Diffstat (limited to 'crtSignedContainer.sh')
-rwxr-xr-x | crtSignedContainer.sh | 179 |
1 files changed, 125 insertions, 54 deletions
diff --git a/crtSignedContainer.sh b/crtSignedContainer.sh index 26d5cfb..b176336 100755 --- a/crtSignedContainer.sh +++ b/crtSignedContainer.sh @@ -110,6 +110,26 @@ get_date_string () { } exportArchive () { + # If project basename is set, prepare the export for import to a system + # using the same project basename. + if [ "$SIGN_MODE" == "local" ] || \ + [ "$SIGN_MODE" == "independent" ] && \ + [ "$SF_HW_SIGNING_PROJECT_BASE" ] + then + cd "$T" || die "Cannot cd to $T" + for KEY in a b c; do + cp -p &>/dev/null "HW_key_$KEY.pub" \ + "project.${SF_HW_SIGNING_PROJECT_BASE}_${KEY}.HW_key_${KEY}.pub" + cp -p &>/dev/null "HW_key_$KEY.raw" \ + "project.${SF_HW_SIGNING_PROJECT_BASE}_${KEY}.HW_key_${KEY}.raw" + cp -p &>/dev/null "HW_key_$KEY.sig" \ + "project.${SF_HW_SIGNING_PROJECT_BASE}_${KEY}.HW_sig_${KEY}.sig" + cp -p &>/dev/null "HW_key_$KEY.raw" \ + "project.${SF_HW_SIGNING_PROJECT_BASE}_${KEY}.HW_sig_${KEY}.raw" + done + fi + + # Create the archive. cd "$SB_SCRATCH_DIR" || die "Cannot cd to $SB_SCRATCH_DIR" if tar -zcf "$SB_ARCHIVE_OUT" "$buildID/$LABEL/"; then echo "--> $P: Archive saved to: $SB_ARCHIVE_OUT" @@ -476,9 +496,12 @@ test "$SB_DEBUG" && SF_DEBUG_ARGS="$SF_DEBUG_ARGS -d -stdout" # # Set defaults for signframework project basenames # +if [ "$SIGN_MODE" == "production" ] +then : "${SF_HW_SIGNING_PROJECT_BASE:=sign_ecc_pwr_hw_key}" : "${SF_FW_SIGNING_PROJECT_BASE:=sign_ecc_pwr_fw_key_op_bld}" : "${SF_GETPUBKEY_PROJECT_BASE:=getpubkeyecc}" +fi # # Get the public keys @@ -497,6 +520,17 @@ then # Add to HW_KEY_ARGS HW_KEY_ARGS="$HW_KEY_ARGS -$KEY $KEYFILE" + + # Copy the pubkey to the cache. + if [ -f "$KEYFILE" ]; then + if is_private_key "$KEYFILE"; then + openssl ec -in "$KEYFILE" -pubout -out "$T/HW_key_$KEY.pub" &>/dev/null + elif is_public_key "$KEYFILE"; then + cp -p "$KEYFILE" "$T/HW_key_$KEY.pub" + elif is_raw_key "$KEYFILE"; then + cp -p "$KEYFILE" "$T/HW_key_$KEY.raw" + fi + fi done for KEY in p q r; do 
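Review bot: The fourth `cp` in the new export loop copies `HW_key_$KEY.raw` a second time, this time into the signature-named target `project.${SF_HW_SIGNING_PROJECT_BASE}_${KEY}.HW_sig_${KEY}.raw`; that name is exactly the `$SIGFILE_BASE.raw` fallback the production-mode lookup later accepts as a signature, so an importing system whose `.sig` lookup misses would feed a raw public key into HW_SIG_ARGS — this reads like a copy-paste slip and the source presumably should be the raw signature file (its local name is not visible here, confirm). Because every `cp` runs with `&>/dev/null` and its status is dropped, a missing source is never reported and the archive can silently lack keys or signatures; test the source instead of muting the error, e.g. `[ -f "HW_key_$KEY.sig" ] && cp -p "HW_key_$KEY.sig" "project.${SF_HW_SIGNING_PROJECT_BASE}_${KEY}.HW_sig_${KEY}.sig"`, or at least echo what was exported. The guard `A || B && C` is left-associative in bash, i.e. `(local || independent) && base`, which looks intended but deserves explicit `{ ...; }` grouping for readers. exportArchive's body continues past the end of the hunk.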
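Review bot: `openssl ec -in "$KEYFILE" -pubout -out "$T/HW_key_$KEY.pub" &>/dev/null` discards both the exit status and openssl's error text, so an encrypted, malformed or unexpected private key leaves no (or a truncated) `.pub` in the cache and nothing tells the operator; the run carries on with `$KEYFILE` in HW_KEY_ARGS while any later export of the cache would be missing that public key. Fail loudly instead: `openssl ec -in "$KEYFILE" -pubout -out "$T/HW_key_$KEY.pub" 2>/dev/null || die "Cannot derive public key from $KEYFILE"`, and give the two `cp -p` calls the same `|| die` treatment. The `for KEY` loop this block sits in starts before the hunk.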
@@ -526,33 +560,48 @@ then # Currently we use it only to check if __skip was specified. SF_PROJECT=${SF_HW_SIGNING_PROJECT_BASE}_${KEY} - KEYFILE=project.$SF_PROJECT.HW_key_$KEY.raw + KEYFILE_BASE=project.$SF_PROJECT.HW_key_$KEY + + KEYFOUND="" + while [ -z "$KEYFOUND" ] + do + for KEYFILE in "$KEYFILE_BASE.pub" "$KEYFILE_BASE.raw" + do + # Look for key in the component cache. + KEYFOUND=$(find "$T" -name $KEYFILE | head -1) + if [ "$KEYFOUND" ]; then + test "$SB_VERBOSE" && msg=" ($KEYFILE)" + echo "--> $P: Found key for HW key $(to_upper $KEY).${msg}" + break 2 + fi - # If no keyfile in the current dir, try to find one. If none found, try to get one. - if [ -f "$T/$KEYFILE" ] - then - echo "--> $P: Found key for HW key $(to_upper $KEY)." - else - KEYFOUND=$(find "$TOPDIR" -name $KEYFILE | head -1) + # If not in the component cache, look elsewhere in the cache. + KEYFOUND=$(find "$TOPDIR" -name $KEYFILE | head -1) + if [ "$KEYFOUND" ]; then + test "$SB_VERBOSE" && msg=" ($KEYFILE)" + echo "--> $P: Found key for HW key $(to_upper $KEY).${msg}" + cp -p "$KEYFOUND" "$T/" + break 2 + fi + done + + # No key found, request one. + KEYFILE="$KEYFILE_BASE.raw" + echo "--> $P: Requesting public key for HW key $(to_upper $KEY)..." + sf_client $SF_DEBUG_ARGS -project "$SF_GETPUBKEY_PROJECT_BASE" \ + -param "-signproject $SF_PROJECT" \ + -epwd "$SF_EPWD" -comments "Requesting $SF_PROJECT" \ + -url sftp://$SF_USER@$SF_SERVER -pkey "$SF_SSHKEY" \ + -o "$T/$KEYFILE" + rc=$? - if [ "$KEYFOUND" ] - then - echo "--> $P: Found key for HW key $(to_upper $KEY)." - cp -p "$KEYFOUND" "$T/" - else - echo "--> $P: Requesting public key for HW key $(to_upper $KEY)..." - sf_client $SF_DEBUG_ARGS -project "$SF_GETPUBKEY_PROJECT_BASE" \ - -param "-signproject $SF_PROJECT" \ - -epwd "$SF_EPWD" -comments "Requesting $SF_PROJECT" \ - -url sftp://$SF_USER@$SF_SERVER -pkey "$SF_SSHKEY" \ - -o "$T/$KEYFILE" - rc=$? 
+ test $rc -ne 0 && die "Call to sf_client failed with error: $rc" - test $rc -ne 0 && die "Call to sf_client failed with error: $rc" + KEYFOUND=$(find "$T" -name $KEYFILE) + test -z "$KEYFOUND" && die "Unable to retrieve HW key $(to_upper $KEY)." - echo "--> $P: Retrieved public key for HW key $(to_upper $KEY)." - fi - fi + echo "--> $P: Retrieved public key for HW key $(to_upper $KEY)." + done # Add to HW_KEY_ARGS HW_KEY_ARGS="$HW_KEY_ARGS -$KEY $T/$KEYFILE" @@ -571,13 +620,15 @@ then if [ -f "$T/$KEYFILE" ] then - echo "--> $P: Found key for SW key $(to_upper $KEY)." + test "$SB_VERBOSE" && msg=" ($KEYFILE)" + echo "--> $P: Found key for SW key $(to_upper $KEY).${msg}" else KEYFOUND=$(find "$TOPDIR" -name $KEYFILE | head -1) if [ "$KEYFOUND" ] then - echo "--> $P: Found key for SW key $(to_upper $KEY)." + test "$SB_VERBOSE" && msg=" ($KEYFILE)" + echo "--> $P: Found key for SW key $(to_upper $KEY).${msg}" cp -p "$KEYFOUND" "$T/" else echo "--> $P: Requesting public key for SW key $(to_upper $KEY)..." @@ -642,7 +693,8 @@ then # Look for signature in the local cache dir. if [ -f "$T/$SIGFILE" ] then - echo "--> $P: Found signature for HW key $(to_upper $KEY)." + test "$SB_VERBOSE" && msg=" ($SIGFILE)" + echo "--> $P: Found signature for HW key $(to_upper $KEY).${msg}" else # Check elsewhere in the cache. if [ "$SIGN_MODE" == "independent" ] && [ "$SB_ARCHIVE_IN" ] @@ -654,7 +706,8 @@ then if [ "$SIGFOUND" ] then - echo "--> $P: Found signature for HW key $(to_upper $KEY)." + test "$SB_VERBOSE" && msg=" ($SIGFILE)" + echo "--> $P: Found signature for HW key $(to_upper $KEY).${msg}" cp -p "$SIGFOUND" "$T/" else # If no signature found, try to generate one. 
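Review bot: The new cache lookup `KEYFOUND=$(find "$T" -name $KEYFILE | head -1)` recurses into subdirectories of the component cache, but the argument added afterwards is the fixed path `$T/$KEYFILE`, so a key found one level down is reported as found while HW_KEY_ARGS points at a file that does not exist — the old `[ -f "$T/$KEYFILE" ]` test did not have this gap. Either confine the search to the cache directory, `find "$T" -maxdepth 1 -name "$KEYFILE" | head -1`, or build the argument from `$KEYFOUND`; quoting `$KEYFILE` in both `-name` arguments is a cheap improvement at the same time. The post-`sf_client` check only verifies that the output file exists, so an empty download from the server is accepted; `test -s "$T/$KEYFILE" || die "Unable to retrieve HW key $(to_upper $KEY)."` would reject it. The enclosing `for KEY` loop starts before the hunk.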
@@ -691,7 +744,8 @@ then [ "$(to_upper "$LABEL")" != SBKT ] && \ [ "$(to_upper "$LABEL")" != SBKTRAND ] then - echo "--> $P: Found signature for SW key $(to_upper $KEY)." + test "$SB_VERBOSE" && msg=" ($SIGFILE)" + echo "--> $P: Found signature for SW key $(to_upper $KEY).${msg}" elif test -f "$KEYFILE" && is_private_key "$KEYFILE" then # No signature found, try to generate one. @@ -711,9 +765,6 @@ then elif [ "$SIGN_MODE" == "production" ] then for KEY in a b c; do - SF_PROJECT=${SF_HW_SIGNING_PROJECT_BASE}_${KEY} - SIGFILE=project.$SF_PROJECT.HW_sig_$KEY.raw - varname=HW_KEY_$(to_upper $KEY); KEYFILE=${!varname} # Handle the special values, or empty value 
@@ -722,31 +773,50 @@ then # TODO: Add full support for user-specified keys in Production mode. # Currently we use it only to check if __skip or __getkey was specified. - # If no signature in the current dir, try to find one. If none found, request one. - if [ -f "$T/$SIGFILE" ] - then - echo "--> $P: Found signature for HW key $(to_upper $KEY)." - else - SIGFOUND=$(find "$TOPDIR" -type f -name $SIGFILE | head -1) + SF_PROJECT=${SF_HW_SIGNING_PROJECT_BASE}_${KEY} + SIGFILE_BASE=project.$SF_PROJECT.HW_sig_$KEY + + SIGFOUND="" + while [ -z "$SIGFOUND" ] + do + for SIGFILE in "$SIGFILE_BASE.sig" "$SIGFILE_BASE.raw" + do + # Look for sig in the component cache. + SIGFOUND=$(find "$T" -name $SIGFILE | head -1) + if [ "$SIGFOUND" ]; then + test "$SB_VERBOSE" && msg=" ($SIGFILE)" + echo "--> $P: Found sig for HW key $(to_upper $KEY).${msg}" + break 2 + fi - if [ "$SIGFOUND" ] - then - echo "--> $P: Found signature for HW key $(to_upper $KEY)." - cp -p "$SIGFOUND" "$T/" - else - test "$KEYFILE" == __getkey && continue - echo "--> $P: Requesting signature for HW key $(to_upper $KEY)..." - sf_client $SF_DEBUG_ARGS -project $SF_PROJECT -epwd "$SF_EPWD" \ - -comments "Requesting sig for $SF_PROJECT" \ - -url sftp://$SF_USER@$SF_SERVER -pkey "$SF_SSHKEY" \ - -payload "$T/prefix_hdr" -o "$T/$SIGFILE" - rc=$? + # If not in the component cache, look elsewhere in the cache. + SIGFOUND=$(find "$TOPDIR" -name $SIGFILE | head -1) + if [ "$SIGFOUND" ]; then + test "$SB_VERBOSE" && msg=" ($SIGFILE)" + echo "--> $P: Found sig for HW key $(to_upper $KEY).${msg}" + cp -p "$SIGFOUND" "$T/" + break 2 + fi + done - test $rc -ne 0 && die "Call to sf_client failed with error: $rc" + # No signature found, request one. + test "$KEYFILE" == __getkey && break - echo "--> $P: Retrieved signature for HW key $(to_upper $KEY)." - fi - fi + SIGFILE="$SIGFILE_BASE.raw" + echo "--> $P: Requesting signature for HW key $(to_upper $KEY)..." 
+ sf_client $SF_DEBUG_ARGS -project $SF_PROJECT -epwd "$SF_EPWD" \ + -comments "Requesting sig for $SF_PROJECT" \ + -url sftp://$SF_USER@$SF_SERVER -pkey "$SF_SSHKEY" \ + -payload "$T/prefix_hdr" -o "$T/$SIGFILE" + rc=$? + + test $rc -ne 0 && die "Call to sf_client failed with error: $rc" + + SIGFOUND=$(find "$T" -name $SIGFILE) + test -z "$SIGFOUND" && die "Unable to retrieve sig for HW key $(to_upper $KEY)." + + echo "--> $P: Retrieved signature for HW key $(to_upper $KEY)." + done FOUND="${FOUND}$(to_upper $KEY)," HW_SIG_ARGS="$HW_SIG_ARGS -$(to_upper $KEY) $T/$SIGFILE" @@ -767,7 +837,8 @@ then [ "$(to_upper "$LABEL")" != SBKT ] && \ [ "$(to_upper "$LABEL")" != SBKTRAND ] then - echo "--> $P: Found signature for SW key $(to_upper $KEY)." + test "$SB_VERBOSE" && msg=" ($SIGFILE)" + echo "--> $P: Found signature for SW key $(to_upper $KEY).${msg}" else # No signature found, request one. test "$KEYFILE" == __getkey && continue |
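Review bot: Replacing `continue` with `break` for the `__getkey` case changes the outcome: `break` only leaves the new `while` loop, so execution falls through to `FOUND="${FOUND}$(to_upper $KEY),"` and `HW_SIG_ARGS="$HW_SIG_ARGS -$(to_upper $KEY) $T/$SIGFILE"` with `SIGFILE` still set to the last probed `$SIGFILE_BASE.raw`, recording a signature that was never requested and does not exist. The old code's `continue` skipped both lines, and the SW-key branch in the following hunk still uses `continue` for the same case. Use `test "$KEYFILE" == __getkey && continue 2` to advance the enclosing `for KEY in a b c` loop instead. That `for` loop starts in the previous hunk and ends after this one; note also that `SIGFOUND=$(find "$T" -name $SIGFILE)` after the request lacks the `| head -1` the other lookups use, so a duplicate in a subdirectory would yield a two-line value.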