starlingx/root
Code Issues Proposed changes
99d897bdd4
root/build-tools/sign-rpms
Scott Little 83d4446d74 Prepare the build tools for code restucturing 
Build tools need to be made ready for the code
restructuring:

1) new repos
2) relocation of release-info.inc and bsp files
3) Removal of the stx- prefix from sub-repos.

Changes:
1) Create new functions to find the release-info.inc and
bsp file under both pre and post restructure paths.

2) Update .gitignore to ignore all the new repos that
are to be created.

3) Remove an argument sanity check from build-helm-charts.sh.
It is making invalid assumptions about where applications
can be found in the directory structure.

4) build-iso will need to look to additional repos to find
packages from lower layers.

Change-Id: If62444390d0a5a363974c6ff8cdaceca35978bda
Story: 2006166
Task: 35687
Signed-off-by: Scott Little <scott.little@windriver.com>
2019-09-05 15:18:10 -04:00

294 lines
7.4 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Add file signature to RPMs
#
# This script will add file signature to rpms in a given directory.
# The directory containing the RPMs must be passed as a parameter. There is no default location.
#
#
usage () {
echo ""
echo "Usage: "
echo " sign-rpms -d|--pkg-dir <directory>"
echo " -d --pkg-dir <directory> directory contain the RPMs to sign"
echo " -h|--help this message"
echo ""
}
# number of processors. The process will use all available processors by default.
NPROCS=$(nproc)
export MOCK=/usr/bin/mock
# check input variables
function check_vars {
# need access to repo, which should normally be defined as MY_REPO in the env
if [ ! -z "$MY_REPO" ] && [ -d "$MY_REPO" ] ; then
INTERNAL_REPO_ROOT=$MY_REPO
fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " unable to use \$MY_REPO (value \"$MY_REPO\")\n"
printf " -- checking \$MY_REPO_ROOT_DIR (value \"$MY_REPO_ROOT_DIR\")\n"
if [ ! -z "$MY_REPO_ROOT_DIR" ] && [ -d "$MY_REPO_ROOT_DIR/cgcs-root" ] ; then
INTERNAL_REPO_ROOT=$MY_REPO_ROOT_DIR/cgcs-root
printf " Found!\n"
fi
fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " No joy -- checking for \$MY_WORKSPACE/cgcs-root\n"
if [ -d "$MY_WORKSPACE/cgcs-root" ] ; then
INTERNAL_REPO_ROOT=$MY_WORKSPACE/cgcs-root
printf " Found!\n"
fi
fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " Error -- could not locate cgcs-root repo.\n"
exit 1
fi
if [ -z "$MY_BUILD_ENVIRONMENT" ] ; then
printf " Error -- missing environment variable MY_BUILD_ENVIRONMENT"
exit 1
fi
if [ -z "$MY_BUILD_DIR" ] ; then
printf " Error -- missing environment variable MY_BUILD_DIR"
exit 1
fi
}
#
# this function will add IMA file signatures to all rpms in the Packages directory
#
# the process will copy the signing key and a makefile in the mock env under /tmp
# it will also mount the Packages directory under /mnt/Packages
# then mock will be invoked to sign the packages
#
# This process is using mock because the build servers do not have the same rpm / rpmsign version
#
function _local_cleanup {
printf "Cleaning mock environment\n"
$MOCK -q -r $_MOCK_CFG --scrub=all
}
function __local_trapdoor {
printf "caught signal while attempting to sign files. Cleaning up."
_local_cleanup
exit 1
}
function sign_packages {
OLD_PWD=$PWD
_MOCK_PKG_DIR=/mnt/Packages
_IMA_PRIV_KEY=ima_signing_key.priv
_KEY_DIR=$MY_REPO/build-tools/signing
_MOCK_KEY_DIR=/mnt/keys
_SIGN_MAKEFILE=_sign_pkgs.mk
_MK_DIR=$MY_REPO/build-tools/mk
_MOCK_MK_DIR=/mnt/mk
# mock confgiuration file
_MOCK_CFG=$MY_BUILD_DIR/${MY_BUILD_ENVIRONMENT}-sign.cfg
# recreate configuration file
if [ -f $_MOCK_CFG ]; then
rm $_MOCK_CFG
fi
export BUILD_TYPE=std
export MY_BUILD_DIR_TOP=$MY_BUILD_DIR
modify-build-cfg $_MOCK_CFG
# and customize
echo "config_opts['chroot_setup_cmd'] = 'install shadow-utils make rpm-sign'" >> $_MOCK_CFG
echo "config_opts['root'] = 'mock-sign'" >> $_MOCK_CFG
echo "config_opts['basedir'] = '${MY_WORKSPACE}'" >> $_MOCK_CFG
echo "config_opts['cache_topdir'] = '${MY_WORKSPACE}/mock-cache'" >> $_MOCK_CFG
echo "Signing packages in $_PKG_DIR with $NPROCS threads"
echo "using development key $_KEY_DIR/$_IMA_PRIV_KEY"
printf "Initializing mock environment\n"
trap __local_trapdoor SIGHUP SIGINT SIGABRT SIGTERM
# invoke make in mock to sign packages.
# this call will also create and initialize the mock env
eval $MOCK -q -r $_MOCK_CFG \'--plugin-option=bind_mount:dirs=[\(\"$_PKG_DIR\", \"$_MOCK_PKG_DIR\"\),\(\"$_MK_DIR\",\"$_MOCK_MK_DIR\"\),\(\"$_KEY_DIR\",\"$_MOCK_KEY_DIR\"\)]\' --shell \"cd $_MOCK_PKG_DIR\; make -j $NPROCS -f $_MOCK_MK_DIR/$_SIGN_MAKEFILE KEY=$_MOCK_KEY_DIR/$_IMA_PRIV_KEY\"
retval=$?
trap - SIGHUP SIGINT SIGABRT SIGTERM
_local_cleanup
if [ $retval -ne 0 ] ; then
echo "failed to add file signatures to RPMs in mock environment."
return $retval
fi
cd $OLD_PWD
}
function _copy_and_sign {
# upload rpms to server
scp $_PKG_DIR/*.rpm $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR
retval=$?
if [ $retval -ne 0 ] ; then
echo "ERROR: failed to copy RPM files to signing server."
return $retval
fi
# get server to sign packages.
ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -s -d $sub
retval=$?
if [ $retval -ne 0 ] ; then
echo "ERROR: failed to sign RPM files."
return $retval
fi
# download results back. This overwrites the original files.
scp $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR/*.rpm $_PKG_DIR
retval=$?
if [ $retval -ne 0 ] ; then
echo "ERROR: failed to copy signed RPM files back from signing server."
return $retval
fi
return $retval
}
function _server_cleanup {
# cleanup
ssh $SIGNING_USER@$SIGNING_SERVER rm $_UPLOAD_DIR/*.rpm
if [ $? -ne 0 ] ; then
echo "Warning : failed to remove rpms from temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}."
fi
ssh $SIGNING_USER@$SIGNING_SERVER rmdir $_UPLOAD_DIR
if [ $? -ne 0 ] ; then
echo "Warning : failed to remove temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}."
fi
}
function __server_trapdoor {
printf "caught signal while attempting to sign files. Cleaning up."
_server_cleanup
exit 1
}
function sign_packages_on_server {
retval=0
# obtain temporary diretory to upload RPMs on signing server
_UPLOAD_DIR=`ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -r`
retval=$?
if [ $retval -ne 0 ] ; then
echo "failed to obtain upload directory from signing server."
return $retval
fi
# extract base chroot dir and rpm dir within chroot
read base com sub <<< $_UPLOAD_DIR
# this is the upload temp dir, outside of chroot env
_UPLOAD_DIR=$base$sub
trap __server_trapdoor SIGHUP SIGINT SIGABRT SIGTERM
_copy_and_sign
retval=$?
trap - SIGHUP SIGINT SIGABRT SIGTERM
_server_cleanup
return $retval
}
#############################################
# Main code
#############################################
# Check args
HELP=0
# return value
retval=0
# read the options
TEMP=`getopt -o hd: --long help,pkg-dir: -n 'test.sh' -- "$@"`
if [ $? -ne 0 ] ; then
echo "Invalid parameters - exiting"
exit 1
fi
eval set -- "$TEMP"
# extract options and their arguments into variables.
while true ; do
case "$1" in
-h|--help) HELP=1 ; shift ;;
-d|--pkg-dir) _PKG_DIR="$2"; shift; shift ;;
--) shift ; break ;;
*) echo "Internal error : unexpected parameter $2" ; exit 1 ;;
esac
done
if [ $HELP -eq 1 ]; then
usage
exit 0
fi
# package directory must be defined
if [ -z "$_PKG_DIR" ]; then
echo "Need package directory. Use -d/--pkg-dir option"
usage
exit 1
fi
# ... and must exist
if [ ! -d "$_PKG_DIR" ]; then
echo "Package directory $_PKG_DIR does not exist"
exit 1
fi
# Init variables
check_vars
echo signing $_PKG_DIR
# sign all rpms
if [ "$USER" == "jenkins" ] && [ ! -z "${SIGNING_USER}" ] && [ ! -z "${SIGNING_SERVER}" ] && [ ! -z "${SIGNING_SERVER_SCRIPT}" ]; then
sign_packages_on_server
retval=$?
else
sign_packages
retval=$?
fi
exit $retval
View Git Blame Copy Permalink