From 8434da1a579dc15090cbd1dc57cd8d83c6de613e Mon Sep 17 00:00:00 2001 From: Patrick Vacek Date: Tue, 20 Aug 2019 16:59:49 +0200 Subject: aktualizr: latest garage-sign with expiration support. Use GARAGE_TARGET_EXPIRES or GARAGE_TARGET_EXPIRE_AFTER (but not both!) to set the garage-sign parameters. Signed-off-by: Patrick Vacek --- classes/image_types_ostree.bbclass | 17 +++++++++++++---- classes/sota.bbclass | 2 ++ 2 files changed, 15 insertions(+), 4 deletions(-) (limited to 'classes') diff --git a/classes/image_types_ostree.bbclass b/classes/image_types_ostree.bbclass index 2e8e8f5..fd67865 100644 --- a/classes/image_types_ostree.bbclass +++ b/classes/image_types_ostree.bbclass @@ -237,10 +237,18 @@ IMAGE_CMD_garagesign () { # Push may fail due to race condition when multiple build machines try to push simultaneously # in which case targets.json should be pulled again and the whole procedure repeated push_success=0 - target_url="" - if [ -n "${GARAGE_TARGET_URL}" ]; then - target_url='--url ${GARAGE_TARGET_URL}' - fi + target_url="" + if [ -n "${GARAGE_TARGET_URL}" ]; then + target_url="--url ${GARAGE_TARGET_URL}" + fi + target_expiry="" + if [ -n "${GARAGE_TARGET_EXPIRES}" ] && [ -n "${GARAGE_TARGET_EXPIRE_AFTER}" ]; then + bbfatal "Both GARAGE_TARGET_EXPIRES and GARAGE_TARGET_EXPIRE_AFTER are set. Only one can be set at a time." + elif [ -n "${GARAGE_TARGET_EXPIRES}" ]; then + target_expiry="--expires ${GARAGE_TARGET_EXPIRES}" + elif [ -n "${GARAGE_TARGET_EXPIRE_AFTER}" ]; then + target_expiry="--expire-after ${GARAGE_TARGET_EXPIRE_AFTER}" + fi for push_retries in $( seq 3 ); do garage-sign targets pull --repo tufrepo \ @@ -262,6 +270,7 @@ IMAGE_CMD_garagesign () { fi garage-sign targets sign --repo tufrepo \ --home-dir ${GARAGE_SIGN_REPO} \ + ${target_expiry} \ --key-name=targets errcode=0 garage-sign targets push --repo tufrepo \ diff --git a/classes/sota.bbclass b/classes/sota.bbclass index 86863d9..5b06397 100644 --- a/classes/sota.bbclass 
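Review bot: The values of GARAGE_TARGET_EXPIRES and GARAGE_TARGET_EXPIRE_AFTER go into `target_expiry` without any format check, and the second hunk of this file expands `${target_expiry}` unquoted on the `garage-sign targets sign` line. A value with embedded whitespace is therefore word-split into extra arguments, and a mistyped one is only rejected by garage-sign inside the retry loop, after `targets pull` has already run. Because this setting decides how long the signed targets metadata stays valid for clients, it is worth failing before the loop, for example `case "${GARAGE_TARGET_EXPIRE_AFTER}" in *[!0-9YMD]*) bbfatal "GARAGE_TARGET_EXPIRE_AFTER must be a period such as 1Y3M5D" ;; esac`, with a matching check for the timestamp form. That pattern assumes garage-sign's period syntax is digits with Y/M/D suffixes, as the `1M` default in the follow-up commit suggests; confirm against its help output. IMAGE_CMD_garagesign starts and ends outside this hunk, so any validation done elsewhere in the function is not visible here.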
+++ b/classes/sota.bbclass @@ -51,6 +51,8 @@ GARAGE_SIGN_KEYNAME ?= "garage-key" GARAGE_TARGET_NAME ?= "${OSTREE_BRANCHNAME}" GARAGE_TARGET_VERSION ?= "" GARAGE_TARGET_URL ?= "" +GARAGE_TARGET_EXPIRES ?= "" +GARAGE_TARGET_EXPIRE_AFTER ?= "" GARAGE_CUSTOMIZE_TARGET ?= "" SOTA_MACHINE ??="none" -- cgit v1.2.3-54-g00ecf From 08759ff12ea7a3881870f991ffbeb416b45e2793 Mon Sep 17 00:00:00 2001 From: Patrick Vacek Date: Wed, 21 Aug 2019 09:48:35 +0200 Subject: Use a default expiry of one month if nothing is specified. This mimics the intended behavior of the default in garage-sign, but doesn't rely on the date in the unsigned targets. Signed-off-by: Patrick Vacek --- classes/image_types_ostree.bbclass | 2 ++ 1 file changed, 2 insertions(+) (limited to 'classes') diff --git a/classes/image_types_ostree.bbclass b/classes/image_types_ostree.bbclass index fd67865..795e01b 100644 --- a/classes/image_types_ostree.bbclass +++ b/classes/image_types_ostree.bbclass @@ -248,6 +248,8 @@ IMAGE_CMD_garagesign () { target_expiry="--expires ${GARAGE_TARGET_EXPIRES}" elif [ -n "${GARAGE_TARGET_EXPIRE_AFTER}" ]; then target_expiry="--expire-after ${GARAGE_TARGET_EXPIRE_AFTER}" + else + target_expiry="--expire-after 1M" fi for push_retries in $( seq 3 ); do -- cgit v1.2.3-54-g00ecf
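Review bot: The two new defaults in sota.bbclass carry no comment, so a reader of this file cannot tell that they are mutually exclusive or what an empty value means. A line above them such as `# Set at most one of these; the build aborts if both are non-empty. Values are passed to garage-sign --expires / --expire-after.` would record the contract that IMAGE_CMD_garagesign enforces.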
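Review bot: The new `else` branch signs with a hard-coded `--expire-after 1M` without logging it, so nothing in the build output shows that a one-month validity was chosen for the targets metadata. TUF clients are expected to reject targets metadata once it has expired, so an image that is not re-signed within that window would stop being offered; a line such as `bbnote "No target expiry configured; signing with --expire-after 1M"` in this branch would make the choice visible. A short comment repeating the reason given in the commit message (not relying on the date in the unsigned targets) would also help the next maintainer. The enclosing `if` chain and IMAGE_CMD_garagesign begin outside this hunk.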