VerityBook/mkrelease.sh

#!/bin/bash -ex

usage() {
    cat << EOF
Usage: $PROGNAME [OPTION] LATEST.JSON

  -h, --help             Display this help
  --nosign               Don't sign the EFI executable
  --key KEY            Use KEY as certification key for EFI signing
  --crt CRT            Use CRT as certification for EFI signing
EOF
}

TEMP=$(
    getopt -o '' \
        --long key: \
        --long crt: \
        --long nosign \
        --long notar \
        --long help \
        -- "$@"
    )

if (( $? != 0 )); then
    usage >&2
    exit 1
fi

eval set -- "$TEMP"
unset TEMP

while true; do
    case "$1" in
        '--key')
            KEY="$(readlink -e $2)"
            shift 2; continue
            ;;
        '--crt')
            CRT="$(readlink -e $2)"
            shift 2; continue
            ;;
        '--nosign')
            NOSIGN="1"
            shift 1; continue
            ;;
        '--notar')
            NOTAR="1"
            shift 1; continue
            ;;
        '--help')
            usage
            exit 0
            ;;
        '--')
            shift
            break
            ;;
        *)
            echo 'Internal error!' >&2
            exit 1
            ;;
    esac
done
PROGNAME=${0##*/}
BASEDIR=$(realpath ${0%/*})

JSON="$(realpath -e $1)"
JSONDIR="${JSON%/*}"
NAME="$(jq -r '.name' ${JSON})"
VERSION="$(jq -r '.version' ${JSON})"
ROOTHASH="$(jq -r '.roothash' ${JSON})"
IMAGE="${JSONDIR}/${NAME}-${VERSION}"
HASH_IMAGE="${JSONDIR}/${NAME}-${ROOTHASH}"
CRT=${CRT:-${BASEDIR}/${NAME}.crt}
KEY=${KEY:-${BASEDIR}/${NAME}.key}

pushd "$IMAGE"
if ! [[ $NOSIGN ]]; then
    if ! [[ $KEY ]] || ! [[ $CRT ]]; then
        echo "Cannot find $KEY and $CRT"
        echo "Need --key KEY --crt CRT options"
        exit 1
    fi
    for i in $(find . -type f -name '*.efi'); do
        [[ -f "$i" ]] || continue
        if ! sbverify --cert "$CRT" "$i" &>/dev/null ; then
            sbsign --key "$KEY" --cert "$CRT" --output "${i}signed" "$i"
            mv "${i}signed" "$i"
        fi
    done
fi

[[ -f sha512sum.txt ]] || sha512sum $(find . -type f) > sha512sum.txt
[[ -f sha512sum.txt.sig ]] || openssl dgst -sha256 -sign "$KEY" -out sha512sum.txt.sig sha512sum.txt

if ! [[ $NOTAR ]]; then
    [[ -e "$IMAGE".tgz ]] || tar cf - -C "${IMAGE%/*}" "${IMAGE##*/}" | pigz -c > "${IMAGE}.tgz"
    if ! [[ -e "$HASH_IMAGE-efi".tgz ]]; then
        tar cf - efi | pigz -c > "$HASH_IMAGE-efi.tgz"
    fi
    [[ $NOSIGN ]] || openssl dgst -sha256 -sign "$KEY" \
        -out "${HASH_IMAGE}-efi.tgz.sig" "${HASH_IMAGE}-efi.tgz"
    [[ $NOSIGN ]] || openssl dgst -sha256 -sign "$KEY" \
        -out "${JSONDIR}/${NAME}-${ROOTHASH}.img.sig" "$IMAGE/root.img"
fi

popd
add mkrelease.sh 2018-09-10 15:51:20 +02:00			`#!/bin/bash -ex`

mkrelease.sh: add UEFI signing 2018-09-12 16:44:03 +02:00			`usage() {`
			`cat << EOF`
mkrelease.sh: add release.json and efi tarball 2018-10-23 16:12:16 +02:00			`Usage: $PROGNAME [OPTION] LATEST.JSON`
mkrelease.sh: add UEFI signing 2018-09-12 16:44:03 +02:00
			`-h, --help Display this help`
mkrelease.sh: add --nosign option 2018-09-13 10:15:54 +02:00			`--nosign Don't sign the EFI executable`
use openssl for verification also rename --dbkey --dbcrt arguments 2018-10-19 14:32:53 +02:00			`--key KEY Use KEY as certification key for EFI signing`
			`--crt CRT Use CRT as certification for EFI signing`
mkrelease.sh: add UEFI signing 2018-09-12 16:44:03 +02:00			`EOF`
			`}`

			`TEMP=$(`
			`getopt -o '' \`
use openssl for verification also rename --dbkey --dbcrt arguments 2018-10-19 14:32:53 +02:00			`--long key: \`
			`--long crt: \`
mkrelease.sh: add --nosign option 2018-09-13 10:15:54 +02:00			`--long nosign \`
mkrelease.sh: add --notar 2018-09-13 10:58:26 +02:00			`--long notar \`
mkrelease.sh: add release.json and efi tarball 2018-10-23 16:12:16 +02:00			`--long help \`
mkrelease.sh: add UEFI signing 2018-09-12 16:44:03 +02:00			`-- "$@"`
			`)`

			`if (( $? != 0 )); then`
			`usage >&2`
			`exit 1`
			`fi`

			`eval set -- "$TEMP"`
			`unset TEMP`

			`while true; do`
			`case "$1" in`
use openssl for verification also rename --dbkey --dbcrt arguments 2018-10-19 14:32:53 +02:00			`'--key')`
			`KEY="$(readlink -e $2)"`
mkrelease.sh: use sbsign as EFI signing tool 2018-09-14 11:37:19 +02:00			`shift 2; continue`
			`;;`
use openssl for verification also rename --dbkey --dbcrt arguments 2018-10-19 14:32:53 +02:00			`'--crt')`
			`CRT="$(readlink -e $2)"`
mkrelease.sh: add UEFI signing 2018-09-12 16:44:03 +02:00			`shift 2; continue`
			`;;`
mkrelease.sh: add --nosign option 2018-09-13 10:15:54 +02:00			`'--nosign')`
mkrelease.sh: use sbsign as EFI signing tool 2018-09-14 11:37:19 +02:00			`NOSIGN="1"`
mkrelease.sh: add --nosign option 2018-09-13 10:15:54 +02:00			`shift 1; continue`
			`;;`
mkrelease.sh: add --notar 2018-09-13 10:58:26 +02:00			`'--notar')`
mkrelease.sh: use sbsign as EFI signing tool 2018-09-14 11:37:19 +02:00			`NOTAR="1"`
mkrelease.sh: add --notar 2018-09-13 10:58:26 +02:00			`shift 1; continue`
			`;;`
mkrelease.sh: add UEFI signing 2018-09-12 16:44:03 +02:00			`'--help')`
mkrelease.sh: use sbsign as EFI signing tool 2018-09-14 11:37:19 +02:00			`usage`
			`exit 0`
mkrelease.sh: add UEFI signing 2018-09-12 16:44:03 +02:00			`;;`
			`'--')`
			`shift`
			`break`
			`;;`
			`*)`
			`echo 'Internal error!' >&2`
			`exit 1`
			`;;`
			`esac`
			`done`
mkrelease.sh: add release.json and efi tarball 2018-10-23 16:12:16 +02:00			`PROGNAME=${0##*/}`
			`BASEDIR=$(realpath ${0%/*})`
mkrelease.sh: add UEFI signing 2018-09-12 16:44:03 +02:00
add mkrelease.sh 2018-09-10 15:51:20 +02:00			`JSON="$(realpath -e $1)"`
mkrelease.sh: add release.json and efi tarball 2018-10-23 16:12:16 +02:00			`JSONDIR="${JSON%/*}"`
use openssl for verification also rename --dbkey --dbcrt arguments 2018-10-19 14:32:53 +02:00			`NAME="$(jq -r '.name' ${JSON})"`
			`VERSION="$(jq -r '.version' ${JSON})"`
mkrelease.sh: add release.json and efi tarball 2018-10-23 16:12:16 +02:00			`ROOTHASH="$(jq -r '.roothash' ${JSON})"`
			`IMAGE="${JSONDIR}/${NAME}-${VERSION}"`
			`HASH_IMAGE="${JSONDIR}/${NAME}-${ROOTHASH}"`
use openssl for verification also rename --dbkey --dbcrt arguments 2018-10-19 14:32:53 +02:00			`CRT=${CRT:-${BASEDIR}/${NAME}.crt}`
			`KEY=${KEY:-${BASEDIR}/${NAME}.key}`
add mkrelease.sh 2018-09-10 15:51:20 +02:00
move everything configurable to /cfg and try selinux 2018-09-17 17:32:13 +02:00			`pushd "$IMAGE"`
			`if ! [[ $NOSIGN ]]; then`
use openssl for verification also rename --dbkey --dbcrt arguments 2018-10-19 14:32:53 +02:00			`if ! [[ $KEY ]] \|\| ! [[ $CRT ]]; then`
			`echo "Cannot find $KEY and $CRT"`
			`echo "Need --key KEY --crt CRT options"`
move everything configurable to /cfg and try selinux 2018-09-17 17:32:13 +02:00			`exit 1`
mkrelease.sh: add --nosign option 2018-09-13 10:15:54 +02:00			`fi`
move everything configurable to /cfg and try selinux 2018-09-17 17:32:13 +02:00			`for i in $(find . -type f -name '*.efi'); do`
			`[[ -f "$i" ]] \|\| continue`
use openssl for verification also rename --dbkey --dbcrt arguments 2018-10-19 14:32:53 +02:00			`if ! sbverify --cert "$CRT" "$i" &>/dev/null ; then`
			`sbsign --key "$KEY" --cert "$CRT" --output "${i}signed" "$i"`
move everything configurable to /cfg and try selinux 2018-09-17 17:32:13 +02:00			`mv "${i}signed" "$i"`
			`fi`
			`done`
			`fi`
mkrelease.sh: add release.json and efi tarball 2018-10-23 16:12:16 +02:00
move everything configurable to /cfg and try selinux 2018-09-17 17:32:13 +02:00			`[[ -f sha512sum.txt ]] \|\| sha512sum $(find . -type f) > sha512sum.txt`
use openssl for verification also rename --dbkey --dbcrt arguments 2018-10-19 14:32:53 +02:00			`[[ -f sha512sum.txt.sig ]] \|\| openssl dgst -sha256 -sign "$KEY" -out sha512sum.txt.sig sha512sum.txt`
move everything configurable to /cfg and try selinux 2018-09-17 17:32:13 +02:00
mkrelease.sh: add release.json and efi tarball 2018-10-23 16:12:16 +02:00			`if ! [[ $NOTAR ]]; then`
			`[[ -e "$IMAGE".tgz ]] \|\| tar cf - -C "${IMAGE%/}" "${IMAGE##/}" \| pigz -c > "${IMAGE}.tgz"`
			`if ! [[ -e "$HASH_IMAGE-efi".tgz ]]; then`
			`tar cf - efi \| pigz -c > "$HASH_IMAGE-efi.tgz"`
			`fi`
			`[[ $NOSIGN ]] \|\| openssl dgst -sha256 -sign "$KEY" \`
			`-out "${HASH_IMAGE}-efi.tgz.sig" "${HASH_IMAGE}-efi.tgz"`
			`[[ $NOSIGN ]] \|\| openssl dgst -sha256 -sign "$KEY" \`
			`-out "${JSONDIR}/${NAME}-${ROOTHASH}.img.sig" "$IMAGE/root.img"`
add mkrelease.sh 2018-09-10 15:51:20 +02:00			`fi`
mkrelease.sh: add release.json and efi tarball 2018-10-23 16:12:16 +02:00
			`popd`