← Back to team overview

launchpad-reviewers team mailing list archive

[Merge] ~ilasc/launchpad:sign-android-kernel into launchpad:master

 

Ioana Lasc has proposed merging ~ilasc/launchpad:sign-android-kernel into launchpad:master.

Commit message:
Sign Android kernel boot images

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~ilasc/launchpad/+git/launchpad/+merge/404759
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~ilasc/launchpad:sign-android-kernel into launchpad:master.
diff --git a/lib/lp/archivepublisher/signing.py b/lib/lp/archivepublisher/signing.py
index 588a66f..9c05737 100644
--- a/lib/lp/archivepublisher/signing.py
+++ b/lib/lp/archivepublisher/signing.py
@@ -299,6 +299,8 @@ class SigningUpload(CustomUpload):
                     key_type = SigningKeyType.FIT
                 elif filename.endswith(".cv2-kernel"):
                     key_type = SigningKeyType.CV2_KERNEL
+                elif filename.endswith(".android-kernel"):
+                    key_type = SigningKeyType.ANDROID_KERNEL
                 else:
                     continue
 
@@ -398,7 +400,8 @@ class SigningUpload(CustomUpload):
             raise SigningServiceError(
                 "Could not sign message with key %s: %s" % (signing_key, e))
 
-        if key_type in (SigningKeyType.UEFI, SigningKeyType.FIT):
+        if key_type in (SigningKeyType.UEFI, SigningKeyType.FIT,
+                        SigningKeyType.ANDROID_KERNEL):
             file_suffix = ".signed"
             public_key_suffix = ".crt"
         else:
diff --git a/lib/lp/archivepublisher/tests/test_copy_signingkeys.py b/lib/lp/archivepublisher/tests/test_copy_signingkeys.py
index f993c19..d4d943f 100644
--- a/lib/lp/archivepublisher/tests/test_copy_signingkeys.py
+++ b/lib/lp/archivepublisher/tests/test_copy_signingkeys.py
@@ -141,6 +141,8 @@ class TestCopySigningKeysScript(TestCaseWithFactory):
                 archives[0].reference,
             "INFO No CV2 Kernel signing key for %s / None" %
                 archives[0].reference,
+            "INFO No Android Kernel signing key for %s / None" %
+            archives[0].reference,
             ]
         self.assertEqual(
             expected_log, script.logger.content.as_text().splitlines())
@@ -249,6 +251,8 @@ class TestCopySigningKeysScript(TestCaseWithFactory):
                 archives[0].reference, distro_serieses[0].name),
             "INFO No CV2 Kernel signing key for %s / %s" % (
                 archives[0].reference, distro_serieses[0].name),
+            "INFO No Android Kernel signing key for %s / %s" % (
+                archives[0].reference, distro_serieses[0].name),
             ]
         self.assertEqual(
             expected_log, script.logger.content.as_text().splitlines())
diff --git a/lib/lp/archivepublisher/tests/test_signing.py b/lib/lp/archivepublisher/tests/test_signing.py
index 18a5bec..1f97913 100644
--- a/lib/lp/archivepublisher/tests/test_signing.py
+++ b/lib/lp/archivepublisher/tests/test_signing.py
@@ -1632,7 +1632,7 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
         self.tarfile.add_file("1.0/empty.sipl", b"d")
         self.tarfile.add_file("1.0/empty.fit", b"e")
         self.tarfile.add_file("1.0/empty.cv2-kernel", b"f")
-
+        self.tarfile.add_file("1.0/empty.android-kernel", b"g")
         self.process_emulate()
 
         self.assertThat(self.getSignedPath("test", "amd64"), SignedMatches([
@@ -1655,6 +1655,8 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
                 '1.0/control/fit.crt',
                 '1.0/empty.cv2-kernel', '1.0/empty.cv2-kernel.sig',
                 '1.0/control/cv2-kernel.pub',
+                '1.0/empty.android-kernel', '1.0/empty.android-kernel.signed',
+                '1.0/control/android-kernel.crt',
                 ], tarball.getnames())
         self.assertEqual(0, self.signing_service_client.generate.call_count)
         keys = self.signing_keys
@@ -1677,7 +1679,11 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
             call(
                 SigningKeyType.CV2_KERNEL,
                 keys[SigningKeyType.CV2_KERNEL].fingerprint,
-                'empty.cv2-kernel', b'f', SigningMode.DETACHED)],
+                'empty.cv2-kernel', b'f', SigningMode.DETACHED),
+            call(
+                SigningKeyType.ANDROID_KERNEL,
+                keys[SigningKeyType.ANDROID_KERNEL].fingerprint,
+                'empty.android-kernel', b'g', SigningMode.DETACHED)],
             self.signing_service_client.sign.call_args_list)
 
     def test_options_signed_only(self):
@@ -1692,6 +1698,7 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
         self.tarfile.add_file("1.0/empty.sipl", b"d")
         self.tarfile.add_file("1.0/empty.fit", b"e")
         self.tarfile.add_file("1.0/empty.cv2-kernel", b"f")
+        self.tarfile.add_file("1.0/empty.android-kernel", b"g")
 
         self.process_emulate()
 
@@ -1703,6 +1710,7 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
             "1.0/empty.sipl.sig", "1.0/control/sipl.x509",
             "1.0/empty.fit.signed", "1.0/control/fit.crt",
             "1.0/empty.cv2-kernel.sig", "1.0/control/cv2-kernel.pub",
+            "1.0/empty.android-kernel.signed", "1.0/control/android-kernel.crt",
         ]))
         self.assertEqual(0, self.signing_service_client.generate.call_count)
         keys = self.signing_keys
@@ -1725,7 +1733,11 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
             call(
                 SigningKeyType.CV2_KERNEL,
                 keys[SigningKeyType.CV2_KERNEL].fingerprint,
-                'empty.cv2-kernel', b'f', SigningMode.DETACHED)],
+                'empty.cv2-kernel', b'f', SigningMode.DETACHED),
+            call(
+                SigningKeyType.ANDROID_KERNEL,
+                keys[SigningKeyType.ANDROID_KERNEL].fingerprint,
+                'empty.android-kernel', b'g', SigningMode.DETACHED)],
             self.signing_service_client.sign.call_args_list)
 
     def test_options_tarball_signed_only(self):
@@ -1741,6 +1753,7 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
         self.tarfile.add_file("1.0/empty.sipl", b"d")
         self.tarfile.add_file("1.0/empty.fit", b"e")
         self.tarfile.add_file("1.0/empty.cv2-kernel", b"f")
+        self.tarfile.add_file("1.0/empty.android-kernel", b"g")
         self.process_emulate()
         self.assertThat(self.getSignedPath("test", "amd64"), SignedMatches([
             "1.0/SHA256SUMS",
@@ -1757,6 +1770,7 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
                 '1.0/empty.sipl.sig', '1.0/control/sipl.x509',
                 '1.0/empty.fit.signed', '1.0/control/fit.crt',
                 '1.0/empty.cv2-kernel.sig', '1.0/control/cv2-kernel.pub',
+                '1.0/empty.android-kernel.signed', '1.0/control/android-kernel.crt',
             ], tarball.getnames())
         self.assertEqual(0, self.signing_service_client.generate.call_count)
         keys = self.signing_keys
@@ -1779,7 +1793,11 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
             call(
                 SigningKeyType.CV2_KERNEL,
                 keys[SigningKeyType.CV2_KERNEL].fingerprint,
-                'empty.cv2-kernel', b'f', SigningMode.DETACHED)],
+                'empty.cv2-kernel', b'f', SigningMode.DETACHED),
+            call(
+                SigningKeyType.ANDROID_KERNEL,
+                keys[SigningKeyType.ANDROID_KERNEL].fingerprint,
+                'empty.android-kernel', b'g', SigningMode.DETACHED)],
             self.signing_service_client.sign.call_args_list)
 
     def test_archive_copy(self):
@@ -1799,6 +1817,7 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
         self.tarfile.add_file("1.0/empty.sipl", b"d")
         self.tarfile.add_file("1.0/empty.fit", b"e")
         self.tarfile.add_file("1.0/empty.cv2-kernel", b"f")
+        self.tarfile.add_file("1.0/empty.android-kernel", b"g")
         self.tarfile.close()
         self.buffer.close()
 
@@ -1810,7 +1829,7 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
         self.assertThat(signed_path, SignedMatches(
             ["1.0/SHA256SUMS", "1.0/empty.efi", "1.0/empty.ko",
              "1.0/empty.opal", "1.0/empty.sipl", "1.0/empty.fit",
-             "1.0/empty.cv2-kernel"]))
+             "1.0/empty.cv2-kernel", "1.0/empty.android-kernel"]))
 
         self.assertEqual(0, self.signing_service_client.generate.call_count)
         self.assertEqual(0, self.signing_service_client.sign.call_count)
@@ -1829,7 +1848,8 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
 
         filenames = [
             "1.0/empty.efi", "1.0/empty.ko", "1.0/empty.opal",
-            "1.0/empty.sipl", "1.0/empty.fit", "1.0/empty.cv2-kernel"]
+            "1.0/empty.sipl", "1.0/empty.fit", "1.0/empty.cv2-kernel",
+            "1.0/empty.android-kernel"]
 
         # Write data on the archive
         self.openArchive("test", "1.0", "amd64")
@@ -1880,7 +1900,8 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
 
         filenames = [
             "1.0/empty.efi", "1.0/empty.ko", "1.0/empty.opal",
-            "1.0/empty.sipl", "1.0/empty.fit", "1.0/empty.cv2-kernel"]
+            "1.0/empty.sipl", "1.0/empty.fit", "1.0/empty.cv2-kernel",
+            "1.0/empty.android-kernel"]
 
         self.openArchive("test", "1.0", "amd64")
         for filename in filenames:
@@ -1899,20 +1920,22 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
         expected_signed_filenames = [
             "1.0/empty.efi.signed", "1.0/empty.ko.sig",
             "1.0/empty.opal.sig", "1.0/empty.sipl.sig",
-            "1.0/empty.fit.signed", "1.0/empty.cv2-kernel.sig"]
+            "1.0/empty.fit.signed", "1.0/empty.cv2-kernel.sig",
+            "1.0/empty.android-kernel.signed"]
 
         expected_public_keys_filenames = [
             "1.0/control/uefi.crt", "1.0/control/kmod.x509",
             "1.0/control/opal.x509", "1.0/control/sipl.x509",
-            "1.0/control/fit.crt", "1.0/control/cv2-kernel.pub"]
+            "1.0/control/fit.crt", "1.0/control/cv2-kernel.pub",
+            "1.0/control/android-kernel.crt"]
 
         signed_path = self.getSignedPath("test", "amd64")
         self.assertThat(signed_path, SignedMatches(
             ["1.0/SHA256SUMS"] + filenames + expected_public_keys_filenames +
             expected_signed_filenames))
 
-        self.assertEqual(6, self.signing_service_client.generate.call_count)
-        self.assertEqual(6, self.signing_service_client.sign.call_count)
+        self.assertEqual(7, self.signing_service_client.generate.call_count)
+        self.assertEqual(7, self.signing_service_client.sign.call_count)
 
         fingerprints = {
             key_type: data['fingerprint'] for key_type, data in
@@ -1937,6 +1960,11 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
                 SigningKeyType.CV2_KERNEL,
                 fingerprints[SigningKeyType.CV2_KERNEL],
                 'empty.cv2-kernel', b'data - 1.0/empty.cv2-kernel',
+                SigningMode.DETACHED),
+            call(
+                SigningKeyType.ANDROID_KERNEL,
+                fingerprints[SigningKeyType.ANDROID_KERNEL],
+                'empty.android-kernel', b'data - 1.0/empty.android-kernel',
                 SigningMode.DETACHED)],
             self.signing_service_client.sign.call_args_list)
 
@@ -1945,7 +1973,8 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
             signed_path, expected_signed_filenames)
         key_types = (
             SigningKeyType.UEFI, SigningKeyType.KMOD, SigningKeyType.OPAL,
-            SigningKeyType.SIPL, SigningKeyType.FIT, SigningKeyType.CV2_KERNEL)
+            SigningKeyType.SIPL, SigningKeyType.FIT, SigningKeyType.CV2_KERNEL,
+            SigningKeyType.ANDROID_KERNEL)
         modes = {
             SigningKeyType.UEFI: SigningMode.ATTACHED,
             SigningKeyType.KMOD: SigningMode.DETACHED,
@@ -1953,6 +1982,7 @@ class TestSigningUploadWithSigningService(TestSigningHelpers):
             SigningKeyType.SIPL: SigningMode.DETACHED,
             SigningKeyType.FIT: SigningMode.ATTACHED,
             SigningKeyType.CV2_KERNEL: SigningMode.DETACHED,
+            SigningKeyType.ANDROID_KERNEL: SigningMode.DETACHED,
             }
         expected_signed_contents = [
             ("signed with key_type=%s mode=%s" % (
diff --git a/lib/lp/services/signing/enums.py b/lib/lp/services/signing/enums.py
index bba843f..dc02135 100644
--- a/lib/lp/services/signing/enums.py
+++ b/lib/lp/services/signing/enums.py
@@ -68,6 +68,12 @@ class SigningKeyType(DBEnumeratedType):
         An Ambarella CV2 kernel signing key.
         """)
 
+    ANDROID_KERNEL = DBItem(8, """
+        Android Kernel
+
+        An Android kernel signing key.
+        """)
+
 
 class OpenPGPKeyAlgorithm(EnumeratedType):