[Replicant] 'sign-build': Make certificate creation more robust

2019-01-29 Thread doak 
Dear Denis,
dear Replicant developers,

I adapted the patches like requested. Additionally I fixed a minor typo in a 
comment.
Sorry for the long delay.

The original description follows:

In reference to issue [#1870] I made the creation of certificates 
('./vendor/replicant/sign-build') more robust.
Please find the patches attached. Let me know if they need some rework to be 
accepted. Feel free to accept only some of them as well.

sign-build | 68 

1 file changed, 48 insertions(+), 20 deletions(-)


Best regards,
doak






___
Replicant mailing list
Replicant@osuosl.org
https://lists.osuosl.org/mailman/listinfo/replicant

Re: [Replicant] 'sign-build': Make certificate creation more robust

2018-01-31 Thread doak 
Dear Denis,

thank you very much for the feedback.
It seems I managed to send the patches like requested.

Sadly the stuff is not signed by GPG anymore... :(

Feel free to ask in case something  ist not clear enough..


Regards,
doak




On 30 January 2018 17:23:47 CET, Denis 'GNUtoo' Carikli  
wrote:
>On Mon, 29 Jan 2018 00:46:25 +0100
>doak  wrote:
>
>> Dear Replicant developers,
>Hi,
>
>> in reference to issue [#1870] I made the creation of certificates
>> ('./vendor/replicant/sign-build') more robust. Please find the
>> patches attached. Let me know if they need some rework to be
>> accepted. Feel free to accept only some of them as well.
>I've looked rapidly at the first patch, and they seem great.
>
>However it would be easier to review and comment on the patch if they
>were sent like that:
>- One mail for the message you wrote
>- One mail per patch in response to this message, with the mail inside
>  the message body.
>
>The git-send-email program (which is part of git) is able to do that.
>for instance for Replicant it would look like that:
>git-send-email --compose \
>--to="replicant@osuosl.org" \
>--to="Denis 'GNUtoo' Carikli " \
>0001-Add-output-messages.patch \
>0002-Formatting-Split-all-arguments-into-seperate-lines.patch \
>0003-Make-creation-of-certificates-more-robust.patch \
>0004-Do-not-leave-certificates-creation-in-undefined-stat.patch
>
>As for the account settings, see the EXAMPLE section of git-send-email.
>
>I'm very interested in having a robust build system as it makes the job
>of new developers easier. On a build computer, I even had an issue that
>the patches are supposed to fix (incomplete certificate generation ->
>impossible to sign images).
>
>Denis.


signature.asc
Description: PGP signature
___
Replicant mailing list
Replicant@osuosl.org
https://lists.osuosl.org/mailman/listinfo/replicant

Re: [Replicant] 'sign-build': Make certificate creation more robust

2018-01-30 Thread Denis 'GNUtoo' Carikli 
On Mon, 29 Jan 2018 00:46:25 +0100
doak  wrote:

> Dear Replicant developers,
Hi,

> in reference to issue [#1870] I made the creation of certificates
> ('./vendor/replicant/sign-build') more robust. Please find the
> patches attached. Let me know if they need some rework to be
> accepted. Feel free to accept only some of them as well.
I've looked rapidly at the first patch, and they seem great.

However it would be easier to review and comment on the patch if they
were sent like that:
- One mail for the message you wrote
- One mail per patch in response to this message, with the mail inside
  the message body.

The git-send-email program (which is part of git) is able to do that.
for instance for Replicant it would look like that:
git-send-email --compose \
--to="replicant@osuosl.org" \
--to="Denis 'GNUtoo' Carikli " \
0001-Add-output-messages.patch \
0002-Formatting-Split-all-arguments-into-seperate-lines.patch \
0003-Make-creation-of-certificates-more-robust.patch \
0004-Do-not-leave-certificates-creation-in-undefined-stat.patch

As for the account settings, see the EXAMPLE section of git-send-email.

I'm very interested in having a robust build system as it makes the job
of new developers easier. On a build computer, I even had an issue that
the patches are supposed to fix (incomplete certificate generation ->
impossible to sign images).

Denis.


pgp_Nl7UejPOO.pgp
Description: OpenPGP digital signature
___
Replicant mailing list
Replicant@osuosl.org
https://lists.osuosl.org/mailman/listinfo/replicant

[Replicant] 'sign-build': Make certificate creation more robust

2018-01-28 Thread doak 

Dear Replicant developers,

in reference to issue [#1870] I made the creation of certificates 
('./vendor/replicant/sign-build') more robust.
Please find the patches attached. Let me know if they need some rework to be 
accepted. Feel free to accept only some of them as well.

[#1870] https://redmine.replicant.us/issues/1870


Best regards,
doak



From 023723c0c68444c6008bfb0f66350fc003118fd4 Mon Sep 17 00:00:00 2001
From: doak 
Date: Mon, 29 Jan 2018 00:02:11 +0100
Subject: [PATCH 4/4] Do not leave certificates creation in undefined state

Create either all or none keys and certificates.
---
 sign-build | 13 ++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/sign-build b/sign-build
index a066409b..cbf3c077 100755
--- a/sign-build
+++ b/sign-build
@@ -83,10 +83,17 @@ generate_keys () {
 read_var "Email Address" KEY_EA
 SUBJECT="/C=$KEY_C/ST=$KEY_ST/L=$KEY_L/O=$KEY_O/OU=$KEY_OU/CN=$KEY_CN/emailAddress=$KEY_EA"
 
-mkdir $KEY_DIR
-for x in releasekey platform shared media; do \
-./development/tools/make_key $KEY_DIR/$x "$SUBJECT" || true; \
+# Ensure that all keys and certificates are deleted in case of an error during creation,
+# i.e. either all certificates are in place or none.
+trap 'rm -rf "$KEY_DIR"' EXIT INT
+mkdir "$KEY_DIR"
+for x in releasekey platform shared media; do
+./development/tools/make_key "$KEY_DIR/$x" "$SUBJECT" || true
+# The return value of 'make_key' cannot be trusted.  Check on out own
+# if key and certificate has been created successfully.
+test -r "$KEY_DIR/$x.x509.pem"
 done
+trap - EXIT INT
 }
 
 if [ "$DEVICE" = "" ]
-- 
2.15.1




From b79503d1714df15a4eddfc34f34aa7249550c179 Mon Sep 17 00:00:00 2001
From: doak 
Date: Sun, 28 Jan 2018 23:56:24 +0100
Subject: [PATCH 3/4] Make creation of certificates more robust

This fixes several issues:
  * Mostly all fields have to be set (at least it seems like this) to create certificates using 'make_key' successfully.
  * Handle default values.
  * Avoid unwanted whitespaces in 'SUBJECT' due of linebreak.
---
 sign-build | 42 --
 1 file changed, 28 insertions(+), 14 deletions(-)

diff --git a/sign-build b/sign-build
index a88d0299..a066409b 100755
--- a/sign-build
+++ b/sign-build
@@ -44,11 +44,27 @@ TARGET_FILES=$TARGET_DIR/obj/PACKAGING/target_files_intermediates/*-target_files
 DIST_OUT_DIR=$OUT_DIR/"dist"/$DEVICE
 RELEASE=replicant-6.0
 
+read_var() {
+local prompt="$1"
+local var="$2"
+# Store current value of variable as default.
+eval "local default=\"\$$var\""
+
+read -p "$prompt: [$default] " "$var"
+# Set default value if empty.
+eval "test -n \"\$$var\"" ||
+eval "$var='$default'"
+}
+
 generate_keys () {
-# keys default values
-KEY_C=AU
-KEY_ST=Some-State
-KEY_O="Internet Widgits Pty Ltd"
+local KEY_C="NA"
+local KEY_ST="unknown"
+local KEY_L="unknown"
+local KEY_O="unknown"
+local KEY_OU="unknown"
+local KEY_CN="unknown"
+local KEY_EA="unknown"
+local SUBJECT
 
 echo "No keys present. Generating them now."
 echo
@@ -58,16 +74,14 @@ generate_keys () {
 echo "There are quite a few fields but you can leave some blank."
 echo "For some fields there will be a default value."
 
-read -p "Country Name (2 letter code) [AU]:" KEY_CN
-read -p "State or Province Name (full name) [Some-State]:" KEY_ST
-read -p "Locality Name (eg, city) []:" KEY_L
-read -p "Organization Name (eg, company) [Internet Widgits Pty Ltd]:" KEY_O
-read -p "Organizational Unit Name (eg, section) []:" KEY_OU
-read -p "Common Name (e.g. your name) []:" KEY_CN
-read -p "Email Address []:" KEY_EA
-
-SUBJECT="/C=$KEY_C/ST=$KEY_ST/L=$KEY_L/O=$KEY_O/OU=$KEY_OU/CN=$KEY_CN \
-   /emailAddress=$KEY_EA"
+read_var "Country Name (2 letter code)" KEY_C
+read_var "State or Province Name (full name)" KEY_ST
+read_var "Locality Name (e.g. city)" KEY_L
+read_var "Organization Name (e.g. company)" KEY_O
+read_var "Organizational Unit Name (e.g. section)" KEY_OU
+read_var "Common Name (e.g. your name)" KEY_CN
+read_var "Email Address" KEY_EA
+SUBJECT="/C=$KEY_C/ST=$KEY_ST/L=$KEY_L/O=$KEY_O/OU=$KEY_OU/CN=$KEY_CN/emailAddress=$KEY_EA"
 
 mkdir $KEY_DIR
 for x in releasekey platform shared media; do \
-- 
2.15.1




From 3af6aaa15d32bc1ed6354da485fbafaf600d4924 Mon Sep 17 00:00:00 2001
From: doak 
Date: Sun, 28 Jan 2018 23:51:28 +0100
Subject: [PATCH 2/4] Formatting: Split all arguments into seperate lines

---
 sign-build | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sign-build b/sign-build
index da80d125..a88d0299 100755
--- a/sign-build
+++ b/sign-build
@@ -109,7 +109,8 @@ then
 	   -s device/samsung/galaxys2-common/releasetools/extensions/releasetools.py \
 	   -o \
 	   -p