From 978e13b180db204b076283088bb392468896f3ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cerm=C3=A1k?=
Date: Fri, 22 Dec 2023 14:49:40 +0100
Subject: [PATCH] Generate self-signed certificate in the prepare step and archive it (#3015)

Generate the certificate only once and make it available. The preferred option that doesn't generate warnings would be to use secrets in the repository config, in that case no certificate is generated or archived.
---
 .github/workflows/build.yaml | 36 +++++++++++++++----
 .../scripts/generate-signing-key.sh | 15 ++++++++
 buildroot-external/scripts/rauc.sh | 4 +-
 3 files changed, 46 insertions(+), 9 deletions(-)
 create mode 100755 buildroot-external/scripts/generate-signing-key.sh

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4f4f95112..d57b1d99d 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -36,6 +36,7 @@ jobs:
 matrix: ${{ steps.generate_matrix.outputs.result }}
 build_container_image: ghcr.io/${{ github.repository_owner }}/haos-builder@${{ steps.build_haos_builder.outputs.digest }}
 publish_build: ${{ steps.check_publish.outputs.publish_build }}
+ self_signed_cert: ${{ steps.generate_signing_key.outputs.self_signed }}
 steps:
 - name: Checkout source
 uses: actions/checkout@v4
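Review bot: The new job output reads `steps.generate_signing_key.outputs.self_signed`, but the step added in the next hunk (`@@ -153,6 +154,26 @@`) writes `self_signed_cert=true` to `$GITHUB_OUTPUT`, so `needs.prepare.outputs.self_signed_cert` is always empty. The build job then always evaluates `!= 'true'` as true: 'Add release PKI certs' runs with empty secrets and writes PEM files with empty bodies, and the artifact download step is never reached. Use the same name on both sides, e.g. `self_signed_cert: ${{ steps.generate_signing_key.outputs.self_signed_cert }}`. The `outputs:` mapping this line belongs to starts outside the hunk.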
@@ -153,6 +154,26 @@ jobs:
 cache-to: ghcr.io/${{ github.repository_owner }}/haos-builder:cache-${{ steps.version_main.outputs.version_main }}
 push: true
 
+ - name: Generate self-signed certificate
+ id: generate_signing_key
+ env:
+ RAUC_CERTIFICATE: ${{ secrets.RAUC_CERTIFICATE }}
+ RAUC_PRIVATE_KEY: ${{ secrets.RAUC_PRIVATE_KEY }}
+ if: env.RAUC_CERTIFICATE == '' || env.RAUC_PRIVATE_KEY == ''
+ run: |
+ echo "::warning:: RAUC certificate or key is missing in the repository secrets. Building with a public self-signed certificate!"
+ buildroot-external/scripts/generate-signing-key.sh cert.pem key.pem
+ echo "self_signed_cert=true" >> $GITHUB_OUTPUT
+
+ - name: Create signing key
+ uses: actions/upload-artifact@v4
+ if: steps.generate_signing_key.outcome == 'success'
+ with:
+ name: signing-key
+ path: |
+ cert.pem
+ key.pem
+
 build:
 name: Build for ${{ matrix.board.id }}
 permissions:
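Review bot: The 'Create signing key' step uploads `key.pem` next to `cert.pem`, and workflow artifacts are downloadable by anyone with read access to the repository (for a public repository, effectively everyone), so the private key that signs these builds is public for as long as the artifact exists. That is the accepted trade-off for development builds per the warning text, but the artifact is only consumed by the `build` job of the same run, so `retention-days: 1` under `with:` would keep a private key from lingering for the default retention period. It is also worth checking, in the `check_publish` step outside this hunk, that `publish_build` cannot be true while `self_signed_cert` is true, so an image signed with a world-readable key is never published. Minor: quote the redirection target, `echo "self_signed_cert=true" >> "$GITHUB_OUTPUT"`.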
@@ -188,16 +209,19 @@ jobs:
 sed -i -E "s/(^VERSION_SUFFIX=\").*(\"$)/\1${VERSION_DEV}\2/" buildroot-external/meta
 
 - name: 'Add release PKI certs'
+ if: ${{ needs.prepare.outputs.self_signed_cert != 'true' }}
 env:
 RAUC_CERTIFICATE: ${{ secrets.RAUC_CERTIFICATE }}
 RAUC_PRIVATE_KEY: ${{ secrets.RAUC_PRIVATE_KEY }}
 run: |
- if [ -z "${RAUC_CERTIFICATE}" ] || [ -z "${RAUC_PRIVATE_KEY}" ]; then
- echo "::warning:: RAUC certificate or key is missing. Building with a self-signed certificate!"
- else
- echo -e "-----BEGIN CERTIFICATE-----\n${RAUC_CERTIFICATE}\n-----END CERTIFICATE-----" > cert.pem
- echo -e "-----BEGIN PRIVATE KEY-----\n${RAUC_PRIVATE_KEY}\n-----END PRIVATE KEY-----" > key.pem
- fi
+ echo -e "-----BEGIN CERTIFICATE-----\n${RAUC_CERTIFICATE}\n-----END CERTIFICATE-----" > cert.pem
+ echo -e "-----BEGIN PRIVATE KEY-----\n${RAUC_PRIVATE_KEY}\n-----END PRIVATE KEY-----" > key.pem
+
+ - name: Get self-signed certificate from the prepare job
+ if: ${{ needs.prepare.outputs.self_signed_cert == 'true' }}
+ uses: actions/download-artifact@v4
+ with:
+ name: signing-key
 
 - name: Free space on build drive
 run: |
diff --git a/buildroot-external/scripts/generate-signing-key.sh b/buildroot-external/scripts/generate-signing-key.sh
new file mode 100755
index 000000000..d16dbd48d
--- /dev/null
+++ b/buildroot-external/scripts/generate-signing-key.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+if [ "$#" -ne 2 ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+cert=$1
+key=$2
+
+openssl req -x509 -newkey rsa:4096 -keyout "${key}" \
+ -out "${cert}" -days 3650 -nodes \
+ -subj "/O=HassOS/CN=HassOS Self-signed Development Certificate"
diff --git a/buildroot-external/scripts/rauc.sh b/buildroot-external/scripts/rauc.sh
index c7625a2bf..a5c23cbf5 100755
--- a/buildroot-external/scripts/rauc.sh
+++ b/buildroot-external/scripts/rauc.sh
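Review bot: 'Add release PKI certs' no longer verifies that the two secrets are non-empty before writing `cert.pem` and `key.pem`; its only guard is `needs.prepare.outputs.self_signed_cert != 'true'`, so any disagreement between that output and what the prepare job actually did (the job output and the step currently use different output names) yields PEM files with empty bodies and a failure, if any, only later in the RAUC signing step. A fail-fast check at the top of the run block keeps the error where it is understandable: `if [ -z "${RAUC_CERTIFICATE}" ] || [ -z "${RAUC_PRIVATE_KEY}" ]; then echo "::error:: self_signed_cert is not 'true' but RAUC secrets are empty"; exit 1; fi`. The download step places the artifact in the workspace root, which matches where the PEM files were written before, so the rest of the build should be unaffected. The steps list this hunk sits in starts and ends outside it.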
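Review bot: The usage line `echo "Usage: $0 "` prints nothing after the script name (the argument names may have been lost when this page was rendered); if so, `echo "Usage: $0 <cert> <key>" >&2` documents both positional parameters and sends the message to stderr. Via rauc.sh this script is now also the path taken for local development builds, where `key.pem` is a real secret on the developer's machine; I cannot tell from here what permissions openssl gives the key file, so a `umask 077` before the `openssl req` line would make it owner-only — presumably the build reads it as the same user, please confirm. A header comment such as `# Generate a 10-year self-signed RSA-4096 certificate/key pair for RAUC bundle signing (development use only)` would state the purpose, and `set -euo pipefail` is the more defensive preamble.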
@@ -8,9 +8,7 @@ function prepare_rauc_signing() {
 if [ ! -f "${key}" ]; then
 echo "Generating a self-signed certificate for development"
- openssl req -x509 -newkey rsa:4096 -keyout "${key}" \
- -out "${cert}" -days 3650 -nodes \
- -subj "/O=HassOS/CN=HassOS Self-signed Development Certificate"
+ "${BR2_EXTERNAL_HASSOS_PATH}"/scripts/generate-signing-key.sh "${cert}" "${key}"
 fi
 }
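Review bot: The replacement line depends on `BR2_EXTERNAL_HASSOS_PATH` being set; if it is empty the command becomes `/scripts/generate-signing-key.sh` and the function fails with an unhelpful "No such file" error instead of explaining what is missing. A guard such as `: "${BR2_EXTERNAL_HASSOS_PATH:?BR2_EXTERNAL_HASSOS_PATH must be set}"` before the call makes the failure explicit. Generation now runs in a child process, so the caller only sees the script's exit status; the script's own `set -e` covers the openssl invocation, which is fine as long as callers do not ignore the return code. `prepare_rauc_signing` starts before this hunk, and `cert`/`key` are defined outside it.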