Merge pull request #4399 from esl/sign-mim-packages

Add package signing script to the CI pipeline
esl · Nov 28, 2024 · 96818b2 · 96818b2
2 parents a9697a3 + 290aaec
commit 96818b2
Show file tree

Hide file tree

Showing 5 changed files with 85 additions and 4 deletions.
diff --git a/tools/pkg/Dockerfile_deb b/tools/pkg/Dockerfile_deb
@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1
 # vi: ft=dockerfile
 ARG builder_image
 ARG target_image
@@ -7,7 +8,15 @@ FROM $builder_image AS builder
 # Install build deps
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update
-RUN apt-get install -y locales git make zlib1g-dev unixodbc-dev gcc g++ libssl-dev curl
+RUN apt-get install -y locales git make zlib1g-dev unixodbc-dev gcc g++ libssl-dev curl gpg wget gnupg
+
+# The signing script requires debsigs version 0.2 or higher, which is unavailable in
+# package repositories of Ubuntu versions earlier than 24.10 and Debian versions earlier than 13.
+# TODO: Switch to installing debsigs via apt once support for these older versions is dropped.
+RUN wget http://ftp.de.debian.org/debian/pool/main/d/debsigs/debsigs_0.2.2-1_all.deb && \
+    dpkg -i debsigs_0.2.2-1_all.deb && \
+    rm debsigs_0.2.2-1_all.deb && \
+    which debsigs
 
 ARG erlang_version
 
@@ -27,6 +36,12 @@ ARG revision
 
 RUN ./deb/build_package.sh $version $revision $erlang_version
 
+# Sign the built package with the keys provided
+RUN --mount=type=secret,id=GPG_PUBLIC_KEY,env=GPG_PUBLIC_KEY \
+    --mount=type=secret,id=GPG_PRIVATE_KEY,env=GPG_PRIVATE_KEY \
+    --mount=type=secret,id=GPG_PASS,env=GPG_PASS \
+    ./mongooseim/tools/pkg/sign.sh
+
 # Create image for sharing and validation of built package
 FROM $target_image AS target
 

diff --git a/tools/pkg/Dockerfile_rpm b/tools/pkg/Dockerfile_rpm
@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1
 # vi: ft=dockerfile
 ARG builder_image
 ARG target_image
@@ -6,7 +7,7 @@ FROM $builder_image AS builder
 
 # Install the build dependencies
 RUN dnf install -y rpm-build rpmdevtools git make zlib-devel unixODBC-devel gcc gcc-c++ \
-    openssl openssl-devel chrpath glibc-locale-source systemd-rpm-macros
+    openssl openssl-devel chrpath glibc-locale-source systemd-rpm-macros rpm-sign
 
 # Fix locale setup
 # See https://github.com/CentOS/sig-cloud-instance-images/issues/71#issuecomment-266957519
@@ -31,12 +32,18 @@ ARG revision
 
 RUN ./BUILD/mongooseim/tools/pkg/scripts/rpm/build_package.sh $version $revision $erlang_version
 
+# Sign the built package with the keys provided
+RUN --mount=type=secret,id=GPG_PUBLIC_KEY,env=GPG_PUBLIC_KEY \
+    --mount=type=secret,id=GPG_PRIVATE_KEY,env=GPG_PRIVATE_KEY \
+    --mount=type=secret,id=GPG_PASS,env=GPG_PASS \
+    ./BUILD/mongooseim/tools/pkg/sign.sh
+
 # Create image for sharing and validation of built package
 FROM $target_image AS target
 
 # Copy built package from previous image and install it with required dependencies
 WORKDIR /root/
-COPY --from=builder /root/mongooseim*.rpm .
+COPY --from=builder /root/rpmbuild/mongooseim*.rpm .
 RUN dnf -y update && dnf install -y mongooseim*.rpm
 
 # Simple check if MiM works

diff --git a/tools/pkg/build.sh b/tools/pkg/build.sh
@@ -80,6 +80,9 @@ docker build -t mongooseim-${platform}:${version}-${revision} \
     --build-arg version=${version} \
     --build-arg revision=${revision} \
     --build-arg erlang_version=${erlang_version} \
+    --secret id=GPG_PUBLIC_KEY \
+    --secret id=GPG_PRIVATE_KEY \
+    --secret id=GPG_PASS \
     -f ${dockerfile_path} \
     $context_path
 

diff --git a/tools/pkg/scripts/rpm/build_package.sh b/tools/pkg/scripts/rpm/build_package.sh
@@ -21,4 +21,4 @@ os_version=$VERSION_ID
 package_os_file_name=${os}~${os_version}
 
 mv ~/rpmbuild/RPMS/${arch}/mongooseim-${version}-${revision}.${arch}.rpm \
-    ~/mongooseim_${version}_${revision}_otp_${otp_version}~${package_os_file_name}_${package_name_arch}.rpm
+    ~/rpmbuild/mongooseim_${version}_${revision}_otp_${otp_version}~${package_os_file_name}_${package_name_arch}.rpm
diff --git a/tools/pkg/sign.sh b/tools/pkg/sign.sh
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+set -e
+
+trap 'rm -f ~/.rpmmacros' EXIT
+
+PACKAGE_NAME=$(find . -maxdepth 1 -type f \( -name "*.deb" -o -name "*.rpm" \))
+
+echo "$GPG_PRIVATE_KEY" | base64 -d | gpg --batch --pinentry-mode loopback --import
+
+GPG_KEY_ID=$(gpg --list-keys --with-colons | grep '^pub' | cut -d':' -f5)
+if [ -z "$GPG_KEY_ID" ]; then
+    echo "Error: Failed to import GPG key."
+    exit 1
+fi
+
+GPG_KEY_EMAIL=$(gpg --list-keys --with-colons | grep '^uid' | cut -d':' -f10 | head -n 1)
+
+echo "$GPG_PUBLIC_KEY" | base64 -d > public.key
+
+if [[ "$PACKAGE_NAME" == *.deb ]]; then
+    gpg --import public.key
+    rm -f public.key
+
+    debsigs --gpgopts "--no-tty --pinentry-mode loopback --passphrase $GPG_PASS" \
+            --sign=origin -k="$GPG_KEY_ID" "$PACKAGE_NAME"
+    echo "DEB package signed successfully: $PACKAGE_NAME"
+
+    debsigs --verify "$PACKAGE_NAME"
+    echo "DEB package verified successfully: $PACKAGE_NAME"
+elif [[ "$PACKAGE_NAME" == *.rpm ]]; then
+    rpm --import public.key
+    rm -f public.key
+
+    cat > ~/.rpmmacros <<EOF
+          %__gpg $(type -p gpg)
+          %_gpg_path $HOME/.gnupg
+          %_gpg_name $GPG_KEY_EMAIL
+          %_signature gpg
+          %_gpg_pass $GPG_PASS
+          %__gpg_sign_cmd %{__gpg} gpg --no-verbose --no-armor --batch \
+            --pinentry-mode loopback --passphrase "%{_gpg_pass}" \
+            --no-secmem-warning -u "%{_gpg_name}" \
+            -sbo %{__signature_filename} %{__plaintext_filename}
+EOF
+
+    rpm --addsign "$PACKAGE_NAME"
+    echo "RPM package signed successfully: $PACKAGE_NAME"
+
+    rpm --checksig "$PACKAGE_NAME"
+    echo "RPM package verified successfully: $PACKAGE_NAME"
+
+    rm -f ~/.rpmmacros
+else
+    echo "No packages found to sign"
+    exit 1
+fi