From: Jo-Philipp Wich
Date: Sun, 30 Jun 2019 16:13:57 +0000 (+0200)
Subject: phase2: move usign handling to master
X-Git-Tag: v1~100
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=d3304ec3c987779f6ffe9dfc3bbd8d3b38d2fde0;p=buildbot.git
phase2: move usign handling to master
Signed-off-by: Jo-Philipp Wich
---
diff --git a/phase2/config.ini.example b/phase2/config.ini.example
index 991a835..25f4213 100644
--- a/phase2/config.ini.example
+++ b/phase2/config.ini.example
@@ -37,6 +37,10 @@ keyid = 626471F1
 passfile = ./gpg-passphrase.txt
 comment = Unattended build signature
+[usign]
+key = RWRCSwAAA...OihABfuLvGRVfVaJ6wLf0=
+comment = Unattended build signature
+
 [slave 1]
 name = slave-example-1
 password = example
diff --git a/phase2/master.cfg b/phase2/master.cfg
index bb0afaf..11e3f0f 100644
--- a/phase2/master.cfg
+++ b/phase2/master.cfg
@@ -3,6 +3,7 @@
 import os
 import re
+import base64
 import subprocess
 import ConfigParser
@@ -124,6 +125,15 @@ if ini.has_option("gpg", "comment"):
 if ini.has_option("gpg", "passfile"):
 gpg_passfile = ini.get("gpg", "passfile")
+usign_key = None
+usign_comment = "untrusted comment: " + repo_branch.replace("-", " ").title() + " key"
+
+if ini.has_option("usign", "key"):
+ usign_key = ini.get("usign", "key")
+
+if ini.has_option("usign", "comment"):
+ usign_comment = ini.get("usign", "comment")
+
 repo_url = ini.get("repo", "url")
 repo_branch = "master"
@@ -241,6 +251,15 @@ def GetCwd(props):
 else:
 return "/"
+def UsignSec2Pub(seckey, comment="untrusted comment: secret key"):
+ try:
+ seckey = base64.b64decode(seckey)
+ except:
+ return None
+
+ return "{}\n{}".format(re.sub(r"\bsecret key$", "public key", comment),
+ base64.b64encode(seckey[0:2] + seckey[32:40] + seckey[72:]))
+
 c['builders'] = []
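Review bot: The new `[usign]` section in config.ini.example does not say that `key` holds secret-key material, so it reads like any other setting. In the master.cfg part of this commit the value is fed to `UsignSec2Pub()` and exported to the signing script as `USIGNKEY`. A comment line above `key`, such as `; base64 payload of the usign secret key - keep config.ini readable by the buildmaster user only`, would make the handling requirement explicit.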
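Review bot: In the `@@ -124,6 +125,15 @@` hunk the default for `usign_comment` reads `repo_branch` before the context lines at the end of the hunk assign it (`repo_branch = "master"`), so unless the name is already bound earlier in master.cfg, loading the config raises `NameError`. Even if it is bound, any branch override applied after this point would not be reflected in the comment. Moving the usign block below the branch handling, or building the default only when the ini supplies no comment, avoids both. The default also starts with `untrusted comment: ` while the value shown in config.ini.example does not, so the two paths give differently shaped first lines for `key-build.pub`; it is worth checking that usign accepts both.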
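Review bot: `UsignSec2Pub()` guards only the base64 decode, so a key that decodes but is too short still produces a public-key string built from empty or wrong slices (`seckey[32:40]`, `seckey[72:]`), and the bare `except:` turns every other error into `None`. A length check after the decode, e.g. `if len(seckey) != 104: return None` (a signify-style secret key should decode to 104 bytes, which matches the offsets used here; confirm against usign), together with `except (TypeError, ValueError):`, would narrow this. The caller does not check for `None` either: the `dlkeybuildpub` step in the `@@ -335,8 +354,25 @@` hunk passes the result straight to `StringDownload(s = ...)`. Raising in master.cfg when `usign_key` is set but cannot be converted would surface a bad key at config load instead of during a build.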
@@ -335,8 +354,25 @@ for arch in arches:
 workdir = "build/sdk",
 command = ["make", "-f", "getversion.mk"]))
- factory.addStep(FileDownload(mastersrc=home_dir+'/key-build', slavedest="sdk/key-build", mode=0600))
- factory.addStep(FileDownload(mastersrc=home_dir+'/key-build.pub', slavedest="sdk/key-build.pub", mode=0600))
+ # install build key
+ if usign_key is not None:
+ factory.addStep(StringDownload(
+ name = "dlkeybuildpub",
+ s = UsignSec2Pub(usign_key, usign_comment),
+ slavedest = "sdk/key-build.pub",
+ mode = 0600))
+
+ factory.addStep(StringDownload(
+ name = "dlkeybuild",
+ s = "# fake private key",
+ slavedest = "sdk/key-build",
+ mode = 0600))
+
+ factory.addStep(StringDownload(
+ name = "dlkeybuilducert",
+ s = "# fake certificate",
+ slavedest = "sdk/key-build.ucert",
+ mode = 0600))
 factory.addStep(ShellCommand(
 name = "mkdldir",
@@ -412,7 +448,7 @@ for arch in arches:
 description = "Building packages",
 workdir = "build/sdk",
 timeout = 3600,
- command = ["make", WithProperties("-j%(jobs)d", jobs=GetNumJobs), "IGNORE_ERRORS=n m y", "BUILD_LOG=1", "CONFIG_SIGNED_PACKAGES=y", "CONFIG_AUTOREMOVE=y"],
+ command = ["make", WithProperties("-j%(jobs)d", jobs=GetNumJobs), "IGNORE_ERRORS=n m y", "BUILD_LOG=1", "CONFIG_AUTOREMOVE=y"],
 env = {'CCACHE_BASEDIR': WithProperties("%(cwd)s", cwd=GetCwd)},
 haltOnFailure = True))
@@ -448,7 +484,8 @@ for arch in arches:
 name = "signfiles",
 description = "Signing files",
 command = ["%s/signall.sh" %(scripts_dir), "%s/signing/%s.tar.gz" %(home_dir, arch[0]), gpg_keyid, gpg_comment],
- env = {'GNUPGHOME': gpg_home, 'PASSFILE': gpg_passfile},
+ env = {'GNUPGHOME': gpg_home, 'PASSFILE': gpg_passfile, 'USIGNKEY': usign_key, 'USIGNCOMMENT': usign_comment},
+ logEnviron = False,
 haltOnFailure = True
 ))
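Review bot: In the `@@ -448,7 +484,8 @@` hunk the `signfiles` step hands the raw secret key to `signall.sh` through the `USIGNKEY` environment variable, where every child process the script starts inherits it; `logEnviron = False` only keeps it out of the step log. Passing the path of a mode-0600 key file, as the gpg side already does with `PASSFILE`, would keep the key material out of the process environment. `usign_key` is also `None` when the `[usign]` section is absent, so `'USIGNKEY': usign_key` should be added only when a key is configured, unless the script is known to handle the unset case. The step definition starts outside the hunk.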