From 2f9d9a5672a5c2cda7375d5efa747beef55675b9 Mon Sep 17 00:00:00 2001 From: Paul-Emile Element Date: Fri, 7 Sep 2018 13:09:07 -0400 Subject: [PATCH] cleanup signing scripts the scripts contained hardcoded references to resources that are not visible outside of the environment where the scripts were originally created and used The scripts sign-rpms was also updated with the original version that was intended to be submitted. The initial submission contained the wrong version. Closes-Bug: #1791343 Change-Id: I8ce5884ad75156d3730cf30a451051d32445e136 Signed-off-by: Paul-Emile Element --- build-tools/sign-rpms | 279 +++++++++++++++++-------------- build-tools/sign-secure-boot | 2 - build-tools/sign_iso_formal.sh | 15 +- build-tools/sign_patch_formal.sh | 9 +- 4 files changed, 167 insertions(+), 138 deletions(-) diff --git a/build-tools/sign-rpms b/build-tools/sign-rpms index 4e2300b0..f0512e9f 100755 --- a/build-tools/sign-rpms +++ b/build-tools/sign-rpms 
@@ -23,43 +23,43 @@ export MOCK=/usr/bin/mock # check input variables function check_vars { - # need access to repo, which should normally be defined as MY_REPO in the env + # need access to repo, which should normally be defined as MY_REPO in the env - if [ ! -z "$MY_REPO" ] && [ -d "$MY_REPO" ] ; then - INTERNAL_REPO_ROOT=$MY_REPO - fi + if [ ! -z "$MY_REPO" ] && [ -d "$MY_REPO" ] ; then + INTERNAL_REPO_ROOT=$MY_REPO + fi - if [ -z "$INTERNAL_REPO_ROOT" ] ; then - printf " unable to use \$MY_REPO (value \"$MY_REPO\")\n" - printf " -- checking \$MY_REPO_ROOT_DIR (value \"$MY_REPO_ROOT_DIR\")\n" - if [ ! -z "$MY_REPO_ROOT_DIR" ] && [ -d "$MY_REPO_ROOT_DIR/cgcs-root" ] ; then - INTERNAL_REPO_ROOT=$MY_REPO_ROOT_DIR/cgcs-root - printf " Found!\n" - fi - fi + if [ -z "$INTERNAL_REPO_ROOT" ] ; then + printf " unable to use \$MY_REPO (value \"$MY_REPO\")\n" + printf " -- checking \$MY_REPO_ROOT_DIR (value \"$MY_REPO_ROOT_DIR\")\n" + if [ ! -z "$MY_REPO_ROOT_DIR" ] && [ -d "$MY_REPO_ROOT_DIR/cgcs-root" ] ; then + INTERNAL_REPO_ROOT=$MY_REPO_ROOT_DIR/cgcs-root + printf " Found!\n" + fi + fi - if [ -z "$INTERNAL_REPO_ROOT" ] ; then - printf " No joy -- checking for \$MY_WORKSPACE/cgcs-root\n" - if [ -d "$MY_WORKSPACE/cgcs-root" ] ; then - INTERNAL_REPO_ROOT=$MY_WORKSPACE/cgcs-root - printf " Found!\n" - fi - fi + if [ -z "$INTERNAL_REPO_ROOT" ] ; then + printf " No joy -- checking for \$MY_WORKSPACE/cgcs-root\n" + if [ -d "$MY_WORKSPACE/cgcs-root" ] ; then + INTERNAL_REPO_ROOT=$MY_WORKSPACE/cgcs-root + printf " Found!\n" + fi + fi - if [ -z "$INTERNAL_REPO_ROOT" ] ; then - printf " Error -- could not locate cgcs-root repo.\n" - exit 1 - fi + if [ -z "$INTERNAL_REPO_ROOT" ] ; then + printf " Error -- could not locate cgcs-root repo.\n" + exit 1 + fi - if [ -z "$MY_BUILD_ENVIRONMENT" ] ; then - printf " Error -- missing environment variable MY_BUILD_ENVIRONMENT" - exit 1 - fi + if [ -z "$MY_BUILD_ENVIRONMENT" ] ; then + printf " Error -- missing environment variable 
MY_BUILD_ENVIRONMENT" + exit 1 + fi - if [ -z "$MY_BUILD_DIR" ] ; then - printf " Error -- missing environment variable MY_BUILD_DIR" - exit 1 - fi + if [ -z "$MY_BUILD_DIR" ] ; then + printf " Error -- missing environment variable MY_BUILD_DIR" + exit 1 + fi } 
@@ -73,119 +73,155 @@ function check_vars { # This process is using mock because the build servers do not have the same rpm / rpmsign version # +function _local_cleanup { + + printf "Cleaning mock environment\n" + $MOCK -q -r $_MOCK_CFG --scrub=all + +} + +function __local_trapdoor { + printf "caught signal while attempting to sign files. Cleaning up." + _local_cleanup + + exit 1 +} + function sign_packages { - OLD_PWD=$PWD + OLD_PWD=$PWD - _MOCK_PKG_DIR=/mnt/Packages - _IMA_PRIV_KEY=ima_signing_key.priv - _KEY_DIR=$MY_REPO/build-tools/signing - _MOCK_KEY_DIR=/mnt/keys - _SIGN_MAKEFILE=_sign_pkgs.mk - _MK_DIR=$MY_REPO/build-tools/mk - _MOCK_MK_DIR=/mnt/mk + _MOCK_PKG_DIR=/mnt/Packages + _IMA_PRIV_KEY=ima_signing_key.priv + _KEY_DIR=$MY_REPO/build-tools/signing + _MOCK_KEY_DIR=/mnt/keys + _SIGN_MAKEFILE=_sign_pkgs.mk + _MK_DIR=$MY_REPO/build-tools/mk + _MOCK_MK_DIR=/mnt/mk - # mock confgiuration file - _MOCK_CFG=$MY_BUILD_DIR/${MY_BUILD_ENVIRONMENT}-sign.cfg + # mock confgiuration file + _MOCK_CFG=$MY_BUILD_DIR/${MY_BUILD_ENVIRONMENT}-sign.cfg - # recreate configuration file - rm $_MOCK_CFG - export BUILD_TYPE=std - export MY_BUILD_DIR_TOP=$MY_BUILD_DIR - modify-build-cfg $_MOCK_CFG - # and customize - echo "config_opts['chroot_setup_cmd'] = 'install shadow-utils make rpm-sign'" >> $_MOCK_CFG - echo "config_opts['root'] = 'mock-sign'" >> $_MOCK_CFG - echo "config_opts['basedir'] = '${MY_WORKSPACE}'" >> $_MOCK_CFG - echo "config_opts['cache_topdir'] = '${MY_WORKSPACE}/mock-cache'" >> $_MOCK_CFG + # recreate configuration file + rm $_MOCK_CFG + export BUILD_TYPE=std + export MY_BUILD_DIR_TOP=$MY_BUILD_DIR + modify-build-cfg $_MOCK_CFG + # and customize + echo "config_opts['chroot_setup_cmd'] = 'install shadow-utils make rpm-sign'" >> $_MOCK_CFG + echo "config_opts['root'] = 'mock-sign'" >> $_MOCK_CFG + echo "config_opts['basedir'] = '${MY_WORKSPACE}'" >> $_MOCK_CFG + echo "config_opts['cache_topdir'] = '${MY_WORKSPACE}/mock-cache'" >> $_MOCK_CFG - echo "Signing 
packages in $_PKG_DIR with $NPROCS threads" - echo "using development key $_KEY_DIR/$_IMA_PRIV_KEY" + echo "Signing packages in $_PKG_DIR with $NPROCS threads" + echo "using development key $_KEY_DIR/$_IMA_PRIV_KEY" - printf "Initializing mock environment\n" + printf "Initializing mock environment\n" - # invoke make in mock to sign packages. - # this call will also create and initialize the mock env - eval $MOCK -q -r $_MOCK_CFG \'--plugin-option=bind_mount:dirs=[\(\"$_PKG_DIR\", \"$_MOCK_PKG_DIR\"\),\(\"$_MK_DIR\",\"$_MOCK_MK_DIR\"\),\(\"$_KEY_DIR\",\"$_MOCK_KEY_DIR\"\)]\' --shell \"cd $_MOCK_PKG_DIR\; make -j $NPROCS -f $_MOCK_MK_DIR/$_SIGN_MAKEFILE KEY=$_MOCK_KEY_DIR/$_IMA_PRIV_KEY\" + trap __local_trapdoor SIGHUP SIGINT SIGABRT SIGTERM - retval=$? + # invoke make in mock to sign packages. + # this call will also create and initialize the mock env + eval $MOCK -q -r $_MOCK_CFG \'--plugin-option=bind_mount:dirs=[\(\"$_PKG_DIR\", \"$_MOCK_PKG_DIR\"\),\(\"$_MK_DIR\",\"$_MOCK_MK_DIR\"\),\(\"$_KEY_DIR\",\"$_MOCK_KEY_DIR\"\)]\' --shell \"cd $_MOCK_PKG_DIR\; make -j $NPROCS -f $_MOCK_MK_DIR/$_SIGN_MAKEFILE KEY=$_MOCK_KEY_DIR/$_IMA_PRIV_KEY\" - printf "Cleaning mock environment\n" - $MOCK -q -r $_MOCK_CFG --scrub=all + retval=$? - if [ $retval -ne 0 ] ; then - echo "failed to add file signatures to RPMs in mock environment." - return $retval - fi + trap - SIGHUP SIGINT SIGABRT SIGTERM - cd $OLD_PWD + _local_cleanup + + if [ $retval -ne 0 ] ; then + echo "failed to add file signatures to RPMs in mock environment." + return $retval + fi + + cd $OLD_PWD } function _copy_and_sign { - # upload rpms to server - scp $_PKG_DIR/*.rpm $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR - retval=$? - if [ $retval -ne 0 ] ; then - echo "ERROR: failed to copy RPM files to signing server." - return $retval - fi + # upload rpms to server + scp $_PKG_DIR/*.rpm $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR + retval=$? 
+ if [ $retval -ne 0 ] ; then + echo "ERROR: failed to copy RPM files to signing server." + return $retval + fi - # get server to sign packages. - ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -s -d $sub - retval=$? - if [ $retval -ne 0 ] ; then - echo "ERROR: failed to sign RPM files." - return $retval - fi + # get server to sign packages. + ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -s -d $sub + retval=$? + if [ $retval -ne 0 ] ; then + echo "ERROR: failed to sign RPM files." + return $retval + fi - # download results back. This overwrites the original files. - scp $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR/*.rpm $_PKG_DIR - retval=$? - if [ $retval -ne 0 ] ; then - echo "ERROR: failed to copy signed RPM files back from signing server." - return $retval - fi + # download results back. This overwrites the original files. + scp $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR/*.rpm $_PKG_DIR + retval=$? + if [ $retval -ne 0 ] ; then + echo "ERROR: failed to copy signed RPM files back from signing server." + return $retval + fi - return $retval + return $retval } +function _server_cleanup { + + # cleanup + ssh $SIGNING_USER@$SIGNING_SERVER rm $_UPLOAD_DIR/*.rpm + if [ $? -ne 0 ] ; then + echo "Warning : failed to remove rpms from temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}." + fi + ssh $SIGNING_USER@$SIGNING_SERVER rmdir $_UPLOAD_DIR + if [ $? -ne 0 ] ; then + echo "Warning : failed to remove temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}." + fi + +} + +function __server_trapdoor { + + printf "caught signal while attempting to sign files. Cleaning up." 
+ _server_cleanup + + exit 1 +} + + function sign_packages_on_server { - retval=0 + retval=0 - # obtain temporary diretory to upload RPMs on signing server - _UPLOAD_DIR=`ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -r` + # obtain temporary diretory to upload RPMs on signing server + _UPLOAD_DIR=`ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -r` - retval=$? - if [ $retval -ne 0 ] ; then - echo "failed to obtain upload directory from signing server." - return $retval - fi + retval=$? + if [ $retval -ne 0 ] ; then + echo "failed to obtain upload directory from signing server." + return $retval + fi - # extract base chroot dir and rpm dir within chroot - read base com sub <<< $_UPLOAD_DIR + # extract base chroot dir and rpm dir within chroot + read base com sub <<< $_UPLOAD_DIR - # this is the upload temp dir, outside of chroot env - _UPLOAD_DIR=$base$sub + # this is the upload temp dir, outside of chroot env + _UPLOAD_DIR=$base$sub - _copy_and_sign - retval=$? + trap __server_trapdoor SIGHUP SIGINT SIGABRT SIGTERM - # cleanup - ssh $SIGNING_USER@$SIGNING_SERVER rm $_UPLOAD_DIR/*.rpm - if [ $? -ne 0 ] ; then - echo "Warning : failed to remove rpms from temporary upload directory." - fi - ssh $SIGNING_USER@$SIGNING_SERVER rmdir $_UPLOAD_DIR - if [ $? -ne 0 ] ; then - echo "Warning : failed to remove temporary upload directory." - fi + _copy_and_sign + retval=$? - return $retval + trap - SIGHUP SIGINT SIGABRT SIGTERM + + _server_cleanup + + return $retval } @@ -196,9 +232,6 @@ function sign_packages_on_server { # Check args HELP=0 -SIGNING_SERVER=yow-tiks01 -SIGNING_USER=signing -SIGNING_SERVER_SCRIPT=/opt/signing/sign_rpms_18.03.sh # return value retval=0 @@ -206,8 +239,8 @@ retval=0 # read the options TEMP=`getopt -o hd: --long help,pkg-dir: -n 'test.sh' -- "$@"` if [ $? -ne 0 ] ; then - echo "Invalid parameters - exiting" - exit 1 + echo "Invalid parameters - exiting" + exit 1 fi eval set -- "$TEMP" 
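Review bot: `_server_cleanup` runs `ssh $SIGNING_USER@$SIGNING_SERVER rm $_UPLOAD_DIR/*.rpm` without checking that `_UPLOAD_DIR` is non-empty, and with the new `trap __server_trapdoor` it is now also reached on SIGHUP/SIGINT/SIGABRT/SIGTERM. `_UPLOAD_DIR` is rebuilt as `$base$sub` from whatever the signing server printed, so an empty or unexpected reply would leave the remote command as `rm /*.rpm`. A guard as the first line of the function, `[ -n "$_UPLOAD_DIR" ] || return 0`, keeps the cleanup confined to the temporary directory. The unquoted `$_UPLOAD_DIR/*.rpm` can also be glob-expanded locally before ssh sees it if a matching local path exists, which deserves a short comment.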
@@ -223,21 +256,21 @@ while true ; do done if [ $HELP -eq 1 ]; then - usage - exit 0 + usage + exit 0 fi # package directory must be defined if [ -z "$_PKG_DIR" ]; then - echo "Need package directory. Use -d/--pkg-dir option" - usage - exit 1 + echo "Need package directory. Use -d/--pkg-dir option" + usage + exit 1 fi # ... and must exist if [ ! -d "$_PKG_DIR" ]; then - echo "Package directory $_PKG_DIR does not exist" - exit 1 + echo "Package directory $_PKG_DIR does not exist" + exit 1 fi # Init variables diff --git a/build-tools/sign-secure-boot b/build-tools/sign-secure-boot index c4d00788..4401e5cf 100755 --- a/build-tools/sign-secure-boot +++ b/build-tools/sign-secure-boot @@ -454,8 +454,6 @@ if [ "x$MY_WORKSPACE" == "x" ]; then fi ARCH="x86_64" -SIGNING_SERVER=yow-tiks01 -SIGNING_USER=signing SIGNING_SCRIPT=/opt/signing/sign.sh UPLOAD_PATH=`ssh $SIGNING_USER@$SIGNING_SERVER sudo $SIGNING_SCRIPT -r` SIGNED_PKG_DB=${MY_WORKSPACE}/signed_pkg_list.txt diff --git a/build-tools/sign_iso_formal.sh b/build-tools/sign_iso_formal.sh index fc68444e..85d1b820 100755 --- a/build-tools/sign_iso_formal.sh +++ b/build-tools/sign_iso_formal.sh @@ -16,7 +16,6 @@ ISO_FILE_PATH=$1 ISO_FILE_NAME=$(basename ${ISO_FILE_PATH}) ISO_FILE_ROOT=$(dirname ${ISO_FILE_PATH}) ISO_FILE_NOEXT="${ISO_FILE_NAME%.*}" -SIGNING_SERVER="signing@yow-tiks01" GET_UPLOAD_PATH="sudo /opt/signing/sign.sh -r" REQUEST_SIGN="sudo /opt/signing/sign_iso.sh" SIGNATURE_FILE="$ISO_FILE_NOEXT.sig" @@ -24,7 +23,7 @@ SIGNATURE_FILE="$ISO_FILE_NOEXT.sig" # Make a request for an upload path # Output is a path where we can upload stuff, of the form # "Upload: /tmp/sign_upload.5jR11pS0" -UPLOAD_PATH=`ssh ${SIGNING_SERVER} ${GET_UPLOAD_PATH}` +UPLOAD_PATH=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${GET_UPLOAD_PATH}` if [ $? -ne 0 ]; then echo "Could not get upload path. Do you have permissions on the signing server?" exit 1 
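Review bot: In sign_iso_formal.sh the `UPLOAD_PATH=` line now takes `${SIGNING_USER}` and `${SIGNING_SERVER}` from the caller's environment, but nothing visible in the hunk checks that they are set. If either is empty, ssh is handed a malformed destination such as `@` and the only feedback is the generic "Could not get upload path" message. A guard before the first ssh call, `: "${SIGNING_SERVER:?SIGNING_SERVER must be set}"` with the same for `SIGNING_USER`, would fail early with a clear message. The same applies to the ssh/scp calls in the later hunks of this file, and to sign_patch_formal.sh, sign-secure-boot and sign-rpms (where `SIGNING_SERVER_SCRIPT` also loses its default). Validation may exist outside the visible hunks; if so, a comment near the top of each script naming the required variables would be enough.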
@@ -32,7 +31,7 @@ fi UPLOAD_PATH=`echo ${UPLOAD_PATH} | cut -d ' ' -f 2` echo "Uploading file" -scp -q ${ISO_FILE_PATH} ${SIGNING_SERVER}:${UPLOAD_PATH} +scp -q ${ISO_FILE_PATH} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH} if [ $? -ne 0 ]; then echo "Could not upload ISO" exit 1 @@ -41,22 +40,22 @@ echo "File uploaded to signing server -- signing" # Make the signing request. # Output is path of detached signature -RESULT=`ssh ${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${ISO_FILE_NAME}` +RESULT=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${ISO_FILE_NAME}` if [ $? -ne 0 ]; then echo "Could not perform signing -- output $RESULT" - ssh ${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME} + ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME} exit 1 fi echo "Signing complete. Downloading detached signature" -scp -q ${SIGNING_SERVER}:${RESULT} ${ISO_FILE_ROOT}/${SIGNATURE_FILE} +scp -q ${SIGNING_USER}@${SIGNING_SERVER}:${RESULT} ${ISO_FILE_ROOT}/${SIGNATURE_FILE} if [ $? -ne 0 ]; then echo "Could not download newly signed file" - ssh ${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME} + ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME} exit 1 fi # Clean up (ISOs are big) -ssh ${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME} +ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME} echo "${ISO_FILE_ROOT}/${SIGNATURE_FILE} detached signature" diff --git a/build-tools/sign_patch_formal.sh b/build-tools/sign_patch_formal.sh index 9056c25d..d6975758 100755 --- a/build-tools/sign_patch_formal.sh +++ b/build-tools/sign_patch_formal.sh 
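Review bot: The remote cleanup `ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}` is spelled out three times in the `@@ -41,22 +40,22 @@` hunk and is skipped entirely if the script is interrupted between the upload and the final `rm`, leaving the ISO on the signing server. This commit adds trap-based cleanup to sign-rpms, and the same approach fits here: register it once before the signing request, e.g. `trap 'ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}' EXIT`, and drop the three copies. If the script must run under a shell that does not fire EXIT traps on signals, the signals trapped in sign-rpms would need to be listed as well. `${UPLOAD_PATH}` and `${RESULT}` both come from the server's stdout and are used as paths without a check that they are single, non-empty values; a test such as `[ -n "$RESULT" ]` before the download would make a malformed reply easier to diagnose.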
@@ -13,21 +13,20 @@ fi PATCH_FILE_PATH=$1 PATCH_FILE_NAME=$(basename ${PATCH_FILE_PATH}) -SIGNING_SERVER="signing@yow-tiks01" GET_UPLOAD_PATH="sudo /opt/signing/sign.sh -r" REQUEST_SIGN="sudo /opt/signing/sign_patch.sh" # Make a request for an upload path # Output is a path where we can upload stuff, of the form # "Upload: /tmp/sign_upload.5jR11pS0" -UPLOAD_PATH=`ssh ${SIGNING_SERVER} ${GET_UPLOAD_PATH}` +UPLOAD_PATH=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${GET_UPLOAD_PATH}` if [ $? -ne 0 ]; then echo "Could not get upload path. Do you have permissions on the signing server?" exit 1 fi UPLOAD_PATH=`echo ${UPLOAD_PATH} | cut -d ' ' -f 2` -scp -q ${PATCH_FILE_PATH} ${SIGNING_SERVER}:${UPLOAD_PATH} +scp -q ${PATCH_FILE_PATH} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH} if [ $? -ne 0 ]; then echo "Could upload patch" exit 1 @@ -36,14 +35,14 @@ echo "File uploaded to signing server" # Make the signing request. # Output is path of newly signed file -RESULT=`ssh ${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${PATCH_FILE_NAME}` +RESULT=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${PATCH_FILE_NAME}` if [ $? -ne 0 ]; then echo "Could not perform signing -- output $RESULT" exit 1 fi echo "Signing complete. Downloading" -scp -q ${SIGNING_SERVER}:${RESULT} ${PATCH_FILE_PATH} +scp -q ${SIGNING_USER}@${SIGNING_SERVER}:${RESULT} ${PATCH_FILE_PATH} if [ $? -ne 0 ]; then echo "Could not download newly signed file" exit 1
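Review bot: In the `@@ -36,14 +35,14 @@` hunk, the failure branches after `RESULT=` and after the final `scp` exit without removing the uploaded patch from `${UPLOAD_PATH}` on the signing server, whereas sign_iso_formal.sh as changed in this commit runs `rm -f` on both of those paths. Adding `ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${PATCH_FILE_NAME}` before each `exit 1` would match it and avoid leaving unsigned artefacts behind after a failed run. The hunk ends inside the last `if`, so any cleanup on the success path is not visible here.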