newrelic · abhishuraina · Jan 7, 2025 · paologallinaharbur · Jan 9, 2025 · paologallinaharbur
@@ -47,5 +47,6 @@ ENV GOFLAGS="-buildvcs=false"
 # Since the user does not match the owners of the repo "git rev-parse --is-inside-work-tree" fails and goreleaser does not populate projectName
 # https://stackoverflow.com/questions/72978485/git-submodule-update-failed-with-fatal-detected-dubious-ownership-in-repositor
 RUN git config --global --add safe.directory '*'
+COPY ./sign.sh ./sign_deb.exp ./sign_rpm.exp ./sign_tar.exp /usr/local/bin
 RUN curl -L https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.deb -o gh_${GH_VERSION}_linux_amd64.deb
 RUN dpkg -i gh_${GH_VERSION}_linux_amd64.deb
@@ -0,0 +1,84 @@
+#!/usr/bin/env sh
+set -e
+#
+#
+#
+# Sign RPM's & DEB's in /dist artifacts to GH Release Assets
+#
+#
+#
+# Function to start gpg-agent if not running
+start_gpg_agent() {
+    if ! pgrep -x "gpg-agent" > /dev/null
+    then
+        echo "Starting gpg-agent..."
+        eval $(gpg-agent --daemon)
+    else
+        echo "gpg-agent is already running."
+    fi
+}
+
+# Ensure gpg-agent is running
+start_gpg_agent
+
+
+# Sign RPM's
+echo "===> Create .rpmmacros to sign rpm's from Goreleaser"
+echo "%_gpg_name ${GPG_MAIL}" >> ~/.rpmmacros
+echo "%_signature gpg" >> ~/.rpmmacros
+echo "%_gpg_path /root/.gnupg" >> ~/.rpmmacros
+echo "%_gpgbin /usr/bin/gpg" >> ~/.rpmmacros
+echo "%__gpg_sign_cmd   %{__gpg} gpg --no-verbose --no-armor --passphrase ${GPG_PASSPHRASE} --no-secmem-warning --digest-algo sha256 -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}" >> ~/.rpmmacros
+
+echo "===> Importing GPG private key from GHA secrets..."
+printf %s ${GPG_PRIVATE_KEY_BASE64} | base64 -d | gpg --batch --import -
+
+echo "===> Importing GPG signature, needed from Goreleaser to verify signature"
+gpg --export -a ${GPG_MAIL} > /tmp/RPM-GPG-KEY-${GPG_MAIL}
+rpm --import /tmp/RPM-GPG-KEY-${GPG_MAIL}
+
+cd dist
+
+sles_regex="(.*sles12.*)"
+
+for rpm_file in $(find -regex ".*\.\(rpm\)");do
+  echo "===> Signing $rpm_file"
+
+  ./sign_rpm.exp $rpm_file ${GPG_PASSPHRASE}
+
+  echo "===> Sign verification $rpm_file"
+  rpm -v --checksig $rpm_file
+done
+
+# Sign DEB's
+GNUPGHOME="/root/.gnupg"
+echo "${GPG_PASSPHRASE}" > "${GNUPGHOME}/gpg-passphrase"
+echo "passphrase-file ${GNUPGHOME}/gpg-passphrase" >> "$GNUPGHOME/gpg.conf"
+# echo 'allow-loopback-pinentry' >> "${GNUPGHOME}/gpg-agent.conf"
+# echo 'pinentry-mode loopback' >> "${GNUPGHOME}/gpg.conf"
+echo 'use-agent' >> "${GNUPGHOME}/gpg.conf"
+echo RELOADAGENT | gpg-connect-agent
+
+for deb_file in $(find -regex ".*\.\(deb\)"); do
+  echo "===> Signing $deb_file"
+
+  # Run the sign_deb.exp script to sign the .deb file
+./sign_deb.exp $deb_file ${GPG_PASSPHRASE} ${GPG_MAIL}
+
+
+  echo "===> Sign verification $deb_file"
+  dpkg-sig --verify $deb_file
+done
+
+# Sign TARGZ files
+for targz_file in $(find . -type f -name "*.tar.gz"); do
+  echo "===> Signing $targz_file"
+  ./sign_tar.exp $targz_file ${GPG_PASSPHRASE}
+  asc_file="${targz_file}.asc"
+  if [ -f "$asc_file" ]; then
+    echo "===> Sign verification $targz_file"
+    gpg --verify "$asc_file" "$targz_file"
+  else
+    echo "Error: Signature file $asc_file not found."
+  fi
+done
@@ -0,0 +1,20 @@
+#!/usr/bin/expect -f
+
+# Retrieve the arguments
+set deb_file [lindex $argv 0];
+set GPG_PASSPHRASE [lindex $argv 1];
+set GPG_MAIL [lindex $argv 2];  # Capture GPG_MAIL
+
+# Set an infinite timeout to allow for longer operations
+set timeout -1
+
+# Start the signing process using dpkg-sig
+spawn dpkg-sig --sign builder -k $GPG_MAIL $deb_file
+
+# Handle the passphrase prompt
+expect "Enter passphrase:"
+send -- "$GPG_PASSPHRASE\r"
+
+# Wait until the process completes
+expect eof
+
@@ -0,0 +1,10 @@
+#!/usr/bin/expect -f
+
+set rpm_file [lindex $argv 0];
+set GPG_PASSPHRASE [lindex $argv 1];
+
+set timeout -1
+spawn rpmsign -v --addsign $rpm_file
+expect "Enter pass phrase:"
+send -- "${GPG_PASSPHRASE}\r"
+expect eof
@@ -0,0 +1,23 @@
+#!/usr/bin/expect -f
+
+set timeout -1
+set targz_file [lindex $argv 0]
+set passphrase [lindex $argv 1]
+
+# Ensure the GPG_TTY is set correctly
+set env(GPG_TTY) [exec /bin/sh -c "tty"]
+
+# Debug output to verify the correct file is being processed
+puts "Expect script signing file: $targz_file"
+
+spawn gpg --sign --armor --detach-sig $targz_file
+expect {
+    "Enter passphrase:" {
+        send -- "$passphrase\r"
+        exp_continue
+    }
+    eof {
+        catch wait result
+        exit [lindex $result 3]
+    }
+}