TUN-6270: Import gpg keys from environment variables

We now keep the gpg key inputs configurable. This PR imports base64
encoded gpg details into the build environment and uses this information
to sign the linux builds.
This commit is contained in:
Sudarsan Reddy 2022-05-23 14:51:26 +01:00
parent 6f78ccde04
commit 7ce2bb8b2f
2 changed files with 28 additions and 4 deletions

View File

@ -48,6 +48,7 @@ stretch: &stretch
- pip3 install pynacl==1.4.0
- pip3 install pygithub==1.55
- pip3 install boto3==1.22.9
- pip3 install gnupg==2.3.1
post-cache:
# build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
- ./build-packages.sh

View File

@ -11,10 +11,12 @@
import subprocess
import os
import argparse
import base64
import logging
import shutil
from hashlib import sha256
import gnupg
import boto3
from botocore.client import Config
from botocore.exceptions import ClientError
@ -134,6 +136,20 @@ class PkgCreator:
new_path = os.path.join(new_dir, file)
shutil.copyfile(old_path, new_path)
"""
imports gpg keys into the system so reprepro and createrepo can use it to sign packages.
it returns the GPG ID after a successful import
"""
def import_gpg_keys(self, private_key, public_key):
gpg = gnupg.GPG()
private_key = base64.b64decode(private_key)
gpg.import_keys(private_key)
public_key = base64.b64decode(public_key)
gpg.import_keys(public_key)
data = gpg.list_keys(secret=True)
return (data[0]["fingerprint"])
"""
Walks through a directory and uploads it's assets to R2.
directory : root directory to walk through (String).
@ -231,8 +247,13 @@ def parse_args():
)
parser.add_argument(
"--gpg-key-id", default=os.environ.get("GPG_KEY_ID"), help="gpg key ID that's being used to sign release\
packages."
"--gpg-private-key", default=os.environ.get("LINUX_SIGNING_PRIVATE_KEY"), help="GPG private key to sign the\
packages"
)
parser.add_argument(
"--gpg-public-key", default=os.environ.get("LINUX_SIGNING_PUBLIC_KEY"), help="GPG public key used for\
signing packages"
)
parser.add_argument(
@ -257,8 +278,10 @@ if __name__ == "__main__":
exit(1)
pkg_creator = PkgCreator()
gpg_key_id = pkg_creator.import_gpg_keys(args.gpg_private_key, args.gpg_public_key)
pkg_uploader = PkgUploader(args.account, args.bucket, args.id, args.secret)
create_deb_packaging(pkg_creator, pkg_uploader, args.deb_based_releases, args.gpg_key_id, args.binary,
args.archs, "main", args.release_tag)
create_deb_packaging(pkg_creator, pkg_uploader, args.deb_based_releases, gpg_key_id, args.binary, args.archs,
"main", args.release_tag)
create_rpm_packaging(pkg_creator, pkg_uploader, "./built_artifacts", args.release_tag, args.binary )