From: Jo-Philipp Wich Date: Tue, 2 Jul 2019 09:13:11 +0000 (+0200) Subject: treewide: rework signall.sh to read keys from config directly X-Git-Tag: v1~91 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=32f102962aa9f5c280442fc0b1e617f5ba9af046;p=buildbot.git treewide: rework signall.sh to read keys from config directly Signed-off-by: Jo-Philipp Wich --- diff --git a/phase1/master.cfg b/phase1/master.cfg index 5eb3f9a..4161302 100644 --- a/phase1/master.cfg +++ b/phase1/master.cfg @@ -148,19 +148,6 @@ if ini.has_option("rsync", "source_url"): rsync_defopts = ["-4", "-v", "--timeout=120", "--contimeout=20"] -gpg_key = None -gpg_passphrase = None -gpg_comment = repo_branch.replace("-", " ").title() + " key" - -if ini.has_option("gpg", "key"): - gpg_key = ini.get("gpg", "key") - -if ini.has_option("gpg", "passphrase"): - gpg_passphrase = ini.get("gpg", "passphrase") - -if ini.has_option("gpg", "comment"): - gpg_comment = ini.get("gpg", "comment") - usign_key = None usign_comment = "untrusted comment: " + repo_branch.replace("-", " ").title() + " key" @@ -954,7 +941,7 @@ for target in targets: )) # sign - if gpg_key is not None or usign_key is not None: + if ini.has_option("gpg", "key") or usign_key is not None: factory.addStep(MasterShellCommand( name = "signprepare", description = "Preparing temporary signing directory", @@ -979,13 +966,7 @@ for target in targets: name = "signfiles", description = "Signing files", command = ["%s/signall.sh" %(scripts_dir), "%s/signing/%s.%s.tar.gz" %(work_dir, ts[0], ts[1])], - env = { - 'GPGKEY': gpg_key, - 'GPGPASS': gpg_passphrase, - 'GPGCOMMENT': gpg_comment, - 'USIGNKEY': usign_key, - 'USIGNCOMMENT': usign_comment - }, + env = { 'CONFIG_INI': os.getenv("BUILDMASTER_CONFIG", "./config.ini") }, haltOnFailure = True )) diff --git a/phase2/master.cfg b/phase2/master.cfg index d668b1f..071bf31 100644 --- a/phase2/master.cfg +++ b/phase2/master.cfg @@ -114,19 +114,6 @@ repo_branch = "master" if ini.has_option("repo", "branch"): repo_branch = ini.get("repo", "branch") -gpg_key = None -gpg_passphrase = None -gpg_comment = repo_branch.replace("-", " ").title() + " key" - -if ini.has_option("gpg", "key"): - gpg_key = ini.get("gpg", "key") - -if ini.has_option("gpg", "passphrase"): - gpg_passphrase = ini.get("gpg", "passphrase") - -if ini.has_option("gpg", "comment"): - gpg_comment = ini.get("gpg", "comment") - usign_key = None usign_comment = "untrusted comment: " + repo_branch.replace("-", " ").title() + " key" @@ -457,7 +444,7 @@ for arch in arches: workdir = "build/sdk", command = "./scripts/feeds list -s -f > bin/packages/%s/feeds.conf" %(arch[0]))) - if gpg_key is not None or usign_key is not None: + if ini.has_option("gpg", "key") or usign_key is not None: factory.addStep(MasterShellCommand( name = "signprepare", description = "Preparing temporary signing directory", @@ -483,13 +470,7 @@ for arch in arches: name = "signfiles", description = "Signing files", command = ["%s/signall.sh" %(scripts_dir), "%s/signing/%s.tar.gz" %(work_dir, arch[0])], - env = { - 'GPGKEY': gpg_key, - 'GPGPASS': gpg_passphrase, - 'GPGCOMMENT': gpg_comment, - 'USIGNKEY': usign_key, - 'USIGNCOMMENT': usign_comment - }, + env = { 'CONFIG_INI': os.getenv("BUILDMASTER_CONFIG", "./config.ini") }, haltOnFailure = True )) diff --git a/scripts/signall.sh b/scripts/signall.sh index 1c36074..ea692bf 100755 --- a/scripts/signall.sh +++ b/scripts/signall.sh @@ -7,10 +7,28 @@ tarball="$(readlink -f "$tarball")" finish() { rm -rf "$tmpdir"; exit $1; } +iniget() { + local file="$1" section="$2" option="$3" + + sed -rne ' + /\['"$section"'\]/,$ { + /^[ \t]*'"$option"'[ \t]*=[ \t]*/ { + s/^[^=]+=[ \t]*//; h; + :c; n; + /^([ \t]|$)/ { + s/^[ \t]+//; H; + b c + }; + x; p; q + } + } + ' "$file" | sed -e :a -e '/^\n*$/{$d;N;ba' -e '}' +} + trap "finish 255" HUP INT TERM -if [ ! -f "$tarball" ]; then - echo "Usage: [GPGKEY=... [GPGCOMMENT=... [GPGPASS=...]]] [USIGNKEY=... [USIGNCOMMENT=...]] $0 " >&2 +if [ ! -f "$tarball" ] || [ ! -f "${CONFIG_INI:-config.ini}" ]; then + echo "Usage: [CONFIG_INI=...] $0 " >&2 finish 1 fi @@ -32,6 +50,13 @@ case "$(gpg --version | head -n1)" in *\ 2.*) loopback=1 ;; esac +GPGKEY="$(iniget "${CONFIG_INI:-config.ini}" gpg key)" +GPGPASS="$(iniget "${CONFIG_INI:-config.ini}" gpg passphrase)" +GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" gpg comment)" + +USIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" usign key)" +USIGNCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" usign comment)" + if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then umask 077 echo "$GPGPASS" > "$tmpdir/gpg.pass" @@ -50,9 +75,14 @@ if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then -o "{}.asc" "{}" \; || finish 4 fi -USIGNID="$(echo "$USIGNKEY" | base64 -d -i | dd bs=1 skip=32 count=8 2>/dev/null | od -v -t x1 | sed -rne 's/^0+ //p' | tr -d ' ')" +if [ -n "$USIGNKEY" ]; then + USIGNID="$(echo "$USIGNKEY" | base64 -d -i | dd bs=1 skip=32 count=8 2>/dev/null | od -v -t x1 | sed -rne 's/^0+ //p' | tr -d ' ')" + + if ! echo "$USIGNID" | grep -qxE "[0-9a-f]{16}"; then + echo "Invalid usign key specified" >&2 + finish 5 + fi -if echo "$USIGNID" | grep -qxE "[0-9a-f]{16}"; then umask 077 printf "untrusted comment: %s\n%s\n" "${USIGNCOMMENT:-key ID $USIGNID}" "$USIGNKEY" > "$tmpdir/usign.key"