
The issue was: Currently building the ISO and signing the ISO are part of the same Jenkins (sub-)job. This makes it difficult to re-run or troubleshoot failures related to signing. Solution: Pipeline Jobs pipelines/parts/build-iso.Jenkinsfile - MODIFIED - Removed the sign-iso stage (now a separate job) - Keeps only the build-iso stage pipelines/parts/sign-iso.Jenkinsfile - NEW - Independent job for signing only - Validates ISOs before signing by calling signing-preflight.sh - Executes signing with the original script Scripts scripts/build-iso.sh - MODIFIED - Added detailed build logging - Keeps SECUREBOOT_FORMAL for packages - Compatible with all existing configurations scripts/sign-iso.sh - MODIFIED - A log line printed a wrong message that could make interpretation difficult - Line 30 SECUREBOOT_FORMAL requires SIGNING_SERVER changed to SIGN_ISO_FORMAL requires SIGNING_SERVER scripts/signing-preflight.sh - NEW - Full validation before signing - Checks ISOs, configuration, connectivity - Detailed validation logs Main Pipeline pipelines/monolithic.Jenkinsfile - MODIFIED - Lines 325–327: Changed to use build-iso + sign-iso - Flow: build-iso → sign-iso → publish-iso TEST PLAN: Create a new Job in Jenkins to validate the new pipeline structure pointing to a fork of the main repository where we can push and adjust the new pipeline structure separately from the original pipeline Closes-Bug: 2122544 Change-Id: I3d44702063974ae23ea3a4f54a82b526f1df5b22 Signed-off-by: Ladislau <Ladislau.Felisbino@windriver.com>
#!/bin/bash
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
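set -e

# Load the job helper library that sits next to this script. The path is
# quoted so a checkout directory containing whitespace still resolves.
# (Presumably this is where require_job_env, load_build_env, notice, bail,
# die and stx_docker_cmd come from -- they are not defined in this file.)
source "$(dirname "$0")/lib/job_utils.sh"

require_job_env BUILD_HOME
require_job_env BUILD_ISO

load_build_env

require_job_env SECUREBOOT_FORMAL
require_job_env SIGN_ISO_FORMAL

# BUILD_ISO, SECUREBOOT_FORMAL and SIGN_ISO_FORMAL are executed as commands
# below, so they are expected to hold the words "true" or "false".
$BUILD_ISO || bail "BUILD_ISO=false, bailing out"

if $SECUREBOOT_FORMAL ; then
    notice "signing secureboot packages"
    [[ -n "$SIGNING_SERVER" ]] || die "SECUREBOOT_FORMAL requires SIGNING_SERVER"
    # NOTE(review): the SIGNING_* values are spliced unescaped into a command
    # string. The escaped \$MY_REPO and \$PATH below show that the string is
    # expanded again by a later shell (presumably inside the build container
    # -- confirm against stx_docker_cmd), so whitespace or shell
    # metacharacters in SIGNING_USER, SIGNING_SERVER or SIGNING_KEY_NAME would
    # be interpreted there. Only SIGNING_SERVER is checked for emptiness;
    # validate all three where the job configuration is read.
    sign_secure_boot_env="SIGNING_USER=${SIGNING_USER:-signing} SIGNING_SERVER=${SIGNING_SERVER} SIGNING_KEY_NAME=${SIGNING_KEY_NAME}"
    # DRY_RUN_ARG stays unquoted on purpose: when it is empty it must expand
    # to no argument at all rather than to an empty string.
    # shellcheck disable=SC2086
    stx_docker_cmd $DRY_RUN_ARG "$sign_secure_boot_env PATH=\$MY_REPO/build-tools:\$PATH sign-secure-boot_debian"
fi

build_img_args=
# Job is configured to sign the ISO with official keys.
if $SIGN_ISO_FORMAL ; then
    [[ -n "$SIGNING_SERVER" ]] || die "SIGN_ISO_FORMAL requires SIGNING_SERVER"
    # Formal signing with the official key is the task of 'sign-iso.sh',
    # so build-image is told not to sign the ISO itself.
    build_img_args+=" --no-sign"
else
    # Use developer key signing (default build-image behavior);
    # build_img_args remains empty to enable default signing.
    notice "Using developer key signing"
fi

notice "building STD ISO"
# shellcheck disable=SC2086
stx_docker_cmd $DRY_RUN_ARG "build-image $build_img_args"

# Best effort: a failure of the package list export must not fail the build,
# but it is reported on stderr instead of being swallowed silently.
python3 "$(dirname "$0")/lib/packages_parser.py" \
    --input "$BUILD_HOME"/localdisk/workdir/starlingx/packages.yaml \
    --csv-dest "$BUILD_HOME"/localdisk/deploy/iso-packages.csv \
    || echo "WARNING: packages_parser.py failed; iso-packages.csv may be missing or incomplete" >&2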
# Create build information log
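#######################################
# Write a plain-text record of this build to
# $BUILD_HOME/localdisk/deploy/build_info.log.
#
# The "Build Type", "Build Command Used" and "Next Steps" sections are derived
# from build_img_args, so the record matches what was actually run: with
# --no-sign the ISO is left for the sign-iso stage, otherwise build-image
# applied its default developer key signing.
#
# Globals (read): BUILD_HOME, build_img_args, SECUREBOOT_FORMAL,
#                 SIGN_ISO_FORMAL, JOB_NAME, BUILD_NUMBER, GIT_COMMIT,
#                 GIT_BRANCH, WORKSPACE, TIMESTAMP
# Arguments: none
# Outputs:   overwrites build_info.log; reports its path through notice
#######################################
create_build_info_log() {
    local build_info_file="$BUILD_HOME/localdisk/deploy/build_info.log"
    local img_args="${build_img_args:-}"
    local build_type next_steps config_lines iso_listing

    if [[ "$img_args" == *--no-sign* ]]; then
        build_type="ISO Build (No Signing - separate sign-iso job)"
        next_steps="This build completed successfully without signing.
The ISO files are ready for the sign-iso stage.
Run 'sign-iso' job to complete the process."
    else
        build_type="ISO Build (developer key signing - build-image default)"
        next_steps="This build completed successfully using developer key signing.
Formal ISO signing was not requested for this build."
    fi

    # Copies matching build.conf lines verbatim. The SIGN_ alternative does
    # not match SIGNING_* names, so the signing server settings are not
    # copied by this pattern.
    # NOTE(review): confirm that no BUILD_* setting holds a credential, since
    # this file is written next to the deliverables under deploy/.
    config_lines=$(grep -E '^(BUILD_|SIGN_|SECUREBOOT_)' "$BUILD_HOME/build.conf" 2>/dev/null \
        || echo "Configuration not available")

    # Best-effort listing of the ISO files with a human-readable size.
    # read -r and an empty IFS keep backslashes and surrounding blanks in
    # file names intact; a failed listing must not abort the build.
    iso_listing=$(find "$BUILD_HOME/localdisk/deploy" -name "*.iso" -type f 2>/dev/null \
        | while IFS= read -r iso_file; do
            echo "$iso_file ($(stat -c%s "$iso_file" 2>/dev/null | numfmt --to=iec 2>/dev/null || echo "unknown size"))"
        done) || true

    cat > "$build_info_file" << EOF
# StarlingX ISO Build Information (Build Stage)
Build Date: $(date -u)
Build Type: ${build_type}
Jenkins Job: ${JOB_NAME:-Unknown}
Build Number: ${BUILD_NUMBER:-Unknown}
Git Commit: ${GIT_COMMIT:-Unknown}
Git Branch: ${GIT_BRANCH:-Unknown}
Workspace: ${WORKSPACE:-Unknown}
Build Home: ${BUILD_HOME}
Timestamp: ${TIMESTAMP:-Unknown}
Secureboot Formal: ${SECUREBOOT_FORMAL:-false}
Sign ISO Formal: ${SIGN_ISO_FORMAL:-false}
Build Host: $(hostname)
Build User: $(whoami)

# Build Configuration:
${config_lines}

# ISO Files Created:
${iso_listing}

# Build Command Used:
build-image${img_args}

# Next Steps:
${next_steps}
EOF

    notice "Build info saved to: $build_info_file"
}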
# Record the build metadata next to the ISO, then announce completion.
create_build_info_log

notice "ISO build completed successfully - ready for sign-iso stage"