diff --git a/.github/workflows/yocto-build-deploy.yml b/.github/workflows/yocto-build-deploy.yml
index 0bda64b6c..59bb78b74 100644
--- a/.github/workflows/yocto-build-deploy.yml
+++ b/.github/workflows/yocto-build-deploy.yml
@@ -521,15 +521,17 @@ jobs:
 env:
 BUILD_ARTIFACTS: '${{ env.DEPLOY_PATH }}/image/balena.img ${{ env.DEPLOY_PATH }}/balena-image.docker'
 run: |
- result="$(openssl enc -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -P -pbkdf2)"
- salt="$(echo "${result}" | sed 's/iv =/iv=/g' | tr ' ' '\n' | awk -F'=' '{print $2}' | head -n1)"
- iv="$(echo "${result}" | sed 's/iv =/iv=/g' | tr ' ' '\n' | awk -F'=' '{print $2}' | tail -n1)"
- key="$(echo "${result}" | sed 's/iv =/iv=/g' | tr ' ' '\n' | awk -F'=' '{print $2}' | head -n2 | tail -n1)"
-
 for artifact in ${BUILD_ARTIFACTS}; do
- cat <"${artifact}" | openssl enc -e -aes-256-cbc -in - -out - -K "${key}" -iv "${iv}" -S "${salt}" >"${artifact}.enc"
+ cat <"${artifact}" | openssl enc -e -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in - -out - >"${artifact}.enc"
 done
- echo "artifacts='${{ env.DEPLOY_PATH }}/image/balena.img.enc ${{ env.DEPLOY_PATH }}/balena-image.docker.enc'" >>"${GITHUB_OUTPUT}"
+
+ EOF="$(openssl rand -hex 16)"
+ {
+ echo "artifacts <<${EOF}" ;
+ echo '${{ env.DEPLOY_PATH }}/image/balena.img.enc' ;
+ echo '${{ env.DEPLOY_PATH }}/balena-image.docker.enc' ;
+ echo "${EOF}" ;
+ } >>"${GITHUB_OUTPUT}"

 # https://github.com/actions/upload-artifact
 # We upload only `balena.img` for use with the leviathan tests - this is the artifact that is presented to users
@@ -543,7 +545,8 @@ jobs:
 if-no-files-found: error
 retention-days: 3
 compression-level: 7
- path: ${{ steps.encrypt.outputs.artifacts }}
+ path: | ${{ steps.encrypt.outputs.artifacts }}

 # Separate this evaluation into its own step + output, as we use this logic in several places and its easier to manage this way
 - name: Evaluate whether to finalize release
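Review bot: The rewritten `openssl enc` line inside the loop still splices the secret into the script text and onto the command line with `-k '${{ secrets.PBDKF2_PASSPHRASE }}'`, an option the openssl manual marks as superseded by `-pass`; a passphrase containing a single quote would break the command, and argv is readable by anything that can list processes on the runner. Add it to the step's existing `env:` block as `PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}` and use `-pass env:PBDKF2_PASSPHRASE` here and in the matching decrypt step, which keeps the KDF parameters identical without duplicating the expression. The `cat <"${artifact}" |` prefix is redundant with `-in -`; `openssl enc -e … -in "${artifact}" -out "${artifact}.enc"` reads the file directly. Worth a one-line comment above the loop that `openssl enc` provides confidentiality only — a modified `.enc` is not detected at decrypt time — so the artifact store is being trusted for integrity.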
@@ -1138,16 +1141,11 @@ jobs:
 - name: Decrypt artifacts
 working-directory: ${{ env.WORKSPACE }}
 run: |
- result="$(openssl enc -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -P -pbkdf2)"
- salt="$(echo "${result}" | sed 's/iv =/iv=/g' | tr ' ' '\n' | awk -F'=' '{print $2}' | head -n1)"
- iv="$(echo "${result}" | sed 's/iv =/iv=/g' | tr ' ' '\n' | awk -F'=' '{print $2}' | tail -n1)"
- key="$(echo "${result}" | sed 's/iv =/iv=/g' | tr ' ' '\n' | awk -F'=' '{print $2}' | head -n2 | tail -n1)"
-
 # shellcheck disable=SC2038
- find . -type f -print0 -name '*.enc' \
+ find . -type f -name '*.enc' \
 | xargs -I{} echo {} \
 | sed 's/\.enc//g' \
- | xargs -I{} openssl enc -d -aes-256-cbc -in {}.enc -out {} -K "${key}" -iv "${iv}" -S "${salt}"
+ | xargs -I{} openssl enc -d -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in {}.enc -out {}

 - name: Install gzip
 run: |
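Review bot: The decrypt pipeline at the end of the hunk is fragile for anything but the two fixed artifact names: `xargs -I{} echo {}` is a pass-through that still splits on whitespace, and `sed 's/\.enc//g'` removes `.enc` anywhere in the path rather than as a suffix, so a path such as `dir.enc/file.enc` would be rewritten to `dir/file` and `-in {}.enc` would then miss. A NUL-delimited `read` loop using `${enc%.enc}` is shorter and correct for any name, and it also lets the passphrase arrive through `env:` and `-pass env:` rather than being spliced into the script by `-k '${{ … }}'` — the derived key is the same, so this interoperates with the encrypt step as committed. The step's `env:` and `shell:` settings are outside the hunk; the `|| exit 1` below makes an openssl failure fail the step regardless of whether the default `bash -eo pipefail` shell is in use.

```yaml
- name: Decrypt artifacts
  # … unchanged: working-directory …
  env:
    PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}
  run: |
    # Strip only the trailing .enc (${enc%.enc}); NUL-delimit so any path survives.
    find . -type f -name '*.enc' -print0 \
      | while IFS= read -r -d '' enc; do
          openssl enc -d -aes-256-cbc -pass env:PBDKF2_PASSPHRASE -pbkdf2 -iter 310000 -md sha256 -salt \
            -in "${enc}" -out "${enc%.enc}" || exit 1
        done
```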