core_sign_update: use pkcs11 openssl engine #1149
sdk_container/src/third_party/portage-stable/acct-user/pcscd/pcscd-0-r2.ebuild
+1 for adding download_payloads/generate_payload to this repo. (What I don't like is making it mandatory to run inside the SDK because of common.sh)
Build action triggered: https://github.com/flatcar/scripts/actions/runs/7628587794
Inside the SDK or can I use the one from the host? Would it conflict with the one from the host? That was the case before and one had to manually stop it for successful signing.
In the end a big wrapper would be nice that downloads and uploads.
@pothos I just checked, it conflicts indeed:
For this to work, one has to use the daemon from the SDK (and not from the host). That's also the idea behind: no need to pull dependencies on your own machine.
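A preflight check for the host/SDK pcscd conflict discussed above, added here as an example; it is not part of this PR or of the flatcar scripts. The socket path /run/pcscd/pcscd.comm (pcsc-lite's usual default) and the systemctl stop hint are assumptions.

```shell
#!/bin/sh
# Refuse to start signing through the SDK's pcscd while a host pcsc-lite
# daemon is still running, since both would fight over the HSM reader.
# Assumed default socket path for pcsc-lite; override via the environment.
PCSCD_SOCKET="${PCSCD_SOCKET:-/run/pcscd/pcscd.comm}"

# host_pcscd_conflict SOCKET PIDS
#   SOCKET: pcscd socket path to look for
#   PIDS:   whitespace-separated pids of pcscd processes found ("" if none)
# Returns 0 when a conflicting host daemon is detected, 1 when the way is clear.
host_pcscd_conflict() {
  sock=$1
  pids=$2
  if [ -S "$sock" ]; then
    echo "host pcscd socket present at $sock" >&2
    return 0
  fi
  if [ -n "$pids" ]; then
    echo "host pcscd running, pids: $pids" >&2
    return 0
  fi
  return 1
}

# preflight_pcscd: gather the live host state and decide whether signing
# may proceed with the SDK-provided daemon (0 = go, 1 = stop).
preflight_pcscd() {
  pids=$(pgrep -x pcscd 2>/dev/null || true)
  if host_pcscd_conflict "$PCSCD_SOCKET" "$pids"; then
    # Assumed remediation for systemd hosts; adjust to the host's init system.
    echo "stop the host daemon first (e.g. systemctl stop pcscd.socket pcscd.service)" >&2
    return 1
  fi
  return 0
}
```

Run preflight_pcscd before invoking the signing step; a non-zero exit means the host daemon still owns the reader.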
Looks good!
Let's merge and then remove the scripts from flatcar-build-scripts, otherwise things can get out of sync
I assume that the scripts work. The changes in portage-stable and coreos-overlay look good. The baselayout will need to have its commit ID updated, of course.
One question though: why put the download_payloads script in the data subdirectory? The generate payload scripts could just create the directory and call download_payloads from there.
this is the pkcs11 engine for OpenSSL Signed-off-by: Mathieu Tortuyaux <[email protected]>
it's used to interact with the HSM device. Signed-off-by: Mathieu Tortuyaux <[email protected]>
required for pcsc-lite daemon to work Signed-off-by: Mathieu Tortuyaux <[email protected]>
Signed-off-by: Mathieu Tortuyaux <[email protected]>
Signed-off-by: Mathieu Tortuyaux <[email protected]>
Signed-off-by: Mathieu Tortuyaux <[email protected]>
directly from the flatcar-build-scripts (no modification) Signed-off-by: Mathieu Tortuyaux <[email protected]>
Signed-off-by: Mathieu Tortuyaux <[email protected]>
Signed-off-by: Mathieu Tortuyaux <[email protected]>
It's because the
To be tested with an actual payload.
SDK: http://jenkins.infra.kinvolk.io:8080/job/container/job/sdk/1275/cldsv/
TODO:
acct-user/pcscd (see the comment: core_sign_update: use pkcs11 openssl engine #1149 (comment))
The workflow would be the following (see: https://github.com/flatcar/flatcar-maintainer-private/pull/9)