Dear Replicant developers,

in reference to issue [#1870] I made the creation of certificates ('./vendor/replicant/sign-build') more robust. Please find the patches attached. Let me know if they need some rework to be accepted. Feel free to accept only some of them as well.

[#1870] https://redmine.replicant.us/issues/1870

Best regards,
doak
From 023723c0c68444c6008bfb0f66350fc003118fd4 Mon Sep 17 00:00:00 2001 From: doak <d...@posteo.net> Date: Mon, 29 Jan 2018 00:02:11 +0100 Subject: [PATCH 4/4] Do not leave certificates creation in undefined state Create either all or none keys and certificates. --- sign-build | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/sign-build b/sign-build index a066409b..cbf3c077 100755 --- a/sign-build +++ b/sign-build @@ -83,10 +83,17 @@ generate_keys () { read_var "Email Address" KEY_EA SUBJECT="/C=$KEY_C/ST=$KEY_ST/L=$KEY_L/O=$KEY_O/OU=$KEY_OU/CN=$KEY_CN/emailAddress=$KEY_EA" - mkdir $KEY_DIR - for x in releasekey platform shared media; do \ - ./development/tools/make_key $KEY_DIR/$x "$SUBJECT" || true; \ + # Ensure that all keys and certificates are deleted in case of an error during creation, + # i.e. either all certificates are in place or none. + trap 'rm -rf "$KEY_DIR"' EXIT INT + mkdir "$KEY_DIR" + for x in releasekey platform shared media; do + ./development/tools/make_key "$KEY_DIR/$x" "$SUBJECT" || true + # The return value of 'make_key' cannot be trusted. Check on out own + # if key and certificate has been created successfully. + test -r "$KEY_DIR/$x.x509.pem" done + trap - EXIT INT } if [ "$DEVICE" = "" ] -- 2.15.1
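Review bot: In the loop in generate_keys, `test -r "$KEY_DIR/$x.x509.pem"` only aborts anything if the script runs under `set -e`, which these lines do not show; without it a failed check is ignored, the loop carries on, and `trap - EXIT INT` then clears the cleanup, leaving exactly the partial key set this patch is meant to prevent. Make the failure explicit, for example `test -r "$KEY_DIR/$x.x509.pem" || exit 1`, so the EXIT trap fires. The comment above the check says key and certificate are verified, but only the certificate file is tested, so the private key file should get its own `test -r`. The trap is also installed before `mkdir "$KEY_DIR"`: if mkdir fails because the directory already exists, the cleanup would remove that existing directory, so set the trap only after mkdir has succeeded. Typo in the comment: "out own" should be "our own".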
From b79503d1714df15a4eddfc34f34aa7249550c179 Mon Sep 17 00:00:00 2001 From: doak <d...@posteo.net> Date: Sun, 28 Jan 2018 23:56:24 +0100 Subject: [PATCH 3/4] Make creation of certificates more robust This fixes several issues: * Mostly all fields have to be set (at least it seems like this) to create certificates using 'make_key' successfully. * Handle default values. * Avoid unwanted whitespaces in 'SUBJECT' due of linebreak. --- sign-build | 42 ++++++++++++++++++++++++++++-------------- 1 file changed, 28 insertions(+), 14 deletions(-) diff --git a/sign-build b/sign-build index a88d0299..a066409b 100755 --- a/sign-build +++ b/sign-build @@ -44,11 +44,27 @@ TARGET_FILES=$TARGET_DIR/obj/PACKAGING/target_files_intermediates/*-target_files DIST_OUT_DIR=$OUT_DIR/"dist"/$DEVICE RELEASE=replicant-6.0 +read_var() { + local prompt="$1" + local var="$2" + # Store current value of variable as default. + eval "local default=\"\$$var\"" + + read -p "$prompt: [$default] " "$var" + # Set default value if empty. + eval "test -n \"\$$var\"" || + eval "$var='$default'" +} + generate_keys () { - # keys default values - KEY_C=AU - KEY_ST=Some-State - KEY_O="Internet Widgits Pty Ltd" + local KEY_C="NA" + local KEY_ST="unknown" + local KEY_L="unknown" + local KEY_O="unknown" + local KEY_OU="unknown" + local KEY_CN="unknown" + local KEY_EA="unknown" + local SUBJECT echo "No keys present. Generating them now." echo 
@@ -58,16 +74,14 @@ generate_keys () { echo "There are quite a few fields but you can leave some blank." echo "For some fields there will be a default value." - read -p "Country Name (2 letter code) [AU]:" KEY_CN - read -p "State or Province Name (full name) [Some-State]:" KEY_ST - read -p "Locality Name (eg, city) []:" KEY_L - read -p "Organization Name (eg, company) [Internet Widgits Pty Ltd]:" KEY_O - read -p "Organizational Unit Name (eg, section) []:" KEY_OU - read -p "Common Name (e.g. your name) []:" KEY_CN - read -p "Email Address []:" KEY_EA - - SUBJECT="/C=$KEY_C/ST=$KEY_ST/L=$KEY_L/O=$KEY_O/OU=$KEY_OU/CN=$KEY_CN \ - /emailAddress=$KEY_EA" + read_var "Country Name (2 letter code)" KEY_C + read_var "State or Province Name (full name)" KEY_ST + read_var "Locality Name (e.g. city)" KEY_L + read_var "Organization Name (e.g. company)" KEY_O + read_var "Organizational Unit Name (e.g. section)" KEY_OU + read_var "Common Name (e.g. your name)" KEY_CN + read_var "Email Address" KEY_EA + SUBJECT="/C=$KEY_C/ST=$KEY_ST/L=$KEY_L/O=$KEY_O/OU=$KEY_OU/CN=$KEY_CN/emailAddress=$KEY_EA" mkdir $KEY_DIR for x in releasekey platform shared media; do \ -- 2.15.1
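Review bot: In read_var (first hunk), `eval "$var='$default'"` expands `$default` before eval parses the line, so a default containing a single quote ends the quoting and the remainder is run as shell code; the defaults passed in today are fixed strings, but letting eval do the expansion with `eval "$var=\$default"` removes the hazard for any future caller. `read -p` should also get `-r` so that backslashes in the answers are kept literally. In the second hunk the answers go into SUBJECT unchecked, and since `/` is the field separator there, a value containing `/` changes the field layout of the subject string; reject or escape such input before it reaches make_key.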
From 3af6aaa15d32bc1ed6354da485fbafaf600d4924 Mon Sep 17 00:00:00 2001 From: doak <d...@posteo.net> Date: Sun, 28 Jan 2018 23:51:28 +0100 Subject: [PATCH 2/4] Formatting: Split all arguments into seperate lines --- sign-build | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/sign-build b/sign-build index da80d125..a88d0299 100755 --- a/sign-build +++ b/sign-build @@ -109,7 +109,8 @@ then -s device/samsung/galaxys2-common/releasetools/extensions/releasetools.py \ -o \ -p $OUT_DIR/host/linux-x86 \ - -d $KEY_DIR $TARGET_FILES \ + -d $KEY_DIR \ + $TARGET_FILES \ $DIST_OUT_DIR/signed-target_files-$DEVICE.zip echo "Signing target OTAs files ..." @@ -125,7 +126,8 @@ else python $BASEDIR/build/tools/releasetools/sign_target_files_apks \ -o \ -p $OUT_DIR/host/linux-x86 \ - -d $KEY_DIR $TARGET_FILES \ + -d $KEY_DIR \ + $TARGET_FILES \ $DIST_OUT_DIR/signed-target_files-$DEVICE.zip echo "Signing target OTAs files ..." -- 2.15.1
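Review bot: Both hunks leave `-d $KEY_DIR` unquoted while patch 4/4 of this series quotes `"$KEY_DIR"` in generate_keys; since the line is being rewritten anyway, quote it here as well. `$TARGET_FILES` has to stay unquoted as long as it holds a glob pattern (its assignment is visible in the hunk header of patch 3/4), but a pattern that matches more than one file then pushes the output zip out of its positional slot, so a check that it expands to exactly one file before the call would be worth adding. The subject line has a typo: "seperate" should be "separate".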
From 93f1103c04b7e6585d0b4116cb13e59da1e277e8 Mon Sep 17 00:00:00 2001 From: doak <d...@posteo.net> Date: Sun, 28 Jan 2018 23:50:31 +0100 Subject: [PATCH 1/4] Add output messages --- sign-build | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sign-build b/sign-build index fed4a543..da80d125 100755 --- a/sign-build +++ b/sign-build @@ -104,6 +104,7 @@ mkdir -p $DIST_OUT_DIR # -p makes sure the script finds signapk.jar if [ "$DEVICE" = "i9100" ] || [ "$DEVICE" = "n7000" ] then + echo "Signing target APKs files ..." python $BASEDIR/device/samsung/galaxys2-common/releasetools/galaxys2_sign_target_files_apks \ -s device/samsung/galaxys2-common/releasetools/extensions/releasetools.py \ -o \ @@ -111,6 +112,7 @@ then -d $KEY_DIR $TARGET_FILES \ $DIST_OUT_DIR/signed-target_files-$DEVICE.zip + echo "Signing target OTAs files ..." python $BASEDIR/build/tools/releasetools/ota_from_target_files \ -s device/samsung/galaxys2-common/releasetools/extensions/releasetools.py \ -k $KEY_DIR/releasekey \ @@ -119,12 +121,14 @@ then $DIST_OUT_DIR/$RELEASE-$DEVICE.zip else + echo "Signing target APKs files ..." python $BASEDIR/build/tools/releasetools/sign_target_files_apks \ -o \ -p $OUT_DIR/host/linux-x86 \ -d $KEY_DIR $TARGET_FILES \ $DIST_OUT_DIR/signed-target_files-$DEVICE.zip + echo "Signing target OTAs files ..." python $BASEDIR/build/tools/releasetools/ota_from_target_files \ -k $KEY_DIR/releasekey \ -p $OUT_DIR/host/linux-x86 \ @@ -132,6 +136,7 @@ else $DIST_OUT_DIR/$RELEASE-$DEVICE.zip fi +echo "Signing target image files ..." python $BASEDIR/build/tools/releasetools/img_from_target_files \ -z \ $DIST_OUT_DIR/signed-target_files-$DEVICE.zip \ -- 2.15.1
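Review bot: The last added message, `echo "Signing target image files ..."`, sits in front of `img_from_target_files`, which is given the already signed `signed-target_files-$DEVICE.zip` as input, so that step builds images from signed files rather than signing anything; a message such as "Creating images from signed target files ..." would match what runs. The same applies to the "Signing target OTAs files ..." lines in front of `ota_from_target_files`. "APKs files" and "OTAs files" also read better as "APK files" and "OTA files".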
_______________________________________________ Replicant mailing list Replicant@osuosl.org https://lists.osuosl.org/mailman/listinfo/replicant