[isar-cip-core,v3,0/3] Separate swu signing script from key

Message ID 20240916125518.614224-1-Quirin.Gylstorff@siemens.com (mailing list archive)

Message

Quirin Gylstorff Sept. 16, 2024, 12:54 p.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Some downstream projects use a Hardware security module (HSM) to sign their
updates. To avoid an error message in case an HSM is used, the user needs to
override the major parts of the swupdate-certificates-key recipe. To
reduce the integration work in a downstream layer:
- separate the signing script from the keys
- move the package installation of the scripts out of the swupdate.bbclass.
- update the readme to show this new behaviour

Changes in v2:
 - remove SWU_SIGN_SCRIPT variable
 - remove rsa-swu-sign script
 - fix typos in commit messages
 - rename swu-signer to swu-signer-snakeoil

Changes in v3:
  - Add example of an empty swupdate-signer
  - Clarify signing script section
  - rename swu-signer to swu-signer-cms

Quirin Gylstorff (3):
  Move signing script to seperate package to better support HSM signing
  Add check for sign-swu executable
  Update README for swupdate signing

 classes/swupdate.bbclass                      |  7 +++--
 doc/README.swupdate.md                        | 25 +++++++++++++++---
 kas/opt/swupdate.yml                          |  1 +
 recipes-core/images/swupdate.inc              |  5 +++-
 .../swupdate-certificates/files/sign-swu-rsa  |  6 -----
 .../swupdate-certificates-key.inc             |  9 +------
 .../files/sign-swu-cms                        |  0
 .../swupdate-signer-cms_0.1.bb                | 26 +++++++++++++++++++
 .../swupdate-signer/swupdate-signer-empty.bb  | 22 ++++++++++++++++
 9 files changed, 81 insertions(+), 20 deletions(-)
 delete mode 100644 recipes-devtools/swupdate-certificates/files/sign-swu-rsa
 rename recipes-devtools/{swupdate-certificates => swupdate-signer}/files/sign-swu-cms (100%)
 create mode 100644 recipes-devtools/swupdate-signer/swupdate-signer-cms_0.1.bb
 create mode 100644 recipes-devtools/swupdate-signer/swupdate-signer-empty.bb