-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci: move signing packages to automations repo
- Loading branch information
1 parent
aaf5a8e
commit b1b40c2
Showing
5 changed files
with
138 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
#!/usr/bin/env sh | ||
set -e | ||
# | ||
# | ||
# | ||
# Sign RPM's & DEB's in /dist artifacts to GH Release Assets | ||
# | ||
# | ||
# | ||
# Function to start gpg-agent if not running | ||
start_gpg_agent() { | ||
if ! pgrep -x "gpg-agent" > /dev/null | ||
then | ||
echo "Starting gpg-agent..." | ||
eval $(gpg-agent --daemon) | ||
else | ||
echo "gpg-agent is already running." | ||
fi | ||
} | ||
|
||
# Ensure gpg-agent is running | ||
start_gpg_agent | ||
|
||
|
||
# Sign RPM's | ||
echo "===> Create .rpmmacros to sign rpm's from Goreleaser" | ||
echo "%_gpg_name ${GPG_MAIL}" >> ~/.rpmmacros | ||
echo "%_signature gpg" >> ~/.rpmmacros | ||
echo "%_gpg_path /root/.gnupg" >> ~/.rpmmacros | ||
echo "%_gpgbin /usr/bin/gpg" >> ~/.rpmmacros | ||
echo "%__gpg_sign_cmd %{__gpg} gpg --no-verbose --no-armor --passphrase ${GPG_PASSPHRASE} --no-secmem-warning --digest-algo sha256 -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}" >> ~/.rpmmacros | ||
|
||
echo "===> Importing GPG private key from GHA secrets..." | ||
printf %s ${GPG_PRIVATE_KEY_BASE64} | base64 -d | gpg --batch --import - | ||
|
||
echo "===> Importing GPG signature, needed from Goreleaser to verify signature" | ||
gpg --export -a ${GPG_MAIL} > /tmp/RPM-GPG-KEY-${GPG_MAIL} | ||
rpm --import /tmp/RPM-GPG-KEY-${GPG_MAIL} | ||
|
||
cd dist | ||
|
||
sles_regex="(.*sles12.*)" | ||
|
||
for rpm_file in $(find -regex ".*\.\(rpm\)");do | ||
echo "===> Signing $rpm_file" | ||
|
||
./sign_rpm.exp $rpm_file ${GPG_PASSPHRASE} | ||
|
||
echo "===> Sign verification $rpm_file" | ||
rpm -v --checksig $rpm_file | ||
done | ||
|
||
# Sign DEB's | ||
GNUPGHOME="/root/.gnupg" | ||
echo "${GPG_PASSPHRASE}" > "${GNUPGHOME}/gpg-passphrase" | ||
echo "passphrase-file ${GNUPGHOME}/gpg-passphrase" >> "$GNUPGHOME/gpg.conf" | ||
# echo 'allow-loopback-pinentry' >> "${GNUPGHOME}/gpg-agent.conf" | ||
# echo 'pinentry-mode loopback' >> "${GNUPGHOME}/gpg.conf" | ||
echo 'use-agent' >> "${GNUPGHOME}/gpg.conf" | ||
echo RELOADAGENT | gpg-connect-agent | ||
|
||
for deb_file in $(find -regex ".*\.\(deb\)"); do | ||
echo "===> Signing $deb_file" | ||
|
||
# Run the sign_deb.exp script to sign the .deb file | ||
./sign_deb.exp $deb_file ${GPG_PASSPHRASE} ${GPG_MAIL} | ||
|
||
|
||
echo "===> Sign verification $deb_file" | ||
dpkg-sig --verify $deb_file | ||
done | ||
|
||
# Sign TARGZ files | ||
for targz_file in $(find . -type f -name "*.tar.gz"); do | ||
echo "===> Signing $targz_file" | ||
./sign_tar.exp $targz_file ${GPG_PASSPHRASE} | ||
asc_file="${targz_file}.asc" | ||
if [ -f "$asc_file" ]; then | ||
echo "===> Sign verification $targz_file" | ||
gpg --verify "$asc_file" "$targz_file" | ||
else | ||
echo "Error: Signature file $asc_file not found." | ||
fi | ||
done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
#!/usr/bin/expect -f | ||
|
||
# Retrieve the arguments | ||
set deb_file [lindex $argv 0]; | ||
set GPG_PASSPHRASE [lindex $argv 1]; | ||
set GPG_MAIL [lindex $argv 2]; # Capture GPG_MAIL | ||
|
||
# Set an infinite timeout to allow for longer operations | ||
set timeout -1 | ||
|
||
# Start the signing process using dpkg-sig | ||
spawn dpkg-sig --sign builder -k $GPG_MAIL $deb_file | ||
|
||
# Handle the passphrase prompt | ||
expect "Enter passphrase:" | ||
send -- "$GPG_PASSPHRASE\r" | ||
|
||
# Wait until the process completes | ||
expect eof | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
#!/usr/bin/expect -f | ||
|
||
set rpm_file [lindex $argv 0]; | ||
set GPG_PASSPHRASE [lindex $argv 1]; | ||
|
||
set timeout -1 | ||
spawn rpmsign -v --addsign $rpm_file | ||
expect "Enter pass phrase:" | ||
send -- "${GPG_PASSPHRASE}\r" | ||
expect eof |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
#!/usr/bin/expect -f | ||
|
||
set timeout -1 | ||
set targz_file [lindex $argv 0] | ||
set passphrase [lindex $argv 1] | ||
|
||
# Ensure the GPG_TTY is set correctly | ||
set env(GPG_TTY) [exec /bin/sh -c "tty"] | ||
|
||
# Debug output to verify the correct file is being processed | ||
puts "Expect script signing file: $targz_file" | ||
|
||
spawn gpg --sign --armor --detach-sig $targz_file | ||
expect { | ||
"Enter passphrase:" { | ||
send -- "$passphrase\r" | ||
exp_continue | ||
} | ||
eof { | ||
catch wait result | ||
exit [lindex $result 3] | ||
} | ||
} |