Commit c73a53ef authored by Arnaud Ferraris's avatar Arnaud Ferraris

Enable ED25519 signature of generated components


In order to publish verified runtimes and applications that can be
checked using ED25519 keys, this commit adds the `--sign` and
`--sign-type` command-line options with the same semantics as their
`flatpak` and `ostree` counterparts:
- `--sign` must be followed by a base64-encoded secret key
- `--sign-type` indicates the signature type (default, and only valid
  value, is `ed25519`)

Signed-off-by: default avatarArnaud Ferraris <arnaud.ferraris@collabora.com>
parent 9e1fcb71
1 merge request!12Enable ED25519 signatures
......@@ -254,6 +254,8 @@ class Builder:
self.strict = False
self.do_platform = False
self.do_sdk = False
self.sign_key = None
self.sign_type = 'ed25519'
self.metadata = GLib.KeyFile()
self.metadata_debug = GLib.KeyFile()
......@@ -544,6 +546,14 @@ class Builder:
'--no-sdk', action='store_false', dest='sdk', default=None,
help='Do not build SDK (default if --platform is used)',
)
parser.add_argument(
'--sign', default=None,
help='Secret key to sign the Flatpak with',
)
parser.add_argument(
'--sign-type', default=self.sign_type,
help='Signature type to use (default is "ed25519")',
)
subparser = subparsers.add_parser(
'base',
......@@ -608,6 +618,8 @@ class Builder:
self.export_bundles = args.export_bundles
self.ostree_mode = args.ostree_mode
self.strict = args.strict
self.sign_key = args.sign
self.sign_type = args.sign_type
if args.platform is None and args.sdk is None:
self.do_platform = True
......@@ -1356,7 +1368,7 @@ class Builder:
if self.ostree_commit and self.debug_symbols:
logger.info('Committing %s to OSTree', debug_tarball)
subprocess.check_call([
cmd = [
'time',
'ostree',
'--repo=' + self.ostree_repo,
......@@ -1372,7 +1384,14 @@ class Builder:
'--tar-autocreate-parents',
'--add-metadata-string',
'xa.metadata=' + self.metadata_debug.to_data()[0],
])
]
if self.sign_key:
cmd.extend([
'--sign=' + self.sign_key,
'--sign-type=' + self.sign_type,
])
subprocess.check_call(cmd)
if self.collect_source_code and generate_source_tarball:
output = os.path.join(self.build_area, sources_tarball)
......@@ -1381,7 +1400,7 @@ class Builder:
if self.ostree_commit:
logger.info(
'Committing %s to OSTree', sources_tarball)
subprocess.check_call([
cmd = [
'time',
'ostree',
'--repo=' + self.ostree_repo,
......@@ -1397,14 +1416,21 @@ class Builder:
'--tar-autocreate-parents',
'--add-metadata-string',
'xa.metadata=' + self.metadata_sources.to_data()[0],
])
]
if self.sign_key:
cmd.extend([
'--sign=' + self.sign_key,
'--sign-type=' + self.sign_type,
])
subprocess.check_call(cmd)
output = os.path.join(self.build_area, out_tarball)
os.rename(output + '.new', output)
if self.ostree_commit:
logger.info('Committing %s to OSTree', out_tarball)
subprocess.check_call([
cmd = [
'time',
'ostree',
'--repo=' + self.ostree_repo,
......@@ -1420,7 +1446,15 @@ class Builder:
'--tar-autocreate-parents',
'--add-metadata-string',
'xa.metadata=' + self.metadata.to_data()[0],
])
]
if self.sign_key:
cmd.extend([
'--sign=' + self.sign_key,
'--sign-type=' + self.sign_type,
])
subprocess.check_call(cmd)
if self.ostree_commit:
# Don't keep the history in this working repository:
......@@ -1435,12 +1469,19 @@ class Builder:
'--depth=1',
])
subprocess.check_call([
cmd = [
'time',
'flatpak',
'build-update-repo',
self.ostree_repo,
])
]
if self.sign_key:
cmd.extend([
'--sign=' + self.sign_key,
'--sign-type=' + self.sign_type,
])
cmd.append(self.ostree_repo)
subprocess.check_call(cmd)
if self.export_bundles:
for suffix in ('.Platform', '.Sdk'):
......@@ -1451,16 +1492,25 @@ class Builder:
)
output = os.path.join(self.build_area, bundle)
subprocess.check_call([
cmd = [
'time',
'flatpak',
'build-bundle',
'--runtime',
]
if self.sign_key:
cmd.extend([
'--sign=' + self.sign_key,
'--sign-type=' + self.sign_type,
])
cmd.extend([
self.ostree_repo,
output + '.new',
prefix + suffix,
self.runtime_branch,
])
subprocess.check_call(cmd)
os.rename(output + '.new', output)
......@@ -1958,7 +2008,7 @@ class Builder:
with open(json_manifest, 'w', encoding='utf-8') as writer:
json.dump(manifest, writer, indent=2, sort_keys=True)
subprocess.check_call([
cmd = [
'env',
'DEBIAN_FRONTEND=noninteractive',
'XDG_DATA_HOME={}/home'.format(scratch),
......@@ -1970,9 +2020,18 @@ class Builder:
'--arch={}'.format(self.flatpak_arch),
'--repo={}'.format(self.ostree_repo),
'--bundle-sources',
]
if self.sign_key:
cmd.extend([
'--sign=' + self.sign_key,
'--sign-type=' + self.sign_type,
])
cmd.extend([
os.path.join(scratch, 'workdir'),
json_manifest,
])
subprocess.check_call(cmd)
if self.export_bundles:
bundle = '{}-{}-{}.bundle'.format(
......@@ -1981,17 +2040,27 @@ class Builder:
manifest['branch'],
)
output = os.path.join(self.build_area, bundle)
subprocess.check_call([
cmd = [
'time',
'env',
'XDG_DATA_HOME={}/home'.format(scratch),
'flatpak',
'build-bundle',
]
if self.sign_key:
cmd.extend([
'--sign=' + self.sign_key,
'--sign-type=' + self.sign_type,
])
cmd.extend([
self.ostree_repo,
output + '.new',
manifest['id'],
manifest['branch'],
])
subprocess.check_call(cmd)
os.rename(output + '.new', output)
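Review bot: The secret key is taken as a plain command-line value (`--sign`, second hunk) and then re-emitted as `'--sign=' + self.sign_key` into the argv of every `time`/`ostree`/`flatpak` child process, so it is readable by any local user through the process list for the lifetime of those commands and may also land in shell history or CI logs. That per-process exposure mirrors what the upstream tools accept, but the builder could read the key from a file or environment variable and only pass it down at spawn time (recent ostree releases appear to accept a key file via `--sign-from-file`; worth confirming against the version this project targets), and the help text should at least say what the value is: `help='Base64-encoded ED25519 secret key to sign the Flatpak with (visible in process listings)'`. Separately, the commit message says `ed25519` is the only valid `--sign-type`, yet the argument is never validated, so a wrong value surfaces only as a child-process failure deep in the build; adding `choices=['ed25519']` to that `add_argument` call would reject it up front. Note also that `if self.sign_key:` treats an empty `--sign=` as "do not sign" rather than an error, which may be surprising for a verified-publishing path. Each of these hunks sits inside a method whose start and end lie outside the hunk.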