From 3bb412da0048d81adb8bcd87e8fa87e075669a46 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Sun, 30 Jun 2019 18:13:44 +0200
Subject: [PATCH] phase1: move usign handling to master
Signed-off-by: Jo-Philipp Wich
---
 phase1/config.ini.example | 4 +++
 phase1/master.cfg | 52 ++++++++++++++++++++++++++++++++++-----
 2 files changed, 50 insertions(+), 6 deletions(-)
diff --git a/phase1/config.ini.example b/phase1/config.ini.example
index 7032806..2eeb537 100644
--- a/phase1/config.ini.example
+++ b/phase1/config.ini.example
@@ -43,6 +43,10 @@ keyid = 626471F1
 passfile = ./gpg-passphrase.txt
 comment = Unattended build signature
+[usign]
+key = RWRCSwAAA...OihABfuLvGRVfVaJ6wLf0=
+comment = Unattended build signature
+
 [slave 1]
 name = example-slave-1
 password = example
diff --git a/phase1/master.cfg b/phase1/master.cfg
index 7521011..dcba17e 100644
--- a/phase1/master.cfg
+++ b/phase1/master.cfg
@@ -3,6 +3,7 @@
 import os
 import re
+import base64
 import subprocess
 import ConfigParser
@@ -159,6 +160,15 @@ if ini.has_option("gpg", "comment"):
 if ini.has_option("gpg", "passfile"):
 gpg_passfile = ini.get("gpg", "passfile")
+usign_key = None
+usign_comment = "untrusted comment: " + repo_branch.replace("-", " ").title() + " key"
+
+if ini.has_option("usign", "key"):
+ usign_key = ini.get("usign", "key")
+
+if ini.has_option("usign", "comment"):
+ usign_comment = ini.get("usign", "comment")
+
 enable_kmod_archive = True
@@ -382,6 +392,16 @@ def NetLockUl(props):
 else:
 return []
+def UsignSec2Pub(seckey, comment="untrusted comment: secret key"):
+ try:
+ seckey = base64.b64decode(seckey)
+ except:
+ return None
+
+ return "{}\n{}".format(re.sub(r"\bsecret key$", "public key", comment),
+ base64.b64encode(seckey[0:2] + seckey[32:40] + seckey[72:]))
+
+
 c['builders'] = []
 dlLock = locks.SlaveLock("slave_dl")
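Review bot: In UsignSec2Pub the bare `except:` around base64.b64decode also swallows KeyboardInterrupt and SystemExit, and nothing checks the decoded length, so a key that decodes to fewer than 72 bytes yields a truncated public-key string instead of None, which the dlkeybuildpub step would then ship to the slave as key-build.pub. Catch the decode failure explicitly, `except (TypeError, ValueError):` (Python 2's b64decode raises TypeError, Python 3's binascii.Error is a ValueError), and reject unexpected sizes before slicing, e.g. `if len(seckey) != 104: return None` — 104 bytes is the signify/usign secret-key layout the offsets 0:2, 32:40 and 72: appear to assume; confirm against the usign key format before hard-coding it. A one-line docstring saying that only the algorithm id, key id and public half are kept would also help, since the name alone does not explain the slicing.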
@@ -688,7 +708,7 @@ for target in targets:
 factory.addStep(ShellCommand(
 name = "newconfig",
 description = "Seeding .config",
- command = "printf 'CONFIG_TARGET_%s=y\\nCONFIG_TARGET_%s_%s=y\\n' >> .config" %(ts[0], ts[0], ts[1])
+ command = "printf 'CONFIG_TARGET_%s=y\\nCONFIG_TARGET_%s_%s=y\\nCONFIG_SIGNED_PACKAGES=%s\\n' >> .config" %(ts[0], ts[0], ts[1], 'y' if usign_key is not None else 'n')
 ))
 factory.addStep(ShellCommand(
@@ -723,8 +743,27 @@ for target in targets:
 command = ["sed", "-ne", '/^CONFIG_LIBC=/ { s!^CONFIG_LIBC="\\(.*\\)"!\\1!; s!^musl$!!; s!.\\+!-&!p }', ".config"]))
 # install build key
- factory.addStep(FileDownload(name="dlkeybuild", mastersrc=home_dir+'/key-build', slavedest="key-build", mode=0600))
- factory.addStep(FileDownload(name="dlkeybuildpub", mastersrc=home_dir+'/key-build.pub', slavedest="key-build.pub", mode=0600))
+ if usign_key is not None:
+ factory.addStep(StringDownload(
+ name = "dlkeybuildpub",
+ s = UsignSec2Pub(usign_key, usign_comment),
+ slavedest = "key-build.pub",
+ mode = 0600,
+ ))
+
+ factory.addStep(StringDownload(
+ name = "dlkeybuild",
+ s = "# fake private key",
+ slavedest = "key-build",
+ mode = 0600,
+ ))
+
+ factory.addStep(StringDownload(
+ name = "dlkeybuilducert",
+ s = "# fake certificate",
+ slavedest = "key-build.ucert",
+ mode = 0600,
+ ))
 # prepare dl
 factory.addStep(ShellCommand(
@@ -822,7 +861,7 @@ for target in targets:
 factory.addStep(ShellCommand(
 name = "pkgindex",
 description = "Indexing packages",
- command=["make", Interpolate("-j%(kw:jobs)s", jobs=GetNumJobs), "package/index", "V=s"],
+ command=["make", Interpolate("-j%(kw:jobs)s", jobs=GetNumJobs), "package/index", "V=s", "CONFIG_SIGNED_PACKAGES="],
 env = MakeEnv(),
 haltOnFailure = True
 ))
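Review bot: The dlkeybuildpub step passes `s = UsignSec2Pub(usign_key, usign_comment)` without checking the result, and UsignSec2Pub returns None on a key that does not decode, so a malformed [usign] key is only noticed when the download step fails on every builder at build time instead of when the master loads its configuration. Derive the public key once next to the ini parsing, `usign_pubkey = UsignSec2Pub(usign_key, usign_comment)` guarded by `if usign_key is not None and usign_pubkey is None: raise ValueError("invalid usign key in config.ini")`, and hand `usign_pubkey` to the step here. The same early check would also cover the newconfig step above, which decides CONFIG_SIGNED_PACKAGES from `usign_key is not None` alone. The enclosing `for target in targets:` loop and the factory it fills begin outside this hunk.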
@@ -899,7 +938,7 @@ for target in targets:
 factory.addStep(ShellCommand(
 name = "kmodindex",
 description = "Indexing kmod archive",
- command=["make", Interpolate("-j%(kw:jobs)s", jobs=GetNumJobs), "package/index", "V=s",
+ command=["make", Interpolate("-j%(kw:jobs)s", jobs=GetNumJobs), "package/index", "V=s", "CONFIG_SIGNED_PACKAGES=",
 Interpolate("PACKAGE_SUBDIRS=bin/targets/%(kw:target)s/%(kw:subtarget)s%(prop:libc)s/kmods/%(prop:kernelversion)s/", target=ts[0], subtarget=ts[1])],
 env = MakeEnv(),
 haltOnFailure = True
@@ -931,7 +970,8 @@ for target in targets:
 name = "signfiles",
 description = "Signing files",
 command = ["%s/signall.sh" %(scripts_dir), "%s/signing/%s.%s.tar.gz" %(home_dir, ts[0], ts[1]), gpg_keyid, gpg_comment],
- env = {'GNUPGHOME': gpg_home, 'PASSFILE': gpg_passfile},
+ env = {'GNUPGHOME': gpg_home, 'PASSFILE': gpg_passfile, 'USIGNKEY': usign_key, 'USIGNCOMMENT': usign_comment},
+ logEnviron = False,
 haltOnFailure = True
 ))
--
2.30.2
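Review bot: The signfiles step now hands the raw usign secret key to signall.sh via `'USIGNKEY': usign_key`; `logEnviron = False` rightly keeps it out of the step log, but an environment variable is inherited by every child process the script spawns and is readable by any other process running as the master's user, whereas the gpg secret stays in files reached through `GNUPGHOME` and `PASSFILE`. Consider the same shape for usign — pass the path of a mode-0600 key file and let the script read it — or at least have signall.sh clear USIGNKEY once it has consumed it. Whether the env handling tolerates `usign_key` being None when no [usign] section is configured cannot be seen from this hunk; `PASSFILE` already takes that path, so presumably it does, but it is worth confirming. The `factory.addStep(ShellCommand(` that opens this step lies above the hunk.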