From 0307c1000803f2b3abfb90460f1cbce263429057 Mon Sep 17 00:00:00 2001
From: Clyne Sullivan
Date: Tue, 29 Oct 2024 19:29:42 -0400
Subject: [PATCH] only sign firmware when necessary
---
 .github/workflows/dummy_priv_key.pem | 52 ----------------------------
 .github/workflows/main.yml | 2 +-
 .github/workflows/ota-release.yml | 4 +--
 build_hooks.py | 19 +++++-----
 platformio.ini | 2 +-
 5 files changed, 12 insertions(+), 67 deletions(-)
 delete mode 100644 .github/workflows/dummy_priv_key.pem
diff --git a/.github/workflows/dummy_priv_key.pem b/.github/workflows/dummy_priv_key.pem
deleted file mode 100644
index e535136..0000000
--- a/.github/workflows/dummy_priv_key.pem
+++ /dev/null
@@ -1,52 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCUVCGRQOZBMk6F -+cMwcQ9g/JzZLWPd2VTAJOm4jrt0DsXlcBhG5u8Zkc+U33FcW9kD2aINxkfMUpCS -FfxmmOA1ONN0noZ3HatuIcYkswdsmJl92Uz5VX2kA8Fq6/GVx5nTo6Ip7WO9kyL9 -iuPfTbycSJ9thXjwRDUD2KaBDZFS3pe6NwhqEDpPvaw/EHBbHxEBS8GhftifhKEc -EUYwEepe6RKfyykVMQrFMhRAOikarKEuxs9LWCHB0wysy64dWuqiRBQTPlCm77mC -dJN9I8tPDhNn/AsrJRxAKTfeTZ4rEDCVEyOZTdxxpD2K9Ad46w/+olmoYnvdm/81 -C1Y7mWFIQL4PcIX9uiQ35rU9MJqA4BztGGTYkIVq0IIVI0cqgsh18RttEn7/AL4l -1NEGlTMLlXbrw2qonZr4+HTRRtKoRxG4LYXliuXoEOh43T4vh7TwAVG3DYhnBHCv -JuA3bV+NtTn8rIHEnkBhPpBPbyn8Y2PNRJGS7/XffESea3XuH0nNKHBpWycgrrtX -KqwQvtoy4IkClwhHkw2RjK840e2HoGsA1RUl1vDRNwklDbU8A1gZUGT+4zMO83to -NfYjjPsgvAUQOPuh6ajVVF+OSkZt8EzpgY3zoAymHqcfqUVim5Iv+9fZItQYBlqL -o29Pyc0e+P8+wCiT8rP5gjDnoZ5/hQIDAQABAoICABO6b48u6fEjTHJhWpFnguYh -czMnkwV/fILkkKQtcnKTQcWsd8N7v7LPmU5xvFV5GeTQiM9QNLMmYCLYrcNvnefg -8QRXzrFVJDyiXVpQPYfiHA2IXhvjlQcVlh+EgOitAva1PZevV/lvnSh1Kq3EByFk -6govxdAfIktVViq1WpjXu6fW3gBNZuloOYVXHbqLkpVw4AYneuRsnYkVexe1qk3e -riLMFgtthG3fT/Y4Rh34IVAOvU+GH1H094CcGUJqRJQ50yRkFhITXGx6LjZnZl5+ -FB1b1phxzSTI1qzIohA+4ldRk7CLkesY2d6mFRWuHhMowMgL9pxDvVlEHWoRPRui -ekZATVfZYKfCbBchDoHPCMMLeomjyI3bxtyHWot2xWdvXpk+Co2QnEHLew+sTWAD -+vQUnUS4Qo1NFDcmQEtnQnNA3QRW1pBDyhSmmdEwhSfohgzjC1D7UuU8q62l+F7M -Me3GtSikBD/xCjdf2i1VtuJjk62uCadx3jm1bD+85C+JHYSohlzoL06ShIltEx1B -Eo1TiYBtqixAjcBwy51X3s4EIUckOtm5pwOWaVXzXWGVbHUS91Nom9Jn4QsX0kL9 -rLpxmzGJ3NMAkUDUsq5ROjZVSm3QUAplap7chGddXTv+lUfLEUBN0PUpaRQsnDXG -8oB6dSkRxxRwh5T7JuTZAoIBAQDOXGOVs4QmckFCJ3xbyduTKAr9QWsuI3feMs+U -tsFgu17ek/gJ47/IYGqAATi/kA0dAfkP1kqYCdsCUNRedUsdCsJOmCLicGPY7vNq -NKgEXYEKIi3sexOXRstYyardFbsUgc9r2Bve1uZSBLnFgS67RuP8DRGX6slosESe -wXrNK6oh3Yfz9UPt6D1yMjizCVqhntp2Vl1aSAU0TiBD0Q1bHo1FgU7gdsvKpFGN -aZfNKjqnnueUpPpv6w4fzIhlCASTKmPmvDNMoz/L8T9dpyLorttAz9c/HdSXImB3 -1GQskOvMlrISierV6GpiEzcK6aKaNEyHf3RjRgvmdsY5zo93AoIBAQC4AiRPQL3K -MHOqGV4ADpHBGqZDsxFVFSFR/gwu3izoTkODrV1I3zLo5hcMdeGg2/Dmwgy8Marx 
-evJPdMkCOcxjUhdGFZuzC2c2Fb3lbPWeDqT5jlYry47evz6HZjpILVTzcMCMhltu -+Tah7Hh8y/Pb896yZpca25oYMLlRajrwGxHlCuOTPOb1ImTpFBd5ntlWM0EbvJYx -LUMx7OICtGPFAqkBLZQdIGNjt9NmioUKUkx0yhcWvfrT5qW//YsnZpqz6jw4PMte -b4Co3cqMvKbhEddd88PWr/evllIpVmiZg4HncGz4pXlSUfiyFzCGLO+onkhwsBF5 -iQoHh8Rm0T/jAoIBAF7jXqs8Y3ymNtmrfGRcekm9NOhlB1qs1nZmmMrCCkNnhOUF -1xz9C3eg1ffMGAMFwvHesV6V47DrfzgeYLiaaJKPGu+2xvumQFNE9MqWMdfoAujc -9I7zvPtngyNtf9KvJln0oqLtOUuLN1bpc16c2xckLrr8a2WWgUxRGQyC3Ouws0dl -LRmBYt3nVzHGZAn3OCRu/fdCGSTlTvdRIUbtvp1ye/VE0zcliOnCCvniXvno/BWN -XOEdx0ZlKBZ5HxKN0ES3Tj6PtWr8+d3WLZPrwYKKvKidqVUNa26fUQposDNJ5BMs -C++4WTJI73nvafTrn2gWukXn1mW7lMdBQD7ee1sCggEAdPO3jD/D4RyGh1h0LGkW -Lrv3bRQFMiSp9ukXaTqBJG2J78lifwyN2QVVJPBPpePk62XunjabRbw1Aldh4u5F -f+MPM9ZMDbJzuSZ8ebOVMQ5xwMO89Tz944l9/qT06icV1VyWpTpIJvJyzNv1gKxI -pEYOBym5ZLKq8DEXuC1ipHUwHHmdR1nwGWHw7Ut92CkkTetpuG1WsI7qJHNA+yMY -PoGAVWVYvGJ3iUuvK39jK7o/KgPARQ4evEvekXZe2X4XWb7I452QTMdl6O5+7JCD -KI4kamyiznMtZAaQ1gE7nka9bBJC0I6r26yJ+vdOOhmZgXyI4kal9K8rFrouFINu -rQKCAQBaDtt+e+ZfJ5VEz5oYl7B9+7TQ+/vvlbljprFZajv4RoPGo4Bsb+CtebFF -Ptquie02mKdvBoZpEvkJf7doLoJvrgsHIhgbW3QpqbSzJtSDEKBOfve8TnGFcz/6 -83ktiNINE1BkedF496x0AVouAE29c1a7Br0eU0lSU9OEw9XFHX7eBCXBJXlKmVLh -pOqYeTCbwTKN8SNcdcqKGhZbkVuxFhZJaeF4mOaDvyuw7eAq1oReGuNv8hcyPC8Q -kr3x7MWDO9X9lfuZXd3yp41ZbGM8p1yMUjzeoOpAC1hLfTcaFU0UKK+gpXoZIrU6 -GmYhu3ZgTC9xGnl1pfiZvLTjLdac ------END PRIVATE KEY----- diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b8be3a9..da55a42 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -24,7 +24,6 @@ jobs: - name: Create header files run: | - cp "${GITHUB_WORKSPACE}/.github/workflows/dummy_priv_key.pem" "${GITHUB_WORKSPACE}/priv_key.pem" cp "${GITHUB_WORKSPACE}/noisemeter-device/config.h.example" "${GITHUB_WORKSPACE}/noisemeter-device/config.h" python "${GITHUB_WORKSPACE}/noisemeter-device/certs.py" -s api.tracket.info > "${GITHUB_WORKSPACE}/noisemeter-device/certs.h" 
@@ -33,3 +32,4 @@ jobs: - name: Build PlatformIO Project (esp32-breadboard) run: pio run -e esp32-breadboard + diff --git a/.github/workflows/ota-release.yml b/.github/workflows/ota-release.yml index c37213e..39214f9 100644 --- a/.github/workflows/ota-release.yml +++ b/.github/workflows/ota-release.yml @@ -32,8 +32,8 @@ jobs: cp "${GITHUB_WORKSPACE}/noisemeter-device/config.h.example" "${GITHUB_WORKSPACE}/noisemeter-device/config.h" python "${GITHUB_WORKSPACE}/noisemeter-device/certs.py" -s api.tracket.info > "${GITHUB_WORKSPACE}/noisemeter-device/certs.h" - - name: Build PlatformIO Project - run: pio run -e esp32-pcb + - name: Build signed firmware + run: pio run -t ota -e esp32-pcb - name: Upload signed firmware uses: djn24/add-asset-to-release@v1 diff --git a/build_hooks.py b/build_hooks.py index e6a4971..5abd1f6 100755 --- a/build_hooks.py +++ b/build_hooks.py @@ -1,16 +1,13 @@ Import("env") -env.AddPostAction( - "$BUILD_DIR/${PROGNAME}.bin", - env.VerboseAction( +env.AddCustomTarget( + name="ota", + dependencies="$BUILD_DIR/${PROGNAME}.bin", + actions=[ "openssl dgst -sha256 -sign priv_key.pem -keyform PEM -out $BUILD_DIR/${PROGNAME}.sig -binary $BUILD_DIR/${PROGNAME}.bin", - "Creating OTA signature...") -) - -env.AddPostAction( - "$BUILD_DIR/${PROGNAME}.bin", - env.VerboseAction( - "cat $BUILD_DIR/${PROGNAME}.sig $BUILD_DIR/${PROGNAME}.bin > ${PROGNAME}_signed.bin", - "Creating ${PROGNAME}_signed.bin") + "cat $BUILD_DIR/${PROGNAME}.sig $BUILD_DIR/${PROGNAME}.bin > ${PROGNAME}_signed.bin" + ], + title="OTA Signing", + description="Create a signed OTA update" ) diff --git a/platformio.ini b/platformio.ini index 0143d98..f9b91a0 100644 --- a/platformio.ini +++ b/platformio.ini @@ -14,7 +14,7 @@ include_dir = noisemeter-device default_envs = esp32-pcb [env] -extra_scripts = post:build_hooks.py +extra_scripts = build_hooks.py framework = arduino platform = espressif32@6.1.0 board_build.partitions = nmpartitions.csv
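Review bot: The new `pio run -t ota -e esp32-pcb` step in ota-release.yml needs `priv_key.pem` in the working directory (the `ota` target in build_hooks.py signs with `-sign priv_key.pem`), and no visible line of this workflow provides it now that the dummy key is deleted. The job starts above this hunk, so the key may already be written from a repository secret there; if it is not, the release build fails at the openssl step. Either way I would document the dependency on the step, e.g. `# needs priv_key.pem written from the signing-key secret by an earlier step`, and delete the key file once signing is done so it cannot end up among the uploaded assets.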
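Review bot: The `ota` target in build_hooks.py reads `priv_key.pem` from the current directory with no check and no comment, so a missing or misplaced key surfaces only as an openssl error and nothing tells a maintainer where the key is supposed to come from. I would add a comment above `env.AddCustomTarget(` such as `# Signs with ./priv_key.pem (supplied out of band, never committed); output is the signature followed by the firmware image.` The `$BUILD_DIR/${PROGNAME}` paths in both shell actions are unquoted, so a build directory containing spaces would break the `openssl` and `cat` commands; wrapping each path in double quotes avoids that. Whether `priv_key.pem` is listed in .gitignore cannot be seen from this patch and is worth confirming now that developers will place a real key next to the sources.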