From 0e0eb67ca2dcf4402b81b7ccdd873bbefdc19e52 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Fri, 3 Jun 2022 14:52:17 +0200
Subject: [PATCH] ci-automation: Set up keys for signing

Not used for anything yet. This sets up a temporary GPGHOME directory and a trap that will remove it after we are done.
---
 ci-automation/gpg_setup.sh | 31 +++++++++++++++++++++++++++++++
 ci-automation/image.sh | 12 ++++++++++++
 ci-automation/packages.sh | 10 ++++++++++
 ci-automation/push_pkgs.sh | 12 ++++++++++++
 ci-automation/sdk_bootstrap.sh | 10 ++++++++++
 ci-automation/sdk_container.sh | 12 +++++++++++-
 ci-automation/vms.sh | 12 ++++++++++++
 7 files changed, 98 insertions(+), 1 deletion(-)
 create mode 100644 ci-automation/gpg_setup.sh

diff --git a/ci-automation/gpg_setup.sh b/ci-automation/gpg_setup.sh
new file mode 100644
index 0000000000..d88eea2334
--- /dev/null
+++ b/ci-automation/gpg_setup.sh
@@ -0,0 +1,31 @@
+# Common gpg setup code to be sourced by other scripts in this
+# directory. It will set up GnuPG home directory, possibly with a key
+# from SIGNING_KEY environment variable.
+#
+# After this file is sourced, SIGNER is always defined and exported,
+# even if empty. SIGNING_KEY is clobbered.
+
+: ${SIGNING_KEY:=''}
+: ${SIGNER:=''}
+
+if [[ "${HOME}/.gnupg" -ef "${PWD}/.gnupg" ]]; then
+echo 'Do not source ${BASH_SOURCE} directly in your home directory - it will clobber your GnuPG directory!' >&2
+exit 1
+fi
+
+export GNUPGHOME="${PWD}/.gnupg"
+rm -rf "${GNUPGHOME}"
+trap 'rm -rf "${GNUPGHOME}"' EXIT
+mkdir --mode=0700 "${GNUPGHOME}"
+# Sometimes this directory is not automatically created thus making
+# further private key imports to fail. Let's create it here as a
+# workaround.
+mkdir -p --mode=0700 "${GNUPGHOME}/private-keys-v1.d/"
+if [[ -n "${SIGNING_KEY}" ]] && [[ -n "${SIGNER}" ]]; then
+gpg --import "${SIGNING_KEY}"
+else
+SIGNER=''
+fi
+export SIGNER
+# Clobber signing key variable, we don't need it any more.
+export SIGNING_KEY=''
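Review bot: The warning on the guard's `echo` line is single-quoted, so the user sees the literal text `${BASH_SOURCE}` instead of the sourced file's path; use double quotes, `echo "Do not source ${BASH_SOURCE} directly in your home directory - it will clobber your GnuPG directory!" >&2`. The exit status of `gpg --import "${SIGNING_KEY}"` is not checked, so a missing or unreadable key file still leaves SIGNER exported as if a usable key were present; folding the import into the condition, `if [[ -n "${SIGNING_KEY}" ]] && [[ -n "${SIGNER}" ]] && gpg --import "${SIGNING_KEY}"; then`, lets the existing `else` branch clear SIGNER on failure. The EXIT trap is single-quoted, so `${GNUPGHOME}` is expanded only when the shell exits; if anything sourced later re-points GNUPGHOME, the trap removes that directory rather than the one created here, so capturing the path at install time would keep the cleanup bound to this directory. The trap also replaces any EXIT trap the sourcing script already had, which presumably is why the callers source this file inside a subshell.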
diff --git a/ci-automation/image.sh b/ci-automation/image.sh
index 5c0234a9a6..9fff6b8e10 100644
--- a/ci-automation/image.sh
+++ b/ci-automation/image.sh
@@ -23,6 +23,16 @@
 #
 # 1. Architecture (ARCH) of the TARGET OS image ("arm64", "amd64").
 #
+# OPTIONAL INPUT:
+#
+# 1. SIGNER. Environment variable. Name of the owner of the artifact signing key.
+# Defaults to nothing if not set - in such case, artifacts will not be signed.
+# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
+#
+# 2. SIGNING_KEY. Environment variable. The artifact signing key.
+# Defaults to nothing if not set - in such case, artifacts will not be signed.
+# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
+#
 # OUTPUT:
 #
 # 1. Exported container image with OS image, dev container, and related artifacts at
@@ -31,6 +41,7 @@
 # pushed to buildcache.
 # 2. "./ci-cleanup.sh" with commands to clean up temporary build resources,
 # to be run after this step finishes / when this step is aborted.
+# 3. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
 
 function image_build() {
 # Run a subshell, so the traps, environment changes and global
@@ -50,6 +61,7 @@ function _image_build_impl() {
 local channel=""
 channel="$(get_git_channel)"
 source ci-automation/ci_automation_common.sh
+ source ci-automation/gpg_setup.sh
 init_submodules
 source sdk_container/.repo/manifests/version.txt
diff --git a/ci-automation/packages.sh b/ci-automation/packages.sh
index a3ae052d21..be1775b0c5 100644
--- a/ci-automation/packages.sh
+++ b/ci-automation/packages.sh
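Review bot: The new OPTIONAL INPUT text describes SIGNING_KEY as "The artifact signing key", but gpg_setup.sh passes the value straight to `gpg --import "${SIGNING_KEY}"`, so it has to be a path to a key file rather than the key material itself; `# 2. SIGNING_KEY. Environment variable. Path to a file with the artifact signing key.` would match what the code expects. The same paragraph is added in packages.sh, push_pkgs.sh, sdk_bootstrap.sh, sdk_container.sh and vms.sh and should be corrected there too. The OUTPUT item "3. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache." documents behaviour that, per the commit message, is not implemented yet, so until signing lands the comment promises an artifact the step does not produce. `_image_build_impl`, which gains the `source ci-automation/gpg_setup.sh` line, starts and ends outside the hunk.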
@@ -45,6 +45,14 @@
 # This version will be checked out / pulled from remote in the portage-stable git submodule.
 # The submodule config will be updated to point to this version before the TARGET SDK tag is created and pushed.
 #
+# 5. SIGNER. Environment variable. Name of the owner of the artifact signing key.
+# Defaults to nothing if not set - in such case, artifacts will not be signed.
+# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
+#
+# 6. SIGNING_KEY. Environment variable. The artifact signing key.
+# Defaults to nothing if not set - in such case, artifacts will not be signed.
+# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
+#
 # OUTPUT:
 #
 # 1. Exported container image "flatcar-packages-[ARCH]-[VERSION].tar.gz" with binary packages
@@ -55,6 +63,7 @@
 # - sdk_container/.repo/manifests/version.txt denotes new FLATCAR OS version
 # 3. "./ci-cleanup.sh" with commands to clean up temporary build resources,
 # to be run after this step finishes / when this step is aborted.
+# 4. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
 
 function packages_build() {
 # Run a subshell, so the traps, environment changes and global
@@ -74,6 +83,7 @@ function _packages_build_impl() {
 local portage_git="${4:-}"
 source ci-automation/ci_automation_common.sh
+ source ci-automation/gpg_setup.sh
 init_submodules
 check_version_string "${version}"
diff --git a/ci-automation/push_pkgs.sh b/ci-automation/push_pkgs.sh
index 78e25af599..bb4c0e1b9a 100644
--- a/ci-automation/push_pkgs.sh
+++ b/ci-automation/push_pkgs.sh
@@ -25,11 +25,22 @@
 #
 # 1. Architecture (ARCH) of the TARGET OS image ("arm64", "amd64").
 #
+# OPTIONAL INPUT:
+#
+# 1. SIGNER. Environment variable. Name of the owner of the artifact signing key.
+# Defaults to nothing if not set - in such case, artifacts will not be signed.
+# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
+#
+# 2. SIGNING_KEY. Environment variable. The artifact signing key.
+# Defaults to nothing if not set - in such case, artifacts will not be signed.
+# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
+#
 # OUTPUT:
 #
 # 1. Binary packages published to buildcache at "boards/[ARCH]-usr/[VERSION]/pkgs".
 # 2. "./ci-cleanup.sh" with commands to clean up temporary build resources,
 # to be run after this step finishes / when this step is aborted.
+# 3. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
 
 # This function is run _inside_ the SDK container
 function image_build__copy_to_bincache() {
@@ -58,6 +69,7 @@ function _push_packages_impl() {
 local arch="$1"
 source ci-automation/ci_automation_common.sh
+ source ci-automation/gpg_setup.sh
 init_submodules
 source sdk_container/.repo/manifests/version.txt
diff --git a/ci-automation/sdk_bootstrap.sh b/ci-automation/sdk_bootstrap.sh
index 13b0c88020..c09388cb7e 100644
--- a/ci-automation/sdk_bootstrap.sh
+++ b/ci-automation/sdk_bootstrap.sh
@@ -39,6 +39,14 @@
 # 5. ARCH. Environment variable. Target architecture for the SDK to run on.
 # Either "amd64" or "arm64"; defaults to "amd64" if not set.
 #
+# 6. SIGNER. Environment variable. Name of the owner of the artifact signing key.
+# Defaults to nothing if not set - in such case, artifacts will not be signed.
+# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
+#
+# 7. SIGNING_KEY. Environment variable. The artifact signing key.
+# Defaults to nothing if not set - in such case, artifacts will not be signed.
+# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
+#
 # OUTPUT:
 #
 # 1. SDK tarball (gentoo catalyst output) of the new SDK, pushed to buildcache.
@@ -47,6 +55,7 @@
 # - sdk_container/.repo/manifests/version.txt denotes new SDK version
 # 3. "./ci-cleanup.sh" with commands to clean up temporary build resources,
 # to be run after this step finishes / when this step is aborted.
+# 4. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
 
 function sdk_bootstrap() {
 # Run a subshell, so the traps, environment changes and global
@@ -67,6 +76,7 @@ function _sdk_bootstrap_impl() {
 : ${ARCH:="amd64"}
 source ci-automation/ci_automation_common.sh
+ source ci-automation/gpg_setup.sh
 init_submodules
 check_version_string "${version}"
diff --git a/ci-automation/sdk_container.sh b/ci-automation/sdk_container.sh
index 6234eb783c..0677743b8a 100644
--- a/ci-automation/sdk_container.sh
+++ b/ci-automation/sdk_container.sh
@@ -19,15 +19,24 @@
 # SDK tarball is available on BUILDCACHE/sdk/[ARCH]/[VERSION]/flatcar-sdk-[ARCH]-[VERSION].tar.bz2
 #
 # OPTIONAL INPUT:
-
+#
 # 2. ARCH. Environment variable. Target architecture for the SDK to run on.
 # Either "amd64" or "arm64"; defaults to "amd64" if not set.
 #
+# 3. SIGNER. Environment variable. Name of the owner of the artifact signing key.
+# Defaults to nothing if not set - in such case, artifacts will not be signed.
+# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
+#
+# 4. SIGNING_KEY. Environment variable. The artifact signing key.
+# Defaults to nothing if not set - in such case, artifacts will not be signed.
+# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
+#
 # OUTPUT:
 #
 # 1. SDK container image of the new SDK, published to buildcache.
 # 2. "./ci-cleanup.sh" with commands to clean up temporary build resources,
 # to be run after this step finishes / when this step is aborted.
+# 3. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
 
 function sdk_container_build() {
 # Run a subshell, so the traps, environment changes and global
@@ -44,6 +53,7 @@ function _sdk_container_build_impl() {
 : ${ARCH:="amd64"}
 source ci-automation/ci_automation_common.sh
+ source ci-automation/gpg_setup.sh
 init_submodules
diff --git a/ci-automation/vms.sh b/ci-automation/vms.sh
index 37da63af1a..cfcc6e3a95 100644
--- a/ci-automation/vms.sh
+++ b/ci-automation/vms.sh
@@ -25,11 +25,22 @@
 # 2. Image formats to be built. Can be multiple, separated by spaces.
 # Run ./image_to_vm.sh -h in the SDK to get a list of supported images.
 #
+# OPTIONAL INPUT:
+#
+# 1. SIGNER. Environment variable. Name of the owner of the artifact signing key.
+# Defaults to nothing if not set - in such case, artifacts will not be signed.
+# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
+#
+# 2. SIGNING_KEY. Environment variable. The artifact signing key.
+# Defaults to nothing if not set - in such case, artifacts will not be signed.
+# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
+#
 # OUTPUT:
 #
 # 1. Exported VM image(s), pushed to buildcache ( images/[ARCH]/[FLATCAR_VERSION]/ )
 # 2. "./ci-cleanup.sh" with commands to clean up temporary build resources,
 # to be run after this step finishes / when this step is aborted.
+# 3. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
 
 function vm_build() {
 # Run a subshell, so the traps, environment changes and global
@@ -48,6 +59,7 @@ function _vm_build_impl() {
 # $@ now contains image formats to build
 source ci-automation/ci_automation_common.sh
+ source ci-automation/gpg_setup.sh
 init_submodules
 source sdk_container/.repo/manifests/version.txt