Message ID | 20231124141326.2661397-1-Quirin.Gylstorff@siemens.com (mailing list archive) |
State | Accepted |
Series | [isar-cip-core,RFC] swupdate: Move signing to seperate script | expand |
On 24.11.23 22:12, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > This allows to use third party service to sign the swupate packages > during build. > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > classes/swupdate.bbclass | 13 +------------ > .../swupdate-certificates/files/sign-swu-cms | 9 +++++++++ > .../swupdate-certificates/files/sign-swu-rsa | 6 ++++++ > .../swupdate-certificates-key.inc | 12 +++++++++--- > 4 files changed, 25 insertions(+), 15 deletions(-) > create mode 100644 recipes-devtools/swupdate-certificates/files/sign-swu-cms > create mode 100644 recipes-devtools/swupdate-certificates/files/sign-swu-rsa > > diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass > index 38c2e0a..117f9fe 100644 > --- a/classes/swupdate.bbclass > +++ b/classes/swupdate.bbclass > @@ -120,18 +120,7 @@ IMAGE_CMD:swu() { > fi > echo "$file" > if [ -n "$sign" -a "${SWU_DESCRIPTION_FILE}" = "$file" ]; then > - if [ "${SWU_SIGNATURE_TYPE}" = "rsa" ]; then > - openssl dgst \ > - -sha256 -sign "/usr/share/swupdate-signing/swupdate-sign.key" "$file" \ > - > "$file.${SWU_SIGNATURE_EXT}" > - elif [ "${SWU_SIGNATURE_TYPE}" = "cms" ]; then > - openssl cms \ > - -sign -in "$file" \ > - -out "$file"."${SWU_SIGNATURE_EXT}" \ > - -signer "/usr/share/swupdate-signing/swupdate-sign.crt" \ > - -inkey "/usr/share/swupdate-signing/swupdate-sign.key" \ > - -outform DER -noattr -binary > - fi > + sign-swu "$file" "$file.${SWU_SIGNATURE_EXT}" > # Set file timestamps for reproducible builds > if [ -n "${SOURCE_DATE_EPOCH}" ]; then > touch -d@"${SOURCE_DATE_EPOCH}" "$file.${SWU_SIGNATURE_EXT}" > diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-cms b/recipes-devtools/swupdate-certificates/files/sign-swu-cms > new file mode 100644 > index 0000000..7bd04ef > --- /dev/null > +++ b/recipes-devtools/swupdate-certificates/files/sign-swu-cms 
> @@ -0,0 +1,9 @@ > +#!/bin/sh > +in_file=$1 > +out_file=$2 > +openssl cms \ > + -sign -in "$in_file" \ > + -out "$out_file" \ > + -signer "/usr/share/swupdate-signing/swupdate-sign.crt" \ > + -inkey "/usr/share/swupdate-signing/swupdate-sign.key" \ > + -outform DER -noattr -binary > diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-rsa b/recipes-devtools/swupdate-certificates/files/sign-swu-rsa > new file mode 100644 > index 0000000..fad3004 > --- /dev/null > +++ b/recipes-devtools/swupdate-certificates/files/sign-swu-rsa > @@ -0,0 +1,6 @@ > +#!/bin/sh > +in_file=$1 > +out_file=$2 > +openssl dgst \ > + -sha256 -sign "/usr/share/swupdate-signing/swupdate-sign.key" "$in_file" \ > + > "$out_file" > diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc > index 1b6b6dd..0b3e045 100644 > --- a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc > +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc 
> @@ -14,16 +14,22 @@ inherit dpkg-raw > PROVIDES += "swupdate-certificates-key" > > SWU_SIGN_KEY ??= "" > - > +SWU_SIGN_SCRIPT ??= "sign-swu-cms" > SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_KEY') if d.getVar('SWU_SIGN_KEY') else '' }" > +SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_SCRIPT') if d.getVar('SWU_SIGN_SCRIPT') else '' }" > > +do_install[cleandirs] = "${D}/usr/share/swupdate-signing/ \ > + ${D}/usr/bin/" > do_install() { > + if [ ! -f ${WORKDIR}/${SWU_SIGN_SCRIPT} ] ]; then > + bbfatal "You must add a '${SWU_SIGN_SCRIPT}' to execute the signing process" > + fi > + install -m 0700 ${WORKDIR}/${SWU_SIGN_SCRIPT} ${D}/usr/bin/sign-swu > if [ -z ${SWU_SIGN_KEY} ] ]; then > bbfatal "You must set SWU_SIGN_KEY and provide the required file as artifacts to this recipe" > fi > TARGET=${D}/usr/share/swupdate-signing/ > - install -d -m 0700 ${TARGET} We no longer need to set the permissions of that folder restrictively? Practically, the key is still protected, just wondering why that was done so far. > - install -m 0700 ${WORKDIR}/${SWU_SIGN_KEY} ${TARGET}/swupdate-sign.key > + install -m 0600 ${WORKDIR}/${SWU_SIGN_KEY} ${TARGET}/swupdate-sign.key > } > > do_prepare_build:append() { Looks good to me. Jan
On 11/27/23 02:49, Jan Kiszka wrote: > On 24.11.23 22:12, Quirin Gylstorff wrote: >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> >> This allows to use third party service to sign the swupate packages >> during build. >> >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> classes/swupdate.bbclass | 13 +------------ >> .../swupdate-certificates/files/sign-swu-cms | 9 +++++++++ >> .../swupdate-certificates/files/sign-swu-rsa | 6 ++++++ >> .../swupdate-certificates-key.inc | 12 +++++++++--- >> 4 files changed, 25 insertions(+), 15 deletions(-) >> create mode 100644 recipes-devtools/swupdate-certificates/files/sign-swu-cms >> create mode 100644 recipes-devtools/swupdate-certificates/files/sign-swu-rsa >> >> diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass >> index 38c2e0a..117f9fe 100644 >> --- a/classes/swupdate.bbclass >> +++ b/classes/swupdate.bbclass >> @@ -120,18 +120,7 @@ IMAGE_CMD:swu() { >> fi >> echo "$file" >> if [ -n "$sign" -a "${SWU_DESCRIPTION_FILE}" = "$file" ]; then >> - if [ "${SWU_SIGNATURE_TYPE}" = "rsa" ]; then >> - openssl dgst \ >> - -sha256 -sign "/usr/share/swupdate-signing/swupdate-sign.key" "$file" \ >> - > "$file.${SWU_SIGNATURE_EXT}" >> - elif [ "${SWU_SIGNATURE_TYPE}" = "cms" ]; then >> - openssl cms \ >> - -sign -in "$file" \ >> - -out "$file"."${SWU_SIGNATURE_EXT}" \ >> - -signer "/usr/share/swupdate-signing/swupdate-sign.crt" \ >> - -inkey "/usr/share/swupdate-signing/swupdate-sign.key" \ >> - -outform DER -noattr -binary >> - fi >> + sign-swu "$file" "$file.${SWU_SIGNATURE_EXT}" >> # Set file timestamps for reproducible builds >> if [ -n "${SOURCE_DATE_EPOCH}" ]; then >> touch -d@"${SOURCE_DATE_EPOCH}" "$file.${SWU_SIGNATURE_EXT}" >> diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-cms b/recipes-devtools/swupdate-certificates/files/sign-swu-cms >> new file mode 100644 >> index 0000000..7bd04ef >> --- /dev/null 
>> +++ b/recipes-devtools/swupdate-certificates/files/sign-swu-cms >> @@ -0,0 +1,9 @@ >> +#!/bin/sh >> +in_file=$1 >> +out_file=$2 >> +openssl cms \ >> + -sign -in "$in_file" \ >> + -out "$out_file" \ >> + -signer "/usr/share/swupdate-signing/swupdate-sign.crt" \ >> + -inkey "/usr/share/swupdate-signing/swupdate-sign.key" \ >> + -outform DER -noattr -binary >> diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-rsa b/recipes-devtools/swupdate-certificates/files/sign-swu-rsa >> new file mode 100644 >> index 0000000..fad3004 >> --- /dev/null >> +++ b/recipes-devtools/swupdate-certificates/files/sign-swu-rsa >> @@ -0,0 +1,6 @@ >> +#!/bin/sh >> +in_file=$1 >> +out_file=$2 >> +openssl dgst \ >> + -sha256 -sign "/usr/share/swupdate-signing/swupdate-sign.key" "$in_file" \ >> + > "$out_file" >> diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc >> index 1b6b6dd..0b3e045 100644 >> --- a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc >> +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc 
>> @@ -14,16 +14,22 @@ inherit dpkg-raw >> PROVIDES += "swupdate-certificates-key" >> >> SWU_SIGN_KEY ??= "" >> - >> +SWU_SIGN_SCRIPT ??= "sign-swu-cms" >> SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_KEY') if d.getVar('SWU_SIGN_KEY') else '' }" >> +SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_SCRIPT') if d.getVar('SWU_SIGN_SCRIPT') else '' }" >> >> +do_install[cleandirs] = "${D}/usr/share/swupdate-signing/ \ >> + ${D}/usr/bin/" >> do_install() { >> + if [ ! -f ${WORKDIR}/${SWU_SIGN_SCRIPT} ] ]; then >> + bbfatal "You must add a '${SWU_SIGN_SCRIPT}' to execute the signing process" >> + fi >> + install -m 0700 ${WORKDIR}/${SWU_SIGN_SCRIPT} ${D}/usr/bin/sign-swu >> if [ -z ${SWU_SIGN_KEY} ] ]; then >> bbfatal "You must set SWU_SIGN_KEY and provide the required file as artifacts to this recipe" >> fi >> TARGET=${D}/usr/share/swupdate-signing/ >> - install -d -m 0700 ${TARGET} > > We no longer need to set the permissions of that folder restrictively? > Practically, the key is still protected, just wondering why that was > done so far. This package should only be installed during the swu image generation. > >> - install -m 0700 ${WORKDIR}/${SWU_SIGN_KEY} ${TARGET}/swupdate-sign.key >> + install -m 0600 ${WORKDIR}/${SWU_SIGN_KEY} ${TARGET}/swupdate-sign.key >> } >> >> do_prepare_build:append() { > > Looks good to me. > > Jan > Quirin
On 24.11.23 22:12, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > This allows to use third party service to sign the swupate packages > during build. > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > classes/swupdate.bbclass | 13 +------------ > .../swupdate-certificates/files/sign-swu-cms | 9 +++++++++ > .../swupdate-certificates/files/sign-swu-rsa | 6 ++++++ > .../swupdate-certificates-key.inc | 12 +++++++++--- > 4 files changed, 25 insertions(+), 15 deletions(-) > create mode 100644 recipes-devtools/swupdate-certificates/files/sign-swu-cms > create mode 100644 recipes-devtools/swupdate-certificates/files/sign-swu-rsa > > diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass > index 38c2e0a..117f9fe 100644 > --- a/classes/swupdate.bbclass > +++ b/classes/swupdate.bbclass > @@ -120,18 +120,7 @@ IMAGE_CMD:swu() { > fi > echo "$file" > if [ -n "$sign" -a "${SWU_DESCRIPTION_FILE}" = "$file" ]; then > - if [ "${SWU_SIGNATURE_TYPE}" = "rsa" ]; then > - openssl dgst \ > - -sha256 -sign "/usr/share/swupdate-signing/swupdate-sign.key" "$file" \ > - > "$file.${SWU_SIGNATURE_EXT}" > - elif [ "${SWU_SIGNATURE_TYPE}" = "cms" ]; then > - openssl cms \ > - -sign -in "$file" \ > - -out "$file"."${SWU_SIGNATURE_EXT}" \ > - -signer "/usr/share/swupdate-signing/swupdate-sign.crt" \ > - -inkey "/usr/share/swupdate-signing/swupdate-sign.key" \ > - -outform DER -noattr -binary > - fi > + sign-swu "$file" "$file.${SWU_SIGNATURE_EXT}" > # Set file timestamps for reproducible builds > if [ -n "${SOURCE_DATE_EPOCH}" ]; then > touch -d@"${SOURCE_DATE_EPOCH}" "$file.${SWU_SIGNATURE_EXT}" > diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-cms b/recipes-devtools/swupdate-certificates/files/sign-swu-cms > new file mode 100644 > index 0000000..7bd04ef > --- /dev/null > +++ b/recipes-devtools/swupdate-certificates/files/sign-swu-cms 
> @@ -0,0 +1,9 @@ > +#!/bin/sh > +in_file=$1 > +out_file=$2 > +openssl cms \ > + -sign -in "$in_file" \ > + -out "$out_file" \ > + -signer "/usr/share/swupdate-signing/swupdate-sign.crt" \ > + -inkey "/usr/share/swupdate-signing/swupdate-sign.key" \ > + -outform DER -noattr -binary > diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-rsa b/recipes-devtools/swupdate-certificates/files/sign-swu-rsa > new file mode 100644 > index 0000000..fad3004 > --- /dev/null > +++ b/recipes-devtools/swupdate-certificates/files/sign-swu-rsa > @@ -0,0 +1,6 @@ > +#!/bin/sh > +in_file=$1 > +out_file=$2 > +openssl dgst \ > + -sha256 -sign "/usr/share/swupdate-signing/swupdate-sign.key" "$in_file" \ > + > "$out_file" > diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc > index 1b6b6dd..0b3e045 100644 > --- a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc > +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc 
> @@ -14,16 +14,22 @@ inherit dpkg-raw > PROVIDES += "swupdate-certificates-key" > > SWU_SIGN_KEY ??= "" > - > +SWU_SIGN_SCRIPT ??= "sign-swu-cms" > SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_KEY') if d.getVar('SWU_SIGN_KEY') else '' }" > +SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_SCRIPT') if d.getVar('SWU_SIGN_SCRIPT') else '' }" > > +do_install[cleandirs] = "${D}/usr/share/swupdate-signing/ \ > + ${D}/usr/bin/" > do_install() { > + if [ ! -f ${WORKDIR}/${SWU_SIGN_SCRIPT} ] ]; then > + bbfatal "You must add a '${SWU_SIGN_SCRIPT}' to execute the signing process" > + fi > + install -m 0700 ${WORKDIR}/${SWU_SIGN_SCRIPT} ${D}/usr/bin/sign-swu > if [ -z ${SWU_SIGN_KEY} ] ]; then > bbfatal "You must set SWU_SIGN_KEY and provide the required file as artifacts to this recipe" > fi > TARGET=${D}/usr/share/swupdate-signing/ > - install -d -m 0700 ${TARGET} > - install -m 0700 ${WORKDIR}/${SWU_SIGN_KEY} ${TARGET}/swupdate-sign.key > + install -m 0600 ${WORKDIR}/${SWU_SIGN_KEY} ${TARGET}/swupdate-sign.key > } > > do_prepare_build:append() { Thanks, applied. Jan
diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index 38c2e0a..117f9fe 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -120,18 +120,7 @@ IMAGE_CMD:swu() {
 fi
 echo "$file"
 if [ -n "$sign" -a "${SWU_DESCRIPTION_FILE}" = "$file" ]; then
- if [ "${SWU_SIGNATURE_TYPE}" = "rsa" ]; then
- openssl dgst \
- -sha256 -sign "/usr/share/swupdate-signing/swupdate-sign.key" "$file" \
- > "$file.${SWU_SIGNATURE_EXT}"
- elif [ "${SWU_SIGNATURE_TYPE}" = "cms" ]; then
- openssl cms \
- -sign -in "$file" \
- -out "$file"."${SWU_SIGNATURE_EXT}" \
- -signer "/usr/share/swupdate-signing/swupdate-sign.crt" \
- -inkey "/usr/share/swupdate-signing/swupdate-sign.key" \
- -outform DER -noattr -binary
- fi
+ sign-swu "$file" "$file.${SWU_SIGNATURE_EXT}"
 # Set file timestamps for reproducible builds
 if [ -n "${SOURCE_DATE_EPOCH}" ]; then
 touch -d@"${SOURCE_DATE_EPOCH}" "$file.${SWU_SIGNATURE_EXT}"
diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-cms b/recipes-devtools/swupdate-certificates/files/sign-swu-cms
new file mode 100644
index 0000000..7bd04ef
--- /dev/null
+++ b/recipes-devtools/swupdate-certificates/files/sign-swu-cms
@@ -0,0 +1,9 @@
+#!/bin/sh
+in_file=$1
+out_file=$2
+openssl cms \
+ -sign -in "$in_file" \
+ -out "$out_file" \
+ -signer "/usr/share/swupdate-signing/swupdate-sign.crt" \
+ -inkey "/usr/share/swupdate-signing/swupdate-sign.key" \
+ -outform DER -noattr -binary
diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-rsa b/recipes-devtools/swupdate-certificates/files/sign-swu-rsa
new file mode 100644
index 0000000..fad3004
--- /dev/null
+++ b/recipes-devtools/swupdate-certificates/files/sign-swu-rsa
@@ -0,0 +1,6 @@
+#!/bin/sh
+in_file=$1
+out_file=$2
+openssl dgst \
+ -sha256 -sign "/usr/share/swupdate-signing/swupdate-sign.key" "$in_file" \
+ > "$out_file"
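Review bot: The new `sign-swu "$file" "$file.${SWU_SIGNATURE_EXT}"` call does not check the helper's exit status, and the `touch` three lines below creates the signature file if it does not exist, so a failed or absent signer (a request rejected by the external service, or the script missing from PATH) can leave an empty `.sig` that is then packed into the .swu unless the task shell happens to run with `set -e`, which this hunk does not show. I would fail the image build explicitly and not leave a partial artefact behind: `sign-swu "$file" "$file.${SWU_SIGNATURE_EXT}" || { rm -f "$file.${SWU_SIGNATURE_EXT}"; exit 1; }`. Separately, `SWU_SIGNATURE_TYPE` no longer selects the signing method here while the recipe defaults `SWU_SIGN_SCRIPT` to `sign-swu-cms`; if `SWU_SIGNATURE_TYPE` still drives `SWU_SIGNATURE_EXT` or the device-side verifier elsewhere, a configuration that sets it to `rsa` with the default script would produce a CMS signature under an RSA name, so a one-line comment above the call saying the two must agree would help. IMAGE_CMD:swu continues outside the hunk on both sides.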
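Review bot: sign-swu-cms is now the reference implementation of the interface a third-party signing service must provide, but nothing in the file states that contract; add a header comment after the shebang along the lines of `# Usage: sign-swu <in-file> <out-file>` and `# Writes a DER-encoded CMS signature of <in-file> to <out-file>; must exit non-zero on failure.` Since swupdate.bbclass calls the installed copy as `sign-swu`, I would also reject a bad invocation rather than let openssl fail on an empty `-out ""`: `[ $# -eq 2 ] || { echo "usage: $0 <in-file> <out-file>" >&2; exit 2; }`. The key and certificate paths are hard-coded here rather than passed as arguments, which is fine for the local default but worth a comment so a replacement script knows they are not part of the calling convention.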
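Review bot: In sign-swu-rsa the shell opens `> "$out_file"` before openssl runs, so when signing fails (unreadable key, wrong passphrase) the script does exit non-zero but leaves an empty `$out_file` behind, and a caller that only tests for the file's presence would ship a zero-length signature. Remove the output on failure by ending the command with `> "$out_file" || { rm -f -- "$out_file"; exit 1; }`. A `# Usage: sign-swu <in-file> <out-file>` header like the one the CMS variant should carry would also document the contract the two scripts share.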
diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
index 1b6b6dd..0b3e045 100644
--- a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
+++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
@@ -14,16 +14,22 @@ inherit dpkg-raw
 PROVIDES += "swupdate-certificates-key"
 
 SWU_SIGN_KEY ??= ""
-
+SWU_SIGN_SCRIPT ??= "sign-swu-cms"
 SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_KEY') if d.getVar('SWU_SIGN_KEY') else '' }"
+SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_SCRIPT') if d.getVar('SWU_SIGN_SCRIPT') else '' }"
 
+do_install[cleandirs] = "${D}/usr/share/swupdate-signing/ \
+ ${D}/usr/bin/"
 do_install() {
+ if [ ! -f ${WORKDIR}/${SWU_SIGN_SCRIPT} ] ]; then
+ bbfatal "You must add a '${SWU_SIGN_SCRIPT}' to execute the signing process"
+ fi
+ install -m 0700 ${WORKDIR}/${SWU_SIGN_SCRIPT} ${D}/usr/bin/sign-swu
 if [ -z ${SWU_SIGN_KEY} ] ]; then
 bbfatal "You must set SWU_SIGN_KEY and provide the required file as artifacts to this recipe"
 fi
 TARGET=${D}/usr/share/swupdate-signing/
- install -d -m 0700 ${TARGET}
- install -m 0700 ${WORKDIR}/${SWU_SIGN_KEY} ${TARGET}/swupdate-sign.key
+ install -m 0600 ${WORKDIR}/${SWU_SIGN_KEY} ${TARGET}/swupdate-sign.key
 }
 
 do_prepare_build:append() {
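Review bot: The new `if [ ! -f ${WORKDIR}/${SWU_SIGN_SCRIPT} ] ]; then` carries a stray second `]`; as far as I can tell, `[` then sees the operands `! -f <path> ]` and reports a syntax error (exit status 2) in both dash and bash, so the condition is never true, the bbfatal message is never shown, and a missing script is only caught later by `install` with a less helpful error. The check should read `if [ ! -f "${WORKDIR}/${SWU_SIGN_SCRIPT}" ]; then`; the pre-existing `SWU_SIGN_KEY` check two lines below has the same shape and is worth fixing in the same pass. The hunk's last line opens do_prepare_build:append, whose body is outside the hunk.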