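#!/usr/bin/env bash
# Build a signed RAUC .raucb bundle from pre-extracted slot images.
#
# The repartition-image.sh script (run earlier in CI) already extracts
# rootfs.ext4 + bootfs.vfat from the pi-gen output, so this script just
# stages them with a rendered manifest + runs `rauc bundle`.
#
# Usage:
#   build-bundle.sh ROOTFS_EXT4 BOOTFS_VFAT OUT_RAUCB VERSION GIT_SHA \
#                   SIGNING_CERT SIGNING_KEY
#
# Environment (optional):
#   BUNDLE_VERIFY_STRICT=1  Exit non-zero when the post-build `rauc info`
#                           verification fails. Default (unset/0) keeps the
#                           historical behaviour: warn and continue.
#
# Security notes:
#   * VERSION and GIT_SHA end up inside the manifest that gets signed, so they
#     are rejected if they contain control characters (a newline could add
#     extra manifest lines) and escaped before being handed to sed.
#   * Only the *path* of the signing key is passed on; this script never reads
#     or prints the key itself.

set -euo pipefail

# Print an error to stderr and abort the build.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Make a value safe to splice into the replacement half of `sed 's|a|b|'`.
# Arguments: $1 - label used in error messages
#            $2 - raw value
# Outputs:   escaped value on stdout
# Returns:   non-zero (via die) if the value contains control characters
#######################################
sed_replacement() {
  local label=$1 value=$2
  if [[ "$value" == *[[:cntrl:]]* ]]; then
    die "${label} contains control characters"
  fi
  # Backslash-escape the three characters that are special in the
  # replacement text: '\', '&' (whole match) and '|' (our delimiter).
  printf '%s' "$value" | sed -e 's/[\\&|]/\\&/g'
}

ROOTFS_IN="${1:?rootfs.ext4 path required}"
BOOTFS_IN="${2:?bootfs.vfat path required}"
OUT_RAUCB="${3:?output .raucb path required}"
VERSION="${4:?version required}"
GIT_SHA="${5:?git sha required}"
SIGNING_CERT="${6:?signing cert path required}"
SIGNING_KEY="${7:?signing key path required}"

# Fail before copying large images if the tool we need is missing.
command -v rauc >/dev/null || die "rauc not found in PATH"

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
MANIFEST_IN="${SCRIPT_DIR}/manifest.raucm.in"

# Validate/escape up front so bad input aborts before anything is staged.
version_repl="$(sed_replacement VERSION "$VERSION")" || exit 1
git_sha_repl="$(sed_replacement GIT_SHA "$GIT_SHA")" || exit 1

# mktemp -d gives a private, unpredictable staging directory; the trap
# removes it on every exit path. ':?' guards against an empty path.
WORK_DIR="$(mktemp -d)"
trap 'rm -rf -- "${WORK_DIR:?}"' EXIT

STAGE="${WORK_DIR}/bundle"
mkdir -p "$STAGE"

# '--' keeps a path that starts with '-' from being parsed as an option.
cp -- "$ROOTFS_IN" "${STAGE}/rootfs.ext4"
cp -- "$BOOTFS_IN" "${STAGE}/bootfs.vfat"

echo "==> Rendering manifest"
sed -e "s|@VERSION@|${version_repl}|g" \
    -e "s|@GIT_SHA@|${git_sha_repl}|g" \
    "$MANIFEST_IN" > "${STAGE}/manifest.raucm"

# The staged contents and rendered manifest go to the build log so the signed
# inputs can be audited later (assumes the template holds no secrets).
ls -la "$STAGE"
cat "${STAGE}/manifest.raucm"

echo "==> Building RAUC bundle"
rm -f -- "$OUT_RAUCB"
rauc bundle \
  --cert="$SIGNING_CERT" \
  --key="$SIGNING_KEY" \
  "$STAGE" "$OUT_RAUCB"

echo "==> Verifying bundle"
# Keyring must be the CA cert that issued the signing cert, not the signing
# cert itself. CA cert lives in the repo; fall back to signing cert if the
# repo path isn't available (still validates structure, just not chain).
CA_CERT="${SCRIPT_DIR}/ca-cert.pem"
if [[ ! -f "$CA_CERT" ]]; then
  echo "WARNING: ${CA_CERT} not found; verifying against the signing cert only (certificate chain is NOT validated)" >&2
  CA_CERT="$SIGNING_CERT"
fi

if ! rauc info --keyring="$CA_CERT" "$OUT_RAUCB"; then
  echo "WARNING: rauc info verify failed (bundle may still be valid — kiosk verifies at install time)" >&2
  # NOTE(review): by default a bundle that fails verification is still left at
  # OUT_RAUCB and the script exits 0. Release pipelines should opt in to
  # strict mode so an unverifiable artifact cannot be published.
  if [[ "${BUNDLE_VERIFY_STRICT:-0}" == "1" ]]; then
    die "bundle verification failed and BUNDLE_VERIFY_STRICT=1"
  fi
fi

echo
echo "==> Bundle: $(ls -la -- "$OUT_RAUCB")"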