diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3170254..504d3bf 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -325,6 +325,32 @@ jobs:
 priority: 1
 broken: ${{ needs.build-meta.outputs.broken }}
+ - name: Sign manifest (Stable)
+ uses: freifunk-gluon/action-sign@v1
+ if: >
+ needs.build-meta.outputs.manifest-stable != '0' &&
+ needs.build-meta.outputs.sign-manifest != '0'
+ with:
+ container-version: ${{ needs.build-meta.outputs.container-version }}
+ gluon-path: "gluon-gha-data/gluon"
+ manifest: >-
+ gluon-gha-data/gluon/output/images/sysupgrade/stable.manifest
+ signing-key: ${{ secrets.GHA_FFDA_BUILD_ECDSA_KEY_STABLE }}
+ write-signature: "true"
+
+ - name: Sign manifest (Beta)
+ uses: freifunk-gluon/action-sign@v1
+ if: >
+ needs.build-meta.outputs.manifest-beta != '0' &&
+ needs.build-meta.outputs.sign-manifest != '0'
+ with:
+ container-version: ${{ needs.build-meta.outputs.container-version }}
+ gluon-path: "gluon-gha-data/gluon"
+ manifest: >-
+ gluon-gha-data/gluon/output/images/sysupgrade/beta.manifest
+ signing-key: ${{ secrets.GHA_FFDA_BUILD_ECDSA_KEY_BETA }}
+ write-signature: "true"
+
 - name: Sign manifest (Testing)
 uses: freifunk-gluon/action-sign@v1
 if: >
diff --git a/contrib/sign-release.sh b/contrib/sign-release.sh
index f350707..83f5331 100755
--- a/contrib/sign-release.sh
+++ b/contrib/sign-release.sh
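Review bot: Both new `Sign manifest` steps pass a private signing key (`secrets.GHA_FFDA_BUILD_ECDSA_KEY_STABLE`, `secrets.GHA_FFDA_BUILD_ECDSA_KEY_BETA`) to `freifunk-gluon/action-sign@v1`, a third-party action pinned only by a mutable major-version tag, so the code that receives the key can change without any change to this workflow; pin it to a full commit SHA, e.g. `uses: freifunk-gluon/action-sign@<commit-sha>  # v1`. The pre-existing Testing step, whose body continues past the end of this hunk, has the same pinning and should move with it. The three steps differ only in the branch name, the manifest path and the secret, and each repeats the same folded `if:`; a short comment above the Stable step, `# all three signing steps are gated by the sign-manifest output`, would make that intent visible, or a per-branch matrix could collapse the duplication.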
@@ -8,12 +8,84 @@ function usage() {
 exit 1
 }
-SCRIPT_DIR="$(dirname "$0")"
+function split_manifest() {
+ local manifest upper lower
+
+ manifest="$1"
+ upper="$2"
+ lower="$3"
+
+ awk 'BEGIN {
+ sep = 0
+ }
+
+ /^---$/ {
+ sep = 1;
+ next
+ }
+
+ {
+ if(sep == 0) {
+ print > "'"$upper"'"
+ } else {
+ print > "'"$lower"'"
+ }
+ }' "$manifest"
+}
+
+function create_signature() {
+ local secret manifest upper lower
+
+ manifest="$1"
+ secret="$2"
+
+ upper="$(mktemp)"
+ lower="$(mktemp)"
+
+ # Split manifest into upper and lower part
+ split_manifest "$manifest" "$upper" "$lower"
+
+ # Sign upper part of manifest
+ ecdsasign "$upper" < "$secret"
+
+ # Remove temporary files
+ rm -f "$upper" "$lower"
+}
+
+function get_valid_signature() {
+ local public_key manifest upper lower
+
+ manifest="$1"
+ public_key="$2"
+
+ upper="$(mktemp)"
+ lower="$(mktemp)"
+
+ # Split manifest into upper and lower part
+ split_manifest "$manifest" "$upper" "$lower"
+
+ # Validate upper part of manifest
+ while read -r line
+ do
+ if ecdsaverify -s "$line" -p "$public_key" "$upper"; then
+ echo "$line"
+ break
+ fi
+ done < "$lower"
+
+ # Remove temporary files
+ rm -f "$upper" "$lower"
+}
+
+function cleanup() {
+ rm -rf "$TEMP_DIR"
+}
 # This Script is used to sign a Firmware Release using
 # a private ECDSA key.
 DEFAULT_GITHUB_REPOSITORY_URL="freifunk-darmstadt/site-ffda"
+CI_PUBLIC_KEY="cea1e84bf157d7362287fcd21d13de14634341e3d1ea7038000062743554dc88"
 GITHUB_REPOSITORY_URL="${GITHUB_REPOSITORY_URL:-$DEFAULT_GITHUB_REPOSITORY_URL}"
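Review bot: `create_signature` and `get_valid_signature` each create two `mktemp` files but remove them only on the straight-line path; the deleted `contrib/sign.sh` had `trap 'rm -f "$upper"' EXIT` and this rewrite drops it, so under `set -e` (not visible in this hunk) a failing `ecdsasign`/`ecdsaverify` skips the `rm -f`, and an interrupt does so regardless, leaving a copy of the manifest in the system temp dir. Creating them under the working directory, `upper="$(mktemp "${TEMP_DIR}/upper.XXXXXX")"` and `lower="$(mktemp "${TEMP_DIR}/lower.XXXXXX")"`, lets the existing `cleanup` remove them on every exit path. In `split_manifest` the output paths are spliced into the awk program text via `'"$upper"'`, which is fine for `mktemp` names but fragile for anything else; `awk -v upper="$upper" -v lower="$lower" '...'` with `print > upper` and `print > lower` needs no quoting trick. `CI_PUBLIC_KEY` deserves a comment saying which key pair it is the public half of, e.g. `# Public half of the ECDSA key the CI workflow signs manifests with`, because `build.yml` signs with three separate secrets (`…_STABLE`, `…_BETA`, `…_TESTING`); if those hold different keys, a single `CI_PUBLIC_KEY` would make `get_valid_signature` reject two of the three manifests.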
@@ -37,17 +109,25 @@ tar xf "${TEMP_DIR}/manifest.tar.xz" -C "${TEMP_DIR}"
 # Sign manifest
 for manifest_path in "${TEMP_DIR}/"*.manifest; do
- echo ""
+ valid_ci_signature="$(get_valid_signature "$manifest_path" "$CI_PUBLIC_KEY")"
+
+ # Check if manifest is signed with CI key first
+ if [ -n "$valid_ci_signature" ]; then
+ echo "Manifest $manifest_path is signed with CI key"
+ echo "Signature: $valid_ci_signature"
+ else
+ echo "Manifest $manifest_path is not signed with CI key"
+ cleanup
+ exit 1
+ fi
 # Get filename without extension
 manifest_branch_name="$(basename "$manifest_path" .manifest)"
 # Get Signature
- signature="$("$SCRIPT_DIR/sign.sh" "$PRIVATE_KEY_PATH" "$manifest_path")"
-
- echo "Signature for $manifest_branch_name"
- echo "$signature"
+ echo "-- Signature for $manifest_branch_name --"
+ create_signature "$manifest_path" "$PRIVATE_KEY_PATH"
 done
 # Remove Temporary working directory
-rm -rf "$TEMP_DIR"
+cleanup
diff --git a/contrib/sign.sh b/contrib/sign.sh
deleted file mode 100755
index 64d2b4b..0000000
--- a/contrib/sign.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/sh
-
-set -e
-
-SECRET="$1"
-manifest="$2"
-
-upper="$(mktemp)"
-
-trap 'rm -f "$upper"' EXIT
-
-awk 'BEGIN {
- sep = 0
-}
-
-/^---$/ {
- sep = 1;
- next
-}
-
-{
- if(sep == 0) {
- print > "'"$upper"'"
- }
-}' "$manifest"
-
-ecdsasign "$upper" < "$SECRET"
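Review bot: `create_signature "$manifest_path" "$PRIVATE_KEY_PATH"` is the step the script exists for, yet its exit status is ignored: a failing `ecdsasign` prints nothing under the `-- Signature for … --` header and the loop moves on to the next manifest with an overall status of 0, whereas the old code at least captured the output into `signature`. Suggest `create_signature "$manifest_path" "$PRIVATE_KEY_PATH" || { echo "Signing $manifest_branch_name failed" >&2; cleanup; exit 1; }`. The diagnostic `Manifest $manifest_path is not signed with CI key` goes to stdout alongside the signatures; `>&2` would keep error text out of what an operator copies from this script. The `for` loop is contained in this hunk, while `cleanup`, `get_valid_signature` and `create_signature` are defined in the previous hunk.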