Generate self-signed certificates for development (#2943)

* Generate self-signed certificates for development To simplify development generate a self-signed certificate on first build. Also make sure that the self-signed certificate is being added the RAUC keyring so that manual updates can be performed. * Add self-signed certificat independent of deployment type * Add a warning when building with self-signed certificate
home-assistant · Nov 27, 2023 · c3b9912 · c3b9912
1 parent 741498c
commit c3b9912
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 5 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -166,8 +166,12 @@ jobs:
           RAUC_CERTIFICATE: ${{ secrets.RAUC_CERTIFICATE }}
           RAUC_PRIVATE_KEY: ${{ secrets.RAUC_PRIVATE_KEY }}
         run: |
-          echo -e "-----BEGIN CERTIFICATE-----\n${RAUC_CERTIFICATE}\n-----END CERTIFICATE-----" > cert.pem
-          echo -e "-----BEGIN PRIVATE KEY-----\n${RAUC_PRIVATE_KEY}\n-----END PRIVATE KEY-----" > key.pem
+          if [ -z "${RAUC_CERTIFICATE}" ] || [ -z "${RAUC_KEY}" ]; then
+              echo "::warning:: RAUC certificate or key is missing. Building with a self-signed certificate!"
+          else
+              echo -e "-----BEGIN CERTIFICATE-----\n${RAUC_CERTIFICATE}\n-----END CERTIFICATE-----" > cert.pem
+              echo -e "-----BEGIN PRIVATE KEY-----\n${RAUC_PRIVATE_KEY}\n-----END PRIVATE KEY-----" > key.pem
+          fi
 
       - name: Free space on build drive
         run: |

diff --git a/buildroot-external/scripts/post-build.sh b/buildroot-external/scripts/post-build.sh
@@ -41,6 +41,7 @@ install_tini_docker
 
 
 # Setup RAUC
+prepare_rauc_signing
 write_rauc_config
 install_rauc_certs
 install_bootloader_config

diff --git a/buildroot-external/scripts/rauc.sh b/buildroot-external/scripts/rauc.sh
@@ -2,6 +2,19 @@
 set -e
 
 
+function prepare_rauc_signing() {
+    local key="/build/key.pem"
+    local cert="/build/cert.pem"
+
+    if [ ! -f "${key}" ]; then
+        echo "Generating a self-signed certificate for development"
+        openssl req -x509 -newkey rsa:4096 -keyout "${key}" \
+                -out "${cert}" -days 3650 -nodes \
+                -subj "/O=HassOS/CN=HassOS Self-signed Development Certificate"
+    fi
+}
+
+
 function write_rauc_config() {
     mkdir -p "${TARGET_DIR}/etc/rauc"
 
@@ -19,10 +32,20 @@ function write_rauc_config() {
 
 
 function install_rauc_certs() {
-    if [ "${DEPLOYMENT}" == "production" ]; then
-        cp "${BR2_EXTERNAL_HASSOS_PATH}/ota/rel-ca.pem" "${TARGET_DIR}/etc/rauc/keyring.pem"
-    else
+    local cert="/build/cert.pem"
+
+    if [ "${DEPLOYMENT}" == "development" ]; then
+        # Contains development and release certificate
         cp "${BR2_EXTERNAL_HASSOS_PATH}/ota/dev-ca.pem" "${TARGET_DIR}/etc/rauc/keyring.pem"
+    else
+        cp "${BR2_EXTERNAL_HASSOS_PATH}/ota/rel-ca.pem" "${TARGET_DIR}/etc/rauc/keyring.pem"
+    fi
+
+    # Add local self-signed certificate (if not trusted by the dev or release
+    # certificate it is a self-signed certificate, dev-ca.pem contains both)
+    if ! openssl verify -CAfile "${BR2_EXTERNAL_HASSOS_PATH}/ota/dev-ca.pem" -no-CApath "${cert}"; then
+        echo "Adding self-signed certificate to keyring."
+        openssl x509 -in "${cert}" -text >> "${TARGET_DIR}/etc/rauc/keyring.pem"
     fi
 }