Add option to sign using gpg key

When running the apt-ostree to generate the commit for the prepatched
ISO we can use the gpg key from the LAT container to sign the commit.
This change allows us to choose when we want to do this with the
argument '--sign-gpg'.

Test plan:
    PASS: Run create-prepatched-iso without --sign-gpg, test full
        install of AIO-SX.
    PASS: Run create-prepatched-iso with --sign-gpg, test full install
        of AIO-SX.
    PASS: Run patch-iso sub-job from patch pipeline.

Story: 2010676
Task: 51485

Change-Id: I90650c5550c812955fa57baae3044c89e427a34d
Signed-off-by: Dostoievski Batista <dostoievski.albinobatista@windriver.com>
Dostoievski Batista 2024-12-18 15:28:17 -03:00
parent 4d731b86dd
commit f9823bffcd

@ -335,7 +335,9 @@ def main():
parser.add_argument('-b','--base',type=str,
help="Full path to ostree repository to be used as base to the \
pre-patched iso. Default value is: $DEPLOY_DIR/ostree_repo")
parser.add_argument('-g','--sign-gpg',action='store_true',
help="Sign the commit created by apt-ostree using the default \
GPG_HOME from LAT container.")
args = parser.parse_args()
# Config logging
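Review bot: `action='store_true'` on `--sign-gpg` makes signing opt-in, while the command line this patch replaces further down always passed `--gpg-key`, so callers that do not add the flag now produce an unsigned commit. If that default is intended, state it in the help text (for example "Without this option the commit is not signed") and name where the key id comes from, `gpg.ostree.gpgid`, rather than only GPG_HOME. Otherwise keep signing as the default and add an opt-out flag instead.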
@ -472,7 +474,8 @@ def main():
logger.info(f'Patch {sw_version} unpacked sucessfully.')
# Here we setup our gpg client
# Here we setup our gpg client if needed
if args.sign_gpg:
setup_gpg_client()
# We delete the patches folder from the base iso and recreate it
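Review bot: the `if args.sign_gpg:` guard around `setup_gpg_client()` has no else branch and logs nothing, so the build log does not record whether the pre-patched ISO commit was signed. Add a `logger.info` on both paths stating whether GPG signing is enabled, so an unsigned ISO can be traced back to how the job was invoked.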
@ -502,11 +505,15 @@ def main():
# apt-ostree requires an http connection to access the host files
# so we give the full http path using the ip
full_feed_path = f'\"{HTTP_FULL_ADDR}{FEED_PATH} bullseye\"'
cmd = ["apt-ostree", "compose", "install", "--repo", f"{iso_folder}/ostree_repo"]
# If we have ostree setup we will use the gpg key
if args.sign_gpg:
gpg_key = get_yaml_value("gpg.ostree.gpgid")
cmd += ["--gpg-key", gpg_key]
pkgs = " ".join(patch["packages"])
cmd = ["apt-ostree", "compose", "install", "--repo", f"{iso_folder}/ostree_repo",
"--gpg-key", gpg_key, "--branch", "starlingx", "--feed", full_feed_path,
"--component", patch['sw_version'], pkgs]
cmd += ["--branch", "starlingx", "--feed", full_feed_path, "--component",
patch['sw_version'], pkgs]
logger.debug('Running command: %s', cmd)
subprocess.check_call(cmd, shell=False)
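Review bot: missing check on `gpg_key` in the `if args.sign_gpg:` block: the result of `get_yaml_value("gpg.ostree.gpgid")` is appended to `cmd` as is, so a missing or empty `gpg.ostree.gpgid` entry only surfaces as a failure inside `subprocess.check_call` (or inside apt-ostree) instead of as a clear error. Validate the value before `cmd += ["--gpg-key", gpg_key]` and abort with a message that names the yaml key. The comment above the block says "If we have ostree setup" where it means the GPG setup selected by `--sign-gpg`, and should be reworded to match.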