk_container/.repo/manifests/version.txt
if is_official "${FLATCAR_VERSION}"; then
export COREOS_OFFICIAL=1
else
export COREOS_OFFICIAL=0
fi
apply_local_patches
local images_remote="images/${arch}/${FLATCAR_VERSION}"
local images_local="__build__/images/images/${arch}-usr/${channel}-${FLATCAR_VERSION}"
copy_from_buildcache "${images_remote}/flatcar_production_image.bin.bz2" "${images_local}"
lbunzip2 --force "${images_local}/flatcar_production_image.bin.bz2"
# Get SDK from either the registry or import from build cache
# This is a NOP if the image is present locally.
local sdk_name="flatcar-sdk-${arch}"
local docker_sdk_vernum="$(vernum_to_docker_image_version "${FLATCAR_SDK_VERSION}")"
docker_image_from_registry_or_buildcache "${sdk_name}" "${docker_sdk_vernum}"
local sdk_image="$(docker_image_fullname "${sdk_name}" "${docker_sdk_vernum}")"
echo "docker image rm -f '${sdk_image}'" >> ./ci-cleanup.sh
local docker_vernum="$(vernum_to_docker_image_version "${FLATCAR_VERSION}")"
local sbsign_container="flatcar-sbsign-image-${arch}-${docker_vernum}"
./run_sdk_container -x ./ci-cleanup.sh -n "${sbsign_container}" -v "${FLATCAR_VERSION}" -U -C "${sdk_image}" \
./sbsign_image --board="${arch}-usr" \
--group="${channel}" --version="${FLATCAR_VERSION}" \
--output_root="${CONTAINER_IMAGE_ROOT}" \
--only_store_compressed
# Delete uncompressed generic image before signing and upload
# Also delete update image because it will be unchanged
rm "${images_local}"/flatcar_production_{image,update}.bin
create_digests "${SIGNER}" "${images_local}"/*
sign_artifacts "${SIGNER}" "${images_local}"/*
copy_to_buildcache "${images_remote}"/ "${images_local}"/*
}
# --
Reference in New Issue View Git Blame Copy Permalink