jenkins-pipelines/scripts/signing-preflight.sh
Ladislau 0090785d63 Split build-iso step from sign-iso step in STX pipelines
The issue was:
  Currently building the ISO and signing the ISO are part of the same Jenkins (sub-)job. This makes it difficult to re-run or troubleshoot failures related to signing.

Solution:
  Pipeline Jobs

pipelines/parts/build-iso.Jenkinsfile - MODIFIED
  - Removed the sign-iso stage (now a separate job)
  - Keeps only the build-iso stage

pipelines/parts/sign-iso.Jenkinsfile - NEW
  - Independent job for signing only
  - Validates ISOs before signing calling signing-preflight.sh
  - Executes signing with the original script

Scripts

scripts/build-iso.sh - MODIFIED
  - Added detailed build logging
  - Keeps SECUREBOOT_FORMAL for packages
  - Compatible with all existing configurations

scripts/sign-iso.sh - MODIFIED
  - A log line printed a wrong message that could make interpretation difficult
    - Line 30 SECUREBOOT_FORMAL requires SIGNING_SERVER changed to SIGN_ISO_FORMAL requires SIGNING_SERVER

scripts/signing-preflight.sh - NEW
  - Full validation before signing
  - Checks ISOs, configuration, connectivity
  - Detailed validation logs

Main Pipeline

pipelines/monolithic.Jenkinsfile - MODIFIED

  - Lines 325–327: Changed to use build-iso + sign-iso
  - Flow: build-iso → sign-iso → publish-iso

TEST PLAN: Create a new Job in Jenkins to validate the new pipeline structure pointing to a fork of the main repository where we can push and adjust the new pipeline structure separatedly from the original pipeline

Closes-Bug: 2122544
Change-Id: I3d44702063974ae23ea3a4f54a82b526f1df5b22
Signed-off-by: Ladislau <Ladislau.Felisbino@windriver.com>
2025-09-11 15:03:47 +00:00


#!/bin/bash
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
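set -e

# shellcheck source=lib/job_utils.sh
source "$(dirname "$0")/lib/job_utils.sh"
require_job_env BUILD_HOME
load_build_env

notice "StarlingX Signing Pre-flight Checks"

# Pre-flight validation: ISO artifacts + signing configuration + connectivity.
# Every failed check bumps validation_errors and the script carries on, so a
# single run reports all problems; the summary at the end exits non-zero if
# anything failed.

#######################################
# Record one failed check.
# NOTE: "((validation_errors++))" returns status 1 while the counter is still 0
# (post-increment evaluates to 0), which aborts the script under "set -e"
# before the remaining checks and the summary run. Use an assignment instead.
# Globals:   validation_errors (written)
#######################################
count_error() {
  validation_errors=$((validation_errors + 1))
}

declare -a iso_files=()
iso_files+=("$BUILD_HOME/localdisk/deploy/starlingx-intel-x86-64-cd.iso")

validation_errors=0

for iso_file in "${iso_files[@]}"; do
  # Resolve a symlinked ISO, accepting only a bare file name as the target so
  # the validated path always stays inside the deploy directory.
  if [[ -L "$iso_file" ]]; then
    iso_link_target="$(readlink "$iso_file")" || {
      error "failed to read symlink $iso_file"
      count_error
      continue
    }
    [[ -n "$iso_link_target" ]] || {
      error "$iso_file: empty symlink target"
      count_error
      continue
    }
    [[ ! "$iso_link_target" =~ / ]] || {
      error "$iso_file: link target must not include slashes"
      count_error
      continue
    }
    real_iso_file="$(dirname "$iso_file")/$iso_link_target"
    info "ISO symlink: $iso_file -> $real_iso_file"
    iso_file="$real_iso_file"
  fi

  # The ISO must be a regular, readable file.
  if [[ ! -f "$iso_file" ]]; then
    error "ISO file not found: $iso_file"
    count_error
    continue
  fi
  if [[ ! -r "$iso_file" ]]; then
    error "ISO file is not readable: $iso_file"
    count_error
    continue
  fi

  # Sanity-check the size: anything under 1 MiB cannot be a real ISO.
  # stat failure is treated as size 0 so it is reported through the same path.
  file_size=$(stat -c%s "$iso_file" 2>/dev/null || echo "0")
  if (( file_size < 1048576 )); then
    error "ISO file seems too small (${file_size} bytes): $iso_file"
    count_error
    continue
  fi
  info "✓ ISO file validated: $iso_file ($(numfmt --to=iec "${file_size}"))"
done

# Build info is expected but its absence is only a warning.
build_info_file="$BUILD_HOME/localdisk/deploy/build_info.log"
if [[ -f "$build_info_file" ]]; then
  info "✓ Build info found: $build_info_file"
else
  warn "Build info file not found: $build_info_file"
fi

# The packages CSV is optional.
packages_csv="$BUILD_HOME/localdisk/deploy/iso-packages.csv"
if [[ -f "$packages_csv" ]]; then
  info "✓ Packages CSV found: $packages_csv"
else
  info "Packages CSV not found (optional): $packages_csv"
fi

# Signing configuration and connectivity are only checked for formal signing.
if [[ "${SIGN_ISO_FORMAL}" == "true" ]]; then
  notice "Validating signing configuration for formal signing"

  missing_config=()
  if [[ -z "${SIGNING_SERVER}" ]]; then
    missing_config+=("SIGNING_SERVER")
  fi
  if [[ -z "${SIGNING_USER}" ]]; then
    missing_config+=("SIGNING_USER")
  fi

  if (( ${#missing_config[@]} > 0 )); then
    error "Missing signing configuration for formal signing:"
    for config in "${missing_config[@]}"; do
      error " - ${config}"
    done
    count_error
  else
    info "✓ Signing configuration is complete"
    info " - SIGNING_SERVER: ${SIGNING_SERVER}"
    info " - SIGNING_USER: ${SIGNING_USER}"
    if [[ -n "${SIGNING_KEY_NAME}" ]]; then
      info "SIGNING_KEY_NAME: ${SIGNING_KEY_NAME}"
    else
      info "SIGNING_KEY_NAME not specified, using default"
    fi

    # Probe SSH connectivity with the same connection parameters the signing
    # step is described as using (see sign_iso_formal.sh). A failure here is
    # reported as a warning only; it does not count as a validation error.
    if command -v ssh >/dev/null 2>&1; then
      info "Testing SSH connectivity to signing server..."
      # Build the command as an array so SIGNING_USER/SIGNING_SERVER are passed
      # as single arguments and never re-parsed by the shell; the former
      # eval-based string would have executed any shell metacharacters those
      # variables contained.
      # NOTE(security): StrictHostKeyChecking=no skips host-key verification and
      # is kept only to match the signing step; once the signing server's key is
      # provisioned in known_hosts, accept-new (or yes) is the safer setting.
      ssh_test_cmd=(ssh -o ConnectTimeout=10 -o BatchMode=yes -o StrictHostKeyChecking=no)
      if [[ -n "${SIGNING_USER}" ]]; then
        ssh_test_cmd+=("${SIGNING_USER}@${SIGNING_SERVER}")
      else
        ssh_test_cmd+=("${SIGNING_SERVER}")
      fi
      ssh_test_cmd+=(exit)

      # Run the probe exactly once (it used to be executed twice, the first
      # result being discarded by "|| true").
      if "${ssh_test_cmd[@]}" >/dev/null 2>&1; then
        info "✓ SSH connection successful to signing server: ${SIGNING_SERVER}"
      else
        warn "SSH connection failed to signing server: ${SIGNING_SERVER}"
        warn "This may indicate authentication, network, or server issues"
        warn "Signing process may fail - check SSH keys and server access"
      fi
    else
      info "SSH command not available - skipping connectivity test"
    fi
  fi
else
  info "Formal ISO signing is disabled (SIGN_ISO_FORMAL != true)"
fi

# Summary: exit status reflects whether any check failed.
if (( validation_errors == 0 )); then
  notice "All pre-flight checks passed - ready for signing"
  exit 0
else
  error "Found ${validation_errors} pre-flight check error(s)"
  exit 1
fi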