2f9d9a5672
the scripts contained hardcoded references to resources that are not visible outside of the environment where the scripts were originally created and used The scripts sign-rpms was also updated with the original version that was intended to be submitted. The initial submission contained the wrong version. Closes-Bug: #1791343 Change-Id: I8ce5884ad75156d3730cf30a451051d32445e136 Signed-off-by: Paul-Emile Element <Paul-Emile.Element@windriver.com>
292 lines
7.3 KiB
Bash
Executable File
292 lines
7.3 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Add file signature to RPMs
|
|
#
|
|
# This script will add file signature to rpms in a given directory.
|
|
# The directory containing the RPMs must be passed as a parameter. There is no default location.
|
|
#
|
|
#
|
|
|
|
usage () {
|
|
echo ""
|
|
echo "Usage: "
|
|
echo " sign-rpms -d|--pkg-dir <directory>"
|
|
echo " -d --pkg-dir <directory> directory contain the RPMs to sign"
|
|
echo " -h|--help this message"
|
|
echo ""
|
|
}
|
|
|
|
# number of processors. The process will use all available processors by default.
|
|
NPROCS=$(nproc)
|
|
|
|
export MOCK=/usr/bin/mock
|
|
|
|
# check input variables
|
|
function check_vars {
|
|
# need access to repo, which should normally be defined as MY_REPO in the env
|
|
|
|
if [ ! -z "$MY_REPO" ] && [ -d "$MY_REPO" ] ; then
|
|
INTERNAL_REPO_ROOT=$MY_REPO
|
|
fi
|
|
|
|
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
|
|
printf " unable to use \$MY_REPO (value \"$MY_REPO\")\n"
|
|
printf " -- checking \$MY_REPO_ROOT_DIR (value \"$MY_REPO_ROOT_DIR\")\n"
|
|
if [ ! -z "$MY_REPO_ROOT_DIR" ] && [ -d "$MY_REPO_ROOT_DIR/cgcs-root" ] ; then
|
|
INTERNAL_REPO_ROOT=$MY_REPO_ROOT_DIR/cgcs-root
|
|
printf " Found!\n"
|
|
fi
|
|
fi
|
|
|
|
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
|
|
printf " No joy -- checking for \$MY_WORKSPACE/cgcs-root\n"
|
|
if [ -d "$MY_WORKSPACE/cgcs-root" ] ; then
|
|
INTERNAL_REPO_ROOT=$MY_WORKSPACE/cgcs-root
|
|
printf " Found!\n"
|
|
fi
|
|
fi
|
|
|
|
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
|
|
printf " Error -- could not locate cgcs-root repo.\n"
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z "$MY_BUILD_ENVIRONMENT" ] ; then
|
|
printf " Error -- missing environment variable MY_BUILD_ENVIRONMENT"
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z "$MY_BUILD_DIR" ] ; then
|
|
printf " Error -- missing environment variable MY_BUILD_DIR"
|
|
exit 1
|
|
fi
|
|
|
|
}
|
|
|
|
#
|
|
# this function will add IMA file signatures to all rpms in the Packages directory
|
|
#
|
|
# the process will copy the signing key and a makefile in the mock env under /tmp
|
|
# it will also mount the Packages directory under /mnt/Packages
|
|
# then mock will be invoked to sign the packages
|
|
#
|
|
# This process is using mock because the build servers do not have the same rpm / rpmsign version
|
|
#
|
|
|
|
function _local_cleanup {
|
|
|
|
printf "Cleaning mock environment\n"
|
|
$MOCK -q -r $_MOCK_CFG --scrub=all
|
|
|
|
}
|
|
|
|
function __local_trapdoor {
|
|
printf "caught signal while attempting to sign files. Cleaning up."
|
|
_local_cleanup
|
|
|
|
exit 1
|
|
}
|
|
|
|
|
|
function sign_packages {
|
|
OLD_PWD=$PWD
|
|
|
|
_MOCK_PKG_DIR=/mnt/Packages
|
|
_IMA_PRIV_KEY=ima_signing_key.priv
|
|
_KEY_DIR=$MY_REPO/build-tools/signing
|
|
_MOCK_KEY_DIR=/mnt/keys
|
|
_SIGN_MAKEFILE=_sign_pkgs.mk
|
|
_MK_DIR=$MY_REPO/build-tools/mk
|
|
_MOCK_MK_DIR=/mnt/mk
|
|
|
|
# mock confgiuration file
|
|
_MOCK_CFG=$MY_BUILD_DIR/${MY_BUILD_ENVIRONMENT}-sign.cfg
|
|
|
|
# recreate configuration file
|
|
rm $_MOCK_CFG
|
|
export BUILD_TYPE=std
|
|
export MY_BUILD_DIR_TOP=$MY_BUILD_DIR
|
|
modify-build-cfg $_MOCK_CFG
|
|
# and customize
|
|
echo "config_opts['chroot_setup_cmd'] = 'install shadow-utils make rpm-sign'" >> $_MOCK_CFG
|
|
echo "config_opts['root'] = 'mock-sign'" >> $_MOCK_CFG
|
|
echo "config_opts['basedir'] = '${MY_WORKSPACE}'" >> $_MOCK_CFG
|
|
echo "config_opts['cache_topdir'] = '${MY_WORKSPACE}/mock-cache'" >> $_MOCK_CFG
|
|
|
|
echo "Signing packages in $_PKG_DIR with $NPROCS threads"
|
|
echo "using development key $_KEY_DIR/$_IMA_PRIV_KEY"
|
|
|
|
printf "Initializing mock environment\n"
|
|
|
|
trap __local_trapdoor SIGHUP SIGINT SIGABRT SIGTERM
|
|
|
|
# invoke make in mock to sign packages.
|
|
# this call will also create and initialize the mock env
|
|
eval $MOCK -q -r $_MOCK_CFG \'--plugin-option=bind_mount:dirs=[\(\"$_PKG_DIR\", \"$_MOCK_PKG_DIR\"\),\(\"$_MK_DIR\",\"$_MOCK_MK_DIR\"\),\(\"$_KEY_DIR\",\"$_MOCK_KEY_DIR\"\)]\' --shell \"cd $_MOCK_PKG_DIR\; make -j $NPROCS -f $_MOCK_MK_DIR/$_SIGN_MAKEFILE KEY=$_MOCK_KEY_DIR/$_IMA_PRIV_KEY\"
|
|
|
|
retval=$?
|
|
|
|
trap - SIGHUP SIGINT SIGABRT SIGTERM
|
|
|
|
_local_cleanup
|
|
|
|
if [ $retval -ne 0 ] ; then
|
|
echo "failed to add file signatures to RPMs in mock environment."
|
|
return $retval
|
|
fi
|
|
|
|
cd $OLD_PWD
|
|
|
|
}
|
|
|
|
function _copy_and_sign {
|
|
|
|
# upload rpms to server
|
|
scp $_PKG_DIR/*.rpm $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR
|
|
retval=$?
|
|
if [ $retval -ne 0 ] ; then
|
|
echo "ERROR: failed to copy RPM files to signing server."
|
|
return $retval
|
|
fi
|
|
|
|
# get server to sign packages.
|
|
ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -s -d $sub
|
|
retval=$?
|
|
if [ $retval -ne 0 ] ; then
|
|
echo "ERROR: failed to sign RPM files."
|
|
return $retval
|
|
fi
|
|
|
|
# download results back. This overwrites the original files.
|
|
scp $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR/*.rpm $_PKG_DIR
|
|
retval=$?
|
|
if [ $retval -ne 0 ] ; then
|
|
echo "ERROR: failed to copy signed RPM files back from signing server."
|
|
return $retval
|
|
fi
|
|
|
|
return $retval
|
|
|
|
}
|
|
|
|
|
|
function _server_cleanup {
|
|
|
|
# cleanup
|
|
ssh $SIGNING_USER@$SIGNING_SERVER rm $_UPLOAD_DIR/*.rpm
|
|
if [ $? -ne 0 ] ; then
|
|
echo "Warning : failed to remove rpms from temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}."
|
|
fi
|
|
ssh $SIGNING_USER@$SIGNING_SERVER rmdir $_UPLOAD_DIR
|
|
if [ $? -ne 0 ] ; then
|
|
echo "Warning : failed to remove temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}."
|
|
fi
|
|
|
|
}
|
|
|
|
function __server_trapdoor {
|
|
|
|
printf "caught signal while attempting to sign files. Cleaning up."
|
|
_server_cleanup
|
|
|
|
exit 1
|
|
}
|
|
|
|
|
|
function sign_packages_on_server {
|
|
|
|
retval=0
|
|
|
|
# obtain temporary diretory to upload RPMs on signing server
|
|
_UPLOAD_DIR=`ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -r`
|
|
|
|
retval=$?
|
|
if [ $retval -ne 0 ] ; then
|
|
echo "failed to obtain upload directory from signing server."
|
|
return $retval
|
|
fi
|
|
|
|
# extract base chroot dir and rpm dir within chroot
|
|
read base com sub <<< $_UPLOAD_DIR
|
|
|
|
# this is the upload temp dir, outside of chroot env
|
|
_UPLOAD_DIR=$base$sub
|
|
|
|
trap __server_trapdoor SIGHUP SIGINT SIGABRT SIGTERM
|
|
|
|
_copy_and_sign
|
|
retval=$?
|
|
|
|
trap - SIGHUP SIGINT SIGABRT SIGTERM
|
|
|
|
_server_cleanup
|
|
|
|
return $retval
|
|
}
|
|
|
|
|
|
|
|
#############################################
|
|
# Main code
|
|
#############################################
|
|
|
|
# Check args
|
|
HELP=0
|
|
|
|
# return value
|
|
retval=0
|
|
|
|
# read the options
|
|
TEMP=`getopt -o hd: --long help,pkg-dir: -n 'test.sh' -- "$@"`
|
|
if [ $? -ne 0 ] ; then
|
|
echo "Invalid parameters - exiting"
|
|
exit 1
|
|
fi
|
|
|
|
eval set -- "$TEMP"
|
|
|
|
# extract options and their arguments into variables.
|
|
while true ; do
|
|
case "$1" in
|
|
-h|--help) HELP=1 ; shift ;;
|
|
-d|--pkg-dir) _PKG_DIR="$2"; shift; shift ;;
|
|
--) shift ; break ;;
|
|
*) echo "Internal error : unexpected parameter $2" ; exit 1 ;;
|
|
esac
|
|
done
|
|
|
|
if [ $HELP -eq 1 ]; then
|
|
usage
|
|
exit 0
|
|
fi
|
|
|
|
# package directory must be defined
|
|
if [ -z "$_PKG_DIR" ]; then
|
|
echo "Need package directory. Use -d/--pkg-dir option"
|
|
usage
|
|
exit 1
|
|
fi
|
|
|
|
# ... and must exist
|
|
if [ ! -d "$_PKG_DIR" ]; then
|
|
echo "Package directory $_PKG_DIR does not exist"
|
|
exit 1
|
|
fi
|
|
|
|
# Init variables
|
|
check_vars
|
|
|
|
echo signing $_PKG_DIR
|
|
|
|
# sign all rpms
|
|
if [ "$USER" == "jenkins" ]; then
|
|
sign_packages_on_server
|
|
retval=$?
|
|
else
|
|
sign_packages
|
|
retval=$?
|
|
fi
|
|
|
|
exit $retval
|
|
|