Implement GPG signing support
authorJo-Philipp Wich <jo@mein.io>
Tue, 26 Jul 2016 16:07:25 +0000 (18:07 +0200)
committerJo-Philipp Wich <jo@mein.io>
Tue, 26 Jul 2016 16:08:26 +0000 (18:08 +0200)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
phase1/config.ini.example
phase1/master.cfg
phase1/signall.sh [new file with mode: 0755]
phase2/config.ini.example
phase2/master.cfg

index fdde4859a57e00a6a4e76b4e3fa1376f955aed97..5c109fb4ccad38c633cfe41da0a4939e8e11fd20 100644 (file)
@@ -25,6 +25,11 @@ binary_password = example
 source_url = user@example.org::upload-sources
 source_password = example2
 
+[gpg]
+keyid = 626471F1
+passfile = ./gpg-passphrase.txt
+comment = Unattended build signature
+
 [slave 1]
 name = example-slave-1
 password = example
index 6ae57d9004437e3a132734b4c98f14110a4a888f..ea6d47164885e75619878c34533385ed3ea837b9 100644 (file)
@@ -61,6 +61,20 @@ if ini.has_option("rsync", "source_url"):
        rsync_src_url = ini.get("rsync", "source_url")
        rsync_src_key = ini.get("rsync", "source_password")
 
+gpg_keyid = None
+gpg_comment = "Unattended build signature"
+gpg_passfile = "/dev/null"
+
+if ini.has_option("gpg", "keyid"):
+       gpg_keyid = ini.get("gpg", "keyid")
+
+if ini.has_option("gpg", "comment"):
+       gpg_comment = ini.get("gpg", "comment")
+
+if ini.has_option("gpg", "passfile"):
+       gpg_passfile = ini.get("gpg", "passfile")
+
+
 # find targets
 targets = [ ]
 
@@ -114,7 +128,9 @@ from buildbot.process.factory import BuildFactory
 from buildbot.steps.source import Git
 from buildbot.steps.shell import ShellCommand
 from buildbot.steps.shell import SetProperty
+from buildbot.steps.transfer import FileUpload
 from buildbot.steps.transfer import FileDownload
+from buildbot.steps.master import MasterShellCommand
 from buildbot.process.properties import WithProperties
 
 
@@ -422,6 +438,48 @@ EOT''' %(ts[0], ts[0], ts[1]) ))
                haltOnFailure = True
        ))
 
+       # sign
+       if gpg_keyid is not None:
+               factory.addStep(MasterShellCommand(
+                       name = "signprepare",
+                       description = "Preparing temporary signing directory",
+                       command = ["mkdir", "-p", "%s/signing" %(home_dir)],
+                       haltOnFailure = True
+               ))
+
+               factory.addStep(ShellCommand(
+                       name = "signpack",
+                       description = "Packing files to sign",
+                       command = ["sh", "-c", WithProperties("find bin/targets/%s/%s%%(libc)s/ -mindepth 1 -maxdepth 2 -type f -name sha256sums -or -name Packages -print0 | xargs -0 tar -czf sign.tar.gz" %(ts[0], ts[1]))],
+                       haltOnFailure = True
+               ))
+
+               factory.addStep(FileUpload(
+                       slavesrc = "sign.tar.gz",
+                       masterdest = "%s/signing/%s.%s.tar.gz" %(home_dir, ts[0], ts[1]),
+                       haltOnFailure = True
+               ))
+
+               factory.addStep(MasterShellCommand(
+                       name = "signfiles",
+                       description = "Signing files",
+                       command = ["%s/signall.sh" %(home_dir), "%s/signing/%s.%s.tar.gz" %(home_dir, ts[0], ts[1]), gpg_keyid, gpg_passfile, gpg_comment],
+                       haltOnFailure = True
+               ))
+
+               factory.addStep(FileDownload(
+                       mastersrc = "%s/signing/%s.%s.tar.gz" %(home_dir, ts[0], ts[1]),
+                       slavedest = "sign.tar.gz",
+                       haltOnFailure = True
+               ))
+
+               factory.addStep(ShellCommand(
+                       name = "signunpack",
+                       description = "Unpacking signed files",
+                       command = ["tar", "-xzf", "sign.tar.gz"],
+                       haltOnFailure = True
+               ))
+
        # upload
        factory.addStep(ShellCommand(
                name = "uploadprepare",
@@ -524,12 +582,12 @@ if ini.has_option("irc", "host") and ini.has_option("irc", "nickname") and ini.h
                irc_pass = ini.get("irc", "password")
 
        irc = words.IRC(irc_host, irc_nick, port = irc_port, password = irc_pass,
-                       channels = [{ "channel": irc_chan }],
-                       notify_events = {
-                         'exception': 1,
-                         'successToFailure': 1,
-                         'failureToSuccess': 1
-                       }
+                       channels = [{ "channel": irc_chan }],
+                       notify_events = {
+                         'exception': 1,
+                         'successToFailure': 1,
+                         'failureToSuccess': 1
+                       }
        )
 
        c['status'].append(irc)
diff --git a/phase1/signall.sh b/phase1/signall.sh
new file mode 100755 (executable)
index 0000000..f0d80fe
--- /dev/null
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+tarball="$1"
+keyid="$2"
+passfile="$3"
+comment="$4"
+
+tmpdir="signall.$$"
+tarball="$(readlink -f "$tarball")"
+
+finish() { rm -rf "$tmpdir"; exit $1; }
+
+trap "finish 255" HUP INT TERM
+
+if [ ! -f "$tarball" ]; then
+       echo "Usage: $0 <tarball> [<keyid> [<passfile> [<comment>]]]"
+       finish 1
+fi
+
+mkdir "$tmpdir" || finish 2
+tar -C "$tmpdir/" -xzf "$tarball" || finish 3
+find "$tmpdir/" -type f -not -name "*.gpg" -exec gpg --no-version --batch --yes -a -b ${keyid:+-u "$keyid"} ${comment:+--comment="$comment"} ${passfile:+--passphrase-file "$passfile"} -o "{}.gpg" "{}" \; || finish 4
+tar -C "$tmpdir/" -czf "$tarball" . || finish 5
+
+finish 0
index f21f0d3791249597729b66f8ff10fcfbc210a0ab..edffc99e2f07adb1302852334b4fb47146d60371 100644 (file)
@@ -18,6 +18,11 @@ binary_password = example
 source_url = user@example.org::upload-sources
 source_password = example2
 
+[gpg]
+keyid = 626471F1
+passfile = ./gpg-passphrase.txt
+comment = Unattended build signature
+
 [slave 1]
 name = slave-example-1
 password = example
index 4154c1d08b61d35acc9076fa99eb2d8c73e15a0c..260186e1a0e6f6e3674492a6fec552f9ecd9c174 100644 (file)
@@ -61,6 +61,20 @@ if ini.has_option("rsync", "source_url"):
        rsync_src_url = ini.get("rsync", "source_url")
        rsync_src_key = ini.get("rsync", "source_password")
 
+gpg_keyid = None
+gpg_comment = "Unattended build signature"
+gpg_passfile = "/dev/null"
+
+if ini.has_option("gpg", "keyid"):
+       gpg_keyid = ini.get("gpg", "keyid")
+
+if ini.has_option("gpg", "comment"):
+       gpg_comment = ini.get("gpg", "comment")
+
+if ini.has_option("gpg", "passfile"):
+       gpg_passfile = ini.get("gpg", "passfile")
+
+
 # find arches
 arches = [ ]
 archnames = [ ]
@@ -120,7 +134,9 @@ from buildbot.process.factory import BuildFactory
 from buildbot.steps.source import Git
 from buildbot.steps.shell import ShellCommand
 from buildbot.steps.shell import SetProperty
+from buildbot.steps.transfer import FileUpload
 from buildbot.steps.transfer import FileDownload
+from buildbot.steps.master import MasterShellCommand
 from buildbot.process.properties import WithProperties
 
 c['builders'] = []
@@ -211,6 +227,49 @@ for arch in arches:
                workdir = "build/sdk",
                command = ["make", WithProperties("-j%(nproc:~4)s"), "V=s", "IGNORE_ERRORS=n m y", "BUILD_LOG=1", "CONFIG_SIGNED_PACKAGES=y"]))
 
+       if gpg_keyid is not None:
+               factory.addStep(MasterShellCommand(
+                       name = "signprepare",
+                       description = "Preparing temporary signing directory",
+                       command = ["mkdir", "-p", "%s/signing" %(home_dir)],
+                       haltOnFailure = True
+               ))
+
+               factory.addStep(ShellCommand(
+                       name = "signpack",
+                       description = "Packing files to sign",
+                       workdir = "build/sdk",
+                       command = ["sh", "-c", "find bin/packages/%s/ -mindepth 2 -maxdepth 2 -type f -name Packages -print0 | xargs -0 tar -czf sign.tar.gz" %(arch[0])],
+                       haltOnFailure = True
+               ))
+
+               factory.addStep(FileUpload(
+                       slavesrc = "sdk/sign.tar.gz",
+                       masterdest = "%s/signing/%s.tar.gz" %(home_dir, arch[0]),
+                       haltOnFailure = True
+               ))
+
+               factory.addStep(MasterShellCommand(
+                       name = "signfiles",
+                       description = "Signing files",
+                       command = ["%s/signall.sh" %(home_dir), "%s/signing/%s.tar.gz" %(home_dir, arch[0]), gpg_keyid, gpg_passfile, gpg_comment],
+                       haltOnFailure = True
+               ))
+
+               factory.addStep(FileDownload(
+                       mastersrc = "%s/signing/%s.tar.gz" %(home_dir, arch[0]),
+                       slavedest = "sdk/sign.tar.gz",
+                       haltOnFailure = True
+               ))
+
+               factory.addStep(ShellCommand(
+                       name = "signunpack",
+                       description = "Unpacking signed files",
+                       workdir = "build/sdk",
+                       command = ["tar", "-xzf", "sign.tar.gz"],
+                       haltOnFailure = True
+               ))
+
        factory.addStep(ShellCommand(
                name = "uploadprepare",
                description = "Preparing package directory",