cleanup signing scripts

the scripts contained hardcoded references to resources that are not visible outside of the environment where the scripts were originally created and used The scripts sign-rpms was also updated with the original version that was intended to be submitted. The initial submission contained the wrong version. Closes-Bug: #1791343 Change-Id: I8ce5884ad75156d3730cf30a451051d32445e136 Signed-off-by: Paul-Emile Element <Paul-Emile.Element@windriver.com>
2018-09-07 13:09:07 -04:00 · 2018-09-07 13:09:07 -04:00 · 2f9d9a5672
parent d05c4c3d31
commit 2f9d9a5672
4 changed files with 167 additions and 138 deletions
--- a/build-tools/sign-rpms
+++ b/build-tools/sign-rpms
@ -23,43 +23,43 @@ export MOCK=/usr/bin/mock
 # check input variables
 function check_vars {
-   # need access to repo, which should normally be defined as MY_REPO in the env
+    # need access to repo, which should normally be defined as MY_REPO in the env
-   if [ ! -z "$MY_REPO" ] && [ -d "$MY_REPO" ] ; then
+    if [ ! -z "$MY_REPO" ] && [ -d "$MY_REPO" ] ; then
-      INTERNAL_REPO_ROOT=$MY_REPO
+        INTERNAL_REPO_ROOT=$MY_REPO
-   fi
+    fi
-   if [ -z "$INTERNAL_REPO_ROOT" ] ; then
+    if [ -z "$INTERNAL_REPO_ROOT" ] ; then
-      printf "  unable to use \$MY_REPO (value \"$MY_REPO\")\n"
+        printf "  unable to use \$MY_REPO (value \"$MY_REPO\")\n"
-      printf "  -- checking \$MY_REPO_ROOT_DIR (value \"$MY_REPO_ROOT_DIR\")\n"
+        printf "  -- checking \$MY_REPO_ROOT_DIR (value \"$MY_REPO_ROOT_DIR\")\n"
-      if [ ! -z "$MY_REPO_ROOT_DIR" ] && [ -d "$MY_REPO_ROOT_DIR/cgcs-root" ] ; then
+        if [ ! -z "$MY_REPO_ROOT_DIR" ] && [ -d "$MY_REPO_ROOT_DIR/cgcs-root" ] ; then
-          INTERNAL_REPO_ROOT=$MY_REPO_ROOT_DIR/cgcs-root
+            INTERNAL_REPO_ROOT=$MY_REPO_ROOT_DIR/cgcs-root
-          printf "  Found!\n"
+            printf "  Found!\n"
-      fi
+        fi
-   fi
+    fi
-   if [ -z "$INTERNAL_REPO_ROOT" ] ; then
+    if [ -z "$INTERNAL_REPO_ROOT" ] ; then
-      printf "  No joy -- checking for \$MY_WORKSPACE/cgcs-root\n"
+        printf "  No joy -- checking for \$MY_WORKSPACE/cgcs-root\n"
-      if [ -d "$MY_WORKSPACE/cgcs-root" ] ; then
+        if [ -d "$MY_WORKSPACE/cgcs-root" ] ; then
-          INTERNAL_REPO_ROOT=$MY_WORKSPACE/cgcs-root
+            INTERNAL_REPO_ROOT=$MY_WORKSPACE/cgcs-root
-          printf "  Found!\n"
+            printf "  Found!\n"
-      fi
+        fi
-   fi
+    fi
-   if [ -z "$INTERNAL_REPO_ROOT" ] ; then
+    if [ -z "$INTERNAL_REPO_ROOT" ] ; then
-      printf "  Error -- could not locate cgcs-root repo.\n"
+        printf "  Error -- could not locate cgcs-root repo.\n"
-      exit 1
+        exit 1
-   fi
+    fi
-   if [ -z "$MY_BUILD_ENVIRONMENT" ] ; then
+    if [ -z "$MY_BUILD_ENVIRONMENT" ] ; then
-      printf "  Error -- missing environment variable MY_BUILD_ENVIRONMENT"
+        printf "  Error -- missing environment variable MY_BUILD_ENVIRONMENT"
-      exit 1
+        exit 1
-   fi
+    fi
-   if [ -z "$MY_BUILD_DIR" ] ; then
+    if [ -z "$MY_BUILD_DIR" ] ; then
-      printf "  Error -- missing environment variable MY_BUILD_DIR"
+        printf "  Error -- missing environment variable MY_BUILD_DIR"
-      exit 1
+        exit 1
-   fi
+    fi
 }
@ -73,119 +73,155 @@ function check_vars {
 # This process is using mock because the build servers do not have the same rpm / rpmsign version
 #
 function _local_cleanup {
    printf "Cleaning mock environment\n"
    $MOCK -q -r $_MOCK_CFG --scrub=all
 }
 function __local_trapdoor {
    printf "caught signal while attempting to sign files. Cleaning up."
    _local_cleanup
    exit 1
 }
 function sign_packages {
-   OLD_PWD=$PWD
+    OLD_PWD=$PWD
-   _MOCK_PKG_DIR=/mnt/Packages
+    _MOCK_PKG_DIR=/mnt/Packages
-   _IMA_PRIV_KEY=ima_signing_key.priv
+    _IMA_PRIV_KEY=ima_signing_key.priv
-   _KEY_DIR=$MY_REPO/build-tools/signing
+    _KEY_DIR=$MY_REPO/build-tools/signing
-   _MOCK_KEY_DIR=/mnt/keys
+    _MOCK_KEY_DIR=/mnt/keys
-   _SIGN_MAKEFILE=_sign_pkgs.mk
+    _SIGN_MAKEFILE=_sign_pkgs.mk
-   _MK_DIR=$MY_REPO/build-tools/mk
+    _MK_DIR=$MY_REPO/build-tools/mk
-   _MOCK_MK_DIR=/mnt/mk
+    _MOCK_MK_DIR=/mnt/mk
-   # mock confgiuration file
+    # mock confgiuration file
-   _MOCK_CFG=$MY_BUILD_DIR/${MY_BUILD_ENVIRONMENT}-sign.cfg
+    _MOCK_CFG=$MY_BUILD_DIR/${MY_BUILD_ENVIRONMENT}-sign.cfg
-   # recreate configuration file 
+    # recreate configuration file 
-   rm $_MOCK_CFG
+    rm $_MOCK_CFG
-   export BUILD_TYPE=std
+    export BUILD_TYPE=std
-   export MY_BUILD_DIR_TOP=$MY_BUILD_DIR
+    export MY_BUILD_DIR_TOP=$MY_BUILD_DIR
-   modify-build-cfg $_MOCK_CFG
+    modify-build-cfg $_MOCK_CFG
-   #  and customize
+    #  and customize
-   echo "config_opts['chroot_setup_cmd'] = 'install shadow-utils make rpm-sign'" >> $_MOCK_CFG
+    echo "config_opts['chroot_setup_cmd'] = 'install shadow-utils make rpm-sign'" >> $_MOCK_CFG
-   echo "config_opts['root'] = 'mock-sign'" >> $_MOCK_CFG
+    echo "config_opts['root'] = 'mock-sign'" >> $_MOCK_CFG
-   echo "config_opts['basedir'] = '${MY_WORKSPACE}'" >> $_MOCK_CFG
+    echo "config_opts['basedir'] = '${MY_WORKSPACE}'" >> $_MOCK_CFG
-   echo "config_opts['cache_topdir'] = '${MY_WORKSPACE}/mock-cache'" >> $_MOCK_CFG
+    echo "config_opts['cache_topdir'] = '${MY_WORKSPACE}/mock-cache'" >> $_MOCK_CFG
-   echo "Signing packages in $_PKG_DIR with $NPROCS threads"
+    echo "Signing packages in $_PKG_DIR with $NPROCS threads"
-   echo "using development key $_KEY_DIR/$_IMA_PRIV_KEY"
+    echo "using development key $_KEY_DIR/$_IMA_PRIV_KEY"
-   printf "Initializing mock environment\n"
+    printf "Initializing mock environment\n"
-   # invoke make in mock to sign packages.
+    trap __local_trapdoor SIGHUP SIGINT SIGABRT SIGTERM
   # this call will also create and initialize the mock env
   eval $MOCK -q -r $_MOCK_CFG \'--plugin-option=bind_mount:dirs=[\(\"$_PKG_DIR\", \"$_MOCK_PKG_DIR\"\),\(\"$_MK_DIR\",\"$_MOCK_MK_DIR\"\),\(\"$_KEY_DIR\",\"$_MOCK_KEY_DIR\"\)]\' --shell \"cd $_MOCK_PKG_DIR\; make -j $NPROCS -f $_MOCK_MK_DIR/$_SIGN_MAKEFILE KEY=$_MOCK_KEY_DIR/$_IMA_PRIV_KEY\"
-   retval=$?
+    # invoke make in mock to sign packages.
    # this call will also create and initialize the mock env
    eval $MOCK -q -r $_MOCK_CFG \'--plugin-option=bind_mount:dirs=[\(\"$_PKG_DIR\", \"$_MOCK_PKG_DIR\"\),\(\"$_MK_DIR\",\"$_MOCK_MK_DIR\"\),\(\"$_KEY_DIR\",\"$_MOCK_KEY_DIR\"\)]\' --shell \"cd $_MOCK_PKG_DIR\; make -j $NPROCS -f $_MOCK_MK_DIR/$_SIGN_MAKEFILE KEY=$_MOCK_KEY_DIR/$_IMA_PRIV_KEY\"
-   printf "Cleaning mock environment\n"
+    retval=$?
   $MOCK -q -r $_MOCK_CFG --scrub=all
-   if [ $retval -ne 0 ] ; then
+    trap - SIGHUP SIGINT SIGABRT SIGTERM
      echo "failed to add file signatures to RPMs in mock environment."
      return $retval
   fi
-   cd $OLD_PWD
+    _local_cleanup
    if [ $retval -ne 0 ] ; then
        echo "failed to add file signatures to RPMs in mock environment."
        return $retval
    fi
    cd $OLD_PWD
 }
 function _copy_and_sign {
-   # upload rpms to server
+    # upload rpms to server
-   scp $_PKG_DIR/*.rpm $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR
+    scp $_PKG_DIR/*.rpm $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR
-   retval=$?
+    retval=$?
-   if [ $retval -ne 0 ] ; then
+    if [ $retval -ne 0 ] ; then
-      echo "ERROR: failed to copy RPM files to signing server."
+        echo "ERROR: failed to copy RPM files to signing server."
-      return $retval
+        return $retval
-   fi
+    fi
-   # get server to sign packages.
+    # get server to sign packages.
-   ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -s -d $sub
+    ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -s -d $sub
-   retval=$?
+    retval=$?
-   if [ $retval -ne 0 ] ; then
+    if [ $retval -ne 0 ] ; then
-      echo "ERROR: failed to sign RPM files."
+        echo "ERROR: failed to sign RPM files."
-      return $retval
+        return $retval
-   fi
+    fi
-   # download results back. This overwrites the original files.
+    # download results back. This overwrites the original files.
-   scp $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR/*.rpm $_PKG_DIR
+    scp $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR/*.rpm $_PKG_DIR
-   retval=$?
+    retval=$?
-   if [ $retval -ne 0 ] ; then
+    if [ $retval -ne 0 ] ; then
-      echo "ERROR: failed to copy signed RPM files back from signing server."
+        echo "ERROR: failed to copy signed RPM files back from signing server."
-      return $retval
+        return $retval
-   fi
+    fi
-   return $retval
+    return $retval
 }
 function _server_cleanup {
    # cleanup
    ssh $SIGNING_USER@$SIGNING_SERVER rm $_UPLOAD_DIR/*.rpm
    if [ $? -ne 0 ] ; then
        echo "Warning : failed to remove rpms from temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}."
    fi
    ssh $SIGNING_USER@$SIGNING_SERVER rmdir $_UPLOAD_DIR
    if [ $? -ne 0 ] ; then
        echo "Warning : failed to remove temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}."
    fi
 }
 function __server_trapdoor {
    printf "caught signal while attempting to sign files. Cleaning up."
    _server_cleanup
    exit 1
 }
 function sign_packages_on_server {
-   retval=0
+    retval=0
-   # obtain temporary diretory to upload RPMs on signing server
+    # obtain temporary diretory to upload RPMs on signing server
-   _UPLOAD_DIR=`ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -r`
+    _UPLOAD_DIR=`ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -r`
-   retval=$?
+    retval=$?
-   if [ $retval -ne 0 ] ; then
+    if [ $retval -ne 0 ] ; then
-      echo "failed to obtain upload directory from signing server."
+        echo "failed to obtain upload directory from signing server."
-      return $retval
+        return $retval
-   fi
+    fi
-   # extract base chroot dir and rpm dir within chroot
+    # extract base chroot dir and rpm dir within chroot
-   read base com sub <<< $_UPLOAD_DIR
+    read base com sub <<< $_UPLOAD_DIR
-   # this is the upload temp dir, outside of chroot env
+    # this is the upload temp dir, outside of chroot env
-   _UPLOAD_DIR=$base$sub
+    _UPLOAD_DIR=$base$sub
-   _copy_and_sign
+    trap __server_trapdoor SIGHUP SIGINT SIGABRT SIGTERM
   retval=$?
-   # cleanup
+    _copy_and_sign
-   ssh $SIGNING_USER@$SIGNING_SERVER rm $_UPLOAD_DIR/*.rpm
+    retval=$?
   if [ $? -ne 0 ] ; then
      echo "Warning : failed to remove rpms from temporary upload directory."
   fi
   ssh $SIGNING_USER@$SIGNING_SERVER rmdir $_UPLOAD_DIR
   if [ $? -ne 0 ] ; then
      echo "Warning : failed to remove temporary upload directory."
   fi
-   return $retval
+    trap - SIGHUP SIGINT SIGABRT SIGTERM
    _server_cleanup
    return $retval
 }
@ -196,9 +232,6 @@ function sign_packages_on_server {
 # Check args
 HELP=0
 SIGNING_SERVER=yow-tiks01
 SIGNING_USER=signing
 SIGNING_SERVER_SCRIPT=/opt/signing/sign_rpms_18.03.sh
 # return value
 retval=0
@ -206,8 +239,8 @@ retval=0
 # read the options
 TEMP=`getopt -o hd: --long help,pkg-dir: -n 'test.sh' -- "$@"`
 if [ $? -ne 0 ] ; then
-   echo "Invalid parameters - exiting"
+    echo "Invalid parameters - exiting"
-   exit 1
+    exit 1
 fi
 eval set -- "$TEMP"
@ -223,21 +256,21 @@ while true ; do
 done
 if [ $HELP -eq 1 ]; then
-   usage
+    usage
-   exit 0
+    exit 0
 fi
 # package directory must be defined
 if [ -z "$_PKG_DIR" ]; then
-   echo "Need package directory. Use -d/--pkg-dir option"
+    echo "Need package directory. Use -d/--pkg-dir option"
-   usage
+    usage
-   exit 1
+    exit 1
 fi
 # ... and must exist
 if [ ! -d "$_PKG_DIR" ]; then
-   echo "Package directory $_PKG_DIR does not exist"
+    echo "Package directory $_PKG_DIR does not exist"
-   exit 1
+    exit 1
 fi
 # Init variables
--- a/build-tools/sign-secure-boot
+++ b/build-tools/sign-secure-boot
@ -454,8 +454,6 @@ if [ "x$MY_WORKSPACE" == "x" ]; then
 fi
 ARCH="x86_64"
 SIGNING_SERVER=yow-tiks01
 SIGNING_USER=signing
 SIGNING_SCRIPT=/opt/signing/sign.sh
 UPLOAD_PATH=`ssh $SIGNING_USER@$SIGNING_SERVER sudo $SIGNING_SCRIPT -r`
 SIGNED_PKG_DB=${MY_WORKSPACE}/signed_pkg_list.txt
--- a/build-tools/sign_iso_formal.sh
+++ b/build-tools/sign_iso_formal.sh
@ -16,7 +16,6 @@ ISO_FILE_PATH=$1
 ISO_FILE_NAME=$(basename ${ISO_FILE_PATH})
 ISO_FILE_ROOT=$(dirname ${ISO_FILE_PATH})
 ISO_FILE_NOEXT="${ISO_FILE_NAME%.*}"
 SIGNING_SERVER="signing@yow-tiks01"
 GET_UPLOAD_PATH="sudo /opt/signing/sign.sh -r"
 REQUEST_SIGN="sudo /opt/signing/sign_iso.sh"
 SIGNATURE_FILE="$ISO_FILE_NOEXT.sig"
@ -24,7 +23,7 @@ SIGNATURE_FILE="$ISO_FILE_NOEXT.sig"
 # Make a request for an upload path
 # Output is a path where we can upload stuff, of the form
 # "Upload: /tmp/sign_upload.5jR11pS0"
-UPLOAD_PATH=`ssh ${SIGNING_SERVER} ${GET_UPLOAD_PATH}`
+UPLOAD_PATH=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${GET_UPLOAD_PATH}`
 if [ $? -ne 0 ]; then
    echo "Could not get upload path.  Do you have permissions on the signing server?"
    exit 1
@ -32,7 +31,7 @@ fi
 UPLOAD_PATH=`echo ${UPLOAD_PATH} | cut -d ' ' -f 2`
 echo "Uploading file"
-scp -q ${ISO_FILE_PATH} ${SIGNING_SERVER}:${UPLOAD_PATH}
+scp -q ${ISO_FILE_PATH} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH}
 if [ $? -ne 0 ]; then
    echo "Could not upload ISO"
    exit 1
@ -41,22 +40,22 @@ echo "File uploaded to signing server -- signing"
 # Make the signing request.
 # Output is path of detached signature
-RESULT=`ssh ${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${ISO_FILE_NAME}`
+RESULT=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${ISO_FILE_NAME}`
 if [ $? -ne 0 ]; then
    echo "Could not perform signing -- output $RESULT"
-    ssh ${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
+    ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
    exit 1
 fi
 echo "Signing complete.  Downloading detached signature"
-scp -q ${SIGNING_SERVER}:${RESULT} ${ISO_FILE_ROOT}/${SIGNATURE_FILE}
+scp -q ${SIGNING_USER}@${SIGNING_SERVER}:${RESULT} ${ISO_FILE_ROOT}/${SIGNATURE_FILE}
 if [ $? -ne 0 ]; then
    echo "Could not download newly signed file"
-    ssh ${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
+    ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
    exit 1
 fi
 # Clean up (ISOs are big)
-ssh ${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
+ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
 echo "${ISO_FILE_ROOT}/${SIGNATURE_FILE} detached signature"
--- a/build-tools/sign_patch_formal.sh
+++ b/build-tools/sign_patch_formal.sh
@ -13,21 +13,20 @@ fi
 PATCH_FILE_PATH=$1
 PATCH_FILE_NAME=$(basename ${PATCH_FILE_PATH})
 SIGNING_SERVER="signing@yow-tiks01"
 GET_UPLOAD_PATH="sudo /opt/signing/sign.sh -r"
 REQUEST_SIGN="sudo /opt/signing/sign_patch.sh"
 # Make a request for an upload path
 # Output is a path where we can upload stuff, of the form
 # "Upload: /tmp/sign_upload.5jR11pS0"
-UPLOAD_PATH=`ssh ${SIGNING_SERVER} ${GET_UPLOAD_PATH}`
+UPLOAD_PATH=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${GET_UPLOAD_PATH}`
 if [ $? -ne 0 ]; then
    echo "Could not get upload path.  Do you have permissions on the signing server?"
    exit 1
 fi
 UPLOAD_PATH=`echo ${UPLOAD_PATH} | cut -d ' ' -f 2`
-scp -q ${PATCH_FILE_PATH} ${SIGNING_SERVER}:${UPLOAD_PATH}
+scp -q ${PATCH_FILE_PATH} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH}
 if [ $? -ne 0 ]; then
    echo "Could upload patch"
    exit 1
@ -36,14 +35,14 @@ echo "File uploaded to signing server"
 # Make the signing request.
 # Output is path of newly signed file
-RESULT=`ssh ${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${PATCH_FILE_NAME}`
+RESULT=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${PATCH_FILE_NAME}`
 if [ $? -ne 0 ]; then
    echo "Could not perform signing -- output $RESULT"
    exit 1
 fi
 echo "Signing complete.  Downloading"
-scp -q ${SIGNING_SERVER}:${RESULT} ${PATCH_FILE_PATH}
+scp -q ${SIGNING_USER}@${SIGNING_SERVER}:${RESULT} ${PATCH_FILE_PATH}
 if [ $? -ne 0 ]; then
    echo "Could not download newly signed file"
    exit 1