balena-os · flowzone-app · Jan 17, 2025 · Jan 16, 2025 · Jan 16, 2025 · Jan 16, 2025
diff --git a/meta-balena-common/classes/image_types_balena.bbclass b/meta-balena-common/classes/image_types_balena.bbclass
@@ -400,3 +400,46 @@ IMAGE_CMD:hostapp-ext4 () {
     truncate -s "$(expr ${ROOTFS_SIZE} \* 1024)" "${BALENA_HOSTAPP_IMG}"
     mkfs.hostapp -t "${TMPDIR}" -s "${STAGING_DIR_NATIVE}" -i ${BALENA_DOCKER_IMG} -o ${BALENA_HOSTAPP_IMG}
 }
+
+IMAGE_TYPEDEP:balenaos-img.sig = "balenaos-img"
+
+IMAGE_CMD:balenaos-img.sig () {
+    if [ "x${SIGN_API}" = "x" ]; then
+        bbnote "Signing API not defined"
+        return 0
+    fi
+    if [ "x${SIGN_API_KEY}" = "x" ]; then
+        bbfatal "Signing API key must be defined"
+    fi
+
+    for SIGNING_ARTIFACT in ${SIGNING_ARTIFACTS}
+    do
+        if [ -z "${SIGNING_ARTIFACT}" ] || [ ! -f "${SIGNING_ARTIFACT}" ]; then
+            bbfatal "Nothing to sign"
+        fi
+
+        DIGEST=$(openssl dgst -hex -sha256 "${SIGNING_ARTIFACT}" | awk '{print $2}')
+
+        REQUEST_FILE=$(mktemp)
+        RESPONSE_FILE=$(mktemp)
+        echo "{\"cert_id\": \"${SIGN_KMOD_KEY_ID}\", \"digest\": \"${DIGEST}\"}" > "${REQUEST_FILE}"
+        CURL_CA_BUNDLE="${STAGING_DIR_NATIVE}/etc/ssl/certs/ca-certificates.crt" curl --retry 5 --fail --silent "${SIGN_API}/cert/sign" -X POST -H "Content-Type: application/json" -H "X-API-Key: ${SIGN_API_KEY}" -d "@${REQUEST_FILE}" > "${RESPONSE_FILE}"
+        jq -r ".signature" < "${RESPONSE_FILE}" | base64 -d > "${SIGNING_ARTIFACT}.sig"
+        rm -f "${REQUEST_FILE}" "${RESPONSE_FILE}"
+    done
+}
+
+do_image_balenaos_img_sig[network] = "1"
+do_image_balenaos_img_sig[depends] += " \
+    openssl-native:do_populate_sysroot \
+    curl-native:do_populate_sysroot \
+    jq-native:do_populate_sysroot \
+    ca-certificates-native:do_populate_sysroot \
+    coreutils-native:do_populate_sysroot \
+    gnupg-native:do_populate_sysroot \
+    "
+
+do_image_balenaos_img_sig[vardeps] += " \
+    SIGN_API \
+    SIGN_KMOD_KEY_ID \
+    "
diff --git a/meta-balena-common/classes/sign-digest.bbclass b/meta-balena-common/classes/sign-digest.bbclass
diff --git a/meta-balena-common/recipes-core/images/balena-image-flasher.bb b/meta-balena-common/recipes-core/images/balena-image-flasher.bb
@@ -8,12 +8,12 @@ REQUIRED_DISTRO_FEATURES += " systemd"
 
 BALENA_FLAG_FILE = "${BALENA_FLASHER_FLAG_FILE}"
 
-IMAGE_FSTYPES = "balenaos-img"
+IMAGE_FSTYPES = "${@oe.utils.conditional('SIGN_API','','balenaos-img','balenaos-img.sig',d)}"
 
 BALENA_ROOT_FSTYPE = "ext4"
 
 # Make sure you have the resin image ready
-do_image_balenaos_img[depends] += "balena-image:do_image_complete"
+do_image_balenaos_img[depends] += "balena-image:do_rootfs"
 
 # Ensure we have the raw balena image ready in DEPLOY_DIR_IMAGE
 do_image[depends] += "balena-image:do_image_complete"

diff --git a/meta-balena-common/recipes-core/images/balena-image.bb b/meta-balena-common/recipes-core/images/balena-image.bb
@@ -16,9 +16,9 @@ IMAGE_OVERHEAD_FACTOR = "1.0"
 IMAGE_ROOTFS_EXTRA_SPACE = "0"
 IMAGE_ROOTFS_MAXSIZE = "${IMAGE_ROOTFS_SIZE}"
 
-IMAGE_FSTYPES = "balenaos-img"
+IMAGE_FSTYPES = "${@oe.utils.conditional('SIGN_API','','balenaos-img','balenaos-img.sig',d)}"
 
-inherit core-image image-balena features_check sign-digest
+inherit core-image image-balena features_check
 
 SPLASH += "plymouth-balena-theme"
 
@@ -58,25 +58,10 @@ generate_hostos_version () {
     echo "${HOSTOS_VERSION}" > ${DEPLOY_DIR_IMAGE}/VERSION_HOSTOS
 }
 
-symlink_image_signature () {
-    # This is probably not the correct way to do it, but it works.
-    # We sign BALENA_RAW_IMG, which ends up in IMGDEPLOYDIR
-    # and has a timestamp in the file name. We need to get rid
-    # of the timestamp for the final deploy, so that the file
-    # ends up in a predictable location.
-
-    if [ -n "${SIGN_API}" ]; then
-        ln -sf "${BALENA_RAW_IMG}.sig" "${DEPLOY_DIR_IMAGE}/balena-image-${MACHINE}.balenaos-img.sig"
-    fi
-}
-
 DEPENDS += "jq-native"
 
 IMAGE_PREPROCESS_COMMAND:append = " generate_rootfs_fingerprints ; "
-IMAGE_POSTPROCESS_COMMAND += " \
-    generate_hostos_version ; \
-    symlink_image_signature ; \
-"
+IMAGE_POSTPROCESS_COMMAND += " generate_hostos_version ; "
 
 BALENA_BOOT_PARTITION_FILES:append = " \
     balena-logo.png:/splash/balena-logo.png \
@@ -113,4 +98,3 @@ addtask image_size_check after do_image_balenaos_img before do_image_complete
 do_resin_boot_dirgen_and_deploy[depends] += "redsocks:do_deploy"
 
 SIGNING_ARTIFACTS = "${BALENA_RAW_IMG}"
-addtask sign_digest after do_image_balenaos_img before do_image_complete