#!/bin/bash # Add file signature to RPMs # # This script will add file signature to rpms in a given directory. # The directory containing the RPMs must be passed as a parameter. There is no default location. # # usage () { echo "" echo "Usage: " echo " sign-rpms -d|--pkg-dir " echo " -d --pkg-dir directory contain the RPMs to sign" echo " -h|--help this message" echo "" } # number of processors. The process will use all available processors by default. NPROCS=$(nproc) export MOCK=/usr/bin/mock # check input variables function check_vars { # need access to repo, which should normally be defined as MY_REPO in the env if [ ! -z "$MY_REPO" ] && [ -d "$MY_REPO" ] ; then INTERNAL_REPO_ROOT=$MY_REPO fi if [ -z "$INTERNAL_REPO_ROOT" ] ; then printf " unable to use \$MY_REPO (value \"$MY_REPO\")\n" printf " -- checking \$MY_REPO_ROOT_DIR (value \"$MY_REPO_ROOT_DIR\")\n" if [ ! -z "$MY_REPO_ROOT_DIR" ] && [ -d "$MY_REPO_ROOT_DIR/cgcs-root" ] ; then INTERNAL_REPO_ROOT=$MY_REPO_ROOT_DIR/cgcs-root printf " Found!\n" fi fi if [ -z "$INTERNAL_REPO_ROOT" ] ; then printf " No joy -- checking for \$MY_WORKSPACE/cgcs-root\n" if [ -d "$MY_WORKSPACE/cgcs-root" ] ; then INTERNAL_REPO_ROOT=$MY_WORKSPACE/cgcs-root printf " Found!\n" fi fi if [ -z "$INTERNAL_REPO_ROOT" ] ; then printf " Error -- could not locate cgcs-root repo.\n" exit 1 fi if [ -z "$MY_BUILD_ENVIRONMENT" ] ; then printf " Error -- missing environment variable MY_BUILD_ENVIRONMENT" exit 1 fi if [ -z "$MY_BUILD_DIR" ] ; then printf " Error -- missing environment variable MY_BUILD_DIR" exit 1 fi } # # this function will add IMA file signatures to all rpms in the Packages directory # # the process will copy the signing key and a makefile in the mock env under /tmp # it will also mount the Packages directory under /mnt/Packages # then mock will be invoked to sign the packages # # This process is using mock because the build servers do not have the same rpm / rpmsign version # function _local_cleanup { printf "Cleaning mock environment\n" $MOCK -q -r $_MOCK_CFG --scrub=all } function __local_trapdoor { printf "caught signal while attempting to sign files. Cleaning up." _local_cleanup exit 1 } function sign_packages { OLD_PWD=$PWD _MOCK_PKG_DIR=/mnt/Packages _IMA_PRIV_KEY=ima_signing_key.priv _KEY_DIR=$MY_REPO/build-tools/signing _MOCK_KEY_DIR=/mnt/keys _SIGN_MAKEFILE=_sign_pkgs.mk _MK_DIR=$MY_REPO/build-tools/mk _MOCK_MK_DIR=/mnt/mk # mock confgiuration file _MOCK_CFG=$MY_BUILD_DIR/${MY_BUILD_ENVIRONMENT}-sign.cfg # recreate configuration file rm $_MOCK_CFG export BUILD_TYPE=std export MY_BUILD_DIR_TOP=$MY_BUILD_DIR modify-build-cfg $_MOCK_CFG # and customize echo "config_opts['chroot_setup_cmd'] = 'install shadow-utils make rpm-sign'" >> $_MOCK_CFG echo "config_opts['root'] = 'mock-sign'" >> $_MOCK_CFG echo "config_opts['basedir'] = '${MY_WORKSPACE}'" >> $_MOCK_CFG echo "config_opts['cache_topdir'] = '${MY_WORKSPACE}/mock-cache'" >> $_MOCK_CFG echo "Signing packages in $_PKG_DIR with $NPROCS threads" echo "using development key $_KEY_DIR/$_IMA_PRIV_KEY" printf "Initializing mock environment\n" trap __local_trapdoor SIGHUP SIGINT SIGABRT SIGTERM # invoke make in mock to sign packages. # this call will also create and initialize the mock env eval $MOCK -q -r $_MOCK_CFG \'--plugin-option=bind_mount:dirs=[\(\"$_PKG_DIR\", \"$_MOCK_PKG_DIR\"\),\(\"$_MK_DIR\",\"$_MOCK_MK_DIR\"\),\(\"$_KEY_DIR\",\"$_MOCK_KEY_DIR\"\)]\' --shell \"cd $_MOCK_PKG_DIR\; make -j $NPROCS -f $_MOCK_MK_DIR/$_SIGN_MAKEFILE KEY=$_MOCK_KEY_DIR/$_IMA_PRIV_KEY\" retval=$? trap - SIGHUP SIGINT SIGABRT SIGTERM _local_cleanup if [ $retval -ne 0 ] ; then echo "failed to add file signatures to RPMs in mock environment." return $retval fi cd $OLD_PWD } function _copy_and_sign { # upload rpms to server scp $_PKG_DIR/*.rpm $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR retval=$? if [ $retval -ne 0 ] ; then echo "ERROR: failed to copy RPM files to signing server." return $retval fi # get server to sign packages. ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -s -d $sub retval=$? if [ $retval -ne 0 ] ; then echo "ERROR: failed to sign RPM files." return $retval fi # download results back. This overwrites the original files. scp $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR/*.rpm $_PKG_DIR retval=$? if [ $retval -ne 0 ] ; then echo "ERROR: failed to copy signed RPM files back from signing server." return $retval fi return $retval } function _server_cleanup { # cleanup ssh $SIGNING_USER@$SIGNING_SERVER rm $_UPLOAD_DIR/*.rpm if [ $? -ne 0 ] ; then echo "Warning : failed to remove rpms from temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}." fi ssh $SIGNING_USER@$SIGNING_SERVER rmdir $_UPLOAD_DIR if [ $? -ne 0 ] ; then echo "Warning : failed to remove temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}." fi } function __server_trapdoor { printf "caught signal while attempting to sign files. Cleaning up." _server_cleanup exit 1 } function sign_packages_on_server { retval=0 # obtain temporary diretory to upload RPMs on signing server _UPLOAD_DIR=`ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -r` retval=$? if [ $retval -ne 0 ] ; then echo "failed to obtain upload directory from signing server." return $retval fi # extract base chroot dir and rpm dir within chroot read base com sub <<< $_UPLOAD_DIR # this is the upload temp dir, outside of chroot env _UPLOAD_DIR=$base$sub trap __server_trapdoor SIGHUP SIGINT SIGABRT SIGTERM _copy_and_sign retval=$? trap - SIGHUP SIGINT SIGABRT SIGTERM _server_cleanup return $retval } ############################################# # Main code ############################################# # Check args HELP=0 # return value retval=0 # read the options TEMP=`getopt -o hd: --long help,pkg-dir: -n 'test.sh' -- "$@"` if [ $? -ne 0 ] ; then echo "Invalid parameters - exiting" exit 1 fi eval set -- "$TEMP" # extract options and their arguments into variables. while true ; do case "$1" in -h|--help) HELP=1 ; shift ;; -d|--pkg-dir) _PKG_DIR="$2"; shift; shift ;; --) shift ; break ;; *) echo "Internal error : unexpected parameter $2" ; exit 1 ;; esac done if [ $HELP -eq 1 ]; then usage exit 0 fi # package directory must be defined if [ -z "$_PKG_DIR" ]; then echo "Need package directory. Use -d/--pkg-dir option" usage exit 1 fi # ... and must exist if [ ! -d "$_PKG_DIR" ]; then echo "Package directory $_PKG_DIR does not exist" exit 1 fi # Init variables check_vars echo signing $_PKG_DIR # sign all rpms if [ "$USER" == "jenkins" ] && [ ! -z "${SIGNING_USER}" ] && [ ! -z "${SIGNING_SERVER}" ] && [ ! -z "${SIGNING_SERVER_SCRIPT}" ]; then sign_packages_on_server retval=$? else sign_packages retval=$? fi exit $retval