root/build-tools/sign-rpms
Scott Little 0b8e1605db sign-rpms: Don't attempt off-box signing if variables not set.
Problem:
User 'jenkins' hit a build-iso failure in sign-rpms.
Problem was a test that assumes user jenkins will always
provide environment variable setting for SIGNING_USER,
SIGNING_SERVER and SIGNING_SERVER_SCRIPT.  This is not
a valid assumption.

Solution:
Explicitly test that all three environment variables are set
before invoking sign_packages_on_server.

Story: 2003906
Task: 27974
Change-Id: If9eb61b8001ca58f9262c2eccab96b4820c68102
Signed-off-by: Scott Little <scott.little@windriver.com>
2018-11-19 11:15:51 -05:00

292 lines
7.4 KiB
Bash
Executable File

#!/bin/bash
# Add file signature to RPMs
#
# This script will add file signature to rpms in a given directory.
# The directory containing the RPMs must be passed as a parameter. There is no default location.
#
#
usage () {
echo ""
echo "Usage: "
echo " sign-rpms -d|--pkg-dir <directory>"
echo " -d --pkg-dir <directory> directory contain the RPMs to sign"
echo " -h|--help this message"
echo ""
}
# number of processors. The process will use all available processors by default.
NPROCS=$(nproc)
export MOCK=/usr/bin/mock
# check input variables
function check_vars {
# need access to repo, which should normally be defined as MY_REPO in the env
if [ ! -z "$MY_REPO" ] && [ -d "$MY_REPO" ] ; then
INTERNAL_REPO_ROOT=$MY_REPO
fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " unable to use \$MY_REPO (value \"$MY_REPO\")\n"
printf " -- checking \$MY_REPO_ROOT_DIR (value \"$MY_REPO_ROOT_DIR\")\n"
if [ ! -z "$MY_REPO_ROOT_DIR" ] && [ -d "$MY_REPO_ROOT_DIR/cgcs-root" ] ; then
INTERNAL_REPO_ROOT=$MY_REPO_ROOT_DIR/cgcs-root
printf " Found!\n"
fi
fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " No joy -- checking for \$MY_WORKSPACE/cgcs-root\n"
if [ -d "$MY_WORKSPACE/cgcs-root" ] ; then
INTERNAL_REPO_ROOT=$MY_WORKSPACE/cgcs-root
printf " Found!\n"
fi
fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " Error -- could not locate cgcs-root repo.\n"
exit 1
fi
if [ -z "$MY_BUILD_ENVIRONMENT" ] ; then
printf " Error -- missing environment variable MY_BUILD_ENVIRONMENT"
exit 1
fi
if [ -z "$MY_BUILD_DIR" ] ; then
printf " Error -- missing environment variable MY_BUILD_DIR"
exit 1
fi
}
#
# this function will add IMA file signatures to all rpms in the Packages directory
#
# the process will copy the signing key and a makefile in the mock env under /tmp
# it will also mount the Packages directory under /mnt/Packages
# then mock will be invoked to sign the packages
#
# This process is using mock because the build servers do not have the same rpm / rpmsign version
#
function _local_cleanup {
printf "Cleaning mock environment\n"
$MOCK -q -r $_MOCK_CFG --scrub=all
}
function __local_trapdoor {
printf "caught signal while attempting to sign files. Cleaning up."
_local_cleanup
exit 1
}
function sign_packages {
OLD_PWD=$PWD
_MOCK_PKG_DIR=/mnt/Packages
_IMA_PRIV_KEY=ima_signing_key.priv
_KEY_DIR=$MY_REPO/build-tools/signing
_MOCK_KEY_DIR=/mnt/keys
_SIGN_MAKEFILE=_sign_pkgs.mk
_MK_DIR=$MY_REPO/build-tools/mk
_MOCK_MK_DIR=/mnt/mk
# mock confgiuration file
_MOCK_CFG=$MY_BUILD_DIR/${MY_BUILD_ENVIRONMENT}-sign.cfg
# recreate configuration file
rm $_MOCK_CFG
export BUILD_TYPE=std
export MY_BUILD_DIR_TOP=$MY_BUILD_DIR
modify-build-cfg $_MOCK_CFG
# and customize
echo "config_opts['chroot_setup_cmd'] = 'install shadow-utils make rpm-sign'" >> $_MOCK_CFG
echo "config_opts['root'] = 'mock-sign'" >> $_MOCK_CFG
echo "config_opts['basedir'] = '${MY_WORKSPACE}'" >> $_MOCK_CFG
echo "config_opts['cache_topdir'] = '${MY_WORKSPACE}/mock-cache'" >> $_MOCK_CFG
echo "Signing packages in $_PKG_DIR with $NPROCS threads"
echo "using development key $_KEY_DIR/$_IMA_PRIV_KEY"
printf "Initializing mock environment\n"
trap __local_trapdoor SIGHUP SIGINT SIGABRT SIGTERM
# invoke make in mock to sign packages.
# this call will also create and initialize the mock env
eval $MOCK -q -r $_MOCK_CFG \'--plugin-option=bind_mount:dirs=[\(\"$_PKG_DIR\", \"$_MOCK_PKG_DIR\"\),\(\"$_MK_DIR\",\"$_MOCK_MK_DIR\"\),\(\"$_KEY_DIR\",\"$_MOCK_KEY_DIR\"\)]\' --shell \"cd $_MOCK_PKG_DIR\; make -j $NPROCS -f $_MOCK_MK_DIR/$_SIGN_MAKEFILE KEY=$_MOCK_KEY_DIR/$_IMA_PRIV_KEY\"
retval=$?
trap - SIGHUP SIGINT SIGABRT SIGTERM
_local_cleanup
if [ $retval -ne 0 ] ; then
echo "failed to add file signatures to RPMs in mock environment."
return $retval
fi
cd $OLD_PWD
}
function _copy_and_sign {
# upload rpms to server
scp $_PKG_DIR/*.rpm $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR
retval=$?
if [ $retval -ne 0 ] ; then
echo "ERROR: failed to copy RPM files to signing server."
return $retval
fi
# get server to sign packages.
ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -s -d $sub
retval=$?
if [ $retval -ne 0 ] ; then
echo "ERROR: failed to sign RPM files."
return $retval
fi
# download results back. This overwrites the original files.
scp $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR/*.rpm $_PKG_DIR
retval=$?
if [ $retval -ne 0 ] ; then
echo "ERROR: failed to copy signed RPM files back from signing server."
return $retval
fi
return $retval
}
function _server_cleanup {
# cleanup
ssh $SIGNING_USER@$SIGNING_SERVER rm $_UPLOAD_DIR/*.rpm
if [ $? -ne 0 ] ; then
echo "Warning : failed to remove rpms from temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}."
fi
ssh $SIGNING_USER@$SIGNING_SERVER rmdir $_UPLOAD_DIR
if [ $? -ne 0 ] ; then
echo "Warning : failed to remove temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}."
fi
}
function __server_trapdoor {
printf "caught signal while attempting to sign files. Cleaning up."
_server_cleanup
exit 1
}
function sign_packages_on_server {
retval=0
# obtain temporary diretory to upload RPMs on signing server
_UPLOAD_DIR=`ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -r`
retval=$?
if [ $retval -ne 0 ] ; then
echo "failed to obtain upload directory from signing server."
return $retval
fi
# extract base chroot dir and rpm dir within chroot
read base com sub <<< $_UPLOAD_DIR
# this is the upload temp dir, outside of chroot env
_UPLOAD_DIR=$base$sub
trap __server_trapdoor SIGHUP SIGINT SIGABRT SIGTERM
_copy_and_sign
retval=$?
trap - SIGHUP SIGINT SIGABRT SIGTERM
_server_cleanup
return $retval
}
#############################################
# Main code
#############################################
# Check args
HELP=0
# return value
retval=0
# read the options
TEMP=`getopt -o hd: --long help,pkg-dir: -n 'test.sh' -- "$@"`
if [ $? -ne 0 ] ; then
echo "Invalid parameters - exiting"
exit 1
fi
eval set -- "$TEMP"
# extract options and their arguments into variables.
while true ; do
case "$1" in
-h|--help) HELP=1 ; shift ;;
-d|--pkg-dir) _PKG_DIR="$2"; shift; shift ;;
--) shift ; break ;;
*) echo "Internal error : unexpected parameter $2" ; exit 1 ;;
esac
done
if [ $HELP -eq 1 ]; then
usage
exit 0
fi
# package directory must be defined
if [ -z "$_PKG_DIR" ]; then
echo "Need package directory. Use -d/--pkg-dir option"
usage
exit 1
fi
# ... and must exist
if [ ! -d "$_PKG_DIR" ]; then
echo "Package directory $_PKG_DIR does not exist"
exit 1
fi
# Init variables
check_vars
echo signing $_PKG_DIR
# sign all rpms
if [ "$USER" == "jenkins" ] && [ ! -z "${SIGNING_USER}" ] && [ ! -z "${SIGNING_SERVER}" ] && [ ! -z "${SIGNING_SERVER_SCRIPT}" ]; then
sign_packages_on_server
retval=$?
else
sign_packages
retval=$?
fi
exit $retval