mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-09-22 06:01:41 +02:00
Code Issues Packages Projects Releases Wiki Activity

ci-automation: Set up keys for signing

Browse Source 
Not used for anything yet. This sets up a temporary GPGHOME directory
and a trap that will remove it after we are done.
This commit is contained in:
Krzesimir Nowak 2022-06-03 14:52:17 +02:00
parent 090d7ec176
commit 0e0eb67ca2
7 changed files with 98 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
ci-automation/gpg_setup.sh Normal file
View File

@ -0,0 +1,31 @@
# Common gpg setup code to be sourced by other scripts in this
# directory. It will set up GnuPG home directory, possibly with a key
# from SIGNING_KEY environment variable.
#
# After this file is sourced, SIGNER is always defined and exported,
# even if empty. SIGNING_KEY is clobbered.
: ${SIGNING_KEY:=''}
: ${SIGNER:=''}
if [[ "${HOME}/.gnupg" -ef "${PWD}/.gnupg" ]]; then
echo 'Do not source ${BASH_SOURCE} directly in your home directory - it will clobber your GnuPG directory!' >&2
exit 1
fi
export GNUPGHOME="${PWD}/.gnupg"
rm -rf "${GNUPGHOME}"
trap 'rm -rf "${GNUPGHOME}"' EXIT
mkdir --mode=0700 "${GNUPGHOME}"
# Sometimes this directory is not automatically created thus making
# further private key imports to fail. Let's create it here as a
# workaround.
mkdir -p --mode=0700 "${GNUPGHOME}/private-keys-v1.d/"
if [[ -n "${SIGNING_KEY}" ]] && [[ -n "${SIGNER}" ]]; then
gpg --import "${SIGNING_KEY}"
else
SIGNER=''
fi
export SIGNER
# Clobber signing key variable, we don't need it any more.
export SIGNING_KEY=''

12
ci-automation/image.sh
View File

@ -23,6 +23,16 @@
# #
# 1. Architecture (ARCH) of the TARGET OS image ("arm64", "amd64"). # 1. Architecture (ARCH) of the TARGET OS image ("arm64", "amd64").
# #
# OPTIONAL INPUT:
#
# 1. SIGNER. Environment variable. Name of the owner of the artifact signing key.
# Defaults to nothing if not set - in such case, artifacts will not be signed.
# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
#
# 2. SIGNING_KEY. Environment variable. The artifact signing key.
# Defaults to nothing if not set - in such case, artifacts will not be signed.
# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
#
# OUTPUT: # OUTPUT:
# #
# 1. Exported container image with OS image, dev container, and related artifacts at # 1. Exported container image with OS image, dev container, and related artifacts at
@ -31,6 +41,7 @@
# pushed to buildcache. # pushed to buildcache.
# 2. "./ci-cleanup.sh" with commands to clean up temporary build resources, # 2. "./ci-cleanup.sh" with commands to clean up temporary build resources,
# to be run after this step finishes / when this step is aborted. # to be run after this step finishes / when this step is aborted.
# 3. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
function image_build() { function image_build() {
# Run a subshell, so the traps, environment changes and global # Run a subshell, so the traps, environment changes and global
@ -50,6 +61,7 @@ function _image_build_impl() {
local channel="" local channel=""
channel="$(get_git_channel)" channel="$(get_git_channel)"
source ci-automation/ci_automation_common.sh source ci-automation/ci_automation_common.sh
source ci-automation/gpg_setup.sh
init_submodules init_submodules
source sdk_container/.repo/manifests/version.txt source sdk_container/.repo/manifests/version.txt

10
ci-automation/packages.sh
View File

@ -45,6 +45,14 @@
# This version will be checked out / pulled from remote in the portage-stable git submodule. # This version will be checked out / pulled from remote in the portage-stable git submodule.
# The submodule config will be updated to point to this version before the TARGET SDK tag is created and pushed. # The submodule config will be updated to point to this version before the TARGET SDK tag is created and pushed.
# #
# 5. SIGNER. Environment variable. Name of the owner of the artifact signing key.
# Defaults to nothing if not set - in such case, artifacts will not be signed.
# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
#
# 6. SIGNING_KEY. Environment variable. The artifact signing key.
# Defaults to nothing if not set - in such case, artifacts will not be signed.
# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
#
# OUTPUT: # OUTPUT:
# #
# 1. Exported container image "flatcar-packages-[ARCH]-[VERSION].tar.gz" with binary packages # 1. Exported container image "flatcar-packages-[ARCH]-[VERSION].tar.gz" with binary packages
@ -55,6 +63,7 @@
# - sdk_container/.repo/manifests/version.txt denotes new FLATCAR OS version # - sdk_container/.repo/manifests/version.txt denotes new FLATCAR OS version
# 3. "./ci-cleanup.sh" with commands to clean up temporary build resources, # 3. "./ci-cleanup.sh" with commands to clean up temporary build resources,
# to be run after this step finishes / when this step is aborted. # to be run after this step finishes / when this step is aborted.
# 4. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
function packages_build() { function packages_build() {
# Run a subshell, so the traps, environment changes and global # Run a subshell, so the traps, environment changes and global
@ -74,6 +83,7 @@ function _packages_build_impl() {
local portage_git="${4:-}" local portage_git="${4:-}"
source ci-automation/ci_automation_common.sh source ci-automation/ci_automation_common.sh
source ci-automation/gpg_setup.sh
init_submodules init_submodules
check_version_string "${version}" check_version_string "${version}"

12
ci-automation/push_pkgs.sh
View File

@ -25,11 +25,22 @@
# #
# 1. Architecture (ARCH) of the TARGET OS image ("arm64", "amd64"). # 1. Architecture (ARCH) of the TARGET OS image ("arm64", "amd64").
# #
# OPTIONAL INPUT:
#
# 1. SIGNER. Environment variable. Name of the owner of the artifact signing key.
# Defaults to nothing if not set - in such case, artifacts will not be signed.
# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
#
# 2. SIGNING_KEY. Environment variable. The artifact signing key.
# Defaults to nothing if not set - in such case, artifacts will not be signed.
# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
#
# OUTPUT: # OUTPUT:
# #
# 1. Binary packages published to buildcache at "boards/[ARCH]-usr/[VERSION]/pkgs". # 1. Binary packages published to buildcache at "boards/[ARCH]-usr/[VERSION]/pkgs".
# 2. "./ci-cleanup.sh" with commands to clean up temporary build resources, # 2. "./ci-cleanup.sh" with commands to clean up temporary build resources,
# to be run after this step finishes / when this step is aborted. # to be run after this step finishes / when this step is aborted.
# 3. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
# This function is run _inside_ the SDK container # This function is run _inside_ the SDK container
function image_build__copy_to_bincache() { function image_build__copy_to_bincache() {
@ -58,6 +69,7 @@ function _push_packages_impl() {
local arch="$1" local arch="$1"
source ci-automation/ci_automation_common.sh source ci-automation/ci_automation_common.sh
source ci-automation/gpg_setup.sh
init_submodules init_submodules
source sdk_container/.repo/manifests/version.txt source sdk_container/.repo/manifests/version.txt

10
ci-automation/sdk_bootstrap.sh
View File

@ -39,6 +39,14 @@
# 5. ARCH. Environment variable. Target architecture for the SDK to run on. # 5. ARCH. Environment variable. Target architecture for the SDK to run on.
# Either "amd64" or "arm64"; defaults to "amd64" if not set. # Either "amd64" or "arm64"; defaults to "amd64" if not set.
# #
# 6. SIGNER. Environment variable. Name of the owner of the artifact signing key.
# Defaults to nothing if not set - in such case, artifacts will not be signed.
# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
#
# 7. SIGNING_KEY. Environment variable. The artifact signing key.
# Defaults to nothing if not set - in such case, artifacts will not be signed.
# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
#
# OUTPUT: # OUTPUT:
# #
# 1. SDK tarball (gentoo catalyst output) of the new SDK, pushed to buildcache. # 1. SDK tarball (gentoo catalyst output) of the new SDK, pushed to buildcache.
@ -47,6 +55,7 @@
# - sdk_container/.repo/manifests/version.txt denotes new SDK version # - sdk_container/.repo/manifests/version.txt denotes new SDK version
# 3. "./ci-cleanup.sh" with commands to clean up temporary build resources, # 3. "./ci-cleanup.sh" with commands to clean up temporary build resources,
# to be run after this step finishes / when this step is aborted. # to be run after this step finishes / when this step is aborted.
# 4. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
function sdk_bootstrap() { function sdk_bootstrap() {
# Run a subshell, so the traps, environment changes and global # Run a subshell, so the traps, environment changes and global
@ -67,6 +76,7 @@ function _sdk_bootstrap_impl() {
: ${ARCH:="amd64"} : ${ARCH:="amd64"}
source ci-automation/ci_automation_common.sh source ci-automation/ci_automation_common.sh
source ci-automation/gpg_setup.sh
init_submodules init_submodules
check_version_string "${version}" check_version_string "${version}"

12
ci-automation/sdk_container.sh
View File

@ -19,15 +19,24 @@
# SDK tarball is available on BUILDCACHE/sdk/[ARCH]/[VERSION]/flatcar-sdk-[ARCH]-[VERSION].tar.bz2 # SDK tarball is available on BUILDCACHE/sdk/[ARCH]/[VERSION]/flatcar-sdk-[ARCH]-[VERSION].tar.bz2
# #
# OPTIONAL INPUT: # OPTIONAL INPUT:
#
# 2. ARCH. Environment variable. Target architecture for the SDK to run on. # 2. ARCH. Environment variable. Target architecture for the SDK to run on.
# Either "amd64" or "arm64"; defaults to "amd64" if not set. # Either "amd64" or "arm64"; defaults to "amd64" if not set.
# #
# 3. SIGNER. Environment variable. Name of the owner of the artifact signing key.
# Defaults to nothing if not set - in such case, artifacts will not be signed.
# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
#
# 4. SIGNING_KEY. Environment variable. The artifact signing key.
# Defaults to nothing if not set - in such case, artifacts will not be signed.
# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
#
# OUTPUT: # OUTPUT:
# #
# 1. SDK container image of the new SDK, published to buildcache. # 1. SDK container image of the new SDK, published to buildcache.
# 2. "./ci-cleanup.sh" with commands to clean up temporary build resources, # 2. "./ci-cleanup.sh" with commands to clean up temporary build resources,
# to be run after this step finishes / when this step is aborted. # to be run after this step finishes / when this step is aborted.
# 3. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
function sdk_container_build() { function sdk_container_build() {
# Run a subshell, so the traps, environment changes and global # Run a subshell, so the traps, environment changes and global
@ -44,6 +53,7 @@ function _sdk_container_build_impl() {
: ${ARCH:="amd64"} : ${ARCH:="amd64"}
source ci-automation/ci_automation_common.sh source ci-automation/ci_automation_common.sh
source ci-automation/gpg_setup.sh
init_submodules init_submodules

12
ci-automation/vms.sh
View File

@ -25,11 +25,22 @@
# 2. Image formats to be built. Can be multiple, separated by spaces. # 2. Image formats to be built. Can be multiple, separated by spaces.
# Run ./image_to_vm.sh -h in the SDK to get a list of supported images. # Run ./image_to_vm.sh -h in the SDK to get a list of supported images.
# #
# OPTIONAL INPUT:
#
# 1. SIGNER. Environment variable. Name of the owner of the artifact signing key.
# Defaults to nothing if not set - in such case, artifacts will not be signed.
# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
#
# 2. SIGNING_KEY. Environment variable. The artifact signing key.
# Defaults to nothing if not set - in such case, artifacts will not be signed.
# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
#
# OUTPUT: # OUTPUT:
# #
# 1. Exported VM image(s), pushed to buildcache ( images/[ARCH]/[FLATCAR_VERSION]/ ) # 1. Exported VM image(s), pushed to buildcache ( images/[ARCH]/[FLATCAR_VERSION]/ )
# 2. "./ci-cleanup.sh" with commands to clean up temporary build resources, # 2. "./ci-cleanup.sh" with commands to clean up temporary build resources,
# to be run after this step finishes / when this step is aborted. # to be run after this step finishes / when this step is aborted.
# 3. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
function vm_build() { function vm_build() {
# Run a subshell, so the traps, environment changes and global # Run a subshell, so the traps, environment changes and global
@ -48,6 +59,7 @@ function _vm_build_impl() {
# $@ now contains image formats to build # $@ now contains image formats to build
source ci-automation/ci_automation_common.sh source ci-automation/ci_automation_common.sh
source ci-automation/gpg_setup.sh
init_submodules init_submodules
source sdk_container/.repo/manifests/version.txt source sdk_container/.repo/manifests/version.txt