From e7d4fbf5cbe8f7b89df1a047ce891ecd4ecef55a Mon Sep 17 00:00:00 2001
From: Anton Gerasimov
Date: Mon, 13 Nov 2017 15:00:44 +0100
Subject: Add managing targets.json by garage-sign

---
 classes/image_types_ostree.bbclass      | 56 +++++++++++++++++++++++++++++++++
 classes/sota.bbclass                    |  9 +++++-
 recipes-sota/garage-sign/garage-sign.bb |  6 ++--
 3 files changed, 67 insertions(+), 4 deletions(-)

diff --git a/classes/image_types_ostree.bbclass b/classes/image_types_ostree.bbclass
index dcc6fc9..172f2c8 100644
--- a/classes/image_types_ostree.bbclass
+++ b/classes/image_types_ostree.bbclass
@@ -5,6 +5,7 @@ inherit image
 IMAGE_DEPENDS_ostree = "ostree-native:do_populate_sysroot \
                         openssl-native:do_populate_sysroot \
                         coreutils-native:do_populate_sysroot \
+                        unzip-native:do_populate_sysroot \
                         virtual/kernel:do_deploy \
                         ${OSTREE_INITRAMFS_IMAGE}:do_image_complete"
 
@@ -104,6 +105,7 @@ IMAGE_CMD_ostree () {
     if [ -d root ] && [ ! -L root ]; then
         if [ "$(ls -A root)" ]; then
             bberror "Data in /root directory is not preserved by OSTree."
+            exit 1
         fi
 
         if [ -n "$SYSTEMD_USED" ]; then
@@ -176,4 +178,58 @@ IMAGE_CMD_ostreepush () {
     fi
 }
 
+IMAGE_TYPEDEP_garagesign = "ostreepush"
+IMAGE_DEPENDS_garagesign = "garage-sign-native:do_populate_sysroot"
+IMAGE_CMD_garagesign () {
+    if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
+        # if credentials are issued by a server that doesn't support offline signing, exit silently
+        unzip -p ${SOTA_PACKED_CREDENTIALS} root.json targets.pub targets.sec 2>&1 >/dev/null || exit 0
+
+        java_version=$( java -version 2>&1 | awk -F '"' '/version/ {print $2}' )
+        if [ "${java_version}" = "" ]; then
+            bberror "Java is required for synchronization with update backend, but is not installed on the host machine"
+            exit 1
+        elif [ "${java_version}" \< "1.8" ]; then
+            bberror "Java version >= 8 is required for synchronization with update backend"
+            exit 1
+        fi
+
+        if [ ! -d "${GARAGE_SIGN_REPO}" ]; then
+            garage-sign init --repo ${GARAGE_SIGN_REPO} --home-dir ${GARAGE_SIGN_REPO} --credentials ${SOTA_PACKED_CREDENTIALS}
+        fi
+
+        if [ -n "${GARAGE_SIGN_REPOSERVER}" ]; then
+            reposerver_args="--reposerver ${GARAGE_SIGN_REPOSERVER}"
+        else
+            reposerver_args=""
+        fi
+
+        ostree_target_hash=$(cat ${OSTREE_REPO}/refs/heads/${OSTREE_BRANCHNAME})
+
+        # Push may fail due to race condition when multiple build machines try to push simultaneously
+        # in which case targets.json should be pulled again and the whole procedure repeated
+        push_success=0
+        for push_retries in $( seq 3 ); do
+            garage-sign targets pull --repo ${GARAGE_SIGN_REPO} --home-dir ${GARAGE_SIGN_REPO} ${reposerver_args}
+            garage-sign targets add --repo ${GARAGE_SIGN_REPO} --home-dir ${GARAGE_SIGN_REPO} --name ${OSTREE_BRANCHNAME} --format OSTREE --version ${OSTREE_BRANCHNAME} --length 0 --url "https://example.com/" --sha256 ${ostree_target_hash} --hardwareids ${MACHINE}
+            garage-sign targets sign --repo ${GARAGE_SIGN_REPO} --home-dir ${GARAGE_SIGN_REPO} --key-name=targets
+            errcode=0
+            garage-sign targets push --repo ${GARAGE_SIGN_REPO} --home-dir ${GARAGE_SIGN_REPO} ${reposerver_args} || errcode=$?
+            if [ "$errcode" -eq "0" ]; then
+                push_success=1
+                break
+            else
+                bbwarn "Push to garage repository has failed, retrying"
+            fi
+        done
+
+        if [ "$push_success" -ne "1" ]; then
+            bberror "Couldn't push to garage repository"
+            exit 1
+        fi
+    else
+        bbwarn "SOTA_PACKED_CREDENTIALS not set. Please add SOTA_PACKED_CREDENTIALS."
+    fi
+}
+
 # vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/classes/sota.bbclass b/classes/sota.bbclass
index 1865356..f5a42c1 100644
--- a/classes/sota.bbclass
+++ b/classes/sota.bbclass
@@ -5,11 +5,13 @@ python __anonymous() {
 OVERRIDES .= "${@bb.utils.contains('DISTRO_FEATURES', 'sota', ':sota', '', d)}"
 
+HOSTTOOLS_NONFATAL += "java"
+
 SOTA_CLIENT ??= "aktualizr"
 SOTA_CLIENT_PROV ??= "aktualizr-auto-prov"
 IMAGE_INSTALL_append_sota = " ostree os-release ${SOTA_CLIENT} ${SOTA_CLIENT_PROV}"
 
 IMAGE_CLASSES += " image_types_ostree image_types_ota"
-IMAGE_FSTYPES += "${@bb.utils.contains('DISTRO_FEATURES', 'sota', 'ostreepush otaimg wic', ' ', d)}"
+IMAGE_FSTYPES += "${@bb.utils.contains('DISTRO_FEATURES', 'sota', 'ostreepush garagesign otaimg wic', ' ', d)}"
 
 PACKAGECONFIG_append_pn-curl = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', " ssl", " ", d)}"
 PACKAGECONFIG_remove_pn-curl = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', " gnutls", " ", d)}"
@@ -25,6 +27,11 @@ OSTREE_BRANCHNAME ?= "${MACHINE}"
 OSTREE_OSNAME ?= "poky"
 OSTREE_INITRAMFS_IMAGE ?= "initramfs-ostree-image"
 
+
+GARAGE_SIGN_REPO ?= "${DEPLOY_DIR_IMAGE}/garage_sign_repo"
+GARAGE_SIGN_KEYNAME ?= "garage-key"
+GARAGE_TARGET_NAME ?= "${OSTREE_BRANCHNAME}"
+
 SOTA_MACHINE ??="none"
 SOTA_MACHINE_raspberrypi2 ?= "raspberrypi"
 SOTA_MACHINE_raspberrypi3 ?= "raspberrypi"
diff --git a/recipes-sota/garage-sign/garage-sign.bb b/recipes-sota/garage-sign/garage-sign.bb
index 355a949..d5388bc 100644
--- a/recipes-sota/garage-sign/garage-sign.bb
+++ b/recipes-sota/garage-sign/garage-sign.bb
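Review bot: The guard `unzip -p ${SOTA_PACKED_CREDENTIALS} root.json targets.pub targets.sec 2>&1 >/dev/null || exit 0` in IMAGE_CMD_garagesign treats every unzip failure as "server does not support offline signing", so a mistyped or unreadable SOTA_PACKED_CREDENTIALS path lets the build succeed with nothing signed or pushed and only unzip's stderr in the task log (the `2>&1 >/dev/null` order discards stdout but keeps stderr). A readability check before it, `[ -r "${SOTA_PACKED_CREDENTIALS}" ] || bbfatal "SOTA_PACKED_CREDENTIALS is not readable: ${SOTA_PACKED_CREDENTIALS}"`, plus a `bbnote` on the skip path instead of a bare `exit 0`, limits the silent case to the one the comment describes. The literal `--url "https://example.com/"` passed to `garage-sign targets add` presumably ends up in the signed targets metadata and should come from a variable with a documented default rather than a placeholder. The path expansions (`${SOTA_PACKED_CREDENTIALS}`, `${GARAGE_SIGN_REPO}`, `${OSTREE_REPO}`) are unquoted in every garage-sign and cat invocation, so paths containing whitespace break. As a matter of style, the `bberror ...; exit 1` pairs here and the one added in the @@ -104 hunk are what a single `bbfatal` call does.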
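Review bot: `GARAGE_SIGN_REPO ?= "${DEPLOY_DIR_IMAGE}/garage_sign_repo"` places the garage-sign working directory, which IMAGE_CMD_garagesign initialises from the credentials archive whose unzip check expects `targets.sec`, inside the image deploy directory, the tree that is typically copied to artifact stores and shared between build hosts. Unless garage-sign keeps that key material elsewhere (not visible in this commit), a default outside DEPLOY_DIR_IMAGE and a comment such as `# garage-sign state, including offline-signing key material; keep out of published artifacts` would be safer. Separately, `GARAGE_SIGN_KEYNAME` and `GARAGE_TARGET_NAME` are declared here but nothing in this commit reads them: IMAGE_CMD_garagesign hard-codes `--key-name=targets` and passes `--name ${OSTREE_BRANCHNAME}` directly, so either wire the two variables into those calls or drop them.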
@@ -6,14 +6,14 @@ LICENSE = "CLOSED"
 LIC_FILES_CHKSUM = "file://${S}/docs/LICENSE;md5=3025e77db7bd3f1d616b3ffd11d54c94"
 
 DEPENDS = ""
 
-PV = "0.2.0-29-gf6f095a"
+PV = "0.2.0-35-g0544c33"
 
 SRC_URI = " \
     https://ats-tuf-cli-releases.s3-eu-central-1.amazonaws.com/cli-${PV}.tgz \
 "
 
-SRC_URI[md5sum] = "49ee4389570992f0cebb16d5943e4405"
-SRC_URI[sha256sum] = "59f902e6507adec3176bdf470fe5dea31996810a6300bd61583638d4ffe37ab3"
+SRC_URI[md5sum] = "1546e06d1e747f67aee5ed7096bf1c74"
+SRC_URI[sha256sum] = "1432348bca8ca5ad75df1218f348f480d429d7509d6454deb6e16ff31c5e08fc"
 
 S = "${WORKDIR}/${BPN}"
-- 
cgit v1.2.3-54-g00ecf