Merge pull request #590 from advancedtelematic/fix/OTA-3419/garage-sign-expiry

aktualizr: latest garage-sign with expiration support.

4 files changed, 29 insertions, 7 deletions

diff --git a/README.adoc b/README.adoc
index dd07425..bcbcf96 100644
--- a/README.adoc
+++ b/README.adoc
@@ -107,6 +107,9 @@ Your images will also need network connectivity to be able to reach an actual OT
 * `OSTREE_UPDATE_SUMMARY` - Set this to '1' to update summary of OSTree repository on each commit. '0' by default.
 * `OSTREE_DEPLOY_DEVICETREE` - Set this to '1' to include devicetree(s) to boot
 * `GARAGE_SIGN_AUTOVERSION` - Set this to '1' to automatically fetch the last version of the garage tools installed by the aktualizr-native. Otherwise use the fixed version specified in the recipe.
+* `GARAGE_TARGET_URL` - sets the `--url` parameter of `garage-sign targets add`, which sets a custom URL for the Image repository targets.
+* `GARAGE_TARGET_EXPIRES` - sets the `--expires` parameter of `garage-sign targets sign`. Format is a UTC instant such as '2018-01-01T00:01:00Z'.
+* `GARAGE_TARGET_EXPIRE_AFTER` - sets the `--expire-after` parameter of `garage-sign targets sign`. Format is in years, months, and days (each optional, but in that order), such as '1Y3M5D'.
 * `INITRAMFS_IMAGE` - initramfs/initrd image that is used as a proxy while booting into OSTree deployment. Do not change this setting unless you are sure that your initramfs can serve as such a proxy.
 * `SOTA_PACKED_CREDENTIALS` - when set, your ostree commit will be pushed to a remote repo as a bitbake step. This should be the path to a zipped credentials file in https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[the format accepted by garage-push].
 * `SOTA_DEPLOY_CREDENTIALS` - when set to '1' (default value), deploys credentials to the built image. Override it in `local.conf` to built a generic image that can be provisioned manually after the build.
@@ -197,6 +200,12 @@ IMAGE_INSTALL_append += " aktualizr-resource-control "
 RESOURCE_CPU_WEIGHT_pn-aktualizr = "50"
 ....
 
+=== garage-sign configuration
+
+The https://github.com/advancedtelematic/ota-tuf/tree/master/cli[garage-sign] tool can be configured with variables described in the <<sota-related-variables-in-localconf,SOTA-related variables in local.conf>> section.
+
+Of particular importance is controlling the expiration of the Targets metadata signed with garage-sign. This is described in detail in the https://docs.ota.here.com/ota-client/dev/metadata-expiry.html[OTA Connect documentation]. To set a manual expiration date, you can use either of the variables `GARAGE_TARGET_EXPIRES` or `GARAGE_TARGET_EXPIRE_AFTER`. Both cannot be supplied simultaneously. If neither are provided, a default of one month will be used.
+
 == Development configuration
 
 === Logging
diff --git a/classes/image_types_ostree.bbclass b/classes/image_types_ostree.bbclass
index 2e8e8f5..795e01b 100644
--- a/classes/image_types_ostree.bbclass
+++ b/classes/image_types_ostree.bbclass
@@ -237,10 +237,20 @@ IMAGE_CMD_garagesign () {
         # Push may fail due to race condition when multiple build machines try to push simultaneously
         #   in which case targets.json should be pulled again and the whole procedure repeated
         push_success=0
-        target_url=""
-        if [ -n "${GARAGE_TARGET_URL}" ]; then
-                target_url='--url ${GARAGE_TARGET_URL}'
-        fi
+        target_url=""
+        if [ -n "${GARAGE_TARGET_URL}" ]; then
+            target_url="--url ${GARAGE_TARGET_URL}"
+        fi
+        target_expiry=""
+        if [ -n "${GARAGE_TARGET_EXPIRES}" ] && [ -n "${GARAGE_TARGET_EXPIRE_AFTER}" ]; then
+            bbfatal "Both GARAGE_TARGET_EXPIRES and GARAGE_TARGET_EXPIRE_AFTER are set. Only one can be set at a time."
+        elif [ -n "${GARAGE_TARGET_EXPIRES}" ]; then
+            target_expiry="--expires ${GARAGE_TARGET_EXPIRES}"
+        elif [ -n "${GARAGE_TARGET_EXPIRE_AFTER}" ]; then
+            target_expiry="--expire-after ${GARAGE_TARGET_EXPIRE_AFTER}"
+        else
+            target_expiry="--expire-after 1M"
+        fi
 
         for push_retries in $( seq 3 ); do
             garage-sign targets pull --repo tufrepo \
@@ -262,6 +272,7 @@ IMAGE_CMD_garagesign () {
             fi
             garage-sign targets sign --repo tufrepo \
                                      --home-dir ${GARAGE_SIGN_REPO} \
+                                     ${target_expiry} \
                                      --key-name=targets
             errcode=0
             garage-sign targets push --repo tufrepo \
diff --git a/classes/sota.bbclass b/classes/sota.bbclass
index 86863d9..5b06397 100644
--- a/classes/sota.bbclass
+++ b/classes/sota.bbclass
@@ -51,6 +51,8 @@ GARAGE_SIGN_KEYNAME ?= "garage-key"
 GARAGE_TARGET_NAME ?= "${OSTREE_BRANCHNAME}"
 GARAGE_TARGET_VERSION ?= ""
 GARAGE_TARGET_URL ?= ""
+GARAGE_TARGET_EXPIRES ?= ""
+GARAGE_TARGET_EXPIRE_AFTER ?= ""
 GARAGE_CUSTOMIZE_TARGET ?= ""
 
 SOTA_MACHINE ??="none"
diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb
index 69fc1e9..03840ac 100644
--- a/recipes-sota/aktualizr/aktualizr_git.bb
+++ b/recipes-sota/aktualizr/aktualizr_git.bb
@@ -15,7 +15,7 @@ RDEPENDS_${PN}-ptest += "bash cmake curl net-tools python3-core python3-misc pyt
 PV = "1.0+git${SRCPV}"
 PR = "7"
 
-GARAGE_SIGN_PV = "0.7.0-19-g89ec974"
+GARAGE_SIGN_PV = "0.7.0-25-ge74a964"
 
 SRC_URI = " \
   gitsm://github.com/advancedtelematic/aktualizr;branch=${BRANCH} \
@@ -28,8 +28,8 @@ SRC_URI = " \
   "
 
 # for garage-sign archive
-SRC_URI[md5sum] = "3ed27c1142860cd9b4a2594067312b8b"
-SRC_URI[sha256sum] = "e54eef3863118f373c3ebd9e2877f9de5bab4950ed157a15fb4f4ec575bc2ece"
+SRC_URI[md5sum] = "9601dd891abac754400852cf367e86a2"
+SRC_URI[sha256sum] = "1ebe2c9655b1fcc8d597dbda10c8a413eca12e5351582d916d0b088a84c33cd2"
 
 SRCREV = "03778511cc937d07bf53a8092f8b268e65f5d9a6"
 BRANCH ?= "master"