78 lines
2.4 KiB
Bash
Executable File
78 lines
2.4 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
#
|
|
# Copyright (c) 2022 Wind River Systems, Inc.
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
|
|
set -e
|
|
source $(dirname "$0")/lib/job_utils.sh
|
|
source $(dirname "$0")/lib/retries.sh
|
|
|
|
require_job_env BUILD_HOME
|
|
require_job_env BUILD_ISO
|
|
|
|
load_build_env
|
|
|
|
require_job_env SIGN_ISO_FORMAL
|
|
require_job_env SIGN_MAX_ATTEMPTS
|
|
require_job_env SIGN_BACKOFF_DELAY
|
|
|
|
$BUILD_ISO || bail "BUILD_ISO=false, bailing out"
|
|
|
|
sign_iso() {
|
|
local iso_file="$1"
|
|
local sig_file="${iso_file%.iso}.sig"
|
|
|
|
# Job is configured to sign the ISO with formal keys
|
|
if $SIGN_ISO_FORMAL ; then
|
|
[[ -n "$SIGNING_SERVER" ]] || die "SECUREBOOT_FORMAL requires SIGNING_SERVER"
|
|
(
|
|
export MY_REPO=$REPO_ROOT/cgcs-root
|
|
export MY_WORKSPACE=$WORKSPACE_ROOT
|
|
export PATH=$MY_REPO/build-tools:$PATH:/usr/local/bin
|
|
export SIGNING_SERVER
|
|
export SIGNING_USER
|
|
maybe_run rm -f "$sig_file"
|
|
if ! maybe_run with_retries -d "$SIGN_BACKOFF_DELAY" "$SIGN_MAX_ATTEMPTS" sign_iso_formal.sh "$iso_file" ; then
|
|
die "failed to sign ISO"
|
|
fi
|
|
if ! $DRY_RUN ; then
|
|
[[ -f "$sig_file" ]] || die "failed to sign ISO"
|
|
info "created signature $sig_file"
|
|
fi
|
|
) || exit 1
|
|
return 0
|
|
fi
|
|
|
|
# ISO is already signed with developer keys - make sure .sig file exists
|
|
info "skipping formal ISO signing because it's already signed with developer key"
|
|
if ! $DRY_RUN ; then
|
|
[[ -f "$sig_file" ]] || die "$sig_file: file not found"
|
|
info "using existing ISO signature $sig_file"
|
|
fi
|
|
}
|
|
|
|
|
|
declare -a iso_files
|
|
iso_files+=($BUILD_HOME/localdisk/deploy/starlingx-intel-x86-64-cd.iso)
|
|
|
|
for iso_file in "${iso_files[@]}" ; do
|
|
if [[ -L "$iso_file" ]] ; then
|
|
iso_link_target="$(readlink "$iso_file")" || exit 1
|
|
[[ -n "$iso_link_target" ]] || die "failed to read symlink $iso_file"
|
|
[[ ! "$iso_link_target" =~ / ]] || die "$iso_file: link target must not include slashes"
|
|
real_iso_file="$(dirname "$iso_file")/$iso_link_target"
|
|
sign_iso "$real_iso_file"
|
|
sig_file="${iso_file%.iso}.sig"
|
|
sig_link_target="${iso_link_target%.iso}.sig"
|
|
if ! $DRY_RUN ; then
|
|
ln -sfn "$sig_link_target" "$sig_file" || exit 1
|
|
info "created signature link $sig_file => $sig_link_target"
|
|
fi
|
|
else
|
|
sign_iso "$iso_file"
|
|
fi
|
|
done
|