From 63314d9fccdb369c0d24af7631dd83097b087038 Mon Sep 17 00:00:00 2001
From: Patrick Vacek
Date: Tue, 20 Aug 2019 16:59:49 +0200
Subject: aktualizr: latest garage-sign with expiration support. Use GARAGE_TARGET_EXPIRES or GARAGE_TARGET_EXPIRE_AFTER (but not both!) to set the garage-sign parameters.
Signed-off-by: Patrick Vacek
---
 README.adoc | 3 +++
 classes/image_types_ostree.bbclass | 17 +++++++++++++----
 classes/sota.bbclass | 2 ++
 recipes-sota/aktualizr/aktualizr_git.bb | 6 +++---
 4 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/README.adoc b/README.adoc
index dd07425..455b5d9 100644
--- a/README.adoc
+++ b/README.adoc
@@ -107,6 +107,9 @@ Your images will also need network connectivity to be able to reach an actual OT
 * `OSTREE_UPDATE_SUMMARY` - Set this to '1' to update summary of OSTree repository on each commit. '0' by default.
 * `OSTREE_DEPLOY_DEVICETREE` - Set this to '1' to include devicetree(s) to boot
 * `GARAGE_SIGN_AUTOVERSION` - Set this to '1' to automatically fetch the last version of the garage tools installed by the aktualizr-native. Otherwise use the fixed version specified in the recipe.
+* `GARAGE_TARGET_URL` - sets the `--url` parameter of `garage-sign targets add`, which sets a custom URL for the Image repository targets.
+* `GARAGE_TARGET_EXPIRES` - sets the `--expires` parameter of `garage-sign targets sign`. Format is a UTC instant such as '2018-01-01T00:01:00Z'.
+* `GARAGE_TARGET_EXPIRE_AFTER` - sets the `--expire-after` parameter of `garage-sign targets sign`. Format is in years, months, and days (each optional, but in that order), such as '1Y3M5D'.
 * `INITRAMFS_IMAGE` - initramfs/initrd image that is used as a proxy while booting into OSTree deployment. Do not change this setting unless you are sure that your initramfs can serve as such a proxy.
 * `SOTA_PACKED_CREDENTIALS` - when set, your ostree commit will be pushed to a remote repo as a bitbake step. This should be the path to a zipped credentials file in https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[the format accepted by garage-push].
 * `SOTA_DEPLOY_CREDENTIALS` - when set to '1' (default value), deploys credentials to the built image. Override it in `local.conf` to built a generic image that can be provisioned manually after the build.
diff --git a/classes/image_types_ostree.bbclass b/classes/image_types_ostree.bbclass
index 2e8e8f5..fd67865 100644
--- a/classes/image_types_ostree.bbclass
+++ b/classes/image_types_ostree.bbclass
@@ -237,10 +237,18 @@ IMAGE_CMD_garagesign () { # Push may fail due to race condition when multiple build machines try to push simultaneously # in which case targets.json should be pulled again and the whole procedure repeated push_success=0 - target_url="" - if [ -n "${GARAGE_TARGET_URL}" ]; then - target_url='--url ${GARAGE_TARGET_URL}' - fi + target_url="" + if [ -n "${GARAGE_TARGET_URL}" ]; then + target_url="--url ${GARAGE_TARGET_URL}" + fi + target_expiry="" + if [ -n "${GARAGE_TARGET_EXPIRES}" ] && [ -n "${GARAGE_TARGET_EXPIRE_AFTER}" ]; then + bbfatal "Both GARAGE_TARGET_EXPIRES and GARAGE_TARGET_EXPIRE_AFTER are set. Only one can be set at a time." + elif [ -n "${GARAGE_TARGET_EXPIRES}" ]; then + target_expiry="--expires ${GARAGE_TARGET_EXPIRES}" + elif [ -n "${GARAGE_TARGET_EXPIRE_AFTER}" ]; then + target_expiry="--expire-after ${GARAGE_TARGET_EXPIRE_AFTER}" + fi for push_retries in $( seq 3 ); do garage-sign targets pull --repo tufrepo \ @@ -262,6 +270,7 @@ IMAGE_CMD_garagesign () { fi garage-sign targets sign --repo tufrepo \ --home-dir ${GARAGE_SIGN_REPO} \ + ${target_expiry} \ --key-name=targets errcode=0 garage-sign targets push --repo tufrepo \ diff --git a/classes/sota.bbclass b/classes/sota.bbclass index 5506428..5620b76 100644 --- a/classes/sota.bbclass +++ b/classes/sota.bbclass @@ -51,6 +51,8 @@ GARAGE_SIGN_KEYNAME ?= "garage-key" GARAGE_TARGET_NAME ?= "${OSTREE_BRANCHNAME}" GARAGE_TARGET_VERSION ?= "" GARAGE_TARGET_URL ?= "" +GARAGE_TARGET_EXPIRES ?= "" +GARAGE_TARGET_EXPIRE_AFTER ?= "" GARAGE_CUSTOMIZE_TARGET ?= "" SOTA_MACHINE ??="none" diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb index 9adfce8..5ee9399 100644 --- a/recipes-sota/aktualizr/aktualizr_git.bb +++ b/recipes-sota/aktualizr/aktualizr_git.bb 
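Review bot: `GARAGE_TARGET_EXPIRES` and `GARAGE_TARGET_EXPIRE_AFTER` are only tested for being non-empty before they are placed into `target_expiry`, which the second hunk of this file passes unquoted to `garage-sign targets sign`, so a value containing whitespace would split into extra arguments and a malformed one is rejected only by garage-sign itself, inside the three-attempt push loop after the pull has already run. The README documents both formats, so they can be checked next to the existing `bbfatal` guard, for example `case "${GARAGE_TARGET_EXPIRE_AFTER}" in *[!0-9YMD]*) bbfatal "GARAGE_TARGET_EXPIRE_AFTER must look like 1Y3M5D" ;; esac`, with a matching `*[!0-9TZ:-]*` test for `GARAGE_TARGET_EXPIRES`. The switch from single to double quotes in `target_url` also means the shell now expands `$` and backticks in the configured URL; that is presumably acceptable for values coming from the build configuration, but it deserves a comment such as `# GARAGE_TARGET_* values are trusted build configuration and are spliced into this script as-is`. `IMAGE_CMD_garagesign` begins and ends outside both hunks.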
@@ -15,7 +15,7 @@ RDEPENDS_${PN}-ptest += "bash cmake curl python3-misc python3-modules openssl-bi PV = "1.0+git${SRCPV}" PR = "7" -GARAGE_SIGN_PV = "0.7.0-19-g89ec974" +GARAGE_SIGN_PV = "0.7.0-25-ge74a964" SRC_URI = " \ gitsm://github.com/advancedtelematic/aktualizr;branch=${BRANCH} \ @@ -28,8 +28,8 @@ SRC_URI = " \ " # for garage-sign archive -SRC_URI[md5sum] = "3ed27c1142860cd9b4a2594067312b8b" -SRC_URI[sha256sum] = "e54eef3863118f373c3ebd9e2877f9de5bab4950ed157a15fb4f4ec575bc2ece" +SRC_URI[md5sum] = "9601dd891abac754400852cf367e86a2" +SRC_URI[sha256sum] = "1ebe2c9655b1fcc8d597dbda10c8a413eca12e5351582d916d0b088a84c33cd2" SRCREV = "03778511cc937d07bf53a8092f8b268e65f5d9a6" BRANCH ?= "master" -- cgit v1.2.3-54-g00ecf