From 4d6f6ceebcb0422bfcf3443e7f4eb7a9eb1e4338 Mon Sep 17 00:00:00 2001
From: Rob Austein <sra@hactrn.net>
Date: Mon, 13 Jul 2020 00:36:11 -0400
Subject: Still more fun building packages with Python 3

---
 .gitignore                        |  7 +++++--
 Makefile                          |  1 +
 scripts/build-firmware-package.py | 29 ++++++++++++++---------------
 source/sw/libhal                  |  2 +-
 source/sw/pkcs11                  |  2 +-
 source/sw/stm32                   |  2 +-
 6 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/.gitignore b/.gitignore
index c09a26f..2c60a18 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,12 +1,15 @@
-.pbuilder-sell-by-date
 build
+build.log
 cryptech-alpha*.dsc
-cryptech-alpha*.tar.xz
 cryptech-alpha*_source.build
+cryptech-alpha*_source.buildinfo
 cryptech-alpha*_source.changes
+cryptech-alpha*.tar.xz
+.pbuilder-sell-by-date
 screenlog.*
 source/cryptech-alpha-firmware.tar.gz
 source/cryptech_version.py*
 source/debian/changelog
 source/debian/control
+source/debian/files
 tap
diff --git a/Makefile b/Makefile
index 9afede5..fcbd30c 100644
--- a/Makefile
+++ b/Makefile
@@ -85,6 +85,7 @@ shadow:
 	./scripts/build-shadow-tree.py
 
 ${FIRMWARE_TARBALL}: ${BITSTREAM} $(sort ${ELVES} ${ELVES:.elf=.bin}) ${TAMPER}
+	rm -f $@
 	fakeroot ./scripts/build-firmware-package.py $@ $^
 
 bitstream: ${BITSTREAM}
diff --git a/scripts/build-firmware-package.py b/scripts/build-firmware-package.py
index 4f078f4..6ce49ab 100755
--- a/scripts/build-firmware-package.py
+++ b/scripts/build-firmware-package.py
@@ -6,6 +6,7 @@ import argparse
 import hashlib
 import tarfile
 import json
+import sys
 import os
 
 parser = argparse.ArgumentParser()
@@ -14,8 +15,8 @@ parser.add_argument("firmware", nargs = "+",                    help = "firmware
 args = parser.parse_args()
 
 tar     = tarfile.TarFile.open(fileobj = args.tarfile, mode = "w|gz")
-head    = subprocess.check_output(("git", "rev-parse", "HEAD")).strip().decode()
-time    = subprocess.check_output(("git", "show", "-s", "--format=%ct", "HEAD")).strip().decode()
+head    = subprocess.check_output(("git", "rev-parse", "HEAD")).decode().strip()
+time    = subprocess.check_output(("git", "show", "-s", "--format=%ct", "HEAD")).decode().strip()
 commits = dict((path, hash) for hash, path, branch in
                (line.decode().split() for line in subprocess.check_output(("git", "submodule", "status")).splitlines()))
 sha256  = {}
@@ -25,20 +26,18 @@ for fn in args.firmware:
         sha256[os.path.basename(fn)] = hashlib.sha256(f.read()).hexdigest()
     tar.add(fn, os.path.basename(fn))
 
-with tempfile.NamedTemporaryFile() as f:
+manifest = json.dumps(dict(head = head, time = time, commits = commits, sha256  = sha256), indent = 2, sort_keys = True)
+
+if os.path.isdir(os.getenv("GNUPGHOME", "")):
+    gpg = subprocess.Popen(("gpg", "--clearsign", "--personal-digest-preferences", "SHA256", "--no-permission-warning"),
+                           stdin = subprocess.PIPE, stdout = subprocess.PIPE, universal_newlines = True)
+    manifest = gpg.communicate(manifest)[0]
+    if gpg.returncode:
+        sys.exit("gpg failed")
+
+with tempfile.NamedTemporaryFile("w+") as f:
     os.fchmod(f.fileno(), 0o644)
-    use_gpg = os.path.isdir(os.getenv("GNUPGHOME", ""))
-    if use_gpg:
-        gpg = subprocess.Popen(("gpg", "--clearsign", "--personal-digest-preferences", "SHA256", "--no-permission-warning"),
-                               stdin = subprocess.PIPE, stdout = f)
-        jf = gpg.stdin
-    else:
-        jf = f
-    jf.write(json.dumps(dict(head = head, time = time, commits = commits, sha256  = sha256), indent = 2).encode())
-    if use_gpg:
-        gpg.stdin.close()
-        if gpg.wait():
-            raise subprocess.CalledProcessError(gpg.returncode, "gpg")
+    f.write(manifest)
     f.seek(0)
     tar.add(f.name, "MANIFEST")
 
diff --git a/source/sw/libhal b/source/sw/libhal
index aab1cf4..f120a26 160000
--- a/source/sw/libhal
+++ b/source/sw/libhal
@@ -1 +1 @@
-Subproject commit aab1cf4d694b4d4fefa77f02b4c42d7683a2f43f
+Subproject commit f120a263ec422739d201843a5979bfabdf410708
diff --git a/source/sw/pkcs11 b/source/sw/pkcs11
index 5936bef..bf8e254 160000
--- a/source/sw/pkcs11
+++ b/source/sw/pkcs11
@@ -1 +1 @@
-Subproject commit 5936befa654ce79b2f9ee7cd4f3beb6489bac227
+Subproject commit bf8e254c435c972a7ab28700eab48a2b6ae79c57
diff --git a/source/sw/stm32 b/source/sw/stm32
index 52f72e1..b7e1cf4 160000
--- a/source/sw/stm32
+++ b/source/sw/stm32
@@ -1 +1 @@
-Subproject commit 52f72e1e5dc5d3b646b54363f811ee2fd7958c19
+Subproject commit b7e1cf46f7c88740732dea1d9885193567af2e78
-- 
cgit v1.2.3