Implement Sigul for signing packages
Signing rpm packages Signing deb packages Signing metadata of repositories Related Jira-ticket: https://mirantis.jira.com/browse/PROD-3854 Change-Id: I31cfe16bab67c003fa8687ac33a7fc6cc420cdf6
This commit is contained in:
parent
d22cdcd2e2
commit
6ec20fb23a
@ -19,6 +19,12 @@ info () {
|
|||||||
echo
|
echo
|
||||||
}
|
}
|
||||||
|
|
||||||
|
_sigul () {
|
||||||
|
local PASSWD=$1
|
||||||
|
shift
|
||||||
|
printf '%s\0' "$PASSWD" | sigul --batch $@
|
||||||
|
}
|
||||||
|
|
||||||
check-gpg() {
|
check-gpg() {
|
||||||
local RESULT=0
|
local RESULT=0
|
||||||
[ -z "$SIGKEYID" ] && echo "WARNING: No secret keys given" && RESULT=1
|
[ -z "$SIGKEYID" ] && echo "WARNING: No secret keys given" && RESULT=1
|
||||||
@ -33,6 +39,55 @@ check-gpg() {
|
|||||||
return $RESULT
|
return $RESULT
|
||||||
}
|
}
|
||||||
|
|
||||||
|
check-sigul() {
|
||||||
|
local SIGKEYID=$1
|
||||||
|
local SIGUL_USER=$2
|
||||||
|
local SIGUL_ADMIN_PASSWD=$3
|
||||||
|
local RESULT=0
|
||||||
|
# Test of secret key and definiton of sigul
|
||||||
|
[ -z "$SIGKEYID" ] && echo "WARNING: No secret keys given" && RESULT=1
|
||||||
|
[ -z "$SIGUL_USER" ] && echo "WARNING: No Sigul user given" && RESULT=1
|
||||||
|
[ -z "$SIGUL_ADMIN_PASSWD" ] && echo "WARNING: No Sigul Administration's password given" && RESULT=1
|
||||||
|
[ -z "$(which sigul)" ] && echo "WARNING: Sigul is not found" && RESULT=1
|
||||||
|
# Test of sigul or secret key availability
|
||||||
|
if [ $RESULT -eq 0 ] ; then
|
||||||
|
retry -c4 -s1 _sigul "$SIGUL_ADMIN_PASSWD" -u "$SIGUL_USER" list-keys > keys_list.tmp
|
||||||
|
[ $? -ne 0 ] && echo "WARNING: Something went wrong" && RESULT=1
|
||||||
|
fi
|
||||||
|
[ $RESULT -eq 0 ] && [ $(grep -c "$SIGKEYID" keys_list.tmp) -ne 1 ] && RESULT=1
|
||||||
|
[ $RESULT -ne 0 ] && echo "WARNING:No secret keys found or Sigul is unavailable. Fall back to local signed"
|
||||||
|
return $RESULT
|
||||||
|
}
|
||||||
|
|
||||||
|
retry() {
|
||||||
|
local count=3
|
||||||
|
local sleep=5
|
||||||
|
local optname
|
||||||
|
while getopts 'c:s:' optname
|
||||||
|
do
|
||||||
|
case $optname in
|
||||||
|
c) count=$OPTARG ;;
|
||||||
|
s) sleep=$OPTARG ;;
|
||||||
|
?) return 1 ;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
shift $((OPTIND - 1))
|
||||||
|
local ec
|
||||||
|
while true
|
||||||
|
do
|
||||||
|
"$@" && true
|
||||||
|
ec=$?
|
||||||
|
(( count-- ))
|
||||||
|
if [[ $ec -eq 0 || $count -eq 0 ]]
|
||||||
|
then
|
||||||
|
break
|
||||||
|
else
|
||||||
|
sleep "$sleep"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
return "$ec"
|
||||||
|
}
|
||||||
|
|
||||||
sync-repo() {
|
sync-repo() {
|
||||||
local LOCAL_DIR=$1
|
local LOCAL_DIR=$1
|
||||||
local REMOTE_DIR=$2
|
local REMOTE_DIR=$2
|
||||||
|
@ -6,7 +6,12 @@ source $(dirname $(readlink -e $0))/functions/locking.sh
|
|||||||
|
|
||||||
main() {
|
main() {
|
||||||
local SIGN_STRING=""
|
local SIGN_STRING=""
|
||||||
check-gpg && SIGN_STRING="true"
|
if check-sigul "$SIGKEYID" "$SIGUL_USER" "$SIGUL_ADMIN_PASSWD" ; then
|
||||||
|
USE_SIGUL="true"
|
||||||
|
SIGN_STRING="true"
|
||||||
|
else
|
||||||
|
check-gpg && SIGN_STRING="true"
|
||||||
|
fi
|
||||||
|
|
||||||
## Download sources from worker
|
## Download sources from worker
|
||||||
[ -d $TMP_DIR ] && rm -rf $TMP_DIR
|
[ -d $TMP_DIR ] && rm -rf $TMP_DIR
|
||||||
@ -76,9 +81,13 @@ main() {
|
|||||||
-i ${release_file}
|
-i ${release_file}
|
||||||
rm -f ${release_file}.gpg
|
rm -f ${release_file}.gpg
|
||||||
# ReSign Release file
|
# ReSign Release file
|
||||||
[ -n "${SIGN_STRING}" ] \
|
if [ "${USE_SIGUL}" = "true" ] ; then
|
||||||
|
retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_USER" sign-data --armor -o "${release_file}.gpg" "${SIGKEYID}" "${release_file}"
|
||||||
|
else
|
||||||
|
[ -n "${SIGN_STRING}" ] \
|
||||||
&& gpg --sign --local-user ${SIGKEYID} -ba \
|
&& gpg --sign --local-user ${SIGKEYID} -ba \
|
||||||
-o ${release_file}.gpg ${release_file}
|
-o ${release_file}.gpg ${release_file}
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
job_lock ${CONFIGDIR}.lock unset
|
job_lock ${CONFIGDIR}.lock unset
|
||||||
fi
|
fi
|
||||||
@ -183,9 +192,14 @@ main() {
|
|||||||
rm -f ${release_file}.gpg
|
rm -f ${release_file}.gpg
|
||||||
local pub_key_file="${LOCAL_REPO_PATH}/public/archive-${PROJECT_NAME}${PROJECT_VERSION}.key"
|
local pub_key_file="${LOCAL_REPO_PATH}/public/archive-${PROJECT_NAME}${PROJECT_VERSION}.key"
|
||||||
if [ -n "${SIGN_STRING}" ] ; then
|
if [ -n "${SIGN_STRING}" ] ; then
|
||||||
gpg --sign --local-user ${SIGKEYID} -ba -o ${release_file}.gpg ${release_file}
|
|
||||||
[ ! -f "${pub_key_file}" ] && touch ${pub_key_file}
|
[ ! -f "${pub_key_file}" ] && touch ${pub_key_file}
|
||||||
gpg -o ${pub_key_file}.tmp --armor --export ${SIGKEYID}
|
if [ "${USE_SIGUL}" = "true" ] ; then
|
||||||
|
retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_USER" sign-data --armor -o "${release_file}.gpg" "${SIGKEYID}" "${release_file}"
|
||||||
|
retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_ADMIN" get-public-key "${SIGKEYID}" > "${pub_key_file}.tmp"
|
||||||
|
else
|
||||||
|
gpg --sign --local-user ${SIGKEYID} -ba -o ${release_file}.gpg ${release_file}
|
||||||
|
gpg -o ${pub_key_file}.tmp --armor --export ${SIGKEYID}
|
||||||
|
fi
|
||||||
if diff -q ${pub_key_file} ${pub_key_file}.tmp &>/dev/null ; then
|
if diff -q ${pub_key_file} ${pub_key_file}.tmp &>/dev/null ; then
|
||||||
rm ${pub_key_file}.tmp
|
rm ${pub_key_file}.tmp
|
||||||
else
|
else
|
||||||
|
@ -8,10 +8,18 @@ source $(dirname $(readlink -e $0))/functions/locking.sh
|
|||||||
|
|
||||||
main() {
|
main() {
|
||||||
if [ -n "${SIGKEYID}" ] ; then
|
if [ -n "${SIGKEYID}" ] ; then
|
||||||
check-gpg || :
|
# Is sigul availble and signed key exist
|
||||||
gpg --export -a ${SIGKEYID} > RPM-GPG-KEY
|
[ -n "${SIGUL_USER}" ] && check-sigul "$SIGKEYID" "$SIGUL_USER" "$SIGUL_ADMIN_PASSWD" && USE_SIGUL=true
|
||||||
if [ $(rpm -qa | grep gpg-pubkey | grep -ci ${SIGKEYID}) -eq 0 ]; then
|
if [ "${USE_SIGUL}" = "true" ] ; then
|
||||||
rpm --import RPM-GPG-KEY
|
# Use sigul for sign
|
||||||
|
retry -c4 -s1 _sigul "$SIGUL_ADMIN_PASSWD" -u "$SIGUL_ADMIN" get-public-key "$SIGKEYID" > RPM-GPG-KEY
|
||||||
|
else
|
||||||
|
# Use local sign
|
||||||
|
check-gpg || :
|
||||||
|
gpg --export -a ${SIGKEYID} > RPM-GPG-KEY
|
||||||
|
if [ $(rpm -qa | grep gpg-pubkey | grep -ci ${SIGKEYID}) -eq 0 ]; then
|
||||||
|
rpm --import RPM-GPG-KEY
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -183,7 +191,12 @@ main() {
|
|||||||
##
|
##
|
||||||
if [ -n "${SIGKEYID}" ] ; then
|
if [ -n "${SIGKEYID}" ] ; then
|
||||||
# rpmsign requires pass phrase. use `expect` to skip it
|
# rpmsign requires pass phrase. use `expect` to skip it
|
||||||
LANG=C expect <<EOL
|
if [ "${USE_SIGUL}" = "true" ] ; then
|
||||||
|
mv "${binary}" "${binary}_unsign"
|
||||||
|
retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_USER" sign-rpm -o "${binary}" "$SIGKEYID" "${binary}_unsign"
|
||||||
|
rm -f "${binary}_unsign"
|
||||||
|
else
|
||||||
|
LANG=C expect <<EOL
|
||||||
spawn rpmsign --define "%__gpg_check_password_cmd /bin/true" --define "%_signature gpg" --define "%_gpg_name ${SIGKEYID}" --resign ${binary}
|
spawn rpmsign --define "%__gpg_check_password_cmd /bin/true" --define "%_signature gpg" --define "%_gpg_name ${SIGKEYID}" --resign ${binary}
|
||||||
expect -exact "Enter pass phrase:"
|
expect -exact "Enter pass phrase:"
|
||||||
send -- "Doesn't matter\r"
|
send -- "Doesn't matter\r"
|
||||||
@ -192,7 +205,8 @@ lassign [wait] pid spawnid os_error_flag value
|
|||||||
puts "exit status: \$value"
|
puts "exit status: \$value"
|
||||||
exit \$value
|
exit \$value
|
||||||
EOL
|
EOL
|
||||||
[ $? -ne 0 ] && error "Something went wrong. Can't sign package ${binary#*/}"
|
fi
|
||||||
|
[ $? -ne 0 ] && error "Something went wrong. Can't sign package ${binary#*/}"
|
||||||
fi
|
fi
|
||||||
##
|
##
|
||||||
###########
|
###########
|
||||||
@ -213,8 +227,14 @@ EOL
|
|||||||
if [ -n "${SIGKEYID}" ] ; then
|
if [ -n "${SIGKEYID}" ] ; then
|
||||||
rm -f ${LOCAL_REPO_PATH}/x86_64/repodata/repomd.xml.asc
|
rm -f ${LOCAL_REPO_PATH}/x86_64/repodata/repomd.xml.asc
|
||||||
rm -f ${LOCAL_REPO_PATH}/Source/repodata/repomd.xml.asc
|
rm -f ${LOCAL_REPO_PATH}/Source/repodata/repomd.xml.asc
|
||||||
gpg --armor --local-user ${SIGKEYID} --detach-sign ${LOCAL_REPO_PATH}/x86_64/repodata/repomd.xml
|
if [ "${USE_SIGUL}" = true ] ; then
|
||||||
gpg --armor --local-user ${SIGKEYID} --detach-sign ${LOCAL_REPO_PATH}/Source/repodata/repomd.xml
|
for TYPE in x86_64 Source ; do
|
||||||
|
retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_USER" sign-data --armor -o "${LOCAL_REPO_PATH}/${TYPE}/repodata/repomd.asc" "${SIGKEYID}" "${LOCAL_REPO_PATH}/${TYPE}/repodata/repomd.xml"
|
||||||
|
done
|
||||||
|
else
|
||||||
|
gpg --armor --local-user ${SIGKEYID} --detach-sign ${LOCAL_REPO_PATH}/x86_64/repodata/repomd.xml
|
||||||
|
gpg --armor --local-user ${SIGKEYID} --detach-sign ${LOCAL_REPO_PATH}/Source/repodata/repomd.xml
|
||||||
|
fi
|
||||||
[ -f "RPM-GPG-KEY" ] && cp RPM-GPG-KEY ${LOCAL_REPO_PATH}/RPM-GPG-KEY-${PROJECT_NAME}${PROJECT_VERSION}
|
[ -f "RPM-GPG-KEY" ] && cp RPM-GPG-KEY ${LOCAL_REPO_PATH}/RPM-GPG-KEY-${PROJECT_NAME}${PROJECT_VERSION}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user