Fixing signatures and add certs to loaders

* Shifting after_deploy messages and aws invalidation to proper locations * Add cert checkout to preinstall and setting those on s3 deploys only * Adding production docker file which runs netboot.xyz overrides * Only display sig menus if enabled * Fix var names for signing
2026-01-23 02:34:26 +00:00 · 2019-12-15 08:13:35 +00:00 · 2019-12-15 08:13:35 +00:00 · f628157e43
commit f628157e43
parent 6c03e92881
11 changed files with 70 additions and 16 deletions
--- a/script/build_release
+++ b/script/build_release
@ -5,6 +5,7 @@ TYPE=$1
 HARD_RELEASE="2.x"
 HARD_RC="2.x-RC"
 LIVE_URL="staging.boot.netboot.xyz"
+DOCKER_FILE="Dockerfile-build.production"

 # Set boot domain
 if [[ "${TYPE}" == "dev" ]]; then
@ -13,6 +14,7 @@ if [[ "${TYPE}" == "dev" ]]; then
 elif [[ "${TYPE}" == "pr" ]]; then
  BOOT_DOMAIN="test.com"
  BOOT_VERSION="test"
+  DOCKER_FILE="Dockerfile-build"
 elif [[ "${TYPE}" == "rc" ]]; then
  BOOT_VERSION=$(cat version.txt)-RC
  BOOT_DOMAIN="${LIVE_URL}/${BOOT_VERSION}"
@ -28,7 +30,7 @@ sed -i \
  user_overrides.yml

 # Build release
-docker build -t localbuild -f Dockerfile-build .
+docker build -t localbuild -f ${DOCKER_FILE} .
 docker run --rm -it -v $(pwd):/buildout localbuild

 # Generate folder outputs
@ -51,7 +53,7 @@ if [[ "${TYPE}" == "release" ]] || [[ "${TYPE}" == "rc" ]]; then
      -e "/^boot_version/c\boot_version: \"${HARD_RELEASE}\"" \
      -e "/^boot_domain/c\boot_domain: ${LIVE_URL}" \
      user_overrides.yml
-    docker build -t localbuild -f Dockerfile-build .
+    docker build -t localbuild -f ${DOCKER_FILE} .
    docker run --rm -it -v $(pwd):/buildout localbuild
  fi
  if [[ "${TYPE}" == "rc" ]]; then
@ -59,7 +61,7 @@ if [[ "${TYPE}" == "release" ]] || [[ "${TYPE}" == "rc" ]]; then
      -e "/^boot_version/c\boot_version: \"${HARD_RC}\"" \
      -e "/^boot_domain/c\boot_domain: ${LIVE_URL}/rc" \
      user_overrides.yml
-    docker build -t localbuild -f Dockerfile-build .
+    docker build -t localbuild -f ${DOCKER_FILE} .
    docker run --rm -it -v $(pwd):/buildout localbuild
  fi
  mkdir -p s3out-latest
--- a/script/message
+++ b/script/message
@ -1,4 +1,5 @@
 #!/bin/bash
+set -e

 TYPE=$1

--- a/script/netbootxyz-overrides.yml
+++ b/script/netbootxyz-overrides.yml
@ -6,4 +6,13 @@ bootloader_multiple: true
 bootloader_disks:
  - "netboot.xyz"
  - "netboot.xyz-packet"
-generate_signatures: true
+generate_signatures: true
+sigs_dir: "{{ netbootxyz_root }}/sigs"
+sigs_location: "http://${boot_domain}/sigs/"
+cert_dir: "/ansible/certs"
+ipxe_trust_args: "TRUST={{ ipxe_ca_location }}"
+ipxe_ca_url: http://ca.ipxe.org/ca.crt
+ipxe_ca_filename: ca-ipxe-org.crt
+codesign_cert_filename: codesign.crt
+codesign_key_filename: codesign.key
+cert_file_filename : ca-netboot-xyz.crt
--- a/script/pre_install
+++ b/script/pre_install
@ -1,4 +1,5 @@
 #!/bin/bash
+set -e

 # Install aws cli
 sudo pip install awscli tornado
--- a/script/retrieve_certs
+++ b/script/retrieve_certs
@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+
+# retrieve certs
+git clone https://$GIT_USER:$GIT_AUTH@$GIT_URL certs
+cp certs/certs.tar.enc .
+openssl aes-256-cbc -K $encrypted_9ca5918f08ba_key -iv $encrypted_9ca5918f08ba_iv -in certs.tar.enc -out certs.tar -d
+tar xvf certs.tar -C certs