0090785d63
The issue was:
Currently building the ISO and signing the ISO are part of the same Jenkins (sub-)job. This makes it difficult to re-run or troubleshoot failures related to signing.
Solution:
Pipeline Jobs
pipelines/parts/build-iso.Jenkinsfile - MODIFIED
- Removed the sign-iso stage (now a separate job)
- Keeps only the build-iso stage
pipelines/parts/sign-iso.Jenkinsfile - NEW
- Independent job for signing only
- Validates ISOs before signing calling signing-preflight.sh
- Executes signing with the original script
Scripts
scripts/build-iso.sh - MODIFIED
- Added detailed build logging
- Keeps SECUREBOOT_FORMAL for packages
- Compatible with all existing configurations
scripts/sign-iso.sh - MODIFIED
- A log line was informing a wrong message that could dificult the interpretation
- Line 30 SECUREBOOT_FORMAL requires SIGNING_SERVER changed to SIGN_ISO_FORMAL requires SIGNING_SERVER
scripts/signing-preflight.sh - NEW
- Full validation before signing
- Checks ISOs, configuration, connectivity
- Detailed validation logs
Main Pipeline
pipelines/monolithic.Jenkinsfile - MODIFIED
- Lines 325–327: Changed to use build-iso + sign-iso
- Flow: build-iso → sign-iso → publish-iso
TEST PLAN: Create a new Job in Jenkins to validate the new pipeline structure pointing to a fork of the main repository where we can push and adjust the new pipeline structure separatedly from the original pipeline
Closes-Bug: 2122544
Change-Id: I3d44702063974ae23ea3a4f54a82b526f1df5b22
Signed-off-by: Ladislau <Ladislau.Felisbino@windriver.com>
78 lines
2.4 KiB
Bash
Executable File
78 lines
2.4 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
#
|
|
# Copyright (c) 2022 Wind River Systems, Inc.
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
|
|
set -e
|
|
source $(dirname "$0")/lib/job_utils.sh
|
|
source $(dirname "$0")/lib/retries.sh
|
|
|
|
require_job_env BUILD_HOME
|
|
require_job_env BUILD_ISO
|
|
|
|
load_build_env
|
|
|
|
require_job_env SIGN_ISO_FORMAL
|
|
require_job_env SIGN_MAX_ATTEMPTS
|
|
require_job_env SIGN_BACKOFF_DELAY
|
|
|
|
$BUILD_ISO || bail "BUILD_ISO=false, bailing out"
|
|
|
|
sign_iso() {
|
|
local iso_file="$1"
|
|
local sig_file="${iso_file%.iso}.sig"
|
|
|
|
# Job is configured to sign the ISO with formal keys
|
|
if $SIGN_ISO_FORMAL ; then
|
|
[[ -n "$SIGNING_SERVER" ]] || die "SIGN_ISO_FORMAL requires SIGNING_SERVER"
|
|
(
|
|
export MY_REPO=$REPO_ROOT/cgcs-root
|
|
export MY_WORKSPACE=$WORKSPACE_ROOT
|
|
export PATH=$MY_REPO/build-tools:$PATH:/usr/local/bin
|
|
export SIGNING_SERVER
|
|
export SIGNING_USER
|
|
maybe_run rm -f "$sig_file"
|
|
if ! maybe_run with_retries -d "$SIGN_BACKOFF_DELAY" "$SIGN_MAX_ATTEMPTS" sign_iso_formal.sh "$iso_file" ; then
|
|
die "failed to sign ISO"
|
|
fi
|
|
if ! $DRY_RUN ; then
|
|
[[ -f "$sig_file" ]] || die "failed to sign ISO"
|
|
info "created signature $sig_file"
|
|
fi
|
|
) || exit 1
|
|
return 0
|
|
fi
|
|
|
|
# ISO is already signed with developer keys - make sure .sig file exists
|
|
info "skipping formal ISO signing because it's already signed with developer key"
|
|
if ! $DRY_RUN ; then
|
|
[[ -f "$sig_file" ]] || die "$sig_file: file not found"
|
|
info "using existing ISO signature $sig_file"
|
|
fi
|
|
}
|
|
|
|
|
|
declare -a iso_files
|
|
iso_files+=($BUILD_HOME/localdisk/deploy/starlingx-intel-x86-64-cd.iso)
|
|
|
|
for iso_file in "${iso_files[@]}" ; do
|
|
if [[ -L "$iso_file" ]] ; then
|
|
iso_link_target="$(readlink "$iso_file")" || exit 1
|
|
[[ -n "$iso_link_target" ]] || die "failed to read symlink $iso_file"
|
|
[[ ! "$iso_link_target" =~ / ]] || die "$iso_file: link target must not include slashes"
|
|
real_iso_file="$(dirname "$iso_file")/$iso_link_target"
|
|
sign_iso "$real_iso_file"
|
|
sig_file="${iso_file%.iso}.sig"
|
|
sig_link_target="${iso_link_target%.iso}.sig"
|
|
if ! $DRY_RUN ; then
|
|
ln -sfn "$sig_link_target" "$sig_file" || exit 1
|
|
info "created signature link $sig_file => $sig_link_target"
|
|
fi
|
|
else
|
|
sign_iso "$iso_file"
|
|
fi
|
|
done
|