[buildbot] add APK signing logic
LEDE Commits
lede-commits at lists.infradead.org
Tue Sep 10 12:10:51 PDT 2024
ynezz pushed a commit to buildbot.git, branch main:
https://git.openwrt.org/a94d4e15fdc1e9715d7d0cfdcc62227186d0fc45
commit a94d4e15fdc1e9715d7d0cfdcc62227186d0fc45
Author: Paul Spooren <mail at aparcar.org>
AuthorDate: Tue Aug 6 18:03:21 2024 +0200
add APK signing logic
With this commit it's possible to sign APK package indexes
(packages.adb) via the `signall.sh` script, which is run on the
buildmaster. As a consequence `apk` must be available on the
buildmaster. This is the final step to replace OPKG with APK.
Signed-off-by: Paul Spooren <mail at aparcar.org>
---
docker/config.ini | 6 ++++++
phase1/config.ini.example | 4 ++++
phase1/master.cfg | 3 ++-
phase2/config.ini.example | 7 ++++++-
phase2/master.cfg | 2 +-
scripts/signall.sh | 13 +++++++++++++
6 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/docker/config.ini b/docker/config.ini
index 6278d3d..9da83eb 100644
--- a/docker/config.ini
+++ b/docker/config.ini
@@ -131,6 +131,12 @@ comment = Example GPG key
key = RWRCSwAAAADUvtjCkFEF4bWWxpPBo9o8R5FK6Rz5aPUsaZONLu8kxIjud9Fd+Mgu7J2fFJDVyKFAXNH6pKS+AuBW3v+TQT5m1J0W/JYTjqzIrgAZhRtm5v3vSKRl3HUD2zEEbG5j3tg=
comment = Example usign key
+[apk]
+key = -----BEGIN EC PRIVATE KEY-----
+ MHcCAQEEIIP54p1G0UgCleLObh07Gxq0S0Iz22OQpkUj8S1AzXB9oAoGCCqGSM49
+ ...
+ -----END EC PRIVATE KEY-----
+
[worker 1]
phase = 1
name = buildworker-phase1
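Review bot: The new `[apk]` section has no comment saying what format `key` takes or that the value shown is a truncated placeholder, here and in the `apk_key` / `[apk]` additions to phase1/config.ini.example and phase2/config.ini.example. A comment line above `key`, using the comment character the file already uses, would cover it, for example `; EC private key in PEM form, continuation lines indented; placeholder only, replace before use`. Because this file now carries a signing key inline, a second line such as `; keep config.ini readable by the buildmaster user only` would record the handling requirement next to the secret.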
diff --git a/phase1/config.ini.example b/phase1/config.ini.example
index ced5ccb..455507e 100644
--- a/phase1/config.ini.example
+++ b/phase1/config.ini.example
@@ -36,6 +36,10 @@ gpg_passphrase = secret password
gpg_comment = Unattended build signature
usign_key = RWRCSwAAA...OihABfuLvGRVfVaJ6wLf0=
usign_comment = Unattended build signature
+apk_key = -----BEGIN EC PRIVATE KEY-----
+ MHcCAQEEIIP54p1G0UgCleLObh07Gxq0S0Iz22OQpkUj8S1AzXB9oAoGCCqGSM49
+ ...
+ -----END EC PRIVATE KEY-----
binary_url = user at example.org::upload-binary
binary_password = example
source_url = user at example.org::upload-sources
diff --git a/phase1/master.cfg b/phase1/master.cfg
index cefeaf0..3203d9d 100644
--- a/phase1/master.cfg
+++ b/phase1/master.cfg
@@ -1370,7 +1370,8 @@ def prepareFactory(target):
"find bin/targets/%(kw:target)s/%(kw:subtarget)s%(prop:libc)s/ "
"bin/targets/%(kw:target)s/%(kw:subtarget)s%(prop:libc)s/kmods/ "
"-mindepth 1 -maxdepth 2 -type f -name sha256sums -print0 -or "
- "-name Packages -print0 | xargs -0 tar -czf sign.tar.gz",
+ "-name Packages -print0 -or -name packages.adb -print0 "
+ "| xargs -0 tar -czf sign.tar.gz",
target=target,
subtarget=subtarget,
),
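Review bot: The added `-or -name packages.adb -print0` branch is not covered by `-type f`, because find's implicit "and" binds tighter than `-or`, so the type test applies only to the `sha256sums` branch. Any entry named packages.adb (or Packages) within the depth limits is passed to tar, not only regular files. Grouping the names keeps the test on every branch: `"-mindepth 1 -maxdepth 2 -type f \\( -name sha256sums -or -name Packages -or -name packages.adb \\) -print0 "`. The signpack command in phase2/master.cfg has the same shape and needs the same grouping. prepareFactory starts and ends outside this hunk.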
diff --git a/phase2/config.ini.example b/phase2/config.ini.example
index ec0e6db..eda9763 100644
--- a/phase2/config.ini.example
+++ b/phase2/config.ini.example
@@ -46,6 +46,12 @@ comment = Unattended build signature
key = RWRCSwAAA...OihABfuLvGRVfVaJ6wLf0=
comment = Unattended build signature
+[apk]
+key = -----BEGIN EC PRIVATE KEY-----
+ MHcCAQEEIIP54p1G0UgCleLObh07Gxq0S0Iz22OQpkUj8S1AzXB9oAoGCCqGSM49
+ ...
+ -----END EC PRIVATE KEY-----
+
[worker 1]
phase = 2
name = worker-example-1
@@ -57,4 +63,3 @@ phase = 2
name = worker-example-2
password = example2
builds = 3
-
diff --git a/phase2/master.cfg b/phase2/master.cfg
index c399c66..940831b 100644
--- a/phase2/master.cfg
+++ b/phase2/master.cfg
@@ -591,7 +591,7 @@ for arch in arches:
name = "signpack",
description = "Packing files to sign",
workdir = "build/sdk",
- command = "find bin/packages/%s/ -mindepth 2 -maxdepth 2 -type f -name Packages -print0 | xargs -0 tar -czf sign.tar.gz" %(arch[0]),
+ command = "find bin/packages/%s/ -mindepth 2 -maxdepth 2 -type f -name Packages -print0 -or -name packages.adb -print0 | xargs -0 tar -czf sign.tar.gz" %(arch[0]),
haltOnFailure = True
))
diff --git a/scripts/signall.sh b/scripts/signall.sh
index b06844d..c15c9f2 100755
--- a/scripts/signall.sh
+++ b/scripts/signall.sh
@@ -58,6 +58,8 @@ GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" gpg comment)"
USIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" usign key)"
USIGNCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" usign comment)"
+
+APKSIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" apk key)"
else
GPGKEY="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_key")"
GPGPASS="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_passphrase")"
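Review bot: APKSIGNKEY is used as read from config.ini with no check that it holds a complete PEM block, both here and in the branch case in the next hunk, whereas the script already inspects GPGKEY for its `BEGIN PGP PRIVATE KEY BLOCK` header. The example configs spread the key over several indented lines, so a partial read would surface only as an apk error at signing time. A guard inside the later `[ -n "$APKSIGNKEY" ]` block, before the key is written out, would catch it early: `echo "$APKSIGNKEY" | grep -q -- "-----END .*PRIVATE KEY-----" || finish <unused code>`. iniget is defined outside the hunk, so whether it joins continuation lines cannot be confirmed from here.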
@@ -65,6 +67,8 @@ GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_comment")
USIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "usign_key")"
USIGNCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "usign_comment")"
+
+APKSIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "apk_key")"
fi
if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then
@@ -101,6 +105,15 @@ if [ -n "$USIGNKEY" ]; then
signify-openbsd -S -s "$(readlink -f "$tmpdir/usign.sec")" -m "{}" \; || finish 5
fi
+if [ -n "$APKSIGNKEY" ]; then
+ umask 077
+ echo "$APKSIGNKEY" > "$tmpdir/apk.pem"
+
+ umask 022
+ find "$tmpdir/tar/" -type f -name "packages.adb" -exec \
+ "${APK_BIN:-apk}" adbsign --allow-untrusted --sign-key "$(readlink -f "$tmpdir/apk.pem")" "{}" \; || finish 6
+fi
+
tar -C "$tmpdir/tar/" -czf "$tarball" . || finish 6
finish 0
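Review bot: A failed `apk adbsign` never reaches `|| finish 6`, because find still exits 0 when a command run through `-exec … \;` fails, so an unsigned packages.adb would be packed into the tarball as if signing had succeeded. Ending the exec with `+` makes find's exit status reflect the failure: `"${APK_BIN:-apk}" adbsign --allow-untrusted --sign-key "$(readlink -f "$tmpdir/apk.pem")" {} + || finish <unused code>` (adbsign takes a list of files). Using a code other than 6 would also separate a signing failure from the tar failure on the following line, which already exits through `finish 6`; the codes used elsewhere in the script are outside this hunk. The usign line in the context above uses the same `-exec … \;` form.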