change approach: override keys using builderCtx.CustomBuildProperties

Author: umbynos

commands/compile/compile.go

@@ -129,6 +129,7 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream
 	// so, if the flags to override the default keys are used, we try override the corresponding platform property nonetheless.
 	// It's not possible to use the default name for the keys since there could be more tools to sign and encrypt.
 	// So it's mandatory to use all the tree flags to sign and encrypt the binary
+	securityKeysOverride := []string{}
 	if req.KeysKeychain != "" && req.SignKey != "" && req.EncryptKey != "" {
 		keysDirPath := paths.New(req.KeysKeychain)
 		if !keysDirPath.IsDir() {
@@ -142,8 +143,8 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream
 		if !encryptKeyPath.Exist() {
 			return nil, &arduino.NotFoundError{Message: tr("The path of the specified encryption key does not exist: %s", encryptKeyPath), Cause: err}
 		}
-		InstalledPlatformRelease := pm.GetInstalledPlatformRelease(targetPlatform)
-		ReplaceSecurityKeys(InstalledPlatformRelease.Properties, req.KeysKeychain, req.SignKey, req.EncryptKey)
+		securityKeysOverride = append(securityKeysOverride, "build.keys.keychain="+req.KeysKeychain, "build.keys.sign_key="+req.GetSignKey(), "build.keys.encrypt_key="+req.EncryptKey)
+		// ReplaceSecurityKeys(req.KeysKeychain, req.SignKey, req.EncryptKey)
 	}
 
 	builderCtx := &types.Context{}
@@ -186,6 +187,7 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream
 	builderCtx.WarningsLevel = req.GetWarnings()
 
 	builderCtx.CustomBuildProperties = append(req.GetBuildProperties(), "build.warn_data_percentage=75")
+	builderCtx.CustomBuildProperties = append(req.GetBuildProperties(), securityKeysOverride...)
 
 	if req.GetBuildCachePath() != "" {
 		builderCtx.BuildCachePath = paths.New(req.GetBuildCachePath())
@@ -317,28 +319,3 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream
 
 	return r, nil
 }
-
-// ReplaceSecurityKeys function will override the properties representing the security keys specified in the platform.txt file of a platform with the ones provided by the user.
-// The keys are stored in the keyPath
-// signKey is the key used to sign a binary
-// encryptKey is the key used to encrypt it
-func ReplaceSecurityKeys(properties *properties.Map, keysKKeysKeychain, signKey, encryptKey string) {
-	toolsProps := properties.SubTree("tools").FirstLevelOf()
-	for toolName, toolProps := range toolsProps {
-		if toolProps.ContainsKey("keys.path") {
-			key := "tools." + toolName + ".keys.path"
-			properties.Set(key, keysKKeysKeychain)
-			logrus.Tracef("Overriding Property: %s: %s", key, keysKKeysKeychain)
-		}
-		if toolProps.ContainsKey("sign.name") {
-			key := "tools." + toolName + ".sign.name"
-			properties.Set(key, signKey)
-			logrus.Tracef("Overriding Property: %s: %s", key, signKey)
-		}
-		if toolProps.ContainsKey("encrypt.name") {
-			key := "tools." + toolName + ".encrypt.name"
-			properties.Set(key, encryptKey)
-			logrus.Tracef("Overriding Property: %s: %s", key, encryptKey)
-		}
-	}
-}

commands/compile/compile_test.go

@@ -5,3 +5,8 @@ uno.menu.security.sien=Signature + Encryption
 
 uno.menu.security.sien.build.postbuild.cmd="{tools.imgtool.cmd}" {tools.imgtool.build.pattern}
 uno.menu.security.none.build.postbuild.cmd="{tools.imgtool.cmd}" exit
+
+uno.menu.security.sien.build.keys.type=public_keys
+uno.menu.security.sien.build.keys.keychain={runtime.hardware.path}/Default_Keys
+uno.menu.security.sien.build.keys.sign_key=default-signing-key.pem
+uno.menu.security.sien.build.keys.encrypt_key=default-encrypt-key.pem

test/testdata/platform_with_secure_boot/boards.local.txt

@@ -5,8 +5,4 @@ recipe.hooks.objcopy.postobjcopy.1.pattern={build.postbuild.cmd}
 #
 
 tools.imgtool.cmd=echo
-tools.imgtool.keys.path={runtime.hardware.path}/Default_Keys
-tools.imgtool.sign.name=default-signing-key.pem
-tools.imgtool.encrypt.name=default-encrypt-key.pem
-
-tools.imgtool.build.pattern=sign --key "{tools.imgtool.keys.path}/{tools.imgtool.sign.name}"  --encrypt "{tools.imgtool.keys.path}/{tools.imgtool.encrypt.name}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size}
+tools.imgtool.build.pattern=sign --key "{build.keys.keychain}/{build.keys.sign_key}" --encrypt "{build.keys.keychain}/{build.keys.encrypt_key}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size}