feat: implement remote package signing (#24196)
bnpfeife authored Apr 12, 2023
1 parent a7a6e92 commit ed9f021
Showing 2 changed files with 42 additions and 28 deletions.
42 changes: 42 additions & 0 deletions .circleci/config.yml
Expand Up @@ -164,6 +164,13 @@ workflows:
- build-package-linux-amd64
- changelog:
<<: *any_filter
- sign-packages:
<<: *release_filter
requires:
- build-package-linux-amd64
- build-package-linux-arm64
- build-package-darwin-amd64
- build-package-windows-amd64
- s3-publish-packages:
<<: *release_filter
requires:
Expand All @@ -172,6 +179,7 @@ workflows:
- build-package-linux-amd64
- build-package-linux-arm64
- build-package-windows-amd64
- sign-packages
- s3-publish-changelog:
<<: *release_filter
publish-type: release
Expand Down Expand Up @@ -517,8 +525,42 @@ jobs:
- artifacts
- store_artifacts:
path: /artifacts

destination: artifacts

sign-packages:
circleci_ip_ranges: true
docker:
- image: quay.io/influxdb/rsign:latest
auth:
username: $QUAY_RSIGN_USERNAME
password: $QUAY_RSIGN_PASSWORD
steps:
- add_ssh_keys:
fingerprints:
- fc:7b:6e:a6:38:7c:63:5a:13:be:cb:bb:fa:33:b3:3c
- attach_workspace:
at: /tmp/workspace
- run: |
for target in /tmp/workspace/artifacts/*
do
case "${target}"
in
# rsign is shipped on Alpine Linux which uses "busybox ash" instead
# of bash. ash is somewhat more posix compliant and is missing some
# extensions and niceties from bash.
*.deb|*.rpm|*.tar.gz|*.zip)
rsign "${target}"
;;
esac
done
- persist_to_workspace:
root: /tmp/workspace
paths:
- artifacts
- store_artifacts:
path: /tmp/workspace/artifacts

s3-publish-packages:
docker:
- image: ubuntu:latest
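Review bot: The gate that kept non-release builds away from the signing key, previously enforced inside the removed `sign_artifacts` (`if [[ ! ${RELEASE:-} ]] then return 0`), now rests solely on the `release_filter` anchor, which is defined outside this hunk, so a later edit to that alias or to the `requires` lists would silently widen who can reach the rsign service. A defence-in-depth check at the top of the `run` step keeps the policy local to the job; if `release_filter` is tag-based as its name suggests, `[ -n "${CIRCLE_TAG:-}" ] || { echo "sign-packages: refusing to sign an untagged build" >&2; exit 1; }` would do (plain `[ ]`, since the image runs ash per the comment in the loop). The loop also never confirms that `rsign` produced a signature for each artifact before `persist_to_workspace`, so an artifact that the signing server skips with a zero exit would still flow into `s3-publish-packages` unsigned; once the signature file naming is known, a post-loop existence check per signed artifact would close that gap. The `sign-packages` job is complete within the hunk; the `s3-publish-packages` job continues outside it.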
28 changes: 0 additions & 28 deletions .circleci/scripts/build-package
Expand Up @@ -135,33 +135,5 @@ build_package_linux()
run_fpm rpm
}

sign_artifacts()
{
# If this is not a release version, don't sign the artifacts. This
# prevents unathorized PRs and branches from being signed with our
# signing key.
if [[ ! ${RELEASE:-} ]]
then
return 0
fi

# CircleCI mangles environment variables with newlines. This key contians
# escaped newlines. For `gpg` to import the key, it requires `echo -e` to
# expand the escape sequences.
gpg --batch --import <<<"$(echo -e "${GPG_PRIVATE_KEY}")"

# TODO(bnpfeife): replace with code signing server
for target in /artifacts/*
do
gpg \
--batch \
--pinentry-mode=loopback \
--passphrase "${PASSPHRASE}" \
--detach-sign \
--armor "${target}"
done
}

build_archive
build_package_linux
sign_artifacts
