build-iso: better ISO & secureboot signing config
* Jenkins scripts: - remove POST_ISO_SIGNING job parameter, as ISO signing is controled by build.conf, as originally intended. * build.conf: - rename SIGN_ISO => SIGN_ISO_FORMAL to better reflect purpose. ISOs are always signed, with developer keys (SIGN_ISO_FORMAL=false) or the signing server (SIGN_ISO_FORMAL=true). - add SECUREBOOT_FORMAL - whether to generate secureboot signatures using the signing server (true), or not to generate them at all (false) * Added code in job_utils.sh to set the defaults for these new config options as necessary, in case the job runs against an older build.conf that still has the obsolete BUILD_ISO option. TESTS ======================== * Make sure SIGN_ISO_FORMAL==true calls "build-image --no-sign" followed by "sign_iso_formal.sh" * Make sure SIGN_ISO_FORMAL==false calls "build-image" not followed by "sign_iso_formal.sh" and the dev-key based ISO signature gets created * Make sure SECUREBOOT_FORMAL==true calls calls the secureboot script * Make sure SECUREBOOT_FORMAL==false does not call the secureboot script * Test with both the new parameters undefined, but SIGN_ISO defined, and make sure they aquire expected defaults Story: 2010226 Task: 47777 Depends-On: https://review.opendev.org/c/starlingx/root/+/879206 Signed-off-by: Davlet Panech <davlet.panech@windriver.com> Change-Id: I928de97fefc70b3062820547d1256c2a3ce106e8
This commit is contained in:
parent
f4232d02d6
commit
04f9dea597
@ -163,9 +163,6 @@ pipeline {
|
|||||||
booleanParam (
|
booleanParam (
|
||||||
name: 'BUILD_ISO'
|
name: 'BUILD_ISO'
|
||||||
)
|
)
|
||||||
booleanParam (
|
|
||||||
name: 'POST_ISO_SIGNING'
|
|
||||||
)
|
|
||||||
booleanParam (
|
booleanParam (
|
||||||
name: 'BUILD_RT'
|
name: 'BUILD_RT'
|
||||||
)
|
)
|
||||||
|
@ -43,9 +43,6 @@ pipeline {
|
|||||||
booleanParam (
|
booleanParam (
|
||||||
name: 'BUILD_ISO'
|
name: 'BUILD_ISO'
|
||||||
)
|
)
|
||||||
booleanParam (
|
|
||||||
name: 'POST_ISO_SIGNING'
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
stages {
|
stages {
|
||||||
stage ("build-iso") {
|
stage ("build-iso") {
|
||||||
@ -54,7 +51,6 @@ pipeline {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
stage ("sign-iso") {
|
stage ("sign-iso") {
|
||||||
when { expression { params.POST_ISO_SIGNING } }
|
|
||||||
steps {
|
steps {
|
||||||
sh ("${Constants.SCRIPTS_DIR}/sign-iso.sh")
|
sh ("${Constants.SCRIPTS_DIR}/sign-iso.sh")
|
||||||
}
|
}
|
||||||
|
@ -14,12 +14,25 @@ require_job_env BUILD_ISO
|
|||||||
|
|
||||||
load_build_env
|
load_build_env
|
||||||
|
|
||||||
|
require_job_env SECUREBOOT_FORMAL
|
||||||
|
require_job_env SIGN_ISO_FORMAL
|
||||||
|
|
||||||
$BUILD_ISO || bail "BUILD_ISO=false, bailing out"
|
$BUILD_ISO || bail "BUILD_ISO=false, bailing out"
|
||||||
|
|
||||||
if [[ -n "$SIGNING_SERVER" ]] ; then
|
if $SECUREBOOT_FORMAL ; then
|
||||||
notice "preparing secureboot signatures"
|
notice "signing secureboot packages"
|
||||||
stx_docker_cmd $DRY_RUN_ARG "SIGNING_SERVER=${SIGNING_USER:-signing}@${SIGNING_SERVER} PATH=\$MY_REPO/build-tools:\$PATH sign-secure-boot_debian"
|
[[ -n "$SIGNING_SERVER" ]] || die "SECUREBOOT_FORMAL requires SIGNING_SERVER"
|
||||||
|
sign_secure_boot_env="SIGNING_SERVER=${SIGNING_USER:-signing}@${SIGNING_SERVER}"
|
||||||
|
stx_docker_cmd $DRY_RUN_ARG "$sign_secure_boot_env PATH=\$MY_REPO/build-tools:\$PATH sign-secure-boot_debian"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
build_img_args=
|
||||||
|
# Job is configured to sign the ISO with official keys.
|
||||||
|
if $SIGN_ISO_FORMAL ; then
|
||||||
|
[[ -n "$SIGNING_SERVER" ]] || die "SIGN_ISO_FORMAL requires SIGNING_SERVER"
|
||||||
|
# Don't sign ISO with developer keys; we will sign it separately
|
||||||
|
# in sign-iso.sh
|
||||||
|
build_img_args+=" --no-sign"
|
||||||
|
fi
|
||||||
notice "building STD ISO"
|
notice "building STD ISO"
|
||||||
stx_docker_cmd $DRY_RUN_ARG "build-image"
|
stx_docker_cmd $DRY_RUN_ARG "build-image $build_img_args"
|
||||||
|
@ -182,6 +182,39 @@ __set_build_vars() {
|
|||||||
else
|
else
|
||||||
PARALLEL=
|
PARALLEL=
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Validate & set defaults for ISO & secureboot options
|
||||||
|
|
||||||
|
# SIGN_ISO_FORMAL was spelled as SIGN_ISO in the past
|
||||||
|
if [[ -n "$SIGN_ISO" ]] ; then
|
||||||
|
warn "SIGN_ISO is deprecated, please use SIGN_ISO_FORMAL instead"
|
||||||
|
fi
|
||||||
|
if [[ -z "$SIGN_ISO_FORMAL" ]] ; then
|
||||||
|
if [[ -n "$SIGN_ISO" ]] ; then
|
||||||
|
SIGN_ISO_FORMAL="$SIGN_ISO"
|
||||||
|
elif [[ -n "$SIGNING_SERVER" ]] ; then
|
||||||
|
SIGN_ISO_FORMAL="true"
|
||||||
|
else
|
||||||
|
SIGN_ISO_FORMAL="false"
|
||||||
|
fi
|
||||||
|
warn "SIGN_ISO_FORMAL is missing, assuming \"$SIGN_ISO_FORMAL\""
|
||||||
|
fi
|
||||||
|
if [[ "$SIGN_ISO_FORMAL" != "true" && "$SIGN_ISO_FORMAL" != "false" ]] ; then
|
||||||
|
die "SIGN_ISO_FORMAL must be \"true\" or \"false\""
|
||||||
|
fi
|
||||||
|
|
||||||
|
# SECUREBOOT_FORMAL
|
||||||
|
if [[ -z "$SECUREBOOT_FORMAL" ]] ; then
|
||||||
|
if [[ -n "$SIGNING_SERVER" ]] ; then
|
||||||
|
SECUREBOOT_FORMAL="true"
|
||||||
|
else
|
||||||
|
SECUREBOOT_FORMAL="false"
|
||||||
|
fi
|
||||||
|
warn "SECUREBOOT_FORMAL is missing, assuming \"$SECUREBOOT_FORMAL\""
|
||||||
|
elif [[ "$SECUREBOOT_FORMAL" != "true" && "$SECUREBOOT_FORMAL" != "false" ]] ; then
|
||||||
|
die "SECUREBOOT_FORMAL must be \"true\" or \"false\""
|
||||||
|
fi
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
__started_by_jenkins() {
|
__started_by_jenkins() {
|
||||||
|
@ -14,30 +14,39 @@ require_job_env BUILD_ISO
|
|||||||
|
|
||||||
load_build_env
|
load_build_env
|
||||||
|
|
||||||
require_job_env SIGN_ISO
|
require_job_env SIGN_ISO_FORMAL
|
||||||
$SIGN_ISO || bail "SIGN_ISO=false, bailing out"
|
|
||||||
|
|
||||||
require_job_env SIGNING_SERVER
|
|
||||||
require_job_env SIGNING_USER
|
|
||||||
|
|
||||||
$BUILD_ISO || bail "BUILD_ISO=false, bailing out"
|
$BUILD_ISO || bail "BUILD_ISO=false, bailing out"
|
||||||
$SIGN_ISO || bail "SIGN_ISO=false, bailing out"
|
|
||||||
[[ -n "$SIGNING_SERVER" ]] || bail "SIGNING_SERVER is empoty, bailing out"
|
|
||||||
|
|
||||||
sign_iso() {
|
sign_iso() {
|
||||||
local iso_file="$1"
|
local iso_file="$1"
|
||||||
(
|
local sig_file="${iso_file%.iso}.sig"
|
||||||
export MY_REPO=$REPO_ROOT/cgcs-root
|
|
||||||
export MY_WORKSPACE=$WORKSPACE_ROOT
|
# Job is configured to sign the ISO with formal keys
|
||||||
export PATH=$MY_REPO/build-tools:$PATH:/usr/local/bin
|
if $SIGN_ISO_FORMAL ; then
|
||||||
sig_file="${iso_file%.iso}.sig"
|
[[ -n "$SIGNING_SERVER" ]] || die "SECUREBOOT_FORMAL requires SIGNING_SERVER"
|
||||||
maybe_run rm -f "$sig_file"
|
(
|
||||||
maybe_run sign_iso_formal.sh "$iso_file" || die "failed to sign ISO"
|
export MY_REPO=$REPO_ROOT/cgcs-root
|
||||||
if ! $DRY_RUN ; then
|
export MY_WORKSPACE=$WORKSPACE_ROOT
|
||||||
[[ -f "$sig_file" ]] || die "failed to sign ISO"
|
export PATH=$MY_REPO/build-tools:$PATH:/usr/local/bin
|
||||||
info "created signature $sig_file"
|
export SIGNING_SERVER
|
||||||
fi
|
export SIGNING_USER
|
||||||
)
|
maybe_run rm -f "$sig_file"
|
||||||
|
maybe_run sign_iso_formal.sh "$iso_file" || die "failed to sign ISO"
|
||||||
|
if ! $DRY_RUN ; then
|
||||||
|
[[ -f "$sig_file" ]] || die "failed to sign ISO"
|
||||||
|
info "created signature $sig_file"
|
||||||
|
fi
|
||||||
|
)
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# ISO is already signed with developer keys - make sure .sig file exists
|
||||||
|
info "skipping formal ISO signing because it's already signed with developer key"
|
||||||
|
if ! $DRY_RUN ; then
|
||||||
|
[[ -f "$sig_file" ]] || die "$sig_file: file not found"
|
||||||
|
info "using existing ISO signature $sig_file"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -43,11 +43,19 @@ BUILD_PACKAGES_ITERATIONS=3
|
|||||||
DEBIAN_SNAPSHOT_BASE="http://https://snapshot.debian.org/archive/debian"
|
DEBIAN_SNAPSHOT_BASE="http://https://snapshot.debian.org/archive/debian"
|
||||||
DEBIAN_SECURITY_SNAPSHOT_BASE="https://snapshot.debian.org/archive/debian-security"
|
DEBIAN_SECURITY_SNAPSHOT_BASE="https://snapshot.debian.org/archive/debian-security"
|
||||||
|
|
||||||
# ISO sigining
|
# Signing server for formal ISO and secureboot signing (see below)
|
||||||
SIGN_ISO=false # If false, don't signe the ISO
|
|
||||||
SIGNING_SERVER="some.host.org"
|
SIGNING_SERVER="some.host.org"
|
||||||
SIGNING_USER="some_user_id"
|
SIGNING_USER="some_user_id"
|
||||||
|
|
||||||
|
# Sign ISO with a key controlled by $SIGNING_SERVER
|
||||||
|
# If false, ISO will be signed with developer key in
|
||||||
|
# cgcs-root/build-tools/signing/dev-private-key.pem
|
||||||
|
SIGN_ISO_FORMAL=true
|
||||||
|
|
||||||
|
# Sign kernel-related packages with a key & cert controlled by
|
||||||
|
# $SIGNING_SERVER. When "false", don't add secureboot signatures.
|
||||||
|
SECUREBOOT_FORMAL=true
|
||||||
|
|
||||||
# Run this command inside the build container at the end of the build
|
# Run this command inside the build container at the end of the build
|
||||||
# Current directory will be set to $MY_WORKSPACE/export.
|
# Current directory will be set to $MY_WORKSPACE/export.
|
||||||
# This command must leave any additional files to be published in that
|
# This command must leave any additional files to be published in that
|
||||||
|
Loading…
Reference in New Issue
Block a user