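#!/usr/bin/env bash
# core_dev_sign_update: verify the GPG signatures on a downloaded release's
# artifacts, rebuild the signable update payload with delta_generator, and emit
# this developer's detached signature over the payload hash (and over the torcx
# manifest) into output_dir, for later assembly by core_sign_update.
#
# Must run inside the SDK chroot; assert_inside_chroot from common.sh enforces
# that, and common.sh also provides the shflags DEFINE_*/FLAGS helpers used below.
SCRIPT_ROOT="$(dirname "$(readlink -f "$0")")"
. "${SCRIPT_ROOT}/common.sh" || exit 1
assert_inside_chroot

DEFINE_string data_dir "" "Directory containing downloaded release artifacts"
DEFINE_string board "amd64-usr" "Board to sign artifacts for"
DEFINE_string version "" "Version to sign artifacts for"
DEFINE_integer n_signatures "2" "Number of signatures this release will be signed with"
DEFINE_string output_dir "" "Output directory"
DEFINE_string gpg_key "" "Value for '--default-key' argument to gpg --sign"

# shflags idiom: parse the flags, then reset the positional parameters to
# whatever was left over.
FLAGS "$@" || exit 1
eval set -- "${FLAGS_ARGV}"
set -e

# These three have no usable default: left empty, the paths below would resolve
# against "/" (or end in a trailing slash for version) and the script would
# fail later with a confusing gpg2/mkdir error.
if [[ -z "${FLAGS_data_dir}" || -z "${FLAGS_version}" || -z "${FLAGS_output_dir}" ]]; then
  echo "core_dev_sign_update: --data_dir, --version and --output_dir are required" >&2
  exit 1
fi

data_dir="${FLAGS_data_dir}/${FLAGS_board}/${FLAGS_version}"
output_dir="${FLAGS_output_dir}/${FLAGS_board}/${FLAGS_version}"

# Every later step reads from data_dir; check it once up front so a typo in
# --data_dir/--board/--version is reported as such.
if [[ ! -d "${data_dir}" ]]; then
  echo "core_dev_sign_update: artifact directory not found: ${data_dir}" >&2
  exit 1
fi
mkdir -p "${output_dir}"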
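# Remove the intermediates this script materialises in data_dir: the
# decompressed payload (from bunzip2 --keep), and delta_generator's payload and
# hash output. They are not kept because core_sign_update expects to unpack and
# rebuild them itself. Installed as the INT/TERM/EXIT trap, so it also runs on a
# failed run where some of these may not exist yet (hence -f). The "--" keeps a
# data_dir that happens to start with "-" from being read as an rm option.
# Reads the global data_dir.
cleanup() {
  local f
  for f in coreos_production_update.bin update update.hash; do
    rm -f -- "${data_dir}/${f}"
  done
}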
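trap cleanup INT TERM EXIT

# delta_generator needs the signature hash sizes as a colon-separated list, one
# entry per signer, to lay out the payload protobuf. core_sign_update already
# assumes sha256 everywhere, so every entry is 256.
#
# n_signatures must be at least 1: with 0 the list would be empty, and an empty
# --signature_size value would drop that argument and shift the remaining flags
# handed to delta_generator below.
if (( FLAGS_n_signatures < 1 )); then
  echo "core_dev_sign_update: --n_signatures must be >= 1 (got '${FLAGS_n_signatures}')" >&2
  exit 1
fi
signature_sizes=""
for (( i = 0; i < FLAGS_n_signatures; i++ )); do
  signature_sizes="${signature_sizes}:256"
done
signature_sizes="${signature_sizes#:}"   # drop the leading ':'

echo "=== Verifying update payload... ==="
# Detached signatures; gpg2 locates the signed file by stripping the .sig suffix.
# A failed verification aborts the script via set -e before anything is signed.
# NOTE(review): --verify only requires a good signature from some key in the
# invoking user's keyring; it does not pin a fingerprint, so this trusts the
# chroot keyring to hold only the release signing keys -- confirm that if the
# chroot is shared. The .zip is checked here but not otherwise consumed.
for sig in \
  "${data_dir}/coreos_production_update.bin.bz2.sig" \
  "${data_dir}/coreos_production_image.vmlinuz.sig" \
  "${data_dir}/coreos_production_update.zip.sig"; do
  gpg2 --verify "${sig}"
done

echo "=== Decompressing update payload... ==="
# --keep leaves the verified .bz2 untouched; the .bin it writes is removed by cleanup.
bunzip2 --keep "${data_dir}/coreos_production_update.bin.bz2"

echo "=== Creating signable update payload... ==="
# First pass builds the update payload from the image and kernel; second pass
# emits the hash that is actually signed, sized for n_signatures signers.
delta_generator \
  -new_image "${data_dir}/coreos_production_update.bin" \
  -new_kernel "${data_dir}/coreos_production_image.vmlinuz" \
  -out_file "${data_dir}/update"
delta_generator \
  --signature_size "${signature_sizes}" \
  --in_file "${data_dir}/update" \
  --out_hash_file "${data_dir}/update.hash"

# Both detached signatures use the same key selection: gpg's default key unless
# --gpg_key was given, in which case it is passed as --local-user.
gpg_sign=(gpg2)
if [[ -n "${FLAGS_gpg_key}" ]]; then
  gpg_sign+=(--local-user "${FLAGS_gpg_key}")
fi
signer="$(whoami)"   # output files are suffixed with the signer's username

echo "=== Signing update payload... ==="
"${gpg_sign[@]}" \
  --output "${output_dir}/update.sig.${signer}" \
  --armor --detach-sign "${data_dir}/update.hash"
echo "=== Update payload signed successfully. ==="

echo "=== Verifying torcx manifest... ==="
gpg2 --verify "${data_dir}/torcx_manifest.json.sig"
echo "=== Signing torcx manifest... ==="
"${gpg_sign[@]}" \
  --output "${output_dir}/torcx_manifest.json.sig.${signer}" \
  --detach-sign --armor "${data_dir}/torcx_manifest.json"
echo "=== Torcx manifest signed successfully. ==="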