From 7ce2bb8b2f079f252d8ad87a8c94e224dbe5df51 Mon Sep 17 00:00:00 2001
From: Sudarsan Reddy <sreddy@cloudflare.com>
Date: Mon, 23 May 2022 14:51:26 +0100
Subject: [PATCH] TUN-6270: Import gpg keys from environment variables

We now keep the gpg key inputs configurable. This PR imports base64
encoded gpg details into the build environment and uses this information
to sign the linux builds.
---
 cfsetup.yaml    |  1 +
 release_pkgs.py | 31 +++++++++++++++++++++++++++----
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/cfsetup.yaml b/cfsetup.yaml
index cdad6ce8..87bb6390 100644
--- a/cfsetup.yaml
+++ b/cfsetup.yaml
@@ -48,6 +48,7 @@ stretch: &stretch
       - pip3 install pynacl==1.4.0
       - pip3 install pygithub==1.55
       - pip3 install boto3==1.22.9
+      - pip3 install gnupg==2.3.1
     post-cache:
       # build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
       - ./build-packages.sh
diff --git a/release_pkgs.py b/release_pkgs.py
index 67b1fb3d..cd6a7c85 100644
--- a/release_pkgs.py
+++ b/release_pkgs.py
@@ -11,10 +11,12 @@
 import subprocess
 import os
 import argparse
+import base64
 import logging
 import shutil
 from hashlib import sha256
 
+import gnupg
 import boto3
 from botocore.client import Config
 from botocore.exceptions import ClientError
@@ -133,6 +135,20 @@ class PkgCreator:
                         old_path = os.path.join(root, file)
                         new_path = os.path.join(new_dir, file)
                         shutil.copyfile(old_path, new_path)
+    
+    """
+        imports gpg keys into the system so reprepro and createrepo can use it to sign packages.
+        it returns the GPG ID after a successful import
+    """
+    def import_gpg_keys(self, private_key, public_key):
+        gpg = gnupg.GPG()
+        private_key = base64.b64decode(private_key)
+        gpg.import_keys(private_key)
+        public_key = base64.b64decode(public_key)
+        gpg.import_keys(public_key)
+        data = gpg.list_keys(secret=True)
+        return (data[0]["fingerprint"])
+
 
 """
     Walks through a directory and uploads it's assets to R2.
@@ -231,8 +247,13 @@ def parse_args():
     )
 
     parser.add_argument(
-            "--gpg-key-id", default=os.environ.get("GPG_KEY_ID"), help="gpg key ID that's being used to sign release\
-            packages."
+            "--gpg-private-key", default=os.environ.get("LINUX_SIGNING_PRIVATE_KEY"), help="GPG private key to sign the\
+            packages"
+    )
+
+    parser.add_argument(
+            "--gpg-public-key", default=os.environ.get("LINUX_SIGNING_PUBLIC_KEY"), help="GPG public key used for\
+            signing packages"
     )
 
     parser.add_argument(
@@ -257,8 +278,10 @@ if __name__ == "__main__":
         exit(1)
 
     pkg_creator = PkgCreator()
+    gpg_key_id = pkg_creator.import_gpg_keys(args.gpg_private_key, args.gpg_public_key)
+
     pkg_uploader = PkgUploader(args.account, args.bucket, args.id, args.secret)
-    create_deb_packaging(pkg_creator, pkg_uploader, args.deb_based_releases, args.gpg_key_id, args.binary, 
-            args.archs, "main", args.release_tag)
+    create_deb_packaging(pkg_creator, pkg_uploader, args.deb_based_releases, gpg_key_id, args.binary, args.archs,
+            "main", args.release_tag)
     
     create_rpm_packaging(pkg_creator, pkg_uploader, "./built_artifacts", args.release_tag, args.binary )