From b2ac88537073b3578624efd80b6091abfbd59f93 Mon Sep 17 00:00:00 2001
From: Sudarsan Reddy <sreddy@cloudflare.com>
Date: Wed, 25 May 2022 13:57:57 +0100
Subject: [PATCH] TUN-6209: Sign RPM packages

This PR uses a provided key to
- sign all the .rpms before they are uploaded to R2.
- detach signs the repomd.xml after createrepo is run.
---
 release_pkgs.py | 53 +++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 43 insertions(+), 10 deletions(-)

diff --git a/release_pkgs.py b/release_pkgs.py
index 2754636d..7333b842 100644
--- a/release_pkgs.py
+++ b/release_pkgs.py
@@ -109,17 +109,32 @@ class PkgCreator:
             print(f"create deb_pkgs result => {out}, {err}")
             raise
 
-    # TODO https://jira.cfops.it/browse/TUN-6209 : Sign these packages.
-    def create_rpm_pkgs(self, artifacts_path):
-        self._setup_rpm_pkg_directories(artifacts_path)
+    def create_rpm_pkgs(self, artifacts_path, gpg_key_name):
+        self._setup_rpm_pkg_directories(artifacts_path, gpg_key_name)
         p = Popen(["createrepo", "./rpm"], stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         if p.returncode != 0:
             print(f"create rpm_pkgs result => {out}, {err}")
             raise
 
+        self._sign_repomd()
+
+    def _sign_rpms(self, file_path):
+        p = Popen(["rpm" , "--define", f"_gpg_name {gpg_key_name}", "--addsign", file_path], stdout=PIPE, stderr=PIPE)
+        out, err = p.communicate()
+        if p.returncode != 0:
+            print(f"rpm sign result result => {out}, {err}")
+            raise
+
+    def _sign_repomd(self):
+        p = Popen(["gpg", "--batch", "--detach-sign", "--armor", "./rpm/repodata/repomd.xml"], stdout=PIPE, stderr=PIPE) 
+        out, err = p.communicate()
+        if p.returncode != 0:
+            print(f"sign repomd result => {out}, {err}")
+            raise
+        
     """
-        sets up the RPM directories in the following format:
+        sets up and signs the RPM directories in the following format:
         - rpm 
            - aarch64
            - x86_64
@@ -127,7 +142,7 @@ class PkgCreator:
 
         this assumes the assets are in the format <prefix>-<aarch64/x86_64/386>.rpm
     """
-    def _setup_rpm_pkg_directories(self, artifacts_path, archs=["aarch64", "x86_64", "386"]):
+    def _setup_rpm_pkg_directories(self, artifacts_path, gpg_key_name, archs=["aarch64", "x86_64", "386"]):
         for arch in archs:
             for root, _ , files in os.walk(artifacts_path):
                 for file in files:
@@ -137,6 +152,7 @@ class PkgCreator:
                         old_path = os.path.join(root, file)
                         new_path = os.path.join(new_dir, file)
                         shutil.copyfile(old_path, new_path)
+                        self._sign_rpms(new_path)
     
     """
         imports gpg keys into the system so reprepro and createrepo can use it to sign packages.
@@ -149,7 +165,23 @@ class PkgCreator:
         public_key = base64.b64decode(public_key)
         gpg.import_keys(public_key)
         data = gpg.list_keys(secret=True)
-        return (data[0]["fingerprint"])
+        return (data[0]["fingerprint"], data[0]["uids"][0])
+
+    """
+        basically rpm --import <key_file>
+        This enables us to sign rpms.
+    """
+    def import_rpm_key(self, public_key):
+        file_name = "pb.key"
+        with open(file_name, "wb") as f:
+            public_key = base64.b64decode(public_key)
+            f.write(public_key)
+        
+        p = Popen(["rpm", "--import", file_name], stdout=PIPE, stderr=PIPE)
+        out, err = p.communicate()
+        if p.returncode != 0:
+            print(f"create rpm import result => {out}, {err}")
+            raise
 
 
 """
@@ -212,9 +244,9 @@ def create_deb_packaging(pkg_creator, pkg_uploader, releases, gpg_key_id, binary
         upload_from_directories(pkg_uploader, "dists", release_version, binary_name)
         upload_from_directories(pkg_uploader, "pool", release_version, binary_name)
 
-def create_rpm_packaging(pkg_creator, pkg_uploader, artifacts_path, release_version, binary_name):
+def create_rpm_packaging(pkg_creator, pkg_uploader, artifacts_path, release_version, binary_name, gpg_key_name):
     print(f"creating rpm pkgs...")
-    pkg_creator.create_rpm_pkgs(artifacts_path)
+    pkg_creator.create_rpm_pkgs(artifacts_path, gpg_key_name)
 
     print("uploading latest to r2...")
     upload_from_directories(pkg_uploader, "rpm", None, binary_name)
@@ -282,11 +314,12 @@ if __name__ == "__main__":
         exit(1)
 
     pkg_creator = PkgCreator()
-    gpg_key_id = pkg_creator.import_gpg_keys(args.gpg_private_key, args.gpg_public_key)
+    (gpg_key_id, gpg_key_name) = pkg_creator.import_gpg_keys(args.gpg_private_key, args.gpg_public_key)
+    pkg_creator.import_rpm_key(args.gpg_public_key)
 
     pkg_uploader = PkgUploader(args.account, args.bucket, args.id, args.secret)
     print(f"signing with gpg_key: {gpg_key_id}")
     create_deb_packaging(pkg_creator, pkg_uploader, args.deb_based_releases, gpg_key_id, args.binary, args.archs,
             "main", args.release_tag)
     
-    create_rpm_packaging(pkg_creator, pkg_uploader, "./built_artifacts", args.release_tag, args.binary )
+    create_rpm_packaging(pkg_creator, pkg_uploader, "./built_artifacts", args.release_tag, args.binary, gpg_key_name)