root/build-tools/sign-rpms
Paul-Emile Element 2f9d9a5672 cleanup signing scripts
the scripts contained hardcoded references to resources
that are not visible outside of the environment
where the scripts were originally created and used

The scripts sign-rpms was also updated with the original version
that was intended to be submitted. The initial submission contained
the wrong version.

Closes-Bug: #1791343

Change-Id: I8ce5884ad75156d3730cf30a451051d32445e136
Signed-off-by: Paul-Emile Element <Paul-Emile.Element@windriver.com>
2018-09-07 14:44:37 -04:00

292 lines
7.3 KiB
Bash
Executable File

#!/bin/bash
# Add file signature to RPMs
#
# This script will add file signature to rpms in a given directory.
# The directory containing the RPMs must be passed as a parameter. There is no default location.
#
#
usage () {
echo ""
echo "Usage: "
echo " sign-rpms -d|--pkg-dir <directory>"
echo " -d --pkg-dir <directory> directory contain the RPMs to sign"
echo " -h|--help this message"
echo ""
}
# number of processors. The process will use all available processors by default.
NPROCS=$(nproc)
export MOCK=/usr/bin/mock
# check input variables
function check_vars {
# need access to repo, which should normally be defined as MY_REPO in the env
if [ ! -z "$MY_REPO" ] && [ -d "$MY_REPO" ] ; then
INTERNAL_REPO_ROOT=$MY_REPO
fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " unable to use \$MY_REPO (value \"$MY_REPO\")\n"
printf " -- checking \$MY_REPO_ROOT_DIR (value \"$MY_REPO_ROOT_DIR\")\n"
if [ ! -z "$MY_REPO_ROOT_DIR" ] && [ -d "$MY_REPO_ROOT_DIR/cgcs-root" ] ; then
INTERNAL_REPO_ROOT=$MY_REPO_ROOT_DIR/cgcs-root
printf " Found!\n"
fi
fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " No joy -- checking for \$MY_WORKSPACE/cgcs-root\n"
if [ -d "$MY_WORKSPACE/cgcs-root" ] ; then
INTERNAL_REPO_ROOT=$MY_WORKSPACE/cgcs-root
printf " Found!\n"
fi
fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " Error -- could not locate cgcs-root repo.\n"
exit 1
fi
if [ -z "$MY_BUILD_ENVIRONMENT" ] ; then
printf " Error -- missing environment variable MY_BUILD_ENVIRONMENT"
exit 1
fi
if [ -z "$MY_BUILD_DIR" ] ; then
printf " Error -- missing environment variable MY_BUILD_DIR"
exit 1
fi
}
#
# this function will add IMA file signatures to all rpms in the Packages directory
#
# the process will copy the signing key and a makefile in the mock env under /tmp
# it will also mount the Packages directory under /mnt/Packages
# then mock will be invoked to sign the packages
#
# This process is using mock because the build servers do not have the same rpm / rpmsign version
#
function _local_cleanup {
printf "Cleaning mock environment\n"
$MOCK -q -r $_MOCK_CFG --scrub=all
}
function __local_trapdoor {
printf "caught signal while attempting to sign files. Cleaning up."
_local_cleanup
exit 1
}
function sign_packages {
OLD_PWD=$PWD
_MOCK_PKG_DIR=/mnt/Packages
_IMA_PRIV_KEY=ima_signing_key.priv
_KEY_DIR=$MY_REPO/build-tools/signing
_MOCK_KEY_DIR=/mnt/keys
_SIGN_MAKEFILE=_sign_pkgs.mk
_MK_DIR=$MY_REPO/build-tools/mk
_MOCK_MK_DIR=/mnt/mk
# mock confgiuration file
_MOCK_CFG=$MY_BUILD_DIR/${MY_BUILD_ENVIRONMENT}-sign.cfg
# recreate configuration file
rm $_MOCK_CFG
export BUILD_TYPE=std
export MY_BUILD_DIR_TOP=$MY_BUILD_DIR
modify-build-cfg $_MOCK_CFG
# and customize
echo "config_opts['chroot_setup_cmd'] = 'install shadow-utils make rpm-sign'" >> $_MOCK_CFG
echo "config_opts['root'] = 'mock-sign'" >> $_MOCK_CFG
echo "config_opts['basedir'] = '${MY_WORKSPACE}'" >> $_MOCK_CFG
echo "config_opts['cache_topdir'] = '${MY_WORKSPACE}/mock-cache'" >> $_MOCK_CFG
echo "Signing packages in $_PKG_DIR with $NPROCS threads"
echo "using development key $_KEY_DIR/$_IMA_PRIV_KEY"
printf "Initializing mock environment\n"
trap __local_trapdoor SIGHUP SIGINT SIGABRT SIGTERM
# invoke make in mock to sign packages.
# this call will also create and initialize the mock env
eval $MOCK -q -r $_MOCK_CFG \'--plugin-option=bind_mount:dirs=[\(\"$_PKG_DIR\", \"$_MOCK_PKG_DIR\"\),\(\"$_MK_DIR\",\"$_MOCK_MK_DIR\"\),\(\"$_KEY_DIR\",\"$_MOCK_KEY_DIR\"\)]\' --shell \"cd $_MOCK_PKG_DIR\; make -j $NPROCS -f $_MOCK_MK_DIR/$_SIGN_MAKEFILE KEY=$_MOCK_KEY_DIR/$_IMA_PRIV_KEY\"
retval=$?
trap - SIGHUP SIGINT SIGABRT SIGTERM
_local_cleanup
if [ $retval -ne 0 ] ; then
echo "failed to add file signatures to RPMs in mock environment."
return $retval
fi
cd $OLD_PWD
}
function _copy_and_sign {
# upload rpms to server
scp $_PKG_DIR/*.rpm $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR
retval=$?
if [ $retval -ne 0 ] ; then
echo "ERROR: failed to copy RPM files to signing server."
return $retval
fi
# get server to sign packages.
ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -s -d $sub
retval=$?
if [ $retval -ne 0 ] ; then
echo "ERROR: failed to sign RPM files."
return $retval
fi
# download results back. This overwrites the original files.
scp $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR/*.rpm $_PKG_DIR
retval=$?
if [ $retval -ne 0 ] ; then
echo "ERROR: failed to copy signed RPM files back from signing server."
return $retval
fi
return $retval
}
function _server_cleanup {
# cleanup
ssh $SIGNING_USER@$SIGNING_SERVER rm $_UPLOAD_DIR/*.rpm
if [ $? -ne 0 ] ; then
echo "Warning : failed to remove rpms from temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}."
fi
ssh $SIGNING_USER@$SIGNING_SERVER rmdir $_UPLOAD_DIR
if [ $? -ne 0 ] ; then
echo "Warning : failed to remove temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}."
fi
}
function __server_trapdoor {
printf "caught signal while attempting to sign files. Cleaning up."
_server_cleanup
exit 1
}
function sign_packages_on_server {
retval=0
# obtain temporary diretory to upload RPMs on signing server
_UPLOAD_DIR=`ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -r`
retval=$?
if [ $retval -ne 0 ] ; then
echo "failed to obtain upload directory from signing server."
return $retval
fi
# extract base chroot dir and rpm dir within chroot
read base com sub <<< $_UPLOAD_DIR
# this is the upload temp dir, outside of chroot env
_UPLOAD_DIR=$base$sub
trap __server_trapdoor SIGHUP SIGINT SIGABRT SIGTERM
_copy_and_sign
retval=$?
trap - SIGHUP SIGINT SIGABRT SIGTERM
_server_cleanup
return $retval
}
#############################################
# Main code
#############################################
# Check args
HELP=0
# return value
retval=0
# read the options
TEMP=`getopt -o hd: --long help,pkg-dir: -n 'test.sh' -- "$@"`
if [ $? -ne 0 ] ; then
echo "Invalid parameters - exiting"
exit 1
fi
eval set -- "$TEMP"
# extract options and their arguments into variables.
while true ; do
case "$1" in
-h|--help) HELP=1 ; shift ;;
-d|--pkg-dir) _PKG_DIR="$2"; shift; shift ;;
--) shift ; break ;;
*) echo "Internal error : unexpected parameter $2" ; exit 1 ;;
esac
done
if [ $HELP -eq 1 ]; then
usage
exit 0
fi
# package directory must be defined
if [ -z "$_PKG_DIR" ]; then
echo "Need package directory. Use -d/--pkg-dir option"
usage
exit 1
fi
# ... and must exist
if [ ! -d "$_PKG_DIR" ]; then
echo "Package directory $_PKG_DIR does not exist"
exit 1
fi
# Init variables
check_vars
echo signing $_PKG_DIR
# sign all rpms
if [ "$USER" == "jenkins" ]; then
sign_packages_on_server
retval=$?
else
sign_packages
retval=$?
fi
exit $retval