[buildbot] phase2: fix signing steps when only apk_key is defined
LEDE Commits
lede-commits at lists.infradead.org
Sat Dec 13 21:05:22 PST 2025
ynezz pushed a commit to buildbot.git, branch main:
https://git.openwrt.org/b0a3bf3f9b2acf5be391ed1d684e135f1161af19
commit b0a3bf3f9b2acf5be391ed1d684e135f1161af19
Author: Petr Štetiar <ynezz at true.cz>
AuthorDate: Sat Dec 13 08:02:33 2025 +0000
phase2: fix signing steps when only apk_key is defined
Signing steps are currently skipped if only APK signing is configured,
because phase2 effectively enables signing only when `usign` is present.
Fix this by making `IsSignEnabled` explicitly cover APK signing too.
While at it, refactor the signing checks into dedicated helper functions
`IsUsignEnabled`, `IsApkSigningEnabled`, and `IsGpgSigningEnabled`, and
use them consistently to align phase2 with the phase1 implementation.
Signed-off-by: Petr Štetiar <ynezz at true.cz>
---
phase2/master.cfg | 143 +++++++++++++++++++++++++++++++-----------------------
1 file changed, 83 insertions(+), 60 deletions(-)
diff --git a/phase2/master.cfg b/phase2/master.cfg
index 3fb117e..7af1b30 100644
--- a/phase2/master.cfg
+++ b/phase2/master.cfg
@@ -303,6 +303,22 @@ def UsignSec2Pub(seckey, comment="untrusted comment: secret key"):
def IsSharedWorkdir(step):
return bool(step.getProperty("shared_wd"))
+def IsUsignEnabled(step):
+ return ini.has_option("usign", "key")
+
+def IsApkSigningEnabled(step):
+ return ini.has_option("apk", "key")
+
+# gpg_key - contains the key in PGP format
+# gpg_keyid - contains the keyid of the key on the nk3
+def IsGpgSigningEnabled(step):
+ return ini.has_option("gpg", "key") or ini.has_option("gpg", "keyid")
+
+def IsSignEnabled(step):
+ return (
+ IsUsignEnabled(step) or IsApkSigningEnabled(step) or IsGpgSigningEnabled(step)
+ )
+
@defer.inlineCallbacks
def getNewestCompleteTime(bldr):
"""Returns the complete_at of the latest completed and not SKIPPED
@@ -485,24 +501,26 @@ for arch in arches:
command = ["make", "-f", "getversion.mk"]))
# install build key
- if usign_key is not None:
- factory.addStep(StringDownload(
- name = "dlkeybuildpub",
- s = UsignSec2Pub(usign_key, usign_comment),
- workerdest = "sdk/key-build.pub",
- mode = 0o600))
-
- factory.addStep(StringDownload(
- name = "dlkeybuild",
- s = "# fake private key",
- workerdest = "sdk/key-build",
- mode = 0o600))
-
- factory.addStep(StringDownload(
- name = "dlkeybuilducert",
- s = "# fake certificate",
- workerdest = "sdk/key-build.ucert",
- mode = 0o600))
+ factory.addStep(StringDownload(
+ name = "dlkeybuildpub",
+ s = UsignSec2Pub(usign_key, usign_comment),
+ workerdest = "sdk/key-build.pub",
+ mode = 0o600,
+ doStepIf = IsUsignEnabled))
+
+ factory.addStep(StringDownload(
+ name = "dlkeybuild",
+ s = "# fake private key",
+ workerdest = "sdk/key-build",
+ mode = 0o600,
+ doStepIf = IsUsignEnabled))
+
+ factory.addStep(StringDownload(
+ name = "dlkeybuilducert",
+ s = "# fake certificate",
+ workerdest = "sdk/key-build.ucert",
+ mode = 0o600,
+ doStepIf = IsUsignEnabled))
factory.addStep(ShellCommand(
name = "mkdldir",
@@ -579,53 +597,58 @@ for arch in arches:
haltOnFailure = True
))
- if ini.has_option("gpg", "key") or usign_key is not None:
- factory.addStep(MasterShellCommand(
- name = "signprepare",
- description = "Preparing temporary signing directory",
- command = ["mkdir", "-p", "%s/signing" %(work_dir)],
- haltOnFailure = True
- ))
+ factory.addStep(MasterShellCommand(
+ name = "signprepare",
+ description = "Preparing temporary signing directory",
+ command = ["mkdir", "-p", "%s/signing" %(work_dir)],
+ haltOnFailure = True,
+ doStepIf = IsSignEnabled
+ ))
- factory.addStep(ShellCommand(
- name = "signpack",
- description = "Packing files to sign",
- workdir = "build/sdk",
- command = "find bin/packages/%s/ -mindepth 1 -maxdepth 2 -type f " %(arch[0])
- + "-name sha256sums -print0 -or "
- + "-name Packages -print0 -or "
- + "-name packages.adb -print0 | "
- + "xargs -0 tar -czf sign.tar.gz",
- haltOnFailure = True
- ))
+ factory.addStep(ShellCommand(
+ name = "signpack",
+ description = "Packing files to sign",
+ workdir = "build/sdk",
+ command = "find bin/packages/%s/ -mindepth 1 -maxdepth 2 -type f " %(arch[0])
+ + "-name sha256sums -print0 -or "
+ + "-name Packages -print0 -or "
+ + "-name packages.adb -print0 | "
+ + "xargs -0 tar -czf sign.tar.gz",
+ haltOnFailure = True,
+ doStepIf = IsSignEnabled
+ ))
- factory.addStep(FileUpload(
- workersrc = "sdk/sign.tar.gz",
- masterdest = "%s/signing/%s.tar.gz" %(work_dir, arch[0]),
- haltOnFailure = True
- ))
+ factory.addStep(FileUpload(
+ workersrc = "sdk/sign.tar.gz",
+ masterdest = "%s/signing/%s.tar.gz" %(work_dir, arch[0]),
+ haltOnFailure = True,
+ doStepIf = IsSignEnabled
+ ))
- factory.addStep(MasterShellCommand(
- name = "signfiles",
- description = "Signing files",
- command = ["%s/signall.sh" %(scripts_dir), "%s/signing/%s.tar.gz" %(work_dir, arch[0])],
- env = { 'CONFIG_INI': os.getenv("BUILDMASTER_CONFIG", "./config.ini") },
- haltOnFailure = True
- ))
+ factory.addStep(MasterShellCommand(
+ name = "signfiles",
+ description = "Signing files",
+ command = ["%s/signall.sh" %(scripts_dir), "%s/signing/%s.tar.gz" %(work_dir, arch[0])],
+ env = { 'CONFIG_INI': os.getenv("BUILDMASTER_CONFIG", "./config.ini") },
+ haltOnFailure = True,
+ doStepIf = IsSignEnabled
+ ))
- factory.addStep(FileDownload(
- mastersrc = "%s/signing/%s.tar.gz" %(work_dir, arch[0]),
- workerdest = "sdk/sign.tar.gz",
- haltOnFailure = True
- ))
+ factory.addStep(FileDownload(
+ mastersrc = "%s/signing/%s.tar.gz" %(work_dir, arch[0]),
+ workerdest = "sdk/sign.tar.gz",
+ haltOnFailure = True,
+ doStepIf = IsSignEnabled
+ ))
- factory.addStep(ShellCommand(
- name = "signunpack",
- description = "Unpacking signed files",
- workdir = "build/sdk",
- command = ["tar", "-xzf", "sign.tar.gz"],
- haltOnFailure = True
- ))
+ factory.addStep(ShellCommand(
+ name = "signunpack",
+ description = "Unpacking signed files",
+ workdir = "build/sdk",
+ command = ["tar", "-xzf", "sign.tar.gz"],
+ haltOnFailure = True,
+ doStepIf = IsSignEnabled
+ ))
# download remote sha256sums to 'target-sha256sums'
factory.addStep(ShellCommand(
More information about the lede-commits
mailing list