From a16febf43237f22881a9fcb2545dfb783a67e9bb Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Tue, 26 Jul 2016 18:07:25 +0200
Subject: [PATCH] Implement GPG signing support
Signed-off-by: Jo-Philipp Wich
---
 phase1/config.ini.example | 5 +++
 phase1/master.cfg | 70 +++++++++++++++++++++++++++++++++++----
 phase1/signall.sh | 25 ++++++++++++++
 phase2/config.ini.example | 5 +++
 phase2/master.cfg | 59 +++++++++++++++++++++++++++++++++
 5 files changed, 158 insertions(+), 6 deletions(-)
 create mode 100755 phase1/signall.sh
diff --git a/phase1/config.ini.example b/phase1/config.ini.example
index fdde485..5c109fb 100644
--- a/phase1/config.ini.example
+++ b/phase1/config.ini.example
@@ -25,6 +25,11 @@ binary_password = example
 source_url = user@example.org::upload-sources
 source_password = example2
+[gpg]
+keyid = 626471F1
+passfile = ./gpg-passphrase.txt
+comment = Unattended build signature
+
 [slave 1]
 name = example-slave-1
 password = example
diff --git a/phase1/master.cfg b/phase1/master.cfg
index 6ae57d9..ea6d471 100644
--- a/phase1/master.cfg
+++ b/phase1/master.cfg
@@ -61,6 +61,20 @@ if ini.has_option("rsync", "source_url"):
 rsync_src_url = ini.get("rsync", "source_url")
 rsync_src_key = ini.get("rsync", "source_password")
+gpg_keyid = None
+gpg_comment = "Unattended build signature"
+gpg_passfile = "/dev/null"
+
+if ini.has_option("gpg", "keyid"):
+ gpg_keyid = ini.get("gpg", "keyid")
+
+if ini.has_option("gpg", "comment"):
+ gpg_comment = ini.get("gpg", "comment")
+
+if ini.has_option("gpg", "passfile"):
+ gpg_passfile = ini.get("gpg", "passfile")
+
+
 # find targets
 targets = [ ]
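Review bot: The example `keyid = 626471F1` is an 8-hex-digit short key ID, and gpg's `-u` lookup by short ID becomes ambiguous as soon as two keys in the master's keyring share those digits; the example should show a long key ID or the full fingerprint, e.g. `keyid = <full fingerprint of the signing key>`. The example also gives no hint that `passfile` names a cleartext copy of the key passphrase that is read on the master, nor that a relative path is presumably resolved against the working directory of the master process rather than against this ini file; a comment line above `passfile` saying so, and that the file should be readable only by the user the master runs as, would help. The same block is added unchanged to phase2/config.ini.example in this commit.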
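Review bot: `gpg_passfile` is taken from the ini verbatim, so a relative value such as the example's `./gpg-passphrase.txt` is presumably resolved by gpg against the working directory of the master process that later spawns signall.sh, not against the location of the ini file; either require an absolute path in the example or anchor it when reading, `gpg_passfile = os.path.abspath(ini.get("gpg", "passfile"))`, provided `os` is already imported in this file. Note also that the `/dev/null` default is a non-empty string, so the `${passfile:+…}` guard in signall.sh never suppresses `--passphrase-file` for this caller; an empty default `gpg_passfile = ""` would let the script decide. phase2/master.cfg receives the identical block at the same offset in this commit.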
@@ -114,7 +128,9 @@ from buildbot.process.factory import BuildFactory
 from buildbot.steps.source import Git
 from buildbot.steps.shell import ShellCommand
 from buildbot.steps.shell import SetProperty
+from buildbot.steps.transfer import FileUpload
 from buildbot.steps.transfer import FileDownload
+from buildbot.steps.master import MasterShellCommand
 from buildbot.process.properties import WithProperties
@@ -422,6 +438,48 @@ EOT''' %(ts[0], ts[0], ts[1]) ))
 haltOnFailure = True
 ))
+ # sign
+ if gpg_keyid is not None:
+ factory.addStep(MasterShellCommand(
+ name = "signprepare",
+ description = "Preparing temporary signing directory",
+ command = ["mkdir", "-p", "%s/signing" %(home_dir)],
+ haltOnFailure = True
+ ))
+
+ factory.addStep(ShellCommand(
+ name = "signpack",
+ description = "Packing files to sign",
+ command = ["sh", "-c", WithProperties("find bin/targets/%s/%s%%(libc)s/ -mindepth 1 -maxdepth 2 -type f -name sha256sums -or -name Packages -print0 | xargs -0 tar -czf sign.tar.gz" %(ts[0], ts[1]))],
+ haltOnFailure = True
+ ))
+
+ factory.addStep(FileUpload(
+ slavesrc = "sign.tar.gz",
+ masterdest = "%s/signing/%s.%s.tar.gz" %(home_dir, ts[0], ts[1]),
+ haltOnFailure = True
+ ))
+
+ factory.addStep(MasterShellCommand(
+ name = "signfiles",
+ description = "Signing files",
+ command = ["%s/signall.sh" %(home_dir), "%s/signing/%s.%s.tar.gz" %(home_dir, ts[0], ts[1]), gpg_keyid, gpg_passfile, gpg_comment],
+ haltOnFailure = True
+ ))
+
+ factory.addStep(FileDownload(
+ mastersrc = "%s/signing/%s.%s.tar.gz" %(home_dir, ts[0], ts[1]),
+ slavedest = "sign.tar.gz",
+ haltOnFailure = True
+ ))
+
+ factory.addStep(ShellCommand(
+ name = "signunpack",
+ description = "Unpacking signed files",
+ command = ["tar", "-xzf", "sign.tar.gz"],
+ haltOnFailure = True
+ ))
+
 # upload
 factory.addStep(ShellCommand(
 name = "uploadprepare",
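Review bot: The `signpack` find expression never outputs the sha256sums files: juxtaposition binds tighter than `-or`, so `-type f -name sha256sums -or -name Packages -print0` groups as `(-type f -and -name sha256sums) -or (-name Packages -and -print0)`, and because the expression already contains an explicit action, find adds no implicit `-print` for the left branch — only the `Packages` files reach the tarball and get signed. Group the names: `... -type f \\( -name sha256sums -or -name Packages \\) -print0 | xargs -0 tar -czf sign.tar.gz` (doubled backslashes because this is a non-raw Python string handed to `sh -c`). Separately, the master signs whatever the slave packed and returned without inspecting it, so the signing key's trust boundary now includes every build slave; that is inherent to unattended signing but deserves a sentence above the `# sign` block. The `%s/signing/%s.%s.tar.gz` name is keyed only by target, so two concurrent builds of the same target would presumably overwrite each other's tarball on the master.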
@@ -524,12 +582,12 @@ if ini.has_option("irc", "host") and ini.has_option("irc", "nickname") and ini.h
 irc_pass = ini.get("irc", "password")
 irc = words.IRC(irc_host, irc_nick, port = irc_port, password = irc_pass,
- channels = [{ "channel": irc_chan }],
- notify_events = {
- 'exception': 1,
- 'successToFailure': 1,
- 'failureToSuccess': 1
- }
+ channels = [{ "channel": irc_chan }],
+ notify_events = {
+ 'exception': 1,
+ 'successToFailure': 1,
+ 'failureToSuccess': 1
+ }
 )
 c['status'].append(irc)
diff --git a/phase1/signall.sh b/phase1/signall.sh
new file mode 100755
index 0000000..f0d80fe
--- /dev/null
+++ b/phase1/signall.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+tarball="$1"
+keyid="$2"
+passfile="$3"
+comment="$4"
+
+tmpdir="signall.$$"
+tarball="$(readlink -f "$tarball")"
+
+finish() { rm -rf "$tmpdir"; exit $1; }
+
+trap "finish 255" HUP INT TERM
+
+if [ ! -f "$tarball" ]; then
+ echo "Usage: $0 [ [ []]]"
+ finish 1
+fi
+
+mkdir "$tmpdir" || finish 2
+tar -C "$tmpdir/" -xzf "$tarball" || finish 3
+find "$tmpdir/" -type f -not -name "*.gpg" -exec gpg --no-version --batch --yes -a -b ${keyid:+-u "$keyid"} ${comment:+--comment="$comment"} ${passfile:+--passphrase-file "$passfile"} -o "{}.gpg" "{}" \; || finish 4
+tar -C "$tmpdir/" -czf "$tarball" . || finish 5
+
+finish 0
diff --git a/phase2/config.ini.example b/phase2/config.ini.example
index f21f0d3..edffc99 100644
--- a/phase2/config.ini.example
+++ b/phase2/config.ini.example
@@ -18,6 +18,11 @@ binary_password = example
 source_url = user@example.org::upload-sources
 source_password = example2
+[gpg]
+keyid = 626471F1
+passfile = ./gpg-passphrase.txt
+comment = Unattended build signature
+
 [slave 1]
 name = slave-example-1
 password = example
diff --git a/phase2/master.cfg b/phase2/master.cfg
index 4154c1d..260186e 100644
--- a/phase2/master.cfg
+++ b/phase2/master.cfg
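Review bot: `tmpdir="signall.$$"` is a predictable name created in whatever directory the master happens to run signall.sh from, and `finish` runs `rm -rf "$tmpdir"` even on the `mkdir` failure path, i.e. on a directory this script did not create; replace the two lines `tmpdir="signall.$$"` and `mkdir "$tmpdir" || finish 2` with `tmpdir="$(mktemp -d)" || exit 2` placed before the `trap`. On GnuPG 2.1 and later `--passphrase-file` is honoured only together with `--pinentry-mode loopback` (older 2.1 releases additionally need the agent to allow loopback pinentry), so a passphrase-protected key will make this `--batch` run fail rather than prompt; either add that option or document that the key must be unprotected. The archive is produced by a build slave, extracted here under the master's account, and every regular file in it is then signed, so a compromised slave obtains signatures over content of its choosing; a header comment stating that trust assumption would help the next maintainer.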
@@ -61,6 +61,20 @@ if ini.has_option("rsync", "source_url"):
 rsync_src_url = ini.get("rsync", "source_url")
 rsync_src_key = ini.get("rsync", "source_password")
+gpg_keyid = None
+gpg_comment = "Unattended build signature"
+gpg_passfile = "/dev/null"
+
+if ini.has_option("gpg", "keyid"):
+ gpg_keyid = ini.get("gpg", "keyid")
+
+if ini.has_option("gpg", "comment"):
+ gpg_comment = ini.get("gpg", "comment")
+
+if ini.has_option("gpg", "passfile"):
+ gpg_passfile = ini.get("gpg", "passfile")
+
+
 # find arches
 arches = [ ]
 archnames = [ ]
@@ -120,7 +134,9 @@ from buildbot.process.factory import BuildFactory
 from buildbot.steps.source import Git
 from buildbot.steps.shell import ShellCommand
 from buildbot.steps.shell import SetProperty
+from buildbot.steps.transfer import FileUpload
 from buildbot.steps.transfer import FileDownload
+from buildbot.steps.master import MasterShellCommand
 from buildbot.process.properties import WithProperties
 c['builders'] = []
@@ -211,6 +227,49 @@ for arch in arches:
 workdir = "build/sdk",
 command = ["make", WithProperties("-j%(nproc:~4)s"), "V=s", "IGNORE_ERRORS=n m y", "BUILD_LOG=1", "CONFIG_SIGNED_PACKAGES=y"]))
+ if gpg_keyid is not None:
+ factory.addStep(MasterShellCommand(
+ name = "signprepare",
+ description = "Preparing temporary signing directory",
+ command = ["mkdir", "-p", "%s/signing" %(home_dir)],
+ haltOnFailure = True
+ ))
+
+ factory.addStep(ShellCommand(
+ name = "signpack",
+ description = "Packing files to sign",
+ workdir = "build/sdk",
+ command = ["sh", "-c", "find bin/packages/%s/ -mindepth 2 -maxdepth 2 -type f -name Packages -print0 | xargs -0 tar -czf sign.tar.gz" %(arch[0])],
+ haltOnFailure = True
+ ))
+
+ factory.addStep(FileUpload(
+ slavesrc = "sdk/sign.tar.gz",
+ masterdest = "%s/signing/%s.tar.gz" %(home_dir, arch[0]),
+ haltOnFailure = True
+ ))
+
+ factory.addStep(MasterShellCommand(
+ name = "signfiles",
+ description = "Signing files",
+ command = ["%s/signall.sh" %(home_dir), "%s/signing/%s.tar.gz" %(home_dir, arch[0]), gpg_keyid, gpg_passfile, gpg_comment],
+ haltOnFailure = True
+ ))
+
+ factory.addStep(FileDownload(
+ mastersrc = "%s/signing/%s.tar.gz" %(home_dir, arch[0]),
+ slavedest = "sdk/sign.tar.gz",
+ haltOnFailure = True
+ ))
+
+ factory.addStep(ShellCommand(
+ name = "signunpack",
+ description = "Unpacking signed files",
+ workdir = "build/sdk",
+ command = ["tar", "-xzf", "sign.tar.gz"],
+ haltOnFailure = True
+ ))
+
 factory.addStep(ShellCommand(
 name = "uploadprepare",
 description = "Preparing package directory",
-- 
2.30.2
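Review bot: The six signing steps here repeat the phase1/master.cfg block almost line for line, differing only in the `workdir` keyword, the `sdk/` path prefix and the find expression, so a small shared helper that builds the step list from a tarball name, search command and workdir would keep the two copies from drifting apart as fixes land in one but not the other. The `FileUpload` and `FileDownload` steps also carry no `name`/`description`, unlike every other step in the block, which leaves them with generic labels in the build status; `name = "signupload"` and `name = "signdownload"` would match the surrounding naming. Finally, the master-side tarball is keyed only by `arch[0]`, so if more than one builder for the same arch can run at once they would presumably overwrite `%s/signing/%s.tar.gz` on the master mid-signing.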