ci: move signing packages to automations repo
abhishuraina committed Jan 9, 2025
1 parent aaf5a8e commit b1b40c2
Showing 5 changed files with 138 additions and 0 deletions.
1 change: 1 addition & 0 deletions build/Dockerfile
Expand Up @@ -47,5 +47,6 @@ ENV GOFLAGS="-buildvcs=false"
# Since the user does not match the owners of the repo "git rev-parse --is-inside-work-tree" fails and goreleaser does not populate projectName
# https://stackoverflow.com/questions/72978485/git-submodule-update-failed-with-fatal-detected-dubious-ownership-in-repositor
RUN git config --global --add safe.directory '*'
COPY ./sign.sh ./sign_deb.exp ./sign_rpm.exp ./sign_tar.exp /usr/local/bin
RUN curl -L https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.deb -o gh_${GH_VERSION}_linux_amd64.deb
RUN dpkg -i gh_${GH_VERSION}_linux_amd64.deb
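Review bot: The COPY puts sign.sh and the three expect helpers in /usr/local/bin, but sign.sh as added in this commit does `cd dist` and then invokes them as `./sign_rpm.exp`, `./sign_deb.exp` and `./sign_tar.exp`, so they will not be found there unless something not visible here also places copies inside dist. Calling them by bare name lets PATH resolve the /usr/local/bin copies, e.g. `sign_rpm.exp "$rpm_file" "${GPG_PASSPHRASE}"`. COPY also preserves the source file mode, so either the four files must carry the executable bit in the repository or the layer needs a `RUN chmod +x /usr/local/bin/sign.sh /usr/local/bin/sign_*.exp` for the shebang invocations to work.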
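--- a/build/sign.sh
+++ b/build/sign.sh
@@ -0,0 +1,84 @@
+#!/usr/bin/env sh
+set -e
+#
+#
+#
+# Sign RPM's & DEB's in /dist artifacts to GH Release Assets
+#
+#
+#
+# Function to start gpg-agent if not running
+start_gpg_agent() {
+if ! pgrep -x "gpg-agent" > /dev/null
+then
+echo "Starting gpg-agent..."
+eval $(gpg-agent --daemon)
+else
+echo "gpg-agent is already running."
+fi
+}
+
+# Ensure gpg-agent is running
+start_gpg_agent
+
+
+# Sign RPM's
+echo "===> Create .rpmmacros to sign rpm's from Goreleaser"
+echo "%_gpg_name ${GPG_MAIL}" >> ~/.rpmmacros
+echo "%_signature gpg" >> ~/.rpmmacros
+echo "%_gpg_path /root/.gnupg" >> ~/.rpmmacros
+echo "%_gpgbin /usr/bin/gpg" >> ~/.rpmmacros
+echo "%__gpg_sign_cmd %{__gpg} gpg --no-verbose --no-armor --passphrase ${GPG_PASSPHRASE} --no-secmem-warning --digest-algo sha256 -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}" >> ~/.rpmmacros
+
+echo "===> Importing GPG private key from GHA secrets..."
+printf %s ${GPG_PRIVATE_KEY_BASE64} | base64 -d | gpg --batch --import -
+
+echo "===> Importing GPG signature, needed from Goreleaser to verify signature"
+gpg --export -a ${GPG_MAIL} > /tmp/RPM-GPG-KEY-${GPG_MAIL}
+rpm --import /tmp/RPM-GPG-KEY-${GPG_MAIL}
+
+cd dist
+
+sles_regex="(.*sles12.*)"
+
+for rpm_file in $(find -regex ".*\.\(rpm\)");do
+echo "===> Signing $rpm_file"
+
+./sign_rpm.exp $rpm_file ${GPG_PASSPHRASE}
+
+echo "===> Sign verification $rpm_file"
+rpm -v --checksig $rpm_file
+done
+
+# Sign DEB's
+GNUPGHOME="/root/.gnupg"
+echo "${GPG_PASSPHRASE}" > "${GNUPGHOME}/gpg-passphrase"
+echo "passphrase-file ${GNUPGHOME}/gpg-passphrase" >> "$GNUPGHOME/gpg.conf"
+# echo 'allow-loopback-pinentry' >> "${GNUPGHOME}/gpg-agent.conf"
+# echo 'pinentry-mode loopback' >> "${GNUPGHOME}/gpg.conf"
+echo 'use-agent' >> "${GNUPGHOME}/gpg.conf"
+echo RELOADAGENT | gpg-connect-agent
+
+for deb_file in $(find -regex ".*\.\(deb\)"); do
+echo "===> Signing $deb_file"
+
+# Run the sign_deb.exp script to sign the .deb file
+./sign_deb.exp $deb_file ${GPG_PASSPHRASE} ${GPG_MAIL}
+
+
+echo "===> Sign verification $deb_file"
+dpkg-sig --verify $deb_file
+done
+
+# Sign TARGZ files
+for targz_file in $(find . -type f -name "*.tar.gz"); do
+echo "===> Signing $targz_file"
+./sign_tar.exp $targz_file ${GPG_PASSPHRASE}
+asc_file="${targz_file}.asc"
+if [ -f "$asc_file" ]; then
+echo "===> Sign verification $targz_file"
+gpg --verify "$asc_file" "$targz_file"
+else
+echo "Error: Signature file $asc_file not found."
+fi
+done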
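Review bot: A tarball whose `.asc` was never produced only prints a message in the `else` branch of the last loop, so the script still exits 0 under `set -e` and the unsigned artifact goes on to be released; that branch should fail the job, `echo "Error: Signature file $asc_file not found." >&2; exit 1`. The passphrase is also written unquoted into `~/.rpmmacros` via `--passphrase ${GPG_PASSPHRASE}` and handed to all three expect helpers as a command-line argument, which makes it readable from the process list of the build container; the `passphrase-file` that the DEB section already creates, together with the commented-out `pinentry-mode loopback`, would let every gpg and rpmsign call read it without any argv or macro exposure. The `$(find ...)` loops word-split on whitespace and `sles_regex` is assigned but never used, so `find ... -exec` or a `while read -r` loop would be the safer shape for the three loops. Note too that `GNUPGHOME` is assigned but not exported, so the spawned helpers only see it because it happens to equal root's default.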
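--- a/build/sign_deb.exp
+++ b/build/sign_deb.exp
@@ -0,0 +1,20 @@
+#!/usr/bin/expect -f
+
+# Retrieve the arguments
+set deb_file [lindex $argv 0];
+set GPG_PASSPHRASE [lindex $argv 1];
+set GPG_MAIL [lindex $argv 2]; # Capture GPG_MAIL
+
+# Set an infinite timeout to allow for longer operations
+set timeout -1
+
+# Start the signing process using dpkg-sig
+spawn dpkg-sig --sign builder -k $GPG_MAIL $deb_file
+
+# Handle the passphrase prompt
+expect "Enter passphrase:"
+send -- "$GPG_PASSPHRASE\r"
+
+# Wait until the process completes
+expect eof
+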
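Review bot: dpkg-sig's exit status is discarded: after the final `expect eof` the script returns 0 whether or not signing succeeded, whereas sign_tar.exp in this same commit propagates it with `catch wait result` and `exit [lindex $result 3]`; the same two lines belong after `expect eof` here. Taking the passphrase from `argv` exposes it in the process list for the lifetime of the helper, so reading it from `$env(GPG_PASSPHRASE)` (or stdin) would be preferable. With `set timeout -1`, a prompt string that differs from `Enter passphrase:` (for example when gpg already has the passphrase from its configuration) makes the script block indefinitely rather than fail; a finite timeout with a `timeout { exit 1 }` arm would surface that as an error.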
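--- a/build/sign_rpm.exp
+++ b/build/sign_rpm.exp
@@ -0,0 +1,10 @@
+#!/usr/bin/expect -f
+
+set rpm_file [lindex $argv 0];
+set GPG_PASSPHRASE [lindex $argv 1];
+
+set timeout -1
+spawn rpmsign -v --addsign $rpm_file
+expect "Enter pass phrase:"
+send -- "${GPG_PASSPHRASE}\r"
+expect eof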
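Review bot: rpmsign's exit status is lost at the final `expect eof`, so a failed signing still reports success to the caller; the companion sign_tar.exp already shows the pattern with `catch wait result` and `exit [lindex $result 3]`. Because sign.sh writes `--passphrase ${GPG_PASSPHRASE}` into `%__gpg_sign_cmd` in `~/.rpmmacros`, it seems likely that rpmsign never prompts at all, in which case the unconditional `expect "Enter pass phrase:"` returns on eof and the following `send` targets a closed spawn id and errors out; handling both the prompt and eof in one `expect` block avoids that. The passphrase also arrives via `argv`, which is visible in the process list, so `$env(GPG_PASSPHRASE)` would be a safer source.

```tcl
spawn rpmsign -v --addsign $rpm_file
expect {
    "Enter pass phrase:" { send -- "${GPG_PASSPHRASE}\r"; exp_continue }
    eof { catch wait result; exit [lindex $result 3] }
}
```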
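--- a/build/sign_tar.exp
+++ b/build/sign_tar.exp
@@ -0,0 +1,23 @@
+#!/usr/bin/expect -f
+
+set timeout -1
+set targz_file [lindex $argv 0]
+set passphrase [lindex $argv 1]
+
+# Ensure the GPG_TTY is set correctly
+set env(GPG_TTY) [exec /bin/sh -c "tty"]
+
+# Debug output to verify the correct file is being processed
+puts "Expect script signing file: $targz_file"
+
+spawn gpg --sign --armor --detach-sig $targz_file
+expect {
+    "Enter passphrase:" {
+        send -- "$passphrase\r"
+        exp_continue
+    }
+    eof {
+        catch wait result
+        exit [lindex $result 3]
+    }
+}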
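Review bot: `set env(GPG_TTY) [exec /bin/sh -c "tty"]` raises a Tcl error whenever there is no controlling terminal, because `tty` then exits non-zero with "not a tty" and `exec` turns that into an exception, which would abort the helper before `spawn` in a non-interactive CI container; guard it, `if {[catch {exec /bin/sh -c "tty"} tty_out] == 0} { set env(GPG_TTY) $tty_out }`, or drop the line since gpg is driven through expect's pty anyway. The exit-status propagation in the `eof` arm is the right shape and the two sibling helpers would benefit from the same. As in the other helpers, the passphrase is taken from `argv` and so is visible in the process list; `$env(GPG_PASSPHRASE)` would avoid that.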