[package-archive] add repo online keys to archive
This is technically a kind of security regression, as any infrastructure
should instead be managing it's own key material, but as we're using these
keys everywhere presently, this helps with the nascent infra scripts. This
should be undone along with other actions in IN-915.
Bug: INTK-781 #comment added insecure dev keys to package-archive.tgz, to be undone later.
Bug: IN-915 #comment added insecure dev keys to package-archive.tgz, to be undone later.
Change-Id: I3c75331ef6d96d2f08a38a93b73837ffaf568c61
diff --git a/gn/BUILD.gn b/gn/BUILD.gn
index 8e0f16f..a17cbfd 100644
--- a/gn/BUILD.gn
+++ b/gn/BUILD.gn
@@ -185,11 +185,15 @@
}
# Generates an archive of package metadata.
-amber_repo = rebase_path("$root_build_dir/amber-files/repository")
+amber_files = rebase_path("$root_build_dir/amber-files")
host_out_dir = get_label_info("//anything($host_toolchain)", "root_out_dir")
pm_tool = rebase_path("$host_out_dir/pm")
pkg_archive_contents = [
- "amber-files/repository=$amber_repo",
+ "amber-files/repository=$amber_files/repository",
+ # TODO(IN-915): this should never contain the root key. In the future, this
+ # should contain no keys, once infra is managing key material itself.
+ # These keys are consumed by the infra train promote scripts.
+ "amber-files/keys=$amber_files/keys",
"pm=$pm_tool",
]
pkg_archive_manifest = "$target_gen_dir/package_archive_manifest"
