Support to use the same certificate to sign image (sonic-net#140)

* Support to use the same certificate to sign image

* Fix script not found issue

* remove build-config.sh

* Change to get certificate from Azure Key Vault

* Revert the change to 201904 Jekinsfile

* Revert the change to 201904 Jekinsfile

jenkins/broadcom/buildimage-brcm-all-pr/Jenkinsfile

@@ -6,6 +6,10 @@ pipeline {
 
     }
 
+    environment {
+        TMP_PATH=sh(script: "mktemp -d", returnStdout: true).trim()
+    }
+
     stages {
         stage('Prepare') {
             steps {
@@ -24,17 +28,23 @@ pipeline {
         }
 
         stage('Build') {
+            options {
+                azureKeyVault([[envVariable: 'PFX_FILE', name: 'sonic-signing-cert', secretType: 'Certificate']])
+            }
             steps {
                 sh '''#!/bin/bash -xe
 
 git submodule foreach --recursive '[ -f .git ] && echo "gitdir: $(realpath --relative-to=. $(cut -d" " -f2 .git))" > .git'
 
+scripts/convert-pfx-cert-format.sh -p $PFX_FILE -k $TMP_PATH/signing.key -c $TMP_PATH/signing.cert -a $TMP_PATH/ca.cert
+SONIC_OVERRIDE_BUILD_VARS="SIGNING_KEY=/tmp/certs/signing.key SIGNING_CERT=/tmp/certs/signing.cert CA_CERT=/tmp/certs/ca.cert"
+DOCKER_BUILDER_MOUNT="$(pwd):/sonic -v $TMP_PATH:/tmp/certs"
 CACHE_OPTIONS="SONIC_DPKG_CACHE_METHOD=rcache SONIC_DPKG_CACHE_SOURCE=/nfs/dpkg_cache/broadcom"
 make configure PLATFORM=broadcom
 
 make SONIC_CONFIG_BUILD_JOBS=1 $CACHE_OPTIONS target/sonic-broadcom.bin
 make SONIC_CONFIG_BUILD_JOBS=1 $CACHE_OPTIONS target/sonic-broadcom.raw
-make SONIC_CONFIG_BUILD_JOBS=1 $CACHE_OPTIONS ENABLE_IMAGE_SIGNATURE=y target/sonic-aboot-broadcom.swi
+make SONIC_CONFIG_BUILD_JOBS=1 $CACHE_OPTIONS ENABLE_IMAGE_SIGNATURE=y SONIC_OVERRIDE_BUILD_VARS="${SONIC_OVERRIDE_BUILD_VARS}" DOCKER_BUILDER_MOUNT="${DOCKER_BUILDER_MOUNT}" target/sonic-aboot-broadcom.swi
 '''
             }
         }
@@ -48,5 +58,8 @@ make SONIC_CONFIG_BUILD_JOBS=1 $CACHE_OPTIONS ENABLE_IMAGE_SIGNATURE=y target/so
         success {
             archiveArtifacts(artifacts: 'target/**')
         }
+        cleanup {
+            sh "[ -d $TMP_PATH ] && rm -rf $TMP_PATH"
+        }
     }
 }

jenkins/broadcom/buildimage-brcm-all-released-pr/Jenkinsfile

@@ -5,6 +5,9 @@ pipeline {
         buildDiscarder(logRotator(artifactDaysToKeepStr: '', artifactNumToKeepStr: '', daysToKeepStr: '', numToKeepStr: '60'))
 
     }
+    environment {
+        TMP_PATH=sh(script: "mktemp -d", returnStdout: true).trim()
+    }
 
     stages {
         stage('Prepare') {
@@ -24,16 +27,22 @@ pipeline {
         }
 
         stage('Build') {
+            options {
+                azureKeyVault([[envVariable: 'PFX_FILE', name: 'sonic-signing-cert', secretType: 'Certificate']])
+            }
             steps {
                 sh '''#!/bin/bash -xe
 
 git submodule foreach --recursive '[ -f .git ] && echo "gitdir: $(realpath --relative-to=. $(cut -d" " -f2 .git))" > .git'
 
 make configure PLATFORM=broadcom
 
+scripts/convert-pfx-cert-format.sh -p $PFX_FILE -k $TMP_PATH/signing.key -c $TMP_PATH/signing.cert -a $TMP_PATH/ca.cert
+SONIC_OVERRIDE_BUILD_VARS="SIGNING_KEY=/tmp/certs/signing.key SIGNING_CERT=/tmp/certs/signing.cert CA_CERT=/tmp/certs/ca.cert"
+DOCKER_BUILDER_MOUNT="$(pwd):/sonic -v $TMP_PATH:/tmp/certs"
 make SONIC_CONFIG_BUILD_JOBS=1 target/sonic-broadcom.bin
 make SONIC_CONFIG_BUILD_JOBS=1 target/sonic-broadcom.raw
-make SONIC_CONFIG_BUILD_JOBS=1 ENABLE_IMAGE_SIGNATURE=y target/sonic-aboot-broadcom.swi
+make SONIC_CONFIG_BUILD_JOBS=1 ENABLE_IMAGE_SIGNATURE=y SONIC_OVERRIDE_BUILD_VARS="${SONIC_OVERRIDE_BUILD_VARS}" DOCKER_BUILDER_MOUNT="${DOCKER_BUILDER_MOUNT}" target/sonic-aboot-broadcom.swi
 '''
             }
         }
@@ -44,5 +53,8 @@ make SONIC_CONFIG_BUILD_JOBS=1 ENABLE_IMAGE_SIGNATURE=y target/sonic-aboot-broad
         success {
             archiveArtifacts(artifacts: 'target/**')
         }
+        cleanup {
+            sh "[ -d $TMP_PATH ] && rm -rf $TMP_PATH"
+        }
     }
 }

jenkins/broadcom/buildimage-brcm-all/Jenkinsfile

@@ -7,6 +7,7 @@ pipeline {
 
     environment {
         SONIC_TEAM_WEBHOOK = credentials('public-jenkins-builder')
+        TMP_PATH=sh(script: "mktemp -d", returnStdout: true).trim()
     }
 
     triggers {
@@ -32,17 +33,23 @@ pipeline {
         }
 
         stage('Build') {
+            options {
+                azureKeyVault([[envVariable: 'PFX_FILE', name: 'sonic-signing-cert', secretType: 'Certificate']])
+            }
             steps {
                 sh '''#!/bin/bash -xe
 
 git submodule foreach --recursive '[ -f .git ] && echo "gitdir: $(realpath --relative-to=. $(cut -d" " -f2 .git))" > .git'
 
+scripts/convert-pfx-cert-format.sh -p $PFX_FILE -k $TMP_PATH/signing.key -c $TMP_PATH/signing.cert -a $TMP_PATH/ca.cert
+SONIC_OVERRIDE_BUILD_VARS="SIGNING_KEY=/tmp/certs/signing.key SIGNING_CERT=/tmp/certs/signing.cert CA_CERT=/tmp/certs/ca.cert"
+DOCKER_BUILDER_MOUNT="$(pwd):/sonic -v $TMP_PATH:/tmp/certs"
 CACHE_OPTIONS="SONIC_DPKG_CACHE_METHOD=wcache SONIC_DPKG_CACHE_SOURCE=/nfs/dpkg_cache/broadcom"
 make configure PLATFORM=broadcom
 make SONIC_CONFIG_BUILD_JOBS=1 $CACHE_OPTIONS INSTALL_DEBUG_TOOLS=y target/sonic-broadcom.bin
 mv target/sonic-broadcom.bin target/sonic-broadcom-dbg.bin
 make SONIC_CONFIG_BUILD_JOBS=1 $CACHE_OPTIONS target/sonic-broadcom.bin
-make SONIC_CONFIG_BUILD_JOBS=1 $CACHE_OPTIONS ENABLE_IMAGE_SIGNATURE=y target/sonic-aboot-broadcom.swi
+make SONIC_CONFIG_BUILD_JOBS=1 $CACHE_OPTIONS ENABLE_IMAGE_SIGNATURE=y SONIC_OVERRIDE_BUILD_VARS="${SONIC_OVERRIDE_BUILD_VARS}" DOCKER_BUILDER_MOUNT="${DOCKER_BUILDER_MOUNT}" target/sonic-aboot-broadcom.swi
 make SONIC_CONFIG_BUILD_JOBS=1 $CACHE_OPTIONS target/sonic-broadcom.raw
 make SONIC_CONFIG_BUILD_JOBS=1 $CACHE_OPTIONS target/docker-syncd-brcm-rpc.gz target/docker-ptf-brcm.gz target/docker-saiserver-brcm.gz
 '''
@@ -65,6 +72,7 @@ make SONIC_CONFIG_BUILD_JOBS=1 $CACHE_OPTIONS target/docker-syncd-brcm-rpc.gz ta
         }
         cleanup {
             cleanWs(disableDeferredWipeout: false, deleteDirs: true, notFailBuild: true)
+            sh "[ -d $TMP_PATH ] && rm -rf $TMP_PATH"
         }
     }
 }

jenkins/broadcom/buildimage-brcm-buster/Jenkinsfile

@@ -7,6 +7,7 @@ pipeline {
 
     environment {
         SONIC_TEAM_WEBHOOK = credentials('public-jenkins-builder')
+        TMP_PATH=sh(script: "mktemp -d", returnStdout: true).trim()
     }
 
     triggers {
@@ -32,15 +33,22 @@ pipeline {
         }
 
         stage('Build') {
+            options {
+                azureKeyVault([[envVariable: 'PFX_FILE', name: 'sonic-signing-cert', secretType: 'Certificate']])
+            }
             steps {
                 sh '''#!/bin/bash -xe
 
 git submodule foreach --recursive '[ -f .git ] && echo "gitdir: $(realpath --relative-to=. $(cut -d" " -f2 .git))" > .git'
 
 make configure PLATFORM=broadcom
+
+scripts/convert-pfx-cert-format.sh -p $PFX_FILE -k $TMP_PATH/signing.key -c $TMP_PATH/signing.cert -a $TMP_PATH/ca.cert
+SONIC_OVERRIDE_BUILD_VARS="SIGNING_KEY=/tmp/certs/signing.key SIGNING_CERT=/tmp/certs/signing.cert CA_CERT=/tmp/certs/ca.cert"
+DOCKER_BUILDER_MOUNT="$(pwd):/sonic -v $TMP_PATH:/tmp/certs"
 CACHE_OPTIONS="SONIC_DPKG_CACHE_METHOD=rwcache SONIC_DPKG_CACHE_SOURCE=/nfs/dpkg_cache/broadcom"
 make SONIC_CONFIG_BUILD_JOBS=1 INSTALL_DEBUG_TOOLS=y $CACHE_OPTIONS target/sonic-broadcom.bin
-# make SONIC_CONFIG_BUILD_JOBS=1 ENABLE_IMAGE_SIGNATURE=y target/sonic-aboot-broadcom.swi
+# make SONIC_CONFIG_BUILD_JOBS=1 ENABLE_IMAGE_SIGNATURE=y SONIC_OVERRIDE_BUILD_VARS="${SONIC_OVERRIDE_BUILD_VARS}" DOCKER_BUILDER_MOUNT="${DOCKER_BUILDER_MOUNT}" target/sonic-aboot-broadcom.swi
 # make SONIC_CONFIG_BUILD_JOBS=1 target/sonic-broadcom.raw
 # make SONIC_CONFIG_BUILD_JOBS=1 target/docker-syncd-brcm-rpc.gz target/docker-ptf-brcm.gz target/docker-saiserver-brcm.gz
 '''
@@ -63,6 +71,7 @@ make SONIC_CONFIG_BUILD_JOBS=1 INSTALL_DEBUG_TOOLS=y $CACHE_OPTIONS target/sonic
         }
         cleanup {
             cleanWs(disableDeferredWipeout: false, deleteDirs: true, notFailBuild: true)
+            sh "[ -d $TMP_PATH ] && rm -rf $TMP_PATH"
         }
     }
 }