GPG Sign DEB and RPM packages generated by build pipeline (#3144)

* adding package signing steps for rpm and deb * first spike at GPG signing with CI and containers * refine ubuntu portion * get correct gpg package version * adding CentOS support * fixing errors in installing gpg on ubuntu * base64 decode the GPG key * fixing line continuations * revised package signing, looking for package artifacts * add dpkg-sig to ubuntu image * sign all deb packges * add passphrase to GPG process * repeat yo slef on dpkg * sign all the rpm packages too * install rpm-sign in the CentOS docker image * loop through rpm files * no need for PIN on GPG signing
2025-11-04 10:45:50 +00:00 · 2019-11-03 12:08:40 -06:00
parent 98d55b988f
commit 9e1ccb900e
3 changed files with 108 additions and 2 deletions
--- a/Builds/containers/gitlab-ci/pkgbuild.yml
+++ b/Builds/containers/gitlab-ci/pkgbuild.yml
@@ -21,6 +21,7 @@ variables:
 stages:
  - build_containers
  - build_packages
+  - sign_packages
  - smoketest
  - verify_sig
  - tag_images
@@ -131,6 +132,73 @@ dpkg_build:
  script:
    - . ./Builds/containers/gitlab-ci/build_package.sh dpkg

+#########################################################################
+##                                                                     ##
+##  stage: sign_packages                                               ##
+##                                                                     ##
+##  build packages using containers from previous stage.               ##
+##                                                                     ##
+#########################################################################
+
+rpm_sign:
+  stage: sign_packages
+  dependencies:
+    - rpm_build
+  image:
+    name: centos:7
+    # <<: *dind_param
+  before_script:
+  - |
+    # Make sure GnuPG is installed
+    yum -y install gnupg rpm-sign
+    # checking GPG signing support
+    if [ -n "$GPG_KEY_B64" ]; then
+      echo "$GPG_KEY_B64"| base64 -d | gpg --batch --no-tty --allow-secret-key-import --import -
+      unset GPG_KEY_B64
+      export GPG_PASSPHRASE=$(echo $GPG_KEY_PASS_B64 | base64 -di)
+      unset GPG_KEY_PASS_B64
+      export GPG_KEYID=$(gpg --with-colon --list-secret-keys | head -n1 | cut -d : -f 5)
+    else
+      echo -e "\033[0;31m****** GPG signing disabled ******\033[0m"
+      exit 1
+    fi
+  artifacts:
+    paths:
+      - build/rpm/packages/
+  script:
+    - ls -alh build/rpm/packages
+    - . ./Builds/containers/gitlab-ci/sign_package.sh rpm
+
+dpkg_sign:
+  stage: sign_packages
+  dependencies:
+    - dpkg_build
+  image:
+    name: ubuntu:19.04
+    # <<: *dind_param
+  before_script:
+  - |
+    # make sure we have GnuPG
+    apt update
+    apt install -y gpg dpkg-sig
+    # checking GPG signing support
+    if [ -n "$GPG_KEY_B64" ]; then
+      echo "$GPG_KEY_B64"| base64 -d | gpg --batch --no-tty --allow-secret-key-import --import -
+      unset GPG_KEY_B64
+      export GPG_PASSPHRASE=$(echo $GPG_KEY_PASS_B64 | base64 -di)
+      unset GPG_KEY_PASS_B64
+      export GPG_KEYID=$(gpg --with-colon --list-secret-keys | head -n1 | cut -d : -f 5)
+    else
+      echo -e "\033[0;31m****** GPG signing disabled ******\033[0m"
+      exit 1
+    fi
+  artifacts:
+    paths:
+      - build/dpkg/packages/
+  script:
+    - ls -alh build/dpkg/packages
+    - . ./Builds/containers/gitlab-ci/sign_package.sh dpkg
+     
 #########################################################################
 ##                                                                     ##
 ##  stage: smoketest                                                   ##
--- a/Builds/containers/gitlab-ci/sign_package.sh
+++ b/Builds/containers/gitlab-ci/sign_package.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+sign_dpkg() {
+  if [ -n "${GPG_KEYID}" ]; then
+    dpkg-sig \
+      -g "--no-tty --digest-algo 'sha512' --passphrase '${GPG_PASSPHRASE}' --pinentry-mode=loopback" \
+			-k "${GPG_KEYID}" \
+			--sign builder \
+			"build/dpkg/packages/*.deb"
+	fi
+}
+
+sign_rpm() {
+  if [ -n "${GPG_KEYID}" ] ; then
+    find build/rpm/packages -name "*.rpm" -exec bash -c '
+	echo "yes" | setsid rpm \
+			--define "_gpg_name ${GPG_KEYID}" \
+			--define "_signature gpg" \
+			--define "__gpg_check_password_cmd /bin/true" \
+			--define "__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --digest-algo 'sha512' --passphrase '${GPG_PASSPHRASE}' --no-secmem-warning -u '%{_gpg_name}' --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}" \
+			--addsign '{} \;
+	fi
+}
+
+case "${1}" in
+    dpkg)
+        sign_dpkg
+        ;;
+    rpm)
+        sign_rpm
+        ;;
+    *)
+        echo "Usage: ${0} (dpkg|rpm)"
+        ;;
+esac
+
--- a/Builds/containers/gitlab-ci/verify_head_commit.sh
+++ b/Builds/containers/gitlab-ci/verify_head_commit.sh
@@ -8,8 +8,8 @@ if git verify-commit HEAD; then
    echo "git commit signature check passed"
 else
    echo "git commit signature check failed"
-    git log -n 5 --color
-        --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an> [%G?]%Creset'
+    git log -n 5 --color \
+        --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an> [%G?]%Creset' \
        --abbrev-commit
    exit 1
 fi