build-iso: better ISO & secureboot signing config

* Jenkins scripts:
- remove POST_ISO_SIGNING job parameter, as ISO signing is controled
  by build.conf, as originally intended.

* build.conf:
- rename SIGN_ISO => SIGN_ISO_FORMAL to better reflect purpose. ISOs
  are always signed, with developer keys (SIGN_ISO_FORMAL=false) or
  the signing server (SIGN_ISO_FORMAL=true).
- add SECUREBOOT_FORMAL - whether to generate secureboot signatures
  using the signing server (true), or not to generate them at all
  (false)

* Added code in job_utils.sh to set the defaults for these new config
  options as necessary, in case the job runs against an older build.conf
  that still has the obsolete BUILD_ISO option.

TESTS
========================
* Make sure SIGN_ISO_FORMAL==true calls "build-image --no-sign"
  followed by "sign_iso_formal.sh"
* Make sure SIGN_ISO_FORMAL==false calls "build-image" not
  followed by "sign_iso_formal.sh" and the dev-key based ISO signature
  gets created
* Make sure SECUREBOOT_FORMAL==true calls calls the secureboot script
* Make sure SECUREBOOT_FORMAL==false does not call the secureboot script
* Test with both the new parameters undefined, but SIGN_ISO defined,
  and make sure they aquire expected defaults

Story: 2010226
Task: 47777

Depends-On: https://review.opendev.org/c/starlingx/root/+/879206
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I928de97fefc70b3062820547d1256c2a3ce106e8

pipelines/monolithic.Jenkinsfile

@@ -163,9 +163,6 @@ pipeline {
         booleanParam (
             name: 'BUILD_ISO'
         )
-        booleanParam (
-            name: 'POST_ISO_SIGNING'
-        )
         booleanParam (
             name: 'BUILD_RT'
         )

pipelines/parts/build-iso.Jenkinsfile

@@ -43,9 +43,6 @@ pipeline {
         booleanParam (
             name: 'BUILD_ISO'
         )
-        booleanParam (
-            name: 'POST_ISO_SIGNING'
-        )
     }
     stages {
         stage ("build-iso") {
@@ -54,7 +51,6 @@ pipeline {
             }
         }
         stage ("sign-iso") {
-            when { expression { params.POST_ISO_SIGNING } }
             steps {
                 sh ("${Constants.SCRIPTS_DIR}/sign-iso.sh")
             }

scripts/build-iso.sh

@@ -14,12 +14,25 @@ require_job_env BUILD_ISO
 
 load_build_env
 
+require_job_env SECUREBOOT_FORMAL
+require_job_env SIGN_ISO_FORMAL
+
 $BUILD_ISO || bail "BUILD_ISO=false, bailing out"
 
-if [[ -n "$SIGNING_SERVER" ]] ; then
-    notice "preparing secureboot signatures"
-    stx_docker_cmd $DRY_RUN_ARG "SIGNING_SERVER=${SIGNING_USER:-signing}@${SIGNING_SERVER} PATH=\$MY_REPO/build-tools:\$PATH sign-secure-boot_debian"
+if $SECUREBOOT_FORMAL ; then
+    notice "signing secureboot packages"
+    [[ -n "$SIGNING_SERVER" ]] || die "SECUREBOOT_FORMAL requires SIGNING_SERVER"
+    sign_secure_boot_env="SIGNING_SERVER=${SIGNING_USER:-signing}@${SIGNING_SERVER}"
+    stx_docker_cmd $DRY_RUN_ARG "$sign_secure_boot_env PATH=\$MY_REPO/build-tools:\$PATH sign-secure-boot_debian"
 fi
 
+build_img_args=
+# Job is configured to sign the ISO with official keys.
+if $SIGN_ISO_FORMAL ; then
+    [[ -n "$SIGNING_SERVER" ]] || die "SIGN_ISO_FORMAL requires SIGNING_SERVER"
+    # Don't sign ISO with developer keys; we will sign it separately
+    # in sign-iso.sh
+    build_img_args+=" --no-sign"
+fi
 notice "building STD ISO"
-stx_docker_cmd $DRY_RUN_ARG "build-image"
+stx_docker_cmd $DRY_RUN_ARG "build-image $build_img_args"

scripts/lib/job_utils.sh

@@ -182,6 +182,39 @@ __set_build_vars() {
     else
         PARALLEL=
     fi
+
+    # Validate & set defaults for ISO & secureboot options
+
+    # SIGN_ISO_FORMAL was spelled as SIGN_ISO in the past
+    if [[ -n "$SIGN_ISO" ]] ; then
+        warn "SIGN_ISO is deprecated, please use SIGN_ISO_FORMAL instead"
+    fi
+    if [[ -z "$SIGN_ISO_FORMAL" ]] ; then
+        if [[ -n "$SIGN_ISO" ]] ; then
+            SIGN_ISO_FORMAL="$SIGN_ISO"
+        elif [[ -n "$SIGNING_SERVER" ]] ; then
+            SIGN_ISO_FORMAL="true"
+        else
+            SIGN_ISO_FORMAL="false"
+        fi
+        warn "SIGN_ISO_FORMAL is missing, assuming \"$SIGN_ISO_FORMAL\""
+    fi
+    if [[ "$SIGN_ISO_FORMAL" != "true" && "$SIGN_ISO_FORMAL" != "false" ]] ; then
+        die "SIGN_ISO_FORMAL must be \"true\" or \"false\""
+    fi
+
+    # SECUREBOOT_FORMAL
+    if [[ -z "$SECUREBOOT_FORMAL" ]] ; then
+        if [[ -n "$SIGNING_SERVER" ]] ; then
+            SECUREBOOT_FORMAL="true"
+        else
+            SECUREBOOT_FORMAL="false"
+        fi
+        warn "SECUREBOOT_FORMAL is missing, assuming \"$SECUREBOOT_FORMAL\""
+    elif [[ "$SECUREBOOT_FORMAL" != "true" && "$SECUREBOOT_FORMAL" != "false" ]] ; then
+        die "SECUREBOOT_FORMAL must be \"true\" or \"false\""
+    fi
+
 }
 
 __started_by_jenkins() {

scripts/sign-iso.sh

@@ -14,30 +14,39 @@ require_job_env BUILD_ISO
 
 load_build_env
 
-require_job_env SIGN_ISO
-$SIGN_ISO || bail "SIGN_ISO=false, bailing out"
-
-require_job_env SIGNING_SERVER
-require_job_env SIGNING_USER
+require_job_env SIGN_ISO_FORMAL
 
 $BUILD_ISO || bail "BUILD_ISO=false, bailing out"
-$SIGN_ISO || bail "SIGN_ISO=false, bailing out"
-[[ -n "$SIGNING_SERVER" ]] || bail "SIGNING_SERVER is empoty, bailing out"
 
 sign_iso() {
     local iso_file="$1"
-    (
-        export MY_REPO=$REPO_ROOT/cgcs-root
-        export MY_WORKSPACE=$WORKSPACE_ROOT
-        export PATH=$MY_REPO/build-tools:$PATH:/usr/local/bin
-        sig_file="${iso_file%.iso}.sig"
-        maybe_run rm -f "$sig_file"
-        maybe_run sign_iso_formal.sh "$iso_file" || die "failed to sign ISO"
-        if ! $DRY_RUN ; then
-            [[ -f "$sig_file" ]] || die "failed to sign ISO"
-            info "created signature $sig_file"
-        fi
-    )
+    local sig_file="${iso_file%.iso}.sig"
+
+    # Job is configured to sign the ISO with formal keys
+    if $SIGN_ISO_FORMAL ; then
+        [[ -n "$SIGNING_SERVER" ]] || die "SECUREBOOT_FORMAL requires SIGNING_SERVER"
+        (
+            export MY_REPO=$REPO_ROOT/cgcs-root
+            export MY_WORKSPACE=$WORKSPACE_ROOT
+            export PATH=$MY_REPO/build-tools:$PATH:/usr/local/bin
+            export SIGNING_SERVER
+            export SIGNING_USER
+            maybe_run rm -f "$sig_file"
+            maybe_run sign_iso_formal.sh "$iso_file" || die "failed to sign ISO"
+            if ! $DRY_RUN ; then
+                [[ -f "$sig_file" ]] || die "failed to sign ISO"
+                info "created signature $sig_file"
+            fi
+        )
+        exit 0
+    fi
+
+    # ISO is already signed with developer keys - make sure .sig file exists
+    info "skipping formal ISO signing because it's already signed with developer key"
+    if ! $DRY_RUN ; then
+        [[ -f "$sig_file" ]] || die "$sig_file: file not found"
+        info "using existing ISO signature $sig_file"
+    fi
 }
 
 

scripts/templates/build.conf.example.in

@@ -43,11 +43,19 @@ BUILD_PACKAGES_ITERATIONS=3
 DEBIAN_SNAPSHOT_BASE="http://https://snapshot.debian.org/archive/debian"
 DEBIAN_SECURITY_SNAPSHOT_BASE="https://snapshot.debian.org/archive/debian-security"
 
-# ISO sigining
-SIGN_ISO=false      # If false, don't signe the ISO
+# Signing server for formal ISO and secureboot signing (see below)
 SIGNING_SERVER="some.host.org"
 SIGNING_USER="some_user_id"
 
+# Sign ISO with a key controlled by $SIGNING_SERVER
+# If false, ISO will be signed with developer key in
+#   cgcs-root/build-tools/signing/dev-private-key.pem
+SIGN_ISO_FORMAL=true
+
+# Sign kernel-related packages with a key & cert controlled by
+# $SIGNING_SERVER. When "false", don't add secureboot signatures.
+SECUREBOOT_FORMAL=true
+
 # Run this command inside the build container at the end of the build
 # Current directory will be set to $MY_WORKSPACE/export.
 # This command must leave any additional files to be published in that