flatcar-scripts/ci-automation/sbsign_image.sh

#!/bin/bash
#
# Copyright (c) 2024 The Flatcar Maintainers.
# Use of this source code is governed by the Apache 2.0 license.

# >>> This file is supposed to be SOURCED from the repository ROOT. <<<
#
# sbsign_image() should be called w/ the positional INPUT parameters below.

# Secure Boot image signing build automation stub.
#   This script will sign an existing OS image for Secure Boot.
#
# PREREQUISITES:
#
#   1. SDK version and OS image version are recorded in sdk_container/.repo/manifests/version.txt
#   2. Scripts repo version tag of OS image version to be built is available and checked out.
#   3. The generic Flatcar image must be present in build cache server.
#
# INPUT:
#
#   1. Architecture (ARCH) of the TARGET vm images ("arm64", "amd64").
#
# OPTIONAL INPUT:
#
#   1. SIGNER. Environment variable. Name of the owner of the artifact signing key.
#        Defaults to nothing if not set - in such case, artifacts will not be signed.
#        If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
#
#   2. SIGNING_KEY. Environment variable. The artifact signing key.
#        Defaults to nothing if not set - in such case, artifacts will not be signed.
#        If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
#
#   3. A file ../scripts.patch to apply with "git am -3" for the scripts repo.
#
# OUTPUT:
#
#   1. OS image and related artifacts signed for Secure Boot pushed to buildcache.
#   2. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
#   3. DIGESTS of the artifacts from point 1, pushed to buildcache. If signer key was passed, armored ASCII files of the generated DIGESTS files too, pushed to buildcache.

function sbsign_image() {
    # Run a subshell, so the traps, environment changes and global
    # variables are not spilled into the caller.
    (
        set -euo pipefail

        _sbsign_image_impl "${@}"
    )
}
# --

function _sbsign_image_impl() {
    local arch="$1"

    source sdk_lib/sdk_container_common.sh
    local channel=""
    channel="$(get_git_channel)"
    source ci-automation/ci_automation_common.sh
    source ci-automation/gpg_setup.sh
    source sdk_container/.repo/manifests/version.txt

    if is_official "${FLATCAR_VERSION}"; then
        export COREOS_OFFICIAL=1
    else
        export COREOS_OFFICIAL=0
    fi

    apply_local_patches

    local images_remote="images/${arch}/${FLATCAR_VERSION}"
    local images_local="__build__/images/images/${arch}-usr/${channel}-${FLATCAR_VERSION}"

    copy_from_buildcache "${images_remote}/flatcar_production_image.bin.bz2" "${images_local}"
    lbunzip2 --force "${images_local}/flatcar_production_image.bin.bz2"

    # Get SDK from either the registry or import from build cache
    # This is a NOP if the image is present locally.
    local sdk_name="flatcar-sdk-${arch}"
    local docker_sdk_vernum="$(vernum_to_docker_image_version "${FLATCAR_SDK_VERSION}")"

    docker_image_from_registry_or_buildcache "${sdk_name}" "${docker_sdk_vernum}"
    local sdk_image="$(docker_image_fullname "${sdk_name}" "${docker_sdk_vernum}")"
    echo "docker image rm -f '${sdk_image}'" >> ./ci-cleanup.sh

    ./run_sdk_container -x ./ci-cleanup.sh -v "${FLATCAR_VERSION}" -U -C "${sdk_image}" \
        ./sbsign_image --board="${arch}-usr" \
                       --group="${channel}" --version="${FLATCAR_VERSION}" \
                       --output_root="${CONTAINER_IMAGE_ROOT}" \
                       --only_store_compressed

    # Delete uncompressed generic image before signing and upload
    rm "${images_local}/flatcar_production_image.bin"
    create_digests "${SIGNER}" "${images_local}"/*
    sign_artifacts "${SIGNER}" "${images_local}"/*
    copy_to_buildcache "${images_remote}"/ "${images_local}"/*
}
# --