6a8bf7afff
The stand-alone signing script 'trustfence-sign-artifact.sh' checks if a valid PKI tree exists (by checking the existance of four SRK files) and if they don't, it calls trustfence-gen-pki.sh (which is a wrapper over different generators (for HAB or AHAB) to create one. Recipes such as 'dualboot' or 'recovery-initramfs' may need to call openssl functions over the PKI tree. These recipes do not currently generate the PKI tree; they expect it to be already in place. This might not be the case if the trustfence-sign-artifact.sh script has not been called yet. Originally, a fake dependency on virtual/kernel recipe was made to force it, but it doesn't quite work since the calling only happens on deploy() while regular DEPENDS doesn't wait for this task. If the PKI does not exist, a recipe that requires the PKI tree will fail. The solution is to create a function on the trustfence.bbclass that allows any recipe to check for the existance of a PKI tree and generate it if it doesn't exist. This is repeated inside the trustfence-sign-artifact.sh, but it needs to be in both places because this script must work stand-alone. The generation of the PKI tree takes some seconds so this commit adds a lock dir to prevent race conditions when called from different recipes. It also removes the fake dependency on virtual/kernel and adds a dependency on trustfence-cst-native (which is the recipe that provides the PKI generation tool). Signed-off-by: Hector Palacios <hector.palacios@digi.com> https://onedigi.atlassian.net/browse/DEL-8430 |
||
|---|---|---|
| .. | ||
| trustfence-sign-tools | ||
| trustfence-sign-tools_git.bb | ||