aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--classes/swupd-image.bbclass75
-rw-r--r--recipes-core/swupd-client/swupd-client_git.bb27
2 files changed, 82 insertions, 20 deletions
diff --git a/classes/swupd-image.bbclass b/classes/swupd-image.bbclass
index bc23cce..94daafb 100644
--- a/classes/swupd-image.bbclass
+++ b/classes/swupd-image.bbclass
@@ -32,6 +32,28 @@ SWUPD_IMAGE_PN = "${@ d.getVar('PN_BASE', True) or d.getVar('PN', True)}"
# to be published will be in the "www" sub-directory.
DEPLOY_DIR_SWUPD = "${DEPLOY_DIR}/swupd/${MACHINE}/${SWUPD_IMAGE_PN}"
+# The current format has to match the the source code of the
+# swupd-client that is in the image. This recipe picks a suitable
+# swupd-client via the client's RPROVIDES.
+SWUPD_FORMAT ??= "3"
+IMAGE_INSTALL_append = " swupd-client-format${SWUPD_FORMAT}"
+
+# The information about where to find version information and actual
+# content is needed in several places:
+# - the swupd client in the image gets configured such that it uses that as default
+# - swupd server needs information about the previous build
+#
+# The version URL determines what the client picks as the version that it updates to.
+# The content URL must have all builds ever produced and is expected to also
+# have the corresponding version information.
+SWUPD_VERSION_URL ??= "http://download.example.com/updates/my-distro/milestone/${MACHINE}/${SWUPD_IMAGE_PN}"
+SWUPD_CONTENT_URL ??= "http://download.example.com/updates/my-distro/builds/${MACHINE}/${SWUPD_IMAGE_PN}"
+
+# An absolute path for a file containing the SSL certificate that is
+# is to be used for verifying https connections to the version and content
+# derver.
+SWUPD_PINNED_PUBKEY ??= ""
+
# User configurable variables to disable all swupd processing or deltapack
# generation.
SWUPD_GENERATE ??= "1"
@@ -43,8 +65,6 @@ SWUPD_LOG_FN ??= "bbdebug 1"
# a non-negative integer that fits in an int.
OS_VERSION ??= "${DISTRO_VERSION}"
-IMAGE_INSTALL_append = " swupd-client os-release"
-
# We need to preserve xattrs which is only supported by GNU tar >= 1.27
# to be sure this functionality works as expected use the tar-replacement-native
DEPENDS += "tar-replacement-native"
@@ -240,7 +260,6 @@ addtask stage_swupd_inputs after do_image before do_swupd_update
do_stage_swupd_inputs[dirs] = "${SWUPDIMAGEDIR} ${SWUPDMANIFESTDIR} ${DEPLOY_DIR_SWUPD}/maps/"
do_stage_swupd_inputs[depends] += "virtual/fakeroot-native:do_populate_sysroot"
-SWUPD_FORMAT ??= "3"
# do_swupd_update uses its own pseudo database, for several reasons:
# - Performance is better when the pseudo instance is not shared
# with the do_image tasks of other virtual swupd image recipes (those
@@ -449,7 +468,7 @@ ROOTFS_POSTPROCESS_COMMAND += "swupd_replace_hardlinks; "
# then this can be achieved by influencing the os-release package
# by setting in local.conf:
# VERSION_ID = "${OS_VERSION}"
-
+IMAGE_INSTALL_append = " os-release"
swupd_patch_os_release () {
sed -i -e 's/^VERSION_ID *=.*/VERSION_ID="${OS_VERSION}"/' ${IMAGE_ROOTFS}/usr/lib/os-release
}
@@ -515,3 +534,51 @@ i.e. the link is to a file which only exists at runtime, such as files in /proc,
SWUPD_IMAGE_SYMLINK_WHITELIST to resolve this error.'
raise ImageQAFailed(message, swupd_check_dangling_symlinks)
}
+
+def hash_swupd_pinned_pubkey(d):
+ pubkey = d.getVar('SWUPD_PINNED_PUBKEY', True)
+ if pubkey:
+ import hashlib
+ bb.parse.mark_dependency(d, pubkey)
+ with open(pubkey, 'rb') as f:
+ hash = hashlib.sha256()
+ hash.update(f.read())
+ return hash.hexdigest()
+ else:
+ return ''
+
+SWUPD_PINNED_PUBKEY_HASH := "${@ hash_swupd_pinned_pubkey(d)}"
+
+# The swupd client must be configured on a per-image basis.
+# Different images might need different settings.
+configure_swupd_client () {
+ # Write default values to the configuration hierarchy (since 3.4.0)
+ install -d ${IMAGE_ROOTFS}/usr/share/defaults/swupd
+ echo "${SWUPD_VERSION_URL}" >> ${IMAGE_ROOTFS}/usr/share/defaults/swupd/versionurl
+ echo "${SWUPD_CONTENT_URL}" >> ${IMAGE_ROOTFS}/usr/share/defaults/swupd/contenturl
+ echo "${SWUPD_FORMAT}" >> ${IMAGE_ROOTFS}/usr/share/defaults/swupd/format
+ # Changing content of the pubkey also changes the hash and thus ensures
+ # that this method and thus do_rootfs run again.
+ #
+ # TODO: does not actually work. Recipe gets reparsed when the file
+ # changes ("bitbake -e ostro-image-swupd | SWUPD_PINNED_PUBKEY_HASH" changes)
+ # but the task does not get re-executed. Forcing that leads to:
+ #
+ # ERROR: ostro-image-swupd-1.0-r0 do_rootfs: Taskhash mismatch 8762bf20b997ac29dd6793fd11e609c3 versus cb40afac8ca291e31022d5ffd9a9bbac for /work/ostro-os/meta-ostro/recipes-image/images/ostro-image-swupd.bb.do_rootfs
+ # ERROR: Taskhash mismatch 8762bf20b997ac29dd6793fd11e609c3 versus cb40afac8ca291e31022d5ffd9a9bbac for /work/ostro-os/meta-ostro/recipes-image/images/ostro-image-swupd.bb.do_rootfs
+ #
+ # $ bitbake-diffsigs tmp-glibc/stamps/qemux86-ostro-linux/ostro-image-swupd/1.0-r0.do_rootfs.sigdata.c8a9371831f58ce4f8b49a73211f66aa tmp-glibc/stamps/qemux86-ostro-linux/ostro-image-swupd/1.0-r0.do_rootfs.sigdata.cb40afac8ca291e31022d5ffd9a9bbac
+ # basehash changed from 02de100ee7baa348e224f21844fdaa06 to e3bb23a069673a09afee4994522991d3
+ # Variable SWUPD_PINNED_PUBKEY_HASH value changed from 'b9ffbe0963f3f7ab3f3c1af5cd8471c121cb601eb4294ad4b211f1e206746a0a' to '8d172423eb0162feb8c7fb2f2d7da28a6effdf3e95184114c62e6b0efdeae89a'
+ # Taint (by forced/invalidated task) changed from None to 2c8e3b43-5e70-4c96-bf6e-741f0b344731
+ #
+ # There's no sigdata for 8762b. c8a93 is from before changing the file.
+ if [ "${SWUPD_PINNED_PUBKEY_HASH}" ]; then
+ install -d ${IMAGE_ROOTFS}${datadir}/clear/update-ca
+ install -m 0644 '${SWUPD_PINNED_PUBKEY}' ${IMAGE_ROOTFS}${datadir}/clear/update-ca/
+ echo "${datadir}/clear/update-ca/$(basename '${SWUPD_PINNED_PUBKEY}')" > ${IMAGE_ROOTFS}/usr/share/defaults/swupd/pinnedpubkey
+ fi
+ chown -R root:root ${IMAGE_ROOTFS}/usr/share/defaults/swupd
+ chmod 0644 ${IMAGE_ROOTFS}/usr/share/defaults/swupd/*
+}
+ROOTFS_POSTPROCESS_COMMAND_append = " configure_swupd_client;"
diff --git a/recipes-core/swupd-client/swupd-client_git.bb b/recipes-core/swupd-client/swupd-client_git.bb
index 8df89a1..5709357 100644
--- a/recipes-core/swupd-client/swupd-client_git.bb
+++ b/recipes-core/swupd-client/swupd-client_git.bb
@@ -20,6 +20,17 @@ RDEPENDS_${PN}_append_class-target = " oe-swupd-helpers bsdtar"
# We check /etc/os-release for the current OS version number
RRECOMMENDS_${PN}_class-target = "os-release"
+# The current format is determined by the source code of the
+# swupd-client that is in the image.
+#
+# Watch the release notes and/or source code of the client carefully
+# and bump the number by one for each update of the recipe where we
+# switch to a source that has a format change.
+#
+# To switch to a client with a new format also update SWUPD_FORMAT in
+# swupd-image.bbclass.
+RPROVIDES_${PN} = "swupd-client-format3"
+
# TODO: we inherit autotools-brokensep because the Makefile calls a perl script
# in ${S} during one of its steps.
inherit pkgconfig autotools-brokensep systemd
@@ -33,22 +44,6 @@ EXTRA_OECONF = "\
PACKAGECONFIG ??= "stateless"
PACKAGECONFIG[stateless] = ",--disable-stateless"
-SWUPD_VERSION_URL ??= "example.com"
-SWUPD_CONTENT_URL ??= "example.com"
-SWUPD_FORMAT ??= "3"
-SWUPD_PINNED_PUBKEY ??= ""
-do_install_append () {
- # TODO: This should be a less os-specific directory and not hard-code datadir
- install -d ${D}$/usr/share/clear/bundles
-
- # Write default values to the configuration hierarchy (since 3.4.0)
- install -d ${D}/usr/share/defaults/swupd
- echo "${SWUPD_VERSION_URL}" >> ${D}/usr/share/defaults/swupd/versionurl
- echo "${SWUPD_CONTENT_URL}" >> ${D}/usr/share/defaults/swupd/contenturl
- echo "${SWUPD_FORMAT}" >> ${D}/usr/share/defaults/swupd/format
- test -n "${SWUPD_PINNED_PUBKEY}" && echo "${SWUPD_PINNED_PUBKEY}" > ${D}/usr/share/defaults/swupd/pinnedpubkey || true
-}
-
FILES_${PN} += "\
/usr/share \
${systemd_system_unitdir}/multi-user.target.wants* \