build: don't add public key by default

The key shouldn't be add by default but rather via an external package. Currently the package `attendedsysupgrade-common` contains the servers key. Signed-off-by: Paul Spooren <mail@aparcar.org>
openwrt · Jun 18, 2021 · 9a146cf · 9a146cf
1 parent 58828d9
commit 9a146cf
Show file tree

Hide file tree

Showing 4 changed files with 3 additions and 15 deletions.
diff --git a/asu/api.py b/asu/api.py
@@ -310,7 +310,6 @@ def api_build():
         req["store_path"] = current_app.config["STORE_PATH"]
         req["cache_path"] = current_app.config["CACHE_PATH"]
         req["upstream_url"] = current_app.config["UPSTREAM_URL"]
-        req["ca_pubkey"] = current_app.config["CA_PUBKEY"]
         req["branch_data"] = get_branches()[req["branch"]]
 
         job = get_queue().enqueue(

diff --git a/asu/asu.py b/asu/asu.py
@@ -23,7 +23,6 @@ def create_app(test_config: dict = None) -> Flask:
 
     app = Flask(__name__, instance_relative_config=True)
     app.config.from_mapping(
-        CA_PUBKEY=None,
         STORE_PATH=app.instance_path + "/public/store",
         JSON_PATH=app.instance_path + "/public/json",
         CACHE_PATH=app.instance_path + "/cache/",

diff --git a/asu/build.py b/asu/build.py
@@ -148,20 +148,13 @@ def setup_ib():
         repos_path.write_text(repos)
         log.debug(f"Repos:\n{repos}")
 
-        # if a CA pubkey is defined, add it to the created images
-        # enabling CA requires each worker to find a seckey, pubkey and newcert
-        if req.get("ca_pubkey"):
-            fingerprint = fingerprint_pubkey_usign(req["ca_pubkey"])
-            opkg_key_path = cache / subtarget / "files/etc/opkg/keys"
-            opkg_key_path.mkdir(parents=True, exist_ok=True)
-            (opkg_key_path / fingerprint).write_text(
-                f"untrusted comment: ASU CA pubkey {fingerprint}\n{req['ca_pubkey']}"
-            )
-
+        if (Path.cwd() / "seckey").exists():
             # link key-build to imagebuilder
             (cache / subtarget / "key-build").symlink_to(Path.cwd() / "seckey")
+        if (Path.cwd() / "pubkey").exists():
             # link key-build.pub to imagebuilder
             (cache / subtarget / "key-build.pub").symlink_to(Path.cwd() / "pubkey")
+        if (Path.cwd() / "newcert").exists():
             # link key-build.ucert to imagebuilder
             (cache / subtarget / "key-build.ucert").symlink_to(Path.cwd() / "newcert")
 

diff --git a/misc/config.py b/misc/config.py
@@ -4,12 +4,9 @@
 TESTING = False
 DEBUG = False
 
-CA_PUBKEY = "RWSGJBpwejDLf4OApA5SOavh0GBlBFY9FhqxnivUQHpi0/t0QRI98LPW"
-
 # where to find the ImageBuildes
 UPSTREAM_URL = "https://downloads.cdn.openwrt.org"
 
-
 # where to store created images
 STORE_PATH = Path.cwd() / "public/store/"