From 63b56462bc4354a94e52f8bcf05374c984cc175a Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Fri, 15 Jul 2016 15:48:25 +0000
Subject: [PATCH] Add a job to sign tarballs and wheels

Add an initial job to exercise the signing node, which can retrieve tarballs and wheels, sign them and upload those signatures. Only use it for the git-review project to start, while we iron out any bugs.

Change-Id: Ic8b69f5ee2c5f203bb443263bca10218e8d20be7
---
 jenkins/jobs/projects.yaml | 1 +
 jenkins/jobs/signing-jobs.yaml | 21 ++++++++++++++
 jenkins/scripts/tarball-signing.sh | 46 ++++++++++++++++++++++++++++++
 zuul/layout.yaml | 20 ++++++++++++-
 zuul/openstack_functions.py | 2 +-
 5 files changed, 88 insertions(+), 2 deletions(-)
 create mode 100644 jenkins/jobs/signing-jobs.yaml
 create mode 100755 jenkins/scripts/tarball-signing.sh
diff --git a/jenkins/jobs/projects.yaml b/jenkins/jobs/projects.yaml
index 97085edba9..49998b7c6f 100644
--- a/jenkins/jobs/projects.yaml
+++ b/jenkins/jobs/projects.yaml
@@ -2560,6 +2560,7 @@
 suffix: '-nv'
 - pypi-jobs
 - infra-publish-jobs
+ - '{name}-tarball-signing'
 - project:
 name: git-upstream
diff --git a/jenkins/jobs/signing-jobs.yaml b/jenkins/jobs/signing-jobs.yaml
new file mode 100644
index 0000000000..925a2161b7
--- /dev/null
+++ b/jenkins/jobs/signing-jobs.yaml
@@ -0,0 +1,21 @@
+- job-template:
+ name: '{name}-tarball-signing'
+ node: signing
+
+ builders:
+ - print-template-name:
+ template-name: "{template-name}"
+ - revoke-sudo
+ - gerrit-git-prep
+ - shell: |
+ /usr/local/jenkins/slave_scripts/tarball-signing.sh {name} \
+ {tarball-site}
+
+ publishers:
+ - scp:
+ site: '{tarball-site}'
+ files:
+ - target: 'tarballs/{name}/'
+ source: '*.asc'
+ - console-log
+
diff --git a/jenkins/scripts/tarball-signing.sh b/jenkins/scripts/tarball-signing.sh
new file mode 100755
index 0000000000..103437e524
--- /dev/null
+++ b/jenkins/scripts/tarball-signing.sh
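Review bot: In `jenkins/jobs/signing-jobs.yaml` the builders run `gerrit-git-prep` on the `signing` node, so the project checkout, including the `setup.cfg` that tarball-signing.sh reads through `pypi-extract-name.py`, is processed on the host that presumably holds the signing key. Nothing in the template records that trust assumption; a comment above `builders:` such as `# signing node: builders only fetch, inspect and sign artifacts; never run project code here` would make it explicit for whoever extends the job. The `scp` publisher's `source: '*.asc'` glob uploads every matching file in the workspace, so it relies on the script's `rm -rf *.asc` having cleared anything the checkout brought in; that dependency deserves a one-line comment next to the glob.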
@@ -0,0 +1,46 @@
+#!/bin/bash -xe
+#
+# Copyright 2012 Hewlett-Packard Development Company, L.P.
+# Copyright 2013, 2016 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Retrieve python tarballs/wheels and make detached OpenPGP signatures.
+
+PROJECT=$1
+TARBALL_SITE=$2
+TAG=$(echo $ZUUL_REF | sed 's/^refs.tags.//')
+
+# Look in the setup.cfg to determine if a package name is specified, but
+# fall back on the project name if necessary. Also look in the setup.cfg
+# to see if this is a universal wheel or not
+DISTNAME=$(/usr/local/jenkins/slave_scripts/pypi-extract-name.py --wheel \
+ || echo $PROJECT)
+TARBALL="$(/usr/local/jenkins/slave_scripts/pypi-extract-name.py
+ --tarball || echo $PROJECT)-${TAG}.tar.gz"
+WHEEL="$(/usr/local/jenkins/slave_scripts/pypi-extract-name.py
+ --wheel || echo $PROJECT)-${TAG}-$(
+ /usr/local/jenkins/slave_scripts/pypi-extract-universal.py ||
+ true)-none-any.whl"
+
+rm -rf *.asc *.tar.gz *.whl
+
+curl --fail -o $TARBALL https://${TARBALL_SITE}/${PROJECT}/${TARBALL}
+file -b $TARBALL | grep gzip # Make sure we actually got a tarball
+gpg --armor --detach-sign $TARBALL
+
+# Wheels are not mandatory, so only sign if we have one
+if curl --fail -o $WHEEL https://${TARBALL_SITE}/${PROJECT}/${WHEEL}; then
+ file -b $WHEEL | grep -i zip # Make sure we actually got a wheel
+ gpg --armor --detach-sign $WHEEL
+fi
diff --git a/zuul/layout.yaml b/zuul/layout.yaml
index 3afdaafb8e..34752328f6 100755
--- a/zuul/layout.yaml
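Review bot: In `jenkins/scripts/tarball-signing.sh` the `TARBALL=` and `WHEEL=` assignments break the `pypi-extract-name.py` call across lines without a trailing backslash, unlike the `DISTNAME=` line above them. Inside `$( … )` a newline ends the command, so the script is invoked with no option and `--tarball` / `--wheel` are then run as commands of their own, which means the file name that is fetched and signed is probably not the one derived from setup.cfg. Ending those two lines with a continuation (`…/pypi-extract-name.py \`) passes the option as intended, and `DISTNAME`, which is assigned but never used, can then be dropped or reused. Separately, the only check between `curl` and `gpg --detach-sign` is the `file | grep` type test, so the signature vouches for whatever the tarball site served at that moment; if the build job records a digest, comparing against it before signing would tie the signature to the built artifact. The expansions `$TARBALL`, `$WHEEL` and `$ZUUL_REF` are also unquoted and should be wrapped in double quotes.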
+++ b/zuul/layout.yaml
@@ -3366,11 +3366,29 @@ projects:
 - name: python-jobs
 - name: python34-jobs
 - name: python35-jobs-nv
- - name: publish-to-pypi
 check:
 - gate-git-review-python34
+ pre-release:
+ - git-review-tarball:
+ - git-review-pypi-both-upload
 release:
 - git-review-infra-docs-tags-only
+ - git-review-tarball:
+ - git-review-tarball-signing
+ - git-review-pypi-both-upload:
+ - wheel-build-ubuntu-trusty-amd64-python2:
+ - wheel-release-trustyx64
+ - wheel-build-ubuntu-trusty-amd64-python3:
+ - wheel-release-trustyx64
+ - wheel-build-ubuntu-xenial-amd64-python2:
+ - wheel-release-xenialx64
+ - wheel-build-ubuntu-xenial-amd64-python3:
+ - wheel-release-xenialx64
+ - wheel-build-centos-7-amd64-python2:
+ - wheel-release-cent7x64
+ - wheel-build-centos-7-amd64-python3:
+ - wheel-release-cent7x64
+ - git-review-announce-release
 - name: openstack-infra/gitdm
 template:
diff --git a/zuul/openstack_functions.py b/zuul/openstack_functions.py
index 26a48544b7..06d3dbeb04 100644
--- a/zuul/openstack_functions.py
+++ b/zuul/openstack_functions.py
@@ -52,7 +52,7 @@ def set_node_options(item, job, params):
 hook_re = r'^hook-(.*?)-(rtfd)$'
 wheel_re = r'^wheel-(build|release)-.*$'
 reprepro_re = r'^reprepro-(import|release)-.*$'
- signing_re = r'^tag-releases$'
+ signing_re = r'^(.*-tarball-signing|tag-releases)$'
 # jobs run on the persistent proposal, release, signing, and wheel
 # build workers
 if (re.match(proposal_re, job.name) or
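Review bot: In `zuul/layout.yaml` the signing job is attached only under `release:`; the new `pre-release:` tree uploads through `git-review-pypi-both-upload` with no `git-review-tarball-signing` next to it, so pre-release artifacts would be published without a signature. If that is intended while the job is being trialled, a comment above `pre-release:` saying so (for example `# pre-releases are not signed yet; add git-review-tarball-signing once the job is proven`) would keep it from being read as an oversight. The hunk also drops the `publish-to-pypi` template in favour of what appears to be an inline copy of its job tree, which the commit message does not mention and which would have to be kept in step with the template by hand. The nesting of the added jobs cannot be confirmed from this view because the indentation is not preserved.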
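Review bot: In `zuul/openstack_functions.py` the widened `signing_re` matches every job whose name ends in `-tarball-signing`, because `.*` accepts any prefix, including an empty one; going by the comment below it, that match is what places a job on the persistent signing worker, so the job name alone now decides which jobs reach it. A comment on the line would make that visible to reviewers of future job definitions, for example `# any job named <project>-tarball-signing lands on the signing worker; review new job names accordingly`. Using `.+` would at least require a project prefix: `signing_re = r'^(.+-tarball-signing|tag-releases)$'`. The `if` that consumes the pattern continues past the end of the hunk, so how the match is acted on is not visible here.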