#!/bin/bash
#
# Copyright (c) 2018 Open Source Foundries Ltd.
# SPDX-License-Identifier: BSD-3-Clause
#
# Script to publish and sign a pre-built OSTree repository to an OTA+ server.
#
# Abort on the first failing command. Note this does not cover commands in
# 'if'/'&&'/'||' contexts, so the important checks below are still explicit.
set -o errexit
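# Print the command-line help to stderr (stdout stays clean for callers that
# capture it). "$0" is quoted: the original left it unquoted, so a script
# path containing spaces was word-split into several basename operands.
usage() {
cat << EOF >&2
usage: $(basename "$0") options
OPTIONS:
-c OTA+ credentials zip file (e.g. credentials.zip)
-h Shows this message
-m Name for the machine target in OTA+ (e.g. raspberrypi3-64)
-v Optional version to add to the image information
-u Optional url to add to the image information
-r OSTree repository (e.g. ostree_repo directory or ostree_repo.tar.bz2 archive)
-a Optional dockerapp to include with image
EOF
}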
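# Report a fatal error and abort the script.
# Arguments: all arguments are joined with spaces into the message.
# The message goes to stderr (the original wrote it to stdout, where it is
# lost when output is captured) and the exit status is 1: the original's
# 'exit -1' is not valid in POSIX sh and yields 255 under bash.
error() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}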
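# Usage error: print the help text (usage() writes to stderr) and exit.
# Exits 2, the conventional status for bad invocation; the original's
# 'exit -1' is rejected by POSIX sh and becomes 255 under bash.
fail() {
  usage
  exit 2
}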
# Space-separated list of dockerapps, one entry appended per -a by get_opts().
apps=''
# Parse the command line into the globals credentials, machine, ostree_repo,
# url, version and apps (apps is a space-joined list, one entry per -a).
# -h prints usage and exits 0. An unknown option, or a missing mandatory
# option (-c, -m, -r), goes through fail(), which prints usage and exits.
get_opts() {
  local -r spec="a:c:m:r:u:v:h"
  local flag
  while getopts "${spec}" flag; do
    case "${flag}" in
      a) apps="${apps} ${OPTARG}" ;;
      c) credentials="${OPTARG}" ;;
      h) usage; exit 0 ;;
      m) machine="${OPTARG}" ;;
      r) ostree_repo="${OPTARG}" ;;
      u) url="${OPTARG}" ;;
      v) version="${OPTARG}" ;;
      *) fail ;;
    esac
  done
  if [[ -z "${credentials}" || -z "${machine}" || -z "${ostree_repo}" ]]; then
    fail
  fi
}
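# ---------------------------------------------------------------------------
# Main flow: parse options, locate the OSTree repo (directory or .tar.bz2),
# push it to treehub, add it (plus any dockerapps) to the TUF targets, sign,
# push and verify. Every external tool (tar, ostree, garage-*, ota-dockerapp)
# runs under 'set -e', so its first failure aborts the script.
# ---------------------------------------------------------------------------

# "$@" (not bare $@) keeps arguments containing spaces intact.
get_opts "$@"
if [[ ! -f "${credentials}" ]]; then
  error "Credentials ${credentials} file not found"
fi

# One private working directory for everything this run creates. mktemp -d
# creates it atomically with mode 0700, so the sub-paths chosen below cannot
# be guessed or pre-created by another user of a shared /tmp (the original
# used 'mktemp -u', which only invents a name and leaves a race window). The
# EXIT trap removes it on success and on any 'set -e' abort, so nothing
# derived from the credentials file (garage-sign's --home-dir is initialised
# from it) is left behind, and an extracted OSTree repo no longer leaks into
# /tmp either (the original never removed it).
workdir=$(mktemp -d) || error "could not create a temporary working directory"
cleanup() {
  rm -rf -- "${workdir:?}"
}
trap cleanup EXIT

if [[ -d "${ostree_repo}" ]]; then
  if [[ ! -f "${ostree_repo}/config" ]]; then
    error "directory is not a valid OSTree repo: ${ostree_repo}"
  fi
elif [[ -f "${ostree_repo}" ]]; then
  echo "Validating OSTree archive"
  # A usable archive carries ostree_repo/config at its top level.
  if tar -tvjf "${ostree_repo}" ostree_repo/config >/dev/null 2>&1; then
    echo "Decompressing OSTree repository"
    tmpdir="${workdir}/ostree"
    mkdir "${tmpdir}"
    tar -jxf "${ostree_repo}" --totals --checkpoint=.1000 -C "${tmpdir}"
    ostree_repo="${tmpdir}/ostree_repo"
  else
    error "file is not a valid OSTree repo: ${ostree_repo}"
  fi
else
  # The original fell through here and let 'ostree refs' fail later.
  error "OSTree repo not found: ${ostree_repo}"
fi

# Only the first ref is published (as before); warn when there are more so a
# skipped branch does not go unnoticed, and fail clearly on an empty repo
# instead of letting cat fail on the refs/heads/ directory.
mapfile -t ostree_refs < <(ostree refs --repo "${ostree_repo}")
if (( ${#ostree_refs[@]} == 0 )); then
  error "no refs found in OSTree repo: ${ostree_repo}"
fi
ostree_branch="${ostree_refs[0]}"
if (( ${#ostree_refs[@]} > 1 )); then
  echo "WARNING: ${#ostree_refs[@]} refs found; only ${ostree_branch} will be published" >&2
fi
ostree_hash=$(< "${ostree_repo}/refs/heads/${ostree_branch}")
[[ -n "${ostree_hash}" ]] || error "empty commit hash for ref ${ostree_branch}"

# '-' (not ':-') is deliberate: an explicitly empty -v / -u is passed on as
# given; only an omitted option takes the default. The http://example.com
# default is what 'garage-sign targets add --url' records when -u is absent.
version="${version-${ostree_hash}}"
url="${url-http://example.com}"

# Neither path exists yet, matching the 'mktemp -u' names the original passed
# (garage-sign init presumably creates --repo itself — confirm if it ever
# starts requiring an existing directory). Both live under the 0700 workdir.
tufrepo="${workdir}/tuf"
otarepo="${workdir}/ota"

echo "Publishing OSTree branch ${ostree_branch} hash ${ostree_hash} to treehub"
garage-push --repo "${ostree_repo}" --ref "${ostree_branch}" --credentials "${credentials}"
echo "Initializing local TUF repository"
garage-sign init --repo "${tufrepo}" --home-dir "${otarepo}" --credentials "${credentials}"
echo "Pulling TUF targets from the remote TUF repository"
garage-sign targets pull --repo "${tufrepo}" --home-dir "${otarepo}"

# Snapshot targets.json so we can tell afterwards whether ota-dockerapp
# publish changed the local copy or the server copy (see the comment below).
targets_json="${tufrepo}/roles/unsigned/targets.json"
sha=$(sha256sum "${targets_json}")
# shellcheck disable=SC2086  # apps is a space-separated list built by get_opts
for app in $apps ; do
  echo "Adding docker app to tuf repo: $app"
  ota-dockerapp publish "${app}" "${credentials}" "${version}" "${targets_json}"
done
newsha=$(sha256sum "${targets_json}")
if [[ "$sha" = "$newsha" ]] && [[ -n "$apps" ]] ; then
  # there are two outcomes when pushing apps:
  # 1) the repo has online keys and the targets.json on the server was
  #    updated
  # 2) we have offline keys, and the script updated the local copy
  #    of targets.json
  # If we are here, #1 happened and we need to pull in the new version
  # of targets.json
  echo "Pulling updated TUF targets from the remote TUF repository"
  garage-sign targets pull --repo "${tufrepo}" --home-dir "${otarepo}"
fi

echo "Adding OSTree target to the local TUF repository"
# --sha256 carries the OSTree commit hash; --length 0 is kept as in the
# original (presumably no file payload to size for an OSTREE target).
garage-sign targets add --repo "${tufrepo}" --home-dir "${otarepo}" --name "${ostree_branch}" \
  --format OSTREE --version "${version}" --length 0 --url "${url}" \
  --sha256 "${ostree_hash}" --hardwareids "${machine}"
# shellcheck disable=SC2086  # apps is a space-separated list built by get_opts
for app in $apps ; do
  echo "Merging dockerapp into target custom data: $app"
  ota-dockerapp merge "${targets_json}" "${app}" "${version}" "${ostree_branch}"
done

echo "Signing local TUF targets"
garage-sign targets sign --repo "${tufrepo}" --home-dir "${otarepo}" --key-name targets
echo "Publishing local TUF targets to the remote TUF repository"
garage-sign targets push --repo "${tufrepo}" --home-dir "${otarepo}"
echo "Verifying remote OSTree + TUF repositories"
# Remote verification of the pushed ref; a failure here aborts before the
# success message is printed.
garage-check --ref "${ostree_hash}" --credentials "${credentials}"
echo "Cleaning up local TUF repository"
# The removal itself happens in cleanup() via the EXIT trap, which also runs
# when any step above aborts the script.
echo "Local OSTree repository successfully published to the remote OTA+ treehub / TUF repositories"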