From 7ce2bb8b2f079f252d8ad87a8c94e224dbe5df51 Mon Sep 17 00:00:00 2001
From: Sudarsan Reddy
Date: Mon, 23 May 2022 14:51:26 +0100
Subject: [PATCH] TUN-6270: Import gpg keys from environment variables

We now keep the gpg key inputs configurable. This PR imports base64 encoded gpg details into the build environment and uses this information to sign the linux builds.
---
 cfsetup.yaml | 1 +
 release_pkgs.py | 31 +++++++++++++++++++++++++++----
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/cfsetup.yaml b/cfsetup.yaml
index cdad6ce8..87bb6390 100644
--- a/cfsetup.yaml
+++ b/cfsetup.yaml
@@ -48,6 +48,7 @@ stretch: &stretch
 - pip3 install pynacl==1.4.0
 - pip3 install pygithub==1.55
 - pip3 install boto3==1.22.9
+ - pip3 install gnupg==2.3.1
 post-cache:
 # build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
 - ./build-packages.sh
diff --git a/release_pkgs.py b/release_pkgs.py
index 67b1fb3d..cd6a7c85 100644
--- a/release_pkgs.py
+++ b/release_pkgs.py
@@ -11,10 +11,12 @@ import subprocess
 import os
 import argparse
+import base64
 import logging
 import shutil
 from hashlib import sha256
+import gnupg
 import boto3
 from botocore.client import Config
 from botocore.exceptions import ClientError
@@ -133,6 +135,20 @@ class PkgCreator:
 old_path = os.path.join(root, file)
 new_path = os.path.join(new_dir, file)
 shutil.copyfile(old_path, new_path)
+
+ """
+ imports gpg keys into the system so reprepro and createrepo can use it to sign packages.
+ it returns the GPG ID after a successful import
+ """
+ def import_gpg_keys(self, private_key, public_key):
+ gpg = gnupg.GPG()
+ private_key = base64.b64decode(private_key)
+ gpg.import_keys(private_key)
+ public_key = base64.b64decode(public_key)
+ gpg.import_keys(public_key)
+ data = gpg.list_keys(secret=True)
+ return (data[0]["fingerprint"])
+
 """
 Walks through a directory and uploads it's assets to R2.
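Review bot: The pinned distribution `gnupg==2.3.1` is, as far as I know, a separate PyPI project from `python-gnupg`, although both install a module named `gnupg`; since `release_pkgs.py` only does `import gnupg`, it is worth confirming that this is the fork whose API and maintenance status you actually want, because the two have diverged. This dependency is also handed the release-signing private key, so I would pin it by hash rather than by version alone (a `--require-hashes` requirements file), so that a replaced or compromised upload on the index cannot execute inside the signing environment. A line comment would make the coupling visible to the next person who bumps it: `# must match the module imported by release_pkgs.py; it handles the signing key, pin by hash`.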
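Review bot: The fingerprint returned by `import_gpg_keys` is read from `gpg.list_keys(secret=True)[0]` on the default keyring rather than from the import itself, so if either `import_keys` call silently fails (these libraries report failure through the result object, they do not raise) the method either raises an IndexError on an empty keyring or, worse, returns whichever secret key already lives in the runner's `~/.gnupg` and the packages get signed with the wrong key. The result of `import_keys` exposes `fingerprints` in both gnupg forks I know of (confirm against the pinned one), so the method should take the fingerprint from there and fail loudly when nothing was imported; passing a dedicated `gnupghome` to `gnupg.GPG()` would additionally remove any dependence on pre-existing keyring contents. Separately, the triple-quoted block sits before the `def` as a bare expression statement in the class body, so it is not a docstring; it should move inside the method. `PkgCreator` begins outside this hunk.
```python
    def import_gpg_keys(self, private_key, public_key):
        """
        Import the base64-encoded GPG key pair so reprepro and createrepo can sign packages.
        Return the fingerprint of the imported secret key; raise if the import added none.
        """
        gpg = gnupg.GPG()
        result = gpg.import_keys(base64.b64decode(private_key))
        if not result.fingerprints:
            raise RuntimeError(f"GPG private key import failed: {result.stderr}")
        gpg.import_keys(base64.b64decode(public_key))
        return result.fingerprints[0]
```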
@@ -231,8 +247,13 @@ def parse_args():
 )
 parser.add_argument(
- "--gpg-key-id", default=os.environ.get("GPG_KEY_ID"), help="gpg key ID that's being used to sign release\
- packages."
+ "--gpg-private-key", default=os.environ.get("LINUX_SIGNING_PRIVATE_KEY"), help="GPG private key to sign the\
+ packages"
+ )
+
+ parser.add_argument(
+ "--gpg-public-key", default=os.environ.get("LINUX_SIGNING_PUBLIC_KEY"), help="GPG public key used for\
+ signing packages"
 )
 parser.add_argument(
@@ -257,8 +278,10 @@ if __name__ == "__main__":
 exit(1)
 pkg_creator = PkgCreator()
+ gpg_key_id = pkg_creator.import_gpg_keys(args.gpg_private_key, args.gpg_public_key)
+
 pkg_uploader = PkgUploader(args.account, args.bucket, args.id, args.secret)
- create_deb_packaging(pkg_creator, pkg_uploader, args.deb_based_releases, args.gpg_key_id, args.binary,
- args.archs, "main", args.release_tag)
+ create_deb_packaging(pkg_creator, pkg_uploader, args.deb_based_releases, gpg_key_id, args.binary, args.archs,
+ "main", args.release_tag)
 create_rpm_packaging(pkg_creator, pkg_uploader, "./built_artifacts", args.release_tag, args.binary )
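Review bot: The help text for `--gpg-private-key` and `--gpg-public-key` does not say the values must be base64-encoded, yet `import_gpg_keys` decodes them with `base64.b64decode` before importing, so a user who passes an ASCII-armored key directly gets a decode error with no hint why. Both options also accept a private key on the command line, where it ends up in process listings, shell history and CI logs; the environment-variable default is the safer path and the help string should steer people to it. I would change the private-key help to `help="base64-encoded GPG private key used to sign the packages; prefer setting LINUX_SIGNING_PRIVATE_KEY, since command-line values are visible in process listings and logs"` and the public-key help to `help="base64-encoded GPG public key matching --gpg-private-key"`. The body of `parse_args` starts and ends outside this hunk.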
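Review bot: `pkg_creator.import_gpg_keys(args.gpg_private_key, args.gpg_public_key)` is called with no check that either value was supplied; both options default to `os.environ.get(...)`, so when the variables are unset this passes `None` into `base64.b64decode` and the release run dies with a TypeError deep inside the helper instead of a usage error. The `exit(1)` context line suggests there is already an argument-validation block just above (outside the hunk), and the key check belongs with it: `if not args.gpg_private_key or not args.gpg_public_key:` / `logging.error("gpg signing keys are required (--gpg-private-key/--gpg-public-key or LINUX_SIGNING_PRIVATE_KEY/LINUX_SIGNING_PUBLIC_KEY)")` / `exit(1)`. The `__main__` block begins outside this hunk.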