
Commit 9c5c28d

committed
cmd-buildextend-metal: move ignition secex key into secex if conditional
This separates them. It adds a call to `cosa meta` but now the code stands on its own and the ordering doesn't matter.
1 parent d8d4134 commit 9c5c28d


1 file changed

+15
-19
lines changed


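--- a/src/cmd-buildextend-metal
+++ b/src/cmd-buildextend-metal
@@ -125,7 +125,6 @@ main() {
 
 # Parse options
 genprotimgvm=/data.secex/genprotimgvm.qcow2
-ignition_pubkey=
 rc=0
 build=
 force=
@@ -282,22 +281,8 @@ main() {
 --genprotimgvm "${genprotimgvm}" -- "${qemu_args[@]}"
 rm -f "${genprotimg_img}"
 exec 9>&-
-fi
-
-sha256=$(sha256sum_str < "${imgpath}")
-cosa meta --workdir "${workdir}" --build "${build}" --dump | python3 -c "
-import sys, json
-j = json.load(sys.stdin)
-j['images']['${platform}'] = {
-'path': '${imgname}',
-'sha256': '${sha256}',
-'size': $(stat -c '%s' "${imgpath}")
-}
-json.dump(j, sys.stdout, indent=4)
-" | jq -s add > "meta.json.new"
 
-# one more artifact for Secure Execution
-if [[ -n "${ignition_pubkey}" ]]; then
+# Now store the ${ignition_pubkey} in the builddir and meta.json
 gpg_key=${name}-${build}-ignition-secex-key.gpg.pub
 python3 -c "
 import sys, json
@@ -309,12 +294,23 @@ j['images']['ignition-gpg-key'] = {
 'skip-compression': True
 }
 json.dump(j, sys.stdout, indent=4)
-" < "meta.json.new" | jq -s add > "key.json"
-mv key.json meta.json.new
+" > meta.json.new
+cosa meta --workdir "${workdir}" --build "${build}" --artifact-json "$(readlink -f meta.json.new)"
 /usr/lib/coreos-assembler/finalize-artifact "${ignition_pubkey}" "${builddir}/${gpg_key}"
 fi
 
-# and now the crucial bits
+sha256=$(sha256sum_str < "${imgpath}")
+cosa meta --workdir "${workdir}" --build "${build}" --dump | python3 -c "
+import sys, json
+j = json.load(sys.stdin)
+j['images']['${platform}'] = {
+'path': '${imgname}',
+'sha256': '${sha256}',
+'size': $(stat -c '%s' "${imgpath}")
+}
+json.dump(j, sys.stdout, indent=4)
+" > meta.json.new
+# Now store the built artifact in the builddir and meta.json
 cosa meta --workdir "${workdir}" --build "${build}" --artifact-json "$(readlink -f meta.json.new)"
 /usr/lib/coreos-assembler/finalize-artifact "${imgpath}" "${builddir}/${imgname}"
 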
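Review bot: The ignition-key `python3 -c` block now closes with `" > meta.json.new` and has no input redirect, while the line it replaces fed it `< "meta.json.new"`. The lines between the second and third hunk are not shown, but if they still call `json.load(sys.stdin)` the interpreter will read whatever stdin the script inherited, so either feed it the current metadata as the image block does, `cosa meta --workdir "${workdir}" --build "${build}" --dump | python3 -c "`, or start from `j = {'images': {}}`. Separately, the re-added image block still expands `${platform}`, `${imgname}` and `${sha256}` straight into the Python source, so a quote character in any of them changes the program; handing them over in the environment and reading `os.environ` would keep data out of the code text. `main()` and the Secure Execution `if` both open outside these hunks.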
