
Commit 2f878b6

committed
Align file encryption with artifact inclusion
This makes it easier to see what we are encrypting vs what we are uploading as artifacts. Signed-off-by: Kyle Harding <kyle@balena.io>
1 parent 42fd892 commit 2f878b6


1 file changed

+30
-8
lines changed


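--- a/.github/workflows/yocto-build-deploy.yml
+++ b/.github/workflows/yocto-build-deploy.yml
@@ -892,15 +892,23 @@ jobs:
 
           find "${DEPLOY_PATH}" -exec ls -lh {} \;
 
-      # Encrypt .img and .img.zip files and remove the originals
       # Encryption is required for private device types, and signed images.
+      # We do this to obfuscate private device images on public repos,
+      # and to prevent running signed images that have not gone through review and may have security flaws.
+      # Additional file extensions can be added below, but are only required if included as artifact uploads.
       - name: Encrypt signed/private artifacts
         if: inputs.sign-image || needs.balena-lib.outputs.is_private == 'true'
         env:
           PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}
+          PATHS_TO_ENCRYPT: |
+            ${{ env.S3_DEPLOY_PATH }}/balena-image.docker
+            ${{ env.S3_DEPLOY_PATH }}/image/*.img.zip
+            ${{ env.S3_DEPLOY_PATH }}/compressed*/*.deflate
+            ${{ env.S3_DEPLOY_PATH }}/*.manifest
+            ${{ env.S3_DEPLOY_PATH }}/kernel_modules_headers.tar.gz
         run: |
           set -x
-          for file in "${S3_DEPLOY_PATH}"/**/*.img "${S3_DEPLOY_PATH}"/**/*.img.zip "${S3_DEPLOY_PATH}"/**/*.docker "${S3_DEPLOY_PATH}"/**/*.deflate; do
+          for file in $(echo "${PATHS_TO_ENCRYPT}" | tr '\n' ' '); do
             openssl enc -v -e -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${file}" -out "${file}.enc"
             rm "${file}"
           done
@@ -932,6 +940,7 @@ jobs:
             ${{ env.S3_DEPLOY_PATH }}/VERSION*
             ${{ env.S3_DEPLOY_PATH }}/*.manifest
             ${{ env.S3_DEPLOY_PATH }}/kernel_modules_headers.tar.gz
+            ${{ env.S3_DEPLOY_PATH }}/kernel_modules_headers.tar.gz.enc
 
       # Upload artifacts used by Leviathan for test suites.
       # Primarily raw and flasher images, and the hostapp docker image, and the kernel module headers.
@@ -952,6 +961,7 @@ jobs:
             ${{ env.S3_DEPLOY_PATH }}/balena-image.docker
             ${{ env.S3_DEPLOY_PATH }}/balena-image.docker.enc
             ${{ env.S3_DEPLOY_PATH }}/kernel_modules_headers.tar.gz
+            ${{ env.S3_DEPLOY_PATH }}/kernel_modules_headers.tar.gz.enc
 
       ##############################
       # hostapp Deploy
@@ -1014,9 +1024,12 @@ jobs:
         if: inputs.sign-image || needs.balena-lib.outputs.is_private == 'true'
         env:
           PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}
+          PATHS_TO_DECRYPT: |
+            ${{ env.DEPLOY_PATH }}/*.enc
+            ${{ env.DEPLOY_PATH }}/**/*.enc
         run: |
           set -x
-          for enc in "${DEPLOY_PATH}"/**/*.enc; do
+          for enc in $(echo "${PATHS_TO_DECRYPT}" | tr '\n' ' '); do
             openssl enc -v -d -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${enc}" -out "${enc%.enc}"
           done
 
@@ -1345,9 +1358,12 @@ jobs:
         if: inputs.sign-image || needs.balena-lib.outputs.is_private == 'true'
         env:
           PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}
+          PATHS_TO_DECRYPT: |
+            ${{ env.DEPLOY_PATH }}/*.enc
+            ${{ env.DEPLOY_PATH }}/**/*.enc
         run: |
           set -x
-          for enc in "${DEPLOY_PATH}"/**/*.enc; do
+          for enc in $(echo "${PATHS_TO_DECRYPT}" | tr '\n' ' '); do
             openssl enc -v -d -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${enc}" -out "${enc%.enc}"
           done
 
@@ -1499,9 +1515,12 @@ jobs:
         if: inputs.sign-image || needs.balena-lib.outputs.is_private == 'true'
         env:
           PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}
+          PATHS_TO_DECRYPT: |
+            ${{ env.DEPLOY_PATH }}/*.enc
+            ${{ env.DEPLOY_PATH }}/**/*.enc
         run: |
           set -x
-          for enc in "${DEPLOY_PATH}"/**/*.enc; do
+          for enc in $(echo "${PATHS_TO_DECRYPT}" | tr '\n' ' '); do
             openssl enc -v -d -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${enc}" -out "${enc%.enc}"
           done
 
@@ -2101,9 +2120,12 @@ jobs:
         if: inputs.sign-image || needs.balena-lib.outputs.is_private == 'true'
         env:
           PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}
+          PATHS_TO_DECRYPT: |
+            ${{ env.DEPLOY_PATH }}/*.enc
+            ${{ env.DEPLOY_PATH }}/**/*.enc
         run: |
           set -x
-          for enc in "${DEPLOY_PATH}"/**/*.enc; do
+          for enc in $(echo "${PATHS_TO_DECRYPT}" | tr '\n' ' '); do
             openssl enc -v -d -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${enc}" -out "${enc%.enc}"
           done
 
@@ -2144,8 +2166,8 @@ jobs:
 
           # The test suite expects the image to be tested to be called "balena.img.gz" - regardless of what it may have been called before
           gzip -9 -c "${DEPLOY_PATH}/image/${BALENA_OS_IMAGE}" >"${LEVIATHAN_WORKSPACE}/balena.img.gz"
-          cp -v "${DEPLOY_PATH}/balena-image.docker" "${LEVIATHAN_WORKSPACE}/balena-image.docker"
-          cp -v "${DEPLOY_PATH}/kernel_modules_headers.tar.gz" "${LEVIATHAN_WORKSPACE}/kernel_modules_headers.tar.gz"
+          mv -v "${DEPLOY_PATH}/balena-image.docker" "${LEVIATHAN_WORKSPACE}/balena-image.docker"
+          mv -v "${DEPLOY_PATH}/kernel_modules_headers.tar.gz" "${LEVIATHAN_WORKSPACE}/kernel_modules_headers.tar.gz"
 
           cp -v "${SUITES}/${TEST_SUITE}/config.js" "${LEVIATHAN_WORKSPACE}/config.js"
           mkdir -p "${REPORTS}"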
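Review bot: The new `for file in $(echo "${PATHS_TO_ENCRYPT}" | tr '\n' ' '); do` loop in the encrypt step (new lines 903–911) relies on shell options the step never enables: `**` only recurses under `shopt -s globstar`, which bash leaves off by default, so the `**/*.enc` patterns in the four `PATHS_TO_DECRYPT` loops (new lines 1024, 1358, 1515 and 2120) match exactly one directory level, the same as `*/*.enc`; and without `nullglob` an unmatched pattern such as `compressed*/*.deflate` is handed to openssl as a literal path, which fails and, under the runner's default `bash -e` shell, aborts the step. The `echo | tr` pipe is also redundant, because the unquoted expansion is already split on newlines; `shopt -s nullglob globstar` before the loop and `for file in ${PATHS_TO_ENCRYPT}; do` cover both points, and the same two lines apply to each decrypt loop. Whether a fixed entry such as `kernel_modules_headers.tar.gz` can legitimately be absent for some device types is not visible from the hunk; if it can, an `[ -e "${file}" ] || continue` guard at the top of the loop body would turn that into a skip instead of a failed job. The enclosing steps in every hunk begin before the hunk, so their `shell:` setting, if any, is not visible here.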
