cleanup signing scripts

the scripts contained hardcoded references to resources that are not visible outside of the environment where the scripts were originally created and used The scripts sign-rpms was also updated with the original version that was intended to be submitted. The initial submission contained the wrong version. Closes-Bug: #1791343 Change-Id: I8ce5884ad75156d3730cf30a451051d32445e136 Signed-off-by: Paul-Emile Element <Paul-Emile.Element@windriver.com>
2018-09-07 13:09:07 -04:00 · 2018-09-07 13:09:07 -04:00 · 2f9d9a5672
commit 2f9d9a5672
parent d05c4c3d31
4 changed files with 167 additions and 138 deletions
--- a/build-tools/sign-rpms
+++ b/build-tools/sign-rpms
@ -73,6 +73,20 @@ function check_vars {
 # This process is using mock because the build servers do not have the same rpm / rpmsign version
 #

+function _local_cleanup {
+
+    printf "Cleaning mock environment\n"
+    $MOCK -q -r $_MOCK_CFG --scrub=all
+
+}
+
+function __local_trapdoor {
+    printf "caught signal while attempting to sign files. Cleaning up."
+    _local_cleanup
+
+    exit 1
+}
+

 function sign_packages {
    OLD_PWD=$PWD
@ -104,14 +118,17 @@ function sign_packages {

    printf "Initializing mock environment\n"

+    trap __local_trapdoor SIGHUP SIGINT SIGABRT SIGTERM
+
    # invoke make in mock to sign packages.
    # this call will also create and initialize the mock env
    eval $MOCK -q -r $_MOCK_CFG \'--plugin-option=bind_mount:dirs=[\(\"$_PKG_DIR\", \"$_MOCK_PKG_DIR\"\),\(\"$_MK_DIR\",\"$_MOCK_MK_DIR\"\),\(\"$_KEY_DIR\",\"$_MOCK_KEY_DIR\"\)]\' --shell \"cd $_MOCK_PKG_DIR\; make -j $NPROCS -f $_MOCK_MK_DIR/$_SIGN_MAKEFILE KEY=$_MOCK_KEY_DIR/$_IMA_PRIV_KEY\"

    retval=$?

-   printf "Cleaning mock environment\n"
-   $MOCK -q -r $_MOCK_CFG --scrub=all
+    trap - SIGHUP SIGINT SIGABRT SIGTERM
+
+    _local_cleanup

    if [ $retval -ne 0 ] ; then
        echo "failed to add file signatures to RPMs in mock environment."
@ -153,6 +170,29 @@ function _copy_and_sign {
 }


+function _server_cleanup {
+
+    # cleanup
+    ssh $SIGNING_USER@$SIGNING_SERVER rm $_UPLOAD_DIR/*.rpm
+    if [ $? -ne 0 ] ; then
+        echo "Warning : failed to remove rpms from temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}."
+    fi
+    ssh $SIGNING_USER@$SIGNING_SERVER rmdir $_UPLOAD_DIR
+    if [ $? -ne 0 ] ; then
+        echo "Warning : failed to remove temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}."
+    fi
+
+}
+
+function __server_trapdoor {
+
+    printf "caught signal while attempting to sign files. Cleaning up."
+    _server_cleanup
+
+    exit 1
+}
+
+
 function sign_packages_on_server {

    retval=0
@ -172,18 +212,14 @@ function sign_packages_on_server {
    # this is the upload temp dir, outside of chroot env
    _UPLOAD_DIR=$base$sub

+    trap __server_trapdoor SIGHUP SIGINT SIGABRT SIGTERM
+
    _copy_and_sign
    retval=$?

-   # cleanup
-   ssh $SIGNING_USER@$SIGNING_SERVER rm $_UPLOAD_DIR/*.rpm
-   if [ $? -ne 0 ] ; then
-      echo "Warning : failed to remove rpms from temporary upload directory."
-   fi
-   ssh $SIGNING_USER@$SIGNING_SERVER rmdir $_UPLOAD_DIR
-   if [ $? -ne 0 ] ; then
-      echo "Warning : failed to remove temporary upload directory."
-   fi
+    trap - SIGHUP SIGINT SIGABRT SIGTERM
+
+    _server_cleanup

    return $retval
 }
@ -196,9 +232,6 @@ function sign_packages_on_server {

 # Check args
 HELP=0
-SIGNING_SERVER=yow-tiks01
-SIGNING_USER=signing
-SIGNING_SERVER_SCRIPT=/opt/signing/sign_rpms_18.03.sh

 # return value
 retval=0
--- a/build-tools/sign-secure-boot
+++ b/build-tools/sign-secure-boot
@ -454,8 +454,6 @@ if [ "x$MY_WORKSPACE" == "x" ]; then
 fi

 ARCH="x86_64"
-SIGNING_SERVER=yow-tiks01
-SIGNING_USER=signing
 SIGNING_SCRIPT=/opt/signing/sign.sh
 UPLOAD_PATH=`ssh $SIGNING_USER@$SIGNING_SERVER sudo $SIGNING_SCRIPT -r`
 SIGNED_PKG_DB=${MY_WORKSPACE}/signed_pkg_list.txt
--- a/build-tools/sign_iso_formal.sh
+++ b/build-tools/sign_iso_formal.sh
@ -16,7 +16,6 @@ ISO_FILE_PATH=$1
 ISO_FILE_NAME=$(basename ${ISO_FILE_PATH})
 ISO_FILE_ROOT=$(dirname ${ISO_FILE_PATH})
 ISO_FILE_NOEXT="${ISO_FILE_NAME%.*}"
-SIGNING_SERVER="signing@yow-tiks01"
 GET_UPLOAD_PATH="sudo /opt/signing/sign.sh -r"
 REQUEST_SIGN="sudo /opt/signing/sign_iso.sh"
 SIGNATURE_FILE="$ISO_FILE_NOEXT.sig"
@ -24,7 +23,7 @@ SIGNATURE_FILE="$ISO_FILE_NOEXT.sig"
 # Make a request for an upload path
 # Output is a path where we can upload stuff, of the form
 # "Upload: /tmp/sign_upload.5jR11pS0"
-UPLOAD_PATH=`ssh ${SIGNING_SERVER} ${GET_UPLOAD_PATH}`
+UPLOAD_PATH=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${GET_UPLOAD_PATH}`
 if [ $? -ne 0 ]; then
    echo "Could not get upload path.  Do you have permissions on the signing server?"
    exit 1
@ -32,7 +31,7 @@ fi
 UPLOAD_PATH=`echo ${UPLOAD_PATH} | cut -d ' ' -f 2`

 echo "Uploading file"
-scp -q ${ISO_FILE_PATH} ${SIGNING_SERVER}:${UPLOAD_PATH}
+scp -q ${ISO_FILE_PATH} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH}
 if [ $? -ne 0 ]; then
    echo "Could not upload ISO"
    exit 1
@ -41,22 +40,22 @@ echo "File uploaded to signing server -- signing"

 # Make the signing request.
 # Output is path of detached signature
-RESULT=`ssh ${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${ISO_FILE_NAME}`
+RESULT=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${ISO_FILE_NAME}`
 if [ $? -ne 0 ]; then
    echo "Could not perform signing -- output $RESULT"
-    ssh ${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
+    ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
    exit 1
 fi

 echo "Signing complete.  Downloading detached signature"
-scp -q ${SIGNING_SERVER}:${RESULT} ${ISO_FILE_ROOT}/${SIGNATURE_FILE}
+scp -q ${SIGNING_USER}@${SIGNING_SERVER}:${RESULT} ${ISO_FILE_ROOT}/${SIGNATURE_FILE}
 if [ $? -ne 0 ]; then
    echo "Could not download newly signed file"
-    ssh ${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
+    ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
    exit 1
 fi

 # Clean up (ISOs are big)
-ssh ${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
+ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}

 echo "${ISO_FILE_ROOT}/${SIGNATURE_FILE} detached signature"
--- a/build-tools/sign_patch_formal.sh
+++ b/build-tools/sign_patch_formal.sh
@ -13,21 +13,20 @@ fi

 PATCH_FILE_PATH=$1
 PATCH_FILE_NAME=$(basename ${PATCH_FILE_PATH})
-SIGNING_SERVER="signing@yow-tiks01"
 GET_UPLOAD_PATH="sudo /opt/signing/sign.sh -r"
 REQUEST_SIGN="sudo /opt/signing/sign_patch.sh"

 # Make a request for an upload path
 # Output is a path where we can upload stuff, of the form
 # "Upload: /tmp/sign_upload.5jR11pS0"
-UPLOAD_PATH=`ssh ${SIGNING_SERVER} ${GET_UPLOAD_PATH}`
+UPLOAD_PATH=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${GET_UPLOAD_PATH}`
 if [ $? -ne 0 ]; then
    echo "Could not get upload path.  Do you have permissions on the signing server?"
    exit 1
 fi
 UPLOAD_PATH=`echo ${UPLOAD_PATH} | cut -d ' ' -f 2`

-scp -q ${PATCH_FILE_PATH} ${SIGNING_SERVER}:${UPLOAD_PATH}
+scp -q ${PATCH_FILE_PATH} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH}
 if [ $? -ne 0 ]; then
    echo "Could upload patch"
    exit 1
@ -36,14 +35,14 @@ echo "File uploaded to signing server"

 # Make the signing request.
 # Output is path of newly signed file
-RESULT=`ssh ${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${PATCH_FILE_NAME}`
+RESULT=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${PATCH_FILE_NAME}`
 if [ $? -ne 0 ]; then
    echo "Could not perform signing -- output $RESULT"
    exit 1
 fi

 echo "Signing complete.  Downloading"
-scp -q ${SIGNING_SERVER}:${RESULT} ${PATCH_FILE_PATH}
+scp -q ${SIGNING_USER}@${SIGNING_SERVER}:${RESULT} ${PATCH_FILE_PATH}
 if [ $? -ne 0 ]; then
    echo "Could not download newly signed file"
    exit 1