* chore: Fix upload of RPM repo file during double signing
This commit fixes a variable that was supposed to hold the path of the repo file, but instead was being overwritten with the repo file handle
* chore: Fix import of GPG keys when two keys are provided
We were only retrieving the first output of gpg.list keys because previously we were only running import_gpg_keys once. Now that we run it twice we need to ensure that the key we select from the list matches the one we've imported.
* TUN-9776: Support signing Debian packages with two keys for rollover
Debian Trixie doesn't support the SHA-1 algo for GPG keys.
This commit leverages the ability of providing two keys in the reprepro configuration in order to have two signatures in InRelease and Release.gpg files.
This allows users that have the old key to continue fetching the binaries with the old key while allowing us to provide a new key that can be used in Trixie.
Unfortunately current versions of RPM (since 2002) don't support double signing, so we can't apply the same logic for RPM
Closes TUN-9776
## Summary
This commit removes configurations and references for Debian-based releases that are no longer supported in the build and packaging processes.
For Ubuntu versions for most of them only PRO users still have support, so we might decide remove some of them as well. Information available in:
- Debian Releases: https://wiki.debian.org/LTS (we no longer support bullseye at Cloudflare)
- Ubuntu Releases: https://ubuntu.com/about/release-cycle
Closes TUN-9542
## Summary
Ubuntu has released a new LTS version, and there are people starting to use it, this makes
our installation recommendation, that automatically detecs the release flavor, to fail for
Noble users. Therefore, this commit adds this new version to our release packages.
It also adds an `any` package so that we can update our documentation to use it since
we are using the same binaries across all debian flavors, so there is no reason to keep
adding more release flavors when we can just take advantage of the `any` release flavor
like other repositories do.
## Summary
The default-flavour of cfsetup changed from bullseye to bookworm and in the latter the createrepo package was renamed to createrepo_c.
Closes TUN-8795
We now will have `armhf` based debs on our github pages
This will also sync to our R2 Release process allowing legacy rpi users to
eventually be able to apt-get install cloudflared.
This PR provides a cloudflared.repo template that can simply then be
added to yum repos by running
```
sudo dnf config-manager --add-repo
```
removing the requirement for yum installers to handcraft this or run
echo commands.
This PR mostly raises exceptions so we are aware if release deb or
release pkgs fail. It also makes release_version optional if backup pkgs
are not needed.
We now keep the gpg key inputs configurable. This PR imports base64
encoded gpg details into the build environment and uses this information
to sign the linux builds.
This PR extends release_pkgs.py to now also support uploading rpm based
assets to R2. The packages are not signed yet and will be done in a
subsequent PR.
This PR
- Packs the .rpm assets into relevant directories
- Calls createrepo on them to make them yum repo ready
- Uploads them to R2
The way apt works is:
1. It looks at the release file based on the `deb` added to sources.list.
2. It uses this release file to find the relative location of Packages or Packages.gz
3. It uses the pool information from packages to find the relative location of where the .deb file is located and then downloads and installs it.
This PR seeks to take advantage of this information by simply arranging
the files in a way apt expects thereby eliminating the need for an
orchestrating endpoint.
This PR does the following:
1. Creates packages.gz, signed InRelease files for debs in
built_artifacts for configured debian releases.
2. Uploads them to Cloudflare R2.
3. Adds a Workers KV entry that talks about where these assets are
uploaded.
João "Pisco" Fernandes
Gonçalo Garcia
Luis Neto
Sudarsan Reddy
Igor Postelnik