Skip to content

Commit

Permalink
image_types_balena.bbclass: Move image signing code here
Browse files Browse the repository at this point in the history
This fixes the following error:

cp: cannot stat '/work/build/tmp/deploy/images/generic-amd64/balena-image-generic-amd64.balenaos-img.sig': No such file or directory

The signed image symlink is not generated before the flasher needs it so we avoid this dependency issue by
defining a new image type for which the build system will automatically create the appropriate symlink.

Change-type: patch
Signed-off-by: Florin Sarbu <[email protected]>
  • Loading branch information
floion committed Jan 16, 2025
1 parent d752abb commit a8d15f6
Show file tree
Hide file tree
Showing 4 changed files with 48 additions and 61 deletions.
43 changes: 43 additions & 0 deletions meta-balena-common/classes/image_types_balena.bbclass
Original file line number Diff line number Diff line change
Expand Up @@ -400,3 +400,46 @@ IMAGE_CMD:hostapp-ext4 () {
truncate -s "$(expr ${ROOTFS_SIZE} \* 1024)" "${BALENA_HOSTAPP_IMG}"
mkfs.hostapp -t "${TMPDIR}" -s "${STAGING_DIR_NATIVE}" -i ${BALENA_DOCKER_IMG} -o ${BALENA_HOSTAPP_IMG}
}

IMAGE_TYPEDEP:sign = "balenaos-img"

IMAGE_CMD:sign () {
if [ "x${SIGN_API}" = "x" ]; then
bbnote "Signing API not defined"
return 0
fi
if [ "x${SIGN_API_KEY}" = "x" ]; then
bbfatal "Signing API key must be defined"
fi

for SIGNING_ARTIFACT in ${SIGNING_ARTIFACTS}
do
if [ -z "${SIGNING_ARTIFACT}" ] || [ ! -f "${SIGNING_ARTIFACT}" ]; then
bbfatal "Nothing to sign"
fi

DIGEST=$(openssl dgst -hex -sha256 "${SIGNING_ARTIFACT}" | awk '{print $2}')

REQUEST_FILE=$(mktemp)
RESPONSE_FILE=$(mktemp)
echo "{\"cert_id\": \"${SIGN_KMOD_KEY_ID}\", \"digest\": \"${DIGEST}\"}" > "${REQUEST_FILE}"
CURL_CA_BUNDLE="${STAGING_DIR_NATIVE}/etc/ssl/certs/ca-certificates.crt" curl --retry 5 --fail --silent "${SIGN_API}/cert/sign" -X POST -H "Content-Type: application/json" -H "X-API-Key: ${SIGN_API_KEY}" -d "@${REQUEST_FILE}" > "${RESPONSE_FILE}"
jq -r ".signature" < "${RESPONSE_FILE}" | base64 -d > "${SIGNING_ARTIFACT}.sig"
rm -f "${REQUEST_FILE}" "${RESPONSE_FILE}"
done
}

do_image_sign[network] = "1"
do_image_sign[depends] += " \
openssl-native:do_populate_sysroot \
curl-native:do_populate_sysroot \
jq-native:do_populate_sysroot \
ca-certificates-native:do_populate_sysroot \
coreutils-native:do_populate_sysroot \
gnupg-native:do_populate_sysroot \
"

do_image_sign[vardeps] += " \
SIGN_API \
SIGN_KMOD_KEY_ID \
"
40 changes: 0 additions & 40 deletions meta-balena-common/classes/sign-digest.bbclass

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,10 @@ IMAGE_FSTYPES = "balenaos-img"
BALENA_ROOT_FSTYPE = "ext4"

# Make sure you have the resin image ready
do_image_balenaos_img[depends] += "balena-image:do_image_complete"
do_image_balenaos_img[depends] += "balena-image:do_rootfs"

# Ensure we have the raw balena image ready in DEPLOY_DIR_IMAGE
do_image[depends] += "balena-image:do_image_complete"
# Ensure we have the raw balena image and the optional signed image ready in DEPLOY_DIR_IMAGE
do_image[depends] += "balena-image:do_sign"

IMAGE_FEATURES:append = " \
splash \
Expand Down
20 changes: 2 additions & 18 deletions meta-balena-common/recipes-core/images/balena-image.bb
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ IMAGE_ROOTFS_MAXSIZE = "${IMAGE_ROOTFS_SIZE}"

IMAGE_FSTYPES = "balenaos-img"

inherit core-image image-balena features_check sign-digest
inherit core-image image-balena features_check

SPLASH += "plymouth-balena-theme"

Expand Down Expand Up @@ -58,25 +58,10 @@ generate_hostos_version () {
echo "${HOSTOS_VERSION}" > ${DEPLOY_DIR_IMAGE}/VERSION_HOSTOS
}

symlink_image_signature () {
# This is probably not the correct way to do it, but it works.
# We sign BALENA_RAW_IMG, which ends up in IMGDEPLOYDIR
# and has a timestamp in the file name. We need to get rid
# of the timestamp for the final deploy, so that the file
# ends up in a predictable location.

if [ -n "${SIGN_API}" ]; then
ln -sf "${BALENA_RAW_IMG}.sig" "${DEPLOY_DIR_IMAGE}/balena-image-${MACHINE}.balenaos-img.sig"
fi
}

DEPENDS += "jq-native"

IMAGE_PREPROCESS_COMMAND:append = " generate_rootfs_fingerprints ; "
IMAGE_POSTPROCESS_COMMAND += " \
generate_hostos_version ; \
symlink_image_signature ; \
"
IMAGE_POSTPROCESS_COMMAND += " generate_hostos_version ; "

BALENA_BOOT_PARTITION_FILES:append = " \
balena-logo.png:/splash/balena-logo.png \
Expand Down Expand Up @@ -113,4 +98,3 @@ addtask image_size_check after do_image_balenaos_img before do_image_complete
do_resin_boot_dirgen_and_deploy[depends] += "redsocks:do_deploy"

SIGNING_ARTIFACTS = "${BALENA_RAW_IMG}"
addtask sign_digest after do_image_balenaos_img before do_image_complete

0 comments on commit a8d15f6

Please sign in to comment.