From fe71189c5d3a357a2f2d7ed0b448b45fd80a08a9 Mon Sep 17 00:00:00 2001 
From: Laura Abbott Date: Mon, 7 Oct 2024 18:10:45 -0400 Subject: [PATCH] Add buildomat jobs for select images It's useful to have some images that have gone through a `permslip sign`. Do so in a very limited fashion. --- .github/buildomat/build-one.sh | 14 +++++ .github/buildomat/force-git-over-https.sh | 26 ++++++++++ .github/buildomat/jobs/gimlet-c-lab.sh | 16 ++++++ .github/buildomat/jobs/gimlet-c.sh | 16 ++++++ .github/buildomat/jobs/gimlet-d-lab.sh | 16 ++++++ .github/buildomat/jobs/gimlet-d.sh | 16 ++++++ .github/buildomat/jobs/gimlet-e-lab.sh | 16 ++++++ .github/buildomat/jobs/gimlet-e.sh | 16 ++++++ .github/buildomat/jobs/gimlet-f-lab.sh | 16 ++++++ .github/buildomat/jobs/gimlet-f.sh | 16 ++++++ .github/buildomat/jobs/psc-b.sh | 16 ++++++ .github/buildomat/jobs/psc-c.sh | 16 ++++++ .github/buildomat/jobs/rot.sh | 38 ++++++++++++++ .github/buildomat/jobs/sidecar-b-lab.sh | 16 ++++++ .github/buildomat/jobs/sidecar-b.sh | 16 ++++++ .github/buildomat/jobs/sidecar-c-lab.sh | 16 ++++++ .github/buildomat/jobs/sidecar-c.sh | 16 ++++++ .github/buildomat/jobs/sidecar-d-lab.sh | 16 ++++++ .github/buildomat/jobs/sidecar-d.sh | 16 ++++++ .github/buildomat/jobs/sign-sp1.sh | 59 +++++++++++++++++++++ .github/buildomat/jobs/sign-sp2.sh | 62 +++++++++++++++++++++++ .github/buildomat/notes.md | 12 +++++ .github/buildomat/permslip-setup.sh | 60 ++++++++++++++++++++++ 23 files changed, 527 insertions(+) create mode 100755 .github/buildomat/build-one.sh create mode 100644 .github/buildomat/force-git-over-https.sh create mode 100755 .github/buildomat/jobs/gimlet-c-lab.sh create mode 100755 .github/buildomat/jobs/gimlet-c.sh create mode 100755 .github/buildomat/jobs/gimlet-d-lab.sh create mode 100755 .github/buildomat/jobs/gimlet-d.sh create mode 100755 .github/buildomat/jobs/gimlet-e-lab.sh create mode 100755 .github/buildomat/jobs/gimlet-e.sh create mode 100755 .github/buildomat/jobs/gimlet-f-lab.sh create mode 100755 .github/buildomat/jobs/gimlet-f.sh create mode 100755 
.github/buildomat/jobs/psc-b.sh create mode 100755 .github/buildomat/jobs/psc-c.sh create mode 100755 .github/buildomat/jobs/rot.sh create mode 100755 .github/buildomat/jobs/sidecar-b-lab.sh create mode 100755 .github/buildomat/jobs/sidecar-b.sh create mode 100755 .github/buildomat/jobs/sidecar-c-lab.sh create mode 100755 .github/buildomat/jobs/sidecar-c.sh create mode 100755 .github/buildomat/jobs/sidecar-d-lab.sh create mode 100755 .github/buildomat/jobs/sidecar-d.sh create mode 100755 .github/buildomat/jobs/sign-sp1.sh create mode 100755 .github/buildomat/jobs/sign-sp2.sh create mode 100644 .github/buildomat/notes.md create mode 100644 .github/buildomat/permslip-setup.sh
diff --git a/.github/buildomat/build-one.sh b/.github/buildomat/build-one.sh
new file mode 100755
index 000000000..a999a3612
--- /dev/null
+++ b/.github/buildomat/build-one.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+set -o nounset
+
+name=$1
+toml=$2
+image=$3
+
+cargo xtask dist $toml
+cp target/$name/dist/$image/build-$name-image-$image.zip /work/
+touch /work/this_is_not_signed.txt
diff --git a/.github/buildomat/force-git-over-https.sh b/.github/buildomat/force-git-over-https.sh
new file mode 100644
index 000000000..3bc7b8679
--- /dev/null
+++ b/.github/buildomat/force-git-over-https.sh
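Review bot: The three positional arguments are expanded unquoted in the `cargo xtask dist` and `cp` lines of build-one.sh, so a value containing whitespace or a glob character would be split or expanded before it reaches the command. Quoting keeps the script predictable if it is ever called with something other than the fixed job arguments: `cargo xtask dist "$toml"` and `cp "target/$name/dist/$image/build-$name-image-$image.zip" /work/`. A short header comment naming the three arguments (name, app TOML path, image) would also help, since with `nounset` a missing argument is only reported as an unbound `$1`, `$2` or `$3`.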
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+#
+# The token authentication mechanism that affords us access to other private
+# repositories requires that we use HTTPS URLs for GitHub, rather than SSH.
+#
+override_urls=(
+ 'git://github.com/'
+ 'git@github.com:'
+ 'ssh://github.com/'
+ 'ssh://git@github.com/'
+ 'git+ssh://git@github.com/'
+)
+for (( i = 0; i < ${#override_urls[@]}; i++ )); do
+ git config --add --global url.https://github.com/.insteadOf \
+ "${override_urls[$i]}"
+done
+
+#
+# Require that cargo use the git CLI instead of the built-in support. This
+# achieves two things: first, SSH URLs should be transformed on fetch without
+# requiring Cargo.toml rewriting, which is especially difficult in transitive
+# dependencies; second, Cargo does not seem willing on its own to look in
+# ~/.netrc and find the temporary token that buildomat generates for our job,
+# so we must use git which uses curl.
+#
+export CARGO_NET_GIT_FETCH_WITH_CLI=true
diff --git a/.github/buildomat/jobs/gimlet-c-lab.sh b/.github/buildomat/jobs/gimlet-c-lab.sh
new file mode 100755
index 000000000..0fc7c38f8
--- /dev/null
+++ b/.github/buildomat/jobs/gimlet-c-lab.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build gimlet-c-lab"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh gimlet-c-lab app/gimlet/rev-c-lab.toml default
diff --git a/.github/buildomat/jobs/gimlet-c.sh b/.github/buildomat/jobs/gimlet-c.sh
new file mode 100755
index 000000000..06690666e
--- /dev/null
+++ b/.github/buildomat/jobs/gimlet-c.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build gimlet-c"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh gimlet-c app/gimlet/rev-c.toml default
diff --git a/.github/buildomat/jobs/gimlet-d-lab.sh b/.github/buildomat/jobs/gimlet-d-lab.sh
new file mode 100755
index 000000000..e5e29de5a
--- /dev/null
+++ b/.github/buildomat/jobs/gimlet-d-lab.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build gimlet-d-lab"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh gimlet-d-lab app/gimlet/rev-d-lab.toml default
diff --git a/.github/buildomat/jobs/gimlet-d.sh b/.github/buildomat/jobs/gimlet-d.sh
new file mode 100755
index 000000000..7bffe0f62
--- /dev/null
+++ b/.github/buildomat/jobs/gimlet-d.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build gimlet-d"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh gimlet-d app/gimlet/rev-d.toml default
diff --git a/.github/buildomat/jobs/gimlet-e-lab.sh b/.github/buildomat/jobs/gimlet-e-lab.sh
new file mode 100755
index 000000000..6df06e13e
--- /dev/null
+++ b/.github/buildomat/jobs/gimlet-e-lab.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build gimlet-e-lab"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh gimlet-e-lab app/gimlet/rev-e-lab.toml default
diff --git a/.github/buildomat/jobs/gimlet-e.sh b/.github/buildomat/jobs/gimlet-e.sh
new file mode 100755
index 000000000..f0840f1b9
--- /dev/null
+++ b/.github/buildomat/jobs/gimlet-e.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build gimlet-e"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh gimlet-e app/gimlet/rev-e.toml default
diff --git a/.github/buildomat/jobs/gimlet-f-lab.sh b/.github/buildomat/jobs/gimlet-f-lab.sh
new file mode 100755
index 000000000..b800d02c9
--- /dev/null
+++ b/.github/buildomat/jobs/gimlet-f-lab.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build gimlet-f-lab"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh gimlet-f-lab app/gimlet/rev-f-lab.toml default
diff --git a/.github/buildomat/jobs/gimlet-f.sh b/.github/buildomat/jobs/gimlet-f.sh
new file mode 100755
index 000000000..dcffb364b
--- /dev/null
+++ b/.github/buildomat/jobs/gimlet-f.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build gimlet-f"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh gimlet-f app/gimlet/rev-f.toml default
diff --git a/.github/buildomat/jobs/psc-b.sh b/.github/buildomat/jobs/psc-b.sh
new file mode 100755
index 000000000..0a904875c
--- /dev/null
+++ b/.github/buildomat/jobs/psc-b.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build psc-b"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh psc-b app/psc/rev-b.toml default
diff --git a/.github/buildomat/jobs/psc-c.sh b/.github/buildomat/jobs/psc-c.sh
new file mode 100755
index 000000000..46f4a745f
--- /dev/null
+++ b/.github/buildomat/jobs/psc-c.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build psc-c"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh psc-c app/psc/rev-c.toml default
diff --git a/.github/buildomat/jobs/rot.sh b/.github/buildomat/jobs/rot.sh
new file mode 100755
index 000000000..e7032fab3
--- /dev/null
+++ b/.github/buildomat/jobs/rot.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+#:
+#: name = "build rot"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: ]
+#: access_repos = [
+#: "oxidecomputer/permission-slip",
+#: ]
+#:
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+_cleanup () {
+ kill $(jobs -p)
+}
+
+trap _cleanup SIGINT SIGTERM EXIT
+
+source .github/buildomat/force-git-over-https.sh
+source .github/buildomat/permslip-setup.sh
+
+
+cargo xtask dist app/oxide-rot-1/app-dev.toml
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 \
+ sign "UNTRUSTED bart" \
+ target/oxide-rot-1-selfsigned/dist/a/build-oxide-rot-1-selfsigned-image-a.zip \
+ --version 0.0.0-ci > /work/build-oxide-rot-1-selfsigned-image-a.zip
+
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 \
+ sign "UNTRUSTED bart" \
+ target/oxide-rot-1-selfsigned/dist/b/build-oxide-rot-1-selfsigned-image-b.zip \
+ --version 0.0.0-ci > /work/build-oxide-rot-1-selfsigned-image-b.zip
diff --git a/.github/buildomat/jobs/sidecar-b-lab.sh b/.github/buildomat/jobs/sidecar-b-lab.sh
new file mode 100755
index 000000000..98a81657d
--- /dev/null
+++ b/.github/buildomat/jobs/sidecar-b-lab.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build sidecar-b-lab"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh sidecar-b-lab app/sidecar/rev-b-lab.toml default
diff --git a/.github/buildomat/jobs/sidecar-b.sh b/.github/buildomat/jobs/sidecar-b.sh
new file mode 100755
index 000000000..a8088bdb0
--- /dev/null
+++ b/.github/buildomat/jobs/sidecar-b.sh
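Review bot: The `_cleanup` trap in rot.sh runs `kill $(jobs -p)` unconditionally, so when the script exits before the sourced setup has started `permslip-server` in the background, `kill` is called with no PID and prints a usage error on top of the real failure. Guarding the call keeps the log readable: `pids=$(jobs -p); [[ -z "$pids" ]] || kill $pids`. The same function is repeated in sign-sp1.sh and sign-sp2.sh. The `ssh-agent` started by the setup script is not a shell job, so this trap does not stop it; a comment on `_cleanup` should say which process it is meant to stop.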
@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build sidecar-b"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh sidecar-b app/sidecar/rev-b.toml default
diff --git a/.github/buildomat/jobs/sidecar-c-lab.sh b/.github/buildomat/jobs/sidecar-c-lab.sh
new file mode 100755
index 000000000..5987f83a9
--- /dev/null
+++ b/.github/buildomat/jobs/sidecar-c-lab.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build sidecar-c-lab"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh sidecar-c-lab app/sidecar/rev-c-lab.toml default
diff --git a/.github/buildomat/jobs/sidecar-c.sh b/.github/buildomat/jobs/sidecar-c.sh
new file mode 100755
index 000000000..74806f3a0
--- /dev/null
+++ b/.github/buildomat/jobs/sidecar-c.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build sidecar-c"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh sidecar-c app/sidecar/rev-c.toml default
diff --git a/.github/buildomat/jobs/sidecar-d-lab.sh b/.github/buildomat/jobs/sidecar-d-lab.sh
new file mode 100755
index 000000000..4b25c8200
--- /dev/null
+++ b/.github/buildomat/jobs/sidecar-d-lab.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build sidecar-d-lab"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh sidecar-d-lab app/sidecar/rev-d-lab.toml default
diff --git a/.github/buildomat/jobs/sidecar-d.sh b/.github/buildomat/jobs/sidecar-d.sh
new file mode 100755
index 000000000..faf9c6b59
--- /dev/null
+++ b/.github/buildomat/jobs/sidecar-d.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build sidecar-d"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh sidecar-d app/sidecar/rev-d.toml default
diff --git a/.github/buildomat/jobs/sign-sp1.sh b/.github/buildomat/jobs/sign-sp1.sh
new file mode 100755
index 000000000..f601a63a2
--- /dev/null
+++ b/.github/buildomat/jobs/sign-sp1.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+#:
+#: name = "sign sp-1"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: ]
+#: access_repos = [
+#: "oxidecomputer/permission-slip",
+#: ]
+#: [dependencies.gimlet-c]
+#: job = "build gimlet-c"
+#:
+#: [dependencies.gimlet-c-lab]
+#: job = "build gimlet-c-lab"
+#:
+#: [dependencies.gimlet-d]
+#: job = "build gimlet-d"
+#:
+#: [dependencies.gimlet-d-lab]
+#: job = "build gimlet-d-lab"
+#:
+#: [dependencies.gimlet-e]
+#: job = "build gimlet-e"
+#:
+#: [dependencies.gimlet-e-lab]
+#: job = "build gimlet-e-lab"
+#:
+#: [dependencies.gimlet-f]
+#: job = "build gimlet-f"
+#:
+#: [dependencies.gimlet-f-lab]
+#: job = "build gimlet-f-lab"
+#
+
+# Due to buildomat limits we can only have 8 dependent jobs so we
+# split the SP signing into two different jobs
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+_cleanup () {
+ kill $(jobs -p)
+}
+
+trap _cleanup SIGINT SIGTERM EXIT
+
+source .github/buildomat/force-git-over-https.sh
+source .github/buildomat/permslip-setup.sh
+
+
+for f in `find /input -type f -name "*.zip"`; do
+ $PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED SP" \
+ $f \
+ --version 0.0.0-ci > /work/$(basename $f)
+done
diff --git a/.github/buildomat/jobs/sign-sp2.sh b/.github/buildomat/jobs/sign-sp2.sh
new file mode 100755
index 000000000..e09263c1e
--- /dev/null
+++ b/.github/buildomat/jobs/sign-sp2.sh
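Review bot: The signing loop at the end of sign-sp1.sh passes with nothing signed when `/input` holds no zip, because the `for` over the `find` output simply runs zero times and the job still reports success. The loop also word-splits the unquoted `find` output and `$f`, and since outputs are keyed by `basename`, two inputs with the same file name from different dependencies would silently overwrite each other. Reading NUL-delimited paths, quoting the expansions and failing when no image was processed closes the first two gaps; sign-sp2.sh carries the same loop and needs the same change. It would also be worth a comment that the results are signed with the throwaway "UNTRUSTED SP" key, as the output names are identical to the unsigned inputs.

```shell
# … unchanged: frontmatter, options, trap, sourcing of the two setup scripts …
signed=0
while IFS= read -r -d '' f; do
  "$PERMSLIP_DIR/target/release/permslip" --url=http://localhost:41340 \
    sign "UNTRUSTED SP" "$f" --version 0.0.0-ci > "/work/$(basename "$f")"
  signed=$((signed + 1))
done < <(find /input -type f -name '*.zip' -print0)

if (( signed == 0 )); then
  echo "no input images found under /input" >&2
  exit 1
fi
```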
@@ -0,0 +1,62 @@
+#!/bin/bash
+#:
+#: name = "sign sp-2"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: ]
+#: access_repos = [
+#: "oxidecomputer/permission-slip",
+#: ]
+#:
+#: [dependencies.sidecar-b]
+#: job = "build sidecar-b"
+#:
+#: [dependencies.sidecar-b-lab]
+#: job = "build sidecar-b-lab"
+#
+#: [dependencies.sidecar-c]
+#: job = "build sidecar-c"
+#:
+#: [dependencies.sidecar-c-lab]
+#: job = "build sidecar-c-lab"
+#:
+#: [dependencies.sidecar-d]
+#: job = "build sidecar-d"
+#:
+#: [dependencies.sidecar-d-lab]
+#: job = "build sidecar-d-lab"
+#:
+#:
+#: [dependencies.psc-b]
+#: job = "build psc-b"
+#:
+#: [dependencies.psc-c]
+#: job = "build psc-c"
+#
+
+# Due to buildomat limits we can only have 8 dependent jobs so we
+# split the SP signing into two different jobs
+
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+_cleanup () {
+ kill $(jobs -p)
+}
+
+trap _cleanup SIGINT SIGTERM EXIT
+
+source .github/buildomat/force-git-over-https.sh
+source .github/buildomat/permslip-setup.sh
+
+
+for f in `find /input -type f -name "*.zip"`; do
+ $PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED SP" \
+ $f \
+ --version 0.0.0-ci > /work/$(basename $f)
+done
diff --git a/.github/buildomat/notes.md b/.github/buildomat/notes.md
new file mode 100644
index 000000000..20183fa0d
--- /dev/null
+++ b/.github/buildomat/notes.md
@@ -0,0 +1,12 @@
+# Why are there so many jobs?
+
+We need to build many images. Doing it in one job requires building each in
+sequence. Separate buildomat jobs for each image builds in parallel and
+mimimizes waiting time
+
+# Could you add the parallelization within a buildomat job?
+
+We could! That does not match what we do currently for our workflow. Part
+of the point of CI/testing is to use the flows that already exist as
+much as possible. Someone interested in this would need to profile our
+buildomat jobs.
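Review bot: The frontmatter of sign-sp2.sh has a bare `#` line between the `sidecar-b-lab` and `sidecar-c` dependency tables, where every other separator is `#:`. If buildomat takes the job configuration only from the leading run of `#:` lines (worth confirming against its parser), everything after that line — the sidecar-c, sidecar-d and psc dependencies — would be dropped, and the job would sign only the sidecar-b images without reporting an error. Changing that line to `#:` removes the ambiguity. The doubled `#:` separator before `[dependencies.psc-b]` is harmless but could be collapsed for consistency with sign-sp1.sh.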
diff --git a/.github/buildomat/permslip-setup.sh b/.github/buildomat/permslip-setup.sh
new file mode 100644
index 000000000..95833abfc
--- /dev/null
+++ b/.github/buildomat/permslip-setup.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+set -ex
+
+sudo apt-get update
+sudo apt-get install -y postgresql gcc pkgconf openssl libssl-dev
+
+sudo -u postgres createuser yourname
+sudo -u postgres createdb permslip
+sudo -u postgres psql << EOF
+\x
+alter user yourname with encrypted password 'password';
+EOF
+
+sudo -u postgres psql << EOF
+\x
+grant all privileges on database permslip to yourname;
+EOF
+sudo -u postgres psql -d permslip << EOF
+grant all on schema public to yourname;
+EOF
+
+export PERMSLIP_DIR=/work/permslip
+BART_KEY=$(pwd)/support/fake_certs/fake_private_key.pem
+
+mkdir -p $PERMSLIP_DIR
+git clone https://github.com/oxidecomputer/permission-slip.git -b ssh_key_fix $PERMSLIP_DIR
+pushd $PERMSLIP_DIR
+cargo build --release
+export POSTGRES_HOST=localhost
+export POSTGRES_PORT=5432
+export POSTGRES_USER=yourname
+export POSTGRES_PASSWORD=password
+
+ssh-keygen -t ecdsa -b 256 -f /tmp/id_p256 -N '' -C ''
+eval "$(ssh-agent -s)"
+ssh-add /tmp/id_p256
+PERMSLIP_SSH_KEY=$(ssh-keygen -lf /tmp/id_p256.pub | cut -d ' ' -f 2)
+export PERMSLIP_SSH_KEY
+
+$PERMSLIP_DIR/target/release/permslip-server import-ssh-key /tmp/id_p256.pub
+$PERMSLIP_DIR/target/release/permslip-server import-private-key "UNTRUSTED bart" rsa "$BART_KEY"
+$PERMSLIP_DIR/target/release/permslip-server start-server &
+
+sleep 5
+
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 list-keys
+
+# SP
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-key "UNTRUSTED SP" rsa
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED SP" > SP.csr
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED SP" --kind csr SP.csr > SP.cert
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED SP" --kind hubris --cert SP.cert --root SP.cert
+
+# Bart
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED bart" > bart.csr
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED bart" --kind csr bart.csr > bart.cert
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED bart" --kind hubris --cert bart.cert --root bart.cert
+
+popd
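Review bot: The `git clone ... -b ssh_key_fix` line in permslip-setup.sh builds the signing tool from whatever the branch head is at job time, so the binary that produces the signed images can change without any change in this repository. Pinning it keeps the jobs reproducible and reviewable, e.g. `git -C "$PERMSLIP_DIR" checkout <PINNED_COMMIT_SHA>` (placeholder) right after the clone. The SSH key is also written to the fixed path `/tmp/id_p256`; a per-job directory from `mktemp -d` avoids a predictable name in a world-writable directory and the overwrite prompt `ssh-keygen` gives when the file already exists. Since this file is sourced, a header comment should say that it applies `set -ex` to the caller, exports `PERMSLIP_DIR`, `PERMSLIP_SSH_KEY` and the `POSTGRES_*` variables, and leaves `permslip-server` running in the background for the caller's trap to stop. The fixed `sleep 5` before `list-keys` would be more robust as a bounded retry of that same command.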