[gnome-build-meta/valentindavid/eos-installer: 9/17] Add developer script to sign bootable image for eos-installer
- From: Valentin David <valentindavid src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-build-meta/valentindavid/eos-installer: 9/17] Add developer script to sign bootable image for eos-installer
- Date: Tue, 10 Mar 2020 19:37:10 +0000 (UTC)
commit a4a530780777fd0baa86c8263b80d792b0bb5ca2
Author: Valentin David <valentin david codethink co uk>
Date: Wed Feb 26 11:39:18 2020 +0100
Add developer script to sign bootable image for eos-installer
Image must be signed to be accepted by eos-installer.
The signing has to be done outside of BuildStream as long as
BuildStream does not support forwarding a GPG agent socket into the
build sandbox. If someone wants to sign with a hardware key, for
example, BuildStream cannot provide that support inside the sandbox.
elements/iso/image-signature.bst | 5 +++++
elements/iso/public-key.bst | 31 +++++++++++++++++++++++++++++++
elements/iso/verify-signature.bst | 34 ++++++++++++++++++++++++++++++++++
project.conf | 4 ++++
utils/sign-image.sh | 28 ++++++++++++++++++++++++++++
5 files changed, 102 insertions(+)
---
diff --git a/elements/iso/image-signature.bst b/elements/iso/image-signature.bst
new file mode 100644
index 00000000..2b77979d
--- /dev/null
+++ b/elements/iso/image-signature.bst
@@ -0,0 +1,5 @@
+kind: import
+
+sources:
+- kind: local
+ path: image-signatures
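Review bot: The `image-signatures` directory staged by this import element is produced by `utils/sign-image.sh` (it creates the directory and writes one `.asc` per image), so a build that has not run that script presumably fails at source staging with no hint of why. A comment on the element would save the next developer a search, e.g. `# Detached signatures for iso/xz-image.bst, produced by utils/sign-image.sh and checked by iso/verify-signature.bst.`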
diff --git a/elements/iso/public-key.bst b/elements/iso/public-key.bst
new file mode 100644
index 00000000..7e30f68a
--- /dev/null
+++ b/elements/iso/public-key.bst
@@ -0,0 +1,31 @@
+kind: manual
+
+build-depends:
+- freedesktop-sdk.bst:components/gnupg.bst
+
+config:
+ build-commands:
+ - gpg --no-default-keyring --keyring ./eos-image-keyring.gpg --import *.gpg
+ - |
+ for key in $(gpg --list-keys --with-colons \
+ | grep "^fpr:" | cut -d: -f10); do
+ gpg --command-fd 0 \
+ --no-default-keyring \
+ --keyring ./eos-image-keyring.gpg \
+ --edit-key "${key}" \
+ trust <<EOF
+ 4
+ y
+ EOF
+ done
+
+ install-commands:
+ - install -Dm644 -t "%{install-root}%{datadir}/keyrings" eos-image-keyring.gpg
+
+sources:
+- kind: local
+ (?):
+ - not signed:
+ path: public-key.gpg
+ - signed:
+ path: files/vm/gnome.gpg
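Review bot: The `gpg --list-keys --with-colons` call that feeds the trust loop does not point at `./eos-image-keyring.gpg`, so it lists the default keyring, which in the build sandbox is presumably empty, and the `edit-key trust` step never runs on the imported keys. It should use the same keyring flags as the import: `for key in $(gpg --no-default-keyring --keyring ./eos-image-keyring.gpg --list-keys --with-colons \`. Note also that `iso/verify-signature.bst` verifies with `--trust-model always`, which ignores owner trust entirely, so either the trust loop is dead weight or the verify step should drop `--trust-model always` and rely on the trust set here; keeping both hides which one actually gates acceptance. Worth a comment on the `(?):` conditional too, since with the default `signed: false` the keyring is built from a developer-generated `public-key.gpg` rather than the release key.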
diff --git a/elements/iso/verify-signature.bst b/elements/iso/verify-signature.bst
new file mode 100644
index 00000000..4cc15e95
--- /dev/null
+++ b/elements/iso/verify-signature.bst
@@ -0,0 +1,34 @@
+kind: script
+
+build-depends:
+- iso/xz-image.bst
+- iso/image-signature.bst
+- iso/public-key.bst
+- freedesktop-sdk.bst:components/gnupg.bst
+
+config:
+ layout:
+ - element: components/gnupg.bst
+ destination: /
+ - element: iso/public-key.bst
+ destination: /
+ - element: iso/xz-image.bst
+ destination: /eosimages
+ - element: iso/image-signature.bst
+ destination: /eosimages
+
+ commands:
+ # We need to verify we imported the public key for the signed image.
+ - |
+ for image in /eosimages/*; do
+ case "${image}" in
+ *.asc)
+ ;;
+ *)
+ gpg --no-default-keyring \
+ --trust-model always \
+ --keyring "%{datadir}/keyrings/eos-image-keyring.gpg" \
+ --verify "${image}".asc
+ ;;
+ esac
+ done
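Review bot: `gpg --verify "${image}".asc` leaves gpg to guess the signed data file by stripping the `.asc` suffix; passing it explicitly avoids that inference and makes the pairing obvious: `--verify "${image}.asc" "${image}"`. With `--trust-model always` any key present in the keyring is accepted, so the security of this check rests entirely on `iso/public-key.bst` importing only the intended release key; a comment stating that assumption next to `--trust-model always` would help. As far as I recall gpg also exits 0 for a good signature from an expired key (it only warns), so if key expiry matters here consider `--status-fd 1` and checking for `VALIDSIG` rather than relying on the exit code alone.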
diff --git a/project.conf b/project.conf
index 7479ef91..55c03832 100644
--- a/project.conf
+++ b/project.conf
@@ -32,6 +32,10 @@ options:
- i686
- x86_64
+ signed:
+ type: bool
+ description: Whether the image should be signed for the installer.
+ default: false
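Review bot: The description `Whether the image should be signed for the installer.` does not match what the option controls: in this commit the image is always signed and always verified, and `signed` only selects which public key `iso/public-key.bst` bakes into the keyring (`files/vm/gnome.gpg` versus the developer's `public-key.gpg`). A description that says so would prevent someone from reading `signed: false` as "skip signing", e.g. `description: Trust the release key (files/vm/gnome.gpg) instead of the locally exported developer key (public-key.gpg) when verifying the image.`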
# Source aliases.
#
diff --git a/utils/sign-image.sh b/utils/sign-image.sh
new file mode 100755
index 00000000..ee509704
--- /dev/null
+++ b/utils/sign-image.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -eu
+
+utils/ensure-local-key.sh
+gpg --homedir=ostree-gpg --export --armor >public-key.gpg
+
+: ${BST:=bst}
+
+${BST} build iso/xz-image.bst
+
+checkout="$(mktemp --suffix="-update-repo" -d -p .)"
+
+on_exit() {
+ rm -rf "${checkout}"
+}
+trap on_exit EXIT
+
+${BST} checkout iso/xz-image.bst --hardlinks "${checkout}"
+
+[ -d image-signatures ] || mkdir image-signatures
+rm -f image-signatures/*.asc
+
+for img in "${checkout}"/*.img.xz; do
+ gpg --batch --yes --homedir=ostree-gpg -sbao \
+ "image-signatures/$(basename "${img}.asc")" "${img}"
+done
+gpg --homedir=ostree-gpg --export --armor >public-key.gpg
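Review bot: `gpg --homedir=ostree-gpg --export --armor` with no key argument exports every public key in that homedir, not just the one used for signing, and whatever ends up in `public-key.gpg` is imported wholesale by `iso/public-key.bst` and accepted by the verifier; exporting by fingerprint would keep the trusted set to the signing key, e.g. `gpg --homedir=ostree-gpg --export --armor "${SIGNING_KEY}" >public-key.gpg` if `utils/ensure-local-key.sh` can expose that fingerprint. The same export is run twice, once before the build and again at the end, so the trailing line is redundant and can be dropped. The `--suffix="-update-repo"` on the `mktemp` call looks copied from another script and is misleading for an image-signing checkout; `-sign-image` would be clearer.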