sign created images after build

asu/build.py

@@ -236,6 +236,77 @@ def build(req: dict, job=None):
     if req["profile"] not in json_content["profiles"]:
         report_error(job, "Profile not found in JSON file")
 
+    # get list of installable images to sign (i.e. don't sign kernel)
+    images = list(
+        map(
+            lambda i: i["name"],
+            filter(
+                lambda i: i["type"]
+                in ["sysupgrade", "factory", "combined", "combined-efi"],
+                json_content["profiles"][req["profile"]]["images"],
+            ),
+        )
+    )
+
+    log.info(f"Signing images: {images}")
+
+    # job.meta["imagebuilder_status"] = "signing_images"
+    job.save_meta()
+
+    build_key = getenv("BUILD_KEY") or str(Path.cwd() / "key-build")
+
+    if Path(build_key).is_file():
+        log.info(f"Signing images with key {build_key}")
+        returncode, job.meta["stdout"], job.meta["stderr"] = run_container(
+            podman,
+            image,
+            [
+                "bash",
+                "-c",
+                (
+                    "env;"
+                    "for IMAGE in $IMAGES_TO_SIGN; do "
+                    "touch ${IMAGE}.test;"
+                    'fwtool -t -s /dev/null "$IMAGE" && echo "sign entfern";'
+                    'cp "/builder/key-build.ucert" "$IMAGE.ucert" && echo "moved";'
+                    'usign -S -m "$IMAGE" -s "/builder/key-build" -x "$IMAGE.sig"  && echo "usign";'
+                    'ucert -A -c "$IMAGE.ucert" -x "$IMAGE.sig" && echo "ucert";'
+                    'fwtool -S "$IMAGE.ucert" "$IMAGE" && echo "fwtool";'
+                    "done"
+                ),
+            ],
+            mounts=[
+                {
+                    "type": "bind",
+                    "source": build_key,
+                    "target": "/builder/key-build",
+                    "read_only": True,
+                },
+                {
+                    "type": "bind",
+                    "source": build_key + ".ucert",
+                    "target": "/builder/key-build.ucert",
+                    "read_only": True,
+                },
+                {
+                    "type": "bind",
+                    "source": str(store_path / bin_dir),
+                    "target": str(store_path / bin_dir),
+                    "read_only": False,
+                },
+            ],
+            user="root",  # running as root to have write access to the mounted volume
+            working_dir=str(store_path / bin_dir),
+            environment={
+                "IMAGES_TO_SIGN": " ".join(images),
+                "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/builder/staging_dir/host/bin",
+            },
+        )
+        job.save_meta()
+
+    else:
+        log.warning("No build key found, skipping signing")
+
     json_content.update({"manifest": manifest})
     json_content.update(json_content["profiles"][req["profile"]])
     json_content["id"] = req["profile"]

asu/common.py

@@ -232,7 +232,16 @@ def diff_packages(requested_packages: set, default_packages: set):
     )
 
 
-def run_container(podman: PodmanClient, image, command, mounts=[], copy=[]):
+def run_container(
+    podman: PodmanClient,
+    image,
+    command,
+    mounts=[],
+    copy=[],
+    user=None,
+    environment={},
+    working_dir=None,
+):
     """Run a container and return the returncode, stdout and stderr
 
     Args:
@@ -250,10 +259,12 @@ def run_container(podman: PodmanClient, image, command, mounts=[], copy=[]):
         command=command,
         detach=True,
         mounts=mounts,
-        userns_mode="keep-id",
         cap_drop=["all"],
         no_new_privileges=True,
         privileged=False,
+        user=user,
+        working_dir=working_dir,
+        environment=environment,
     )
 
     returncode = container.wait()
@@ -294,6 +305,7 @@ def run_container(podman: PodmanClient, image, command, mounts=[], copy=[]):
         logging.debug(f"Closed {host_tar}")
 
     container.remove(v=True)
+    podman.volumes.prune()  # TODO: remove once v=True works
 
     return returncode, stdout, stderr