[gnome-build-meta/valentindavid/eos-installer: 5/12] Add developer script to sign bootable image for eos-installer
- From: Valentin David <valentindavid src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-build-meta/valentindavid/eos-installer: 5/12] Add developer script to sign bootable image for eos-installer
- Date: Wed, 26 Feb 2020 21:14:51 +0000 (UTC)
commit 9a6a7b1efc90994049d9bf560d403c96edfd7b69
Author: Valentin David <valentin david codethink co uk>
Date: Wed Feb 26 11:39:18 2020 +0100
Add developer script to sign bootable image for eos-installer
Image must be signed to be accepted by eos-installer.
The signing has to be done outside of BuildStream as long as
BuildStream does not provide support for GPG socket. If someone wants
to sign with a hardware key for example, BuildStream cannot provide
that support inside the sandbox.
elements/iso/image-signature.bst | 5 +++++
elements/iso/public-key.bst | 31 +++++++++++++++++++++++++++++++
elements/iso/verify-signature.bst | 34 ++++++++++++++++++++++++++++++++++
project.conf | 4 ++++
utils/sign-image.sh | 28 ++++++++++++++++++++++++++++
5 files changed, 102 insertions(+)
---
diff --git a/elements/iso/image-signature.bst b/elements/iso/image-signature.bst
new file mode 100644
index 00000000..2b77979d
--- /dev/null
+++ b/elements/iso/image-signature.bst
@@ -0,0 +1,5 @@
+kind: import
+
+sources:
+- kind: local
+ path: image-signatures
diff --git a/elements/iso/public-key.bst b/elements/iso/public-key.bst
new file mode 100644
index 00000000..7e30f68a
--- /dev/null
+++ b/elements/iso/public-key.bst
@@ -0,0 +1,31 @@
+kind: manual
+
+build-depends:
+- freedesktop-sdk.bst:components/gnupg.bst
+
+config:
+ build-commands:
+ - gpg --no-default-keyring --keyring ./eos-image-keyring.gpg --import *.gpg
+ - |
+ for key in $(gpg --list-keys --with-colons \
+ | grep "^fpr:" | cut -d: -f10); do
+ gpg --command-fd 0 \
+ --no-default-keyring \
+ --keyring ./eos-image-keyring.gpg \
+ --edit-key "${key}" \
+ trust <<EOF
+ 4
+ y
+ EOF
+ done
+
+ install-commands:
+ - install -Dm644 -t "%{install-root}%{datadir}/keyrings" eos-image-keyring.gpg
+
+sources:
+- kind: local
+ (?):
+ - not signed:
+ path: public-key.gpg
+ - signed:
+ path: files/vm/gnome.gpg
diff --git a/elements/iso/verify-signature.bst b/elements/iso/verify-signature.bst
new file mode 100644
index 00000000..4cc15e95
--- /dev/null
+++ b/elements/iso/verify-signature.bst
@@ -0,0 +1,34 @@
+kind: script
+
+build-depends:
+- iso/xz-image.bst
+- iso/image-signature.bst
+- iso/public-key.bst
+- freedesktop-sdk.bst:components/gnupg.bst
+
+config:
+ layout:
+ - element: components/gnupg.bst
+ destination: /
+ - element: iso/public-key.bst
+ destination: /
+ - element: iso/xz-image.bst
+ destination: /eosimages
+ - element: iso/image-signature.bst
+ destination: /eosimages
+
+ commands:
+ # We need to verify we imported the public key for the signed image.
+ - |
+ for image in /eosimages/*; do
+ case "${image}" in
+ *.asc)
+ ;;
+ *)
+ gpg --no-default-keyring \
+ --trust-model always \
+ --keyring "%{datadir}/keyrings/eos-image-keyring.gpg" \
+ --verify "${image}".asc
+ ;;
+ esac
+ done
diff --git a/project.conf b/project.conf
index 7479ef91..55c03832 100644
--- a/project.conf
+++ b/project.conf
@@ -32,6 +32,10 @@ options:
- i686
- x86_64
+ signed:
+ type: bool
+ description: Whether the image should be signed for the installer.
+ default: false
# Source aliases.
#
diff --git a/utils/sign-image.sh b/utils/sign-image.sh
new file mode 100755
index 00000000..ee509704
--- /dev/null
+++ b/utils/sign-image.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -eu
+
+utils/ensure-local-key.sh
+gpg --homedir=ostree-gpg --export --armor >public-key.gpg
+
+: ${BST:=bst}
+
+${BST} build iso/xz-image.bst
+
+checkout="$(mktemp --suffix="-update-repo" -d -p .)"
+
+on_exit() {
+ rm -rf "${checkout}"
+}
+trap on_exit EXIT
+
+${BST} checkout iso/xz-image.bst --hardlinks "${checkout}"
+
+[ -d image-signatures ] || mkdir image-signatures
+rm -f image-signatures/*.asc
+
+for img in "${checkout}"/*.img.xz; do
+ gpg --batch --yes --homedir=ostree-gpg -sbao \
+ "image-signatures/$(basename "${img}.asc")" "${img}"
+done
+gpg --homedir=ostree-gpg --export --armor >public-key.gpg
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]