Generate self-signed certificates for development (#2943)

* Generate self-signed certificates for development

To simplify development generate a self-signed certificate on first
build. Also make sure that the self-signed certificate is being added
the RAUC keyring so that manual updates can be performed.

* Add self-signed certificate independent of deployment type

* Add a warning when building with self-signed certificate
Stefan Agner 2023-11-27 18:36:12 +01:00 committed by GitHub
parent 741498c92b
commit c3b9912e2e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 33 additions and 5 deletions


@ -166,8 +166,12 @@ jobs:
RAUC_CERTIFICATE: ${{ secrets.RAUC_CERTIFICATE }} RAUC_CERTIFICATE: ${{ secrets.RAUC_CERTIFICATE }}
RAUC_PRIVATE_KEY: ${{ secrets.RAUC_PRIVATE_KEY }} RAUC_PRIVATE_KEY: ${{ secrets.RAUC_PRIVATE_KEY }}
run: | run: |
echo -e "-----BEGIN CERTIFICATE-----\n${RAUC_CERTIFICATE}\n-----END CERTIFICATE-----" > cert.pem if [ -z "${RAUC_CERTIFICATE}" ] || [ -z "${RAUC_KEY}" ]; then
echo -e "-----BEGIN PRIVATE KEY-----\n${RAUC_PRIVATE_KEY}\n-----END PRIVATE KEY-----" > key.pem echo "::warning:: RAUC certificate or key is missing. Building with a self-signed certificate!"
else
echo -e "-----BEGIN CERTIFICATE-----\n${RAUC_CERTIFICATE}\n-----END CERTIFICATE-----" > cert.pem
echo -e "-----BEGIN PRIVATE KEY-----\n${RAUC_PRIVATE_KEY}\n-----END PRIVATE KEY-----" > key.pem
fi
- name: Free space on build drive - name: Free space on build drive
run: | run: |
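Review bot: The new guard `if [ -z "${RAUC_CERTIFICATE}" ] || [ -z "${RAUC_KEY}" ]; then` tests `RAUC_KEY`, but the step's env block only exports `RAUC_CERTIFICATE` and `RAUC_PRIVATE_KEY`; `RAUC_KEY` is never set, so the condition is always true, the `else` branch never writes cert.pem/key.pem, and every CI build, including those that do have the secrets, silently falls back to the self-signed certificate with nothing more than a warning annotation. It should read `if [ -z "${RAUC_CERTIFICATE}" ] || [ -z "${RAUC_PRIVATE_KEY}" ]; then`. Because the self-signed fallback is meant for development only, consider escalating the warning to a hard failure (`echo "::error:: ..." ; exit 1`) for release builds, if the workflow can distinguish them, so a published image can never ship signed by a throw-away key that is also baked into the device keyring. The surrounding step continues outside the hunk.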


@ -41,6 +41,7 @@ install_tini_docker
# Setup RAUC # Setup RAUC
prepare_rauc_signing
write_rauc_config write_rauc_config
install_rauc_certs install_rauc_certs
install_bootloader_config install_bootloader_config


@ -2,6 +2,19 @@
set -e set -e
function prepare_rauc_signing() {
local key="/build/key.pem"
local cert="/build/cert.pem"
if [ ! -f "${key}" ]; then
echo "Generating a self-signed certificate for development"
openssl req -x509 -newkey rsa:4096 -keyout "${key}" \
-out "${cert}" -days 3650 -nodes \
-subj "/O=HassOS/CN=HassOS Self-signed Development Certificate"
fi
}
function write_rauc_config() { function write_rauc_config() {
mkdir -p "${TARGET_DIR}/etc/rauc" mkdir -p "${TARGET_DIR}/etc/rauc"
@ -19,10 +32,20 @@ function write_rauc_config() {
function install_rauc_certs() { function install_rauc_certs() {
if [ "${DEPLOYMENT}" == "production" ]; then local cert="/build/cert.pem"
cp "${BR2_EXTERNAL_HASSOS_PATH}/ota/rel-ca.pem" "${TARGET_DIR}/etc/rauc/keyring.pem"
else if [ "${DEPLOYMENT}" == "development" ]; then
# Contains development and release certificate
cp "${BR2_EXTERNAL_HASSOS_PATH}/ota/dev-ca.pem" "${TARGET_DIR}/etc/rauc/keyring.pem" cp "${BR2_EXTERNAL_HASSOS_PATH}/ota/dev-ca.pem" "${TARGET_DIR}/etc/rauc/keyring.pem"
else
cp "${BR2_EXTERNAL_HASSOS_PATH}/ota/rel-ca.pem" "${TARGET_DIR}/etc/rauc/keyring.pem"
fi
# Add local self-signed certificate (if not trusted by the dev or release
# certificate it is a self-signed certificate, dev-ca.pem contains both)
if ! openssl verify -CAfile "${BR2_EXTERNAL_HASSOS_PATH}/ota/dev-ca.pem" -no-CApath "${cert}"; then
echo "Adding self-signed certificate to keyring."
openssl x509 -in "${cert}" -text >> "${TARGET_DIR}/etc/rauc/keyring.pem"
fi fi
} }
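Review bot: The keyring guard in the second hunk (`if ! openssl verify -CAfile .../dev-ca.pem -no-CApath "${cert}"`) appends cert.pem to the device trust store on any verification failure, not only when the certificate is actually self-signed: a release certificate that has expired, whose intermediate is not in dev-ca.pem, or a corrupt file would silently become a trusted bundle signer in the shipped image. Test positively for a self-signed certificate instead, `openssl verify -CAfile "${cert}" -no-CApath "${cert}"` succeeds only when the certificate is its own trust anchor, and abort the build otherwise, since a signing certificate that is neither CA-trusted nor self-signed is a configuration error rather than a development build. The `-text` flag on the `openssl x509` call also writes a human-readable decode ahead of the PEM block; RAUC's PEM loader presumably skips it, but plain `openssl x509 -in "${cert}"` keeps keyring.pem clean. Note also that `prepare_rauc_signing` in the first hunk only checks for the key file, so an existing key with a missing cert.pem is not regenerated and lands on this path with a non-existent certificate.
```shell
    # Add local self-signed certificate (if not trusted by the dev or release
    # certificate it is a self-signed certificate, dev-ca.pem contains both)
    if ! openssl verify -CAfile "${BR2_EXTERNAL_HASSOS_PATH}/ota/dev-ca.pem" -no-CApath "${cert}" > /dev/null 2>&1; then
        # Only a certificate that verifies against itself is self-signed; anything
        # else must not end up in the device keyring.
        if ! openssl verify -CAfile "${cert}" -no-CApath "${cert}" > /dev/null 2>&1; then
            echo "Error: ${cert} is neither trusted by dev-ca.pem nor self-signed, refusing to add it to the keyring." >&2
            exit 1
        fi
        echo "Adding self-signed certificate to keyring."
        openssl x509 -in "${cert}" >> "${TARGET_DIR}/etc/rauc/keyring.pem"
    fi
```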