mirror of
https://github.com/flatcar/scripts.git
synced 2025-10-24 13:51:31 +02:00
The update payload needs the kernel, which isn't signed during the image job. Secure Boot is not currently enabled for update tests, but we may as well do this properly. The production update upload is generated manually at the end after everything has already been signed. Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
101 lines
4.1 KiB
Bash
101 lines
4.1 KiB
Bash
#!/bin/bash
|
|
#
|
|
# Copyright (c) 2024 The Flatcar Maintainers.
|
|
# Use of this source code is governed by the Apache 2.0 license.
|
|
|
|
# >>> This file is supposed to be SOURCED from the repository ROOT. <<<
|
|
#
|
|
# sbsign_image() should be called w/ the positional INPUT parameters below.
|
|
|
|
# Secure Boot image signing build automation stub.
|
|
# This script will sign an existing OS image for Secure Boot.
|
|
#
|
|
# PREREQUISITES:
|
|
#
|
|
# 1. SDK version and OS image version are recorded in sdk_container/.repo/manifests/version.txt
|
|
# 2. Scripts repo version tag of OS image version to be built is available and checked out.
|
|
# 3. The generic Flatcar image must be present in build cache server.
|
|
#
|
|
# INPUT:
|
|
#
|
|
# 1. Architecture (ARCH) of the TARGET vm images ("arm64", "amd64").
|
|
#
|
|
# OPTIONAL INPUT:
|
|
#
|
|
# 1. SIGNER. Environment variable. Name of the owner of the artifact signing key.
|
|
# Defaults to nothing if not set - in such case, artifacts will not be signed.
|
|
# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
|
|
#
|
|
# 2. SIGNING_KEY. Environment variable. The artifact signing key.
|
|
# Defaults to nothing if not set - in such case, artifacts will not be signed.
|
|
# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
|
|
#
|
|
# 3. A file ../scripts.patch to apply with "git am -3" for the scripts repo.
|
|
#
|
|
# OUTPUT:
|
|
#
|
|
# 1. OS image and related artifacts signed for Secure Boot pushed to buildcache.
|
|
# 2. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
|
|
# 3. DIGESTS of the artifacts from point 1, pushed to buildcache. If signer key was passed, armored ASCII files of the generated DIGESTS files too, pushed to buildcache.
|
|
|
|
function sbsign_image() {
|
|
# Run a subshell, so the traps, environment changes and global
|
|
# variables are not spilled into the caller.
|
|
(
|
|
set -euo pipefail
|
|
|
|
_sbsign_image_impl "${@}"
|
|
)
|
|
}
|
|
# --
|
|
|
|
function _sbsign_image_impl() {
|
|
local arch="$1"
|
|
|
|
source sdk_lib/sdk_container_common.sh
|
|
local channel=""
|
|
channel="$(get_git_channel)"
|
|
source ci-automation/ci_automation_common.sh
|
|
source ci-automation/gpg_setup.sh
|
|
source sdk_container/.repo/manifests/version.txt
|
|
|
|
if is_official "${FLATCAR_VERSION}"; then
|
|
export COREOS_OFFICIAL=1
|
|
else
|
|
export COREOS_OFFICIAL=0
|
|
fi
|
|
|
|
apply_local_patches
|
|
|
|
local images_remote="images/${arch}/${FLATCAR_VERSION}"
|
|
local images_local="__build__/images/images/${arch}-usr/${channel}-${FLATCAR_VERSION}"
|
|
|
|
copy_from_buildcache "${images_remote}/flatcar_production_image.bin.bz2" "${images_local}"
|
|
lbunzip2 --force "${images_local}/flatcar_production_image.bin.bz2"
|
|
|
|
# Get SDK from either the registry or import from build cache
|
|
# This is a NOP if the image is present locally.
|
|
local sdk_name="flatcar-sdk-${arch}"
|
|
local docker_sdk_vernum="$(vernum_to_docker_image_version "${FLATCAR_SDK_VERSION}")"
|
|
|
|
docker_image_from_registry_or_buildcache "${sdk_name}" "${docker_sdk_vernum}"
|
|
local sdk_image="$(docker_image_fullname "${sdk_name}" "${docker_sdk_vernum}")"
|
|
echo "docker image rm -f '${sdk_image}'" >> ./ci-cleanup.sh
|
|
|
|
local docker_vernum="$(vernum_to_docker_image_version "${FLATCAR_VERSION}")"
|
|
local sbsign_container="flatcar-sbsign-image-${arch}-${docker_vernum}"
|
|
./run_sdk_container -x ./ci-cleanup.sh -n "${sbsign_container}" -v "${FLATCAR_VERSION}" -U -C "${sdk_image}" \
|
|
./sbsign_image --board="${arch}-usr" \
|
|
--group="${channel}" --version="${FLATCAR_VERSION}" \
|
|
--output_root="${CONTAINER_IMAGE_ROOT}" \
|
|
--only_store_compressed
|
|
|
|
# Delete uncompressed generic image before signing and upload
|
|
# Also delete update image because it will be unchanged
|
|
rm "${images_local}"/flatcar_production_{image,update}.bin
|
|
create_digests "${SIGNER}" "${images_local}"/*
|
|
sign_artifacts "${SIGNER}" "${images_local}"/*
|
|
copy_to_buildcache "${images_remote}"/ "${images_local}"/*
|
|
}
|
|
# --
|