Update the sigul-sign-dir.sh to sign artifacts using docker.
The docker image is built on CentOS Streams 8/9. The newer version
of sigul 1.1.1 available for CentOS 8 is not backwards compatible
with the version of sigul on CentOS 7.
As a temporary workaround build a CentOS7 docker image with
sigul installed and use it for signing artifacts on platforms
where sigul is not readily available.
Issue-ID: IT-23826
Change-Id: Ie22e23240f7fe388219c0afc4d4c229f390efa9c
Signed-off-by: Anil Belur <abelur@linuxfoundation.org>
--- /dev/null
+FROM centos:7
+SHELL ["/bin/bash", "-c"]
+
+RUN echo $'[fedora-infra-sigul] \n\
+name=Fedora builder packages for sigul \n\
+baseurl=https://kojipkgs.fedoraproject.org/repos-dist/epel\$releasever-infra/latest/\$basearch/ \n\
+enabled=1 \n\
+gpgcheck=1 \n\
+gpgkey=https://infrastructure.fedoraproject.org/repo/infra/RPM-GPG-KEY-INFRA-TAGS \n\
+includepkgs=sigul* \n\
+skip_if_unavailable=True' > /etc/yum.repos.d/fedora-infra-sigul.repo
+
+RUN yum install -y -q sigul
+
+RUN mkdir -p /w/workspace && mkdir -p /home/jenkins
+
+COPY ./sigul-sign.sh /
+USER root
+
+ENTRYPOINT ["/bin/bash", "/sigul-sign.sh"]
+CMD ["${SIGN_DIR}"]
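Review bot: `CMD ["${SIGN_DIR}"]` on the last line is exec form, so no shell expands it and the entrypoint script receives the literal string `${SIGN_DIR}` as `$1`; the script reads the `SIGN_DIR` environment variable instead, so the line is at best misleading. There is also no `ARG SIGN_DIR` in this Dockerfile, so the `--build-arg SIGN_DIR=...` passed by the build step in sigul-sign-dir.sh has nothing to bind to. Dropping the `CMD` line (the value already arrives via `docker run -e SIGN_DIR=...`) or writing it in shell form, `CMD ${SIGN_DIR}`, removes the ambiguity. Ending the install layer with `RUN yum install -y -q sigul && yum clean all` would keep the cached repo metadata out of the image.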
--- /dev/null
+---
+fixes:
+ - |
+ Update the sigul-sign-dir.sh to sign artifacts using docker. The docker
+ image is built on CentOS Streams 8/9. The newer version of sigul 1.1.1
+ available for CentOS 8 is not backwords compatible with the version of
+ sigul on CentOS 7.
+
+ As a temporary workaround build a CentOS7 docker image with sigul
+ installed and use it for signing artificats on platforms where sigul is
+ not readly available.
+
+ Note: the executor node needs to have docker installed, so it can't be
+ a "vanilla" build node but must be a docker node.
# Ensure we fail the job if any steps fail.
set -e -o pipefail
-lftools sign sigul -m "${SIGN_MODE}" "${SIGN_DIR}"
+OS=$(facter operatingsystem | tr '[:upper:]' '[:lower:]')
+OS_RELEASE=$(facter lsbdistrelease | tr '[:upper:]' '[:lower:]')
+if [[ "$OS_RELEASE" == "8" && "$OS" == 'centos' ]]; then
+ # Get Dockerfile and the enterpoint to build the docker image.
+ wget -O "${WORKSPACE}/sigul-sign.sh" "https://raw.githubusercontent.com/"\
+ "lfit/releng-global-jjb/master/shell/sigul-sign.sh"
+ wget -O "${WORKSPACE}/Dockerfile" "https://raw.githubusercontent.com/"\
+ "lfit/releng-global-jjb/master/docker/Dockerfile"
+
+ # Setup the docker environment for jenkins user
+ docker build -f ${WORKSPACE}/Dockerfile \
+ --build-arg SIGN_DIR=${SIGN_DIR} \
+ -t sigul-sign .
+
+ docker volume create --driver local \
+ --opt type=none \
+ --opt device=/w/workspace \
+ --opt o=bind \
+ wrkspc_vol
+
+ docker volume inspect wrkspc_vol
+
+ docker run -e SIGUL_KEY="${SIGUL_KEY}" \
+ -e SIGUL_PASSWORD="${SIGUL_PASSWORD}" \
+ -e SIGUL_CONFIG=${SIGUL_CONFIG} \
+ -e SIGN_DIR=${SIGN_DIR} \
+ -e WORKSPACE=${WORKSPACE} \
+ --name sigul-sign \
+ --security-opt label:disable \
+ --mount type=bind,source="/w/workspace",target="/w/workspace" \
+ --mount type=bind,source="/home/jenkins",target="/home/jenkins" \
+ -u root:root -w $(pwd) sigul-sign
+else
+ lftools sign sigul -m "${SIGN_MODE}" "${SIGN_DIR}"
+fi
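Review bot: The entrypoint script and the Dockerfile are fetched at job run time from the `master` branch of a public GitHub repository (the two `wget` calls at the top of the CentOS 8 branch) with no pinning and no checksum, and whatever comes back is then run with the signing key name, the password file and `/home/jenkins` bind-mounted into it; the code that performs the signing should come from a pinned ref and be verified before `docker build`, e.g. `wget -O "${WORKSPACE}/sigul-sign.sh" "https://raw.githubusercontent.com/lfit/releng-global-jjb/<PINNED_REF>/shell/sigul-sign.sh"` followed by `sha256sum -c` against a checksum shipped with the job, or better, be installed alongside this script rather than downloaded. Separately, `${WORKSPACE}`, `${SIGN_DIR}`, `${SIGUL_CONFIG}` and `$(pwd)` in the `docker build`/`docker run` arguments are unquoted, unlike the same variables on the `lftools` line in the else branch. The `wrkspc_vol` volume is created and inspected but never attached (the run uses `--mount type=bind` directly), and `--name sigul-sign` without `--rm` will presumably make a second run on the same node fail with a name conflict until the old container is removed. Running the signer as `-u root:root` over the bind-mounted `/w/workspace` leaves the produced `.asc` files root-owned, which later steps running as the jenkins user may not be able to overwrite; worth confirming on a docker node.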
--- /dev/null
+#!/bin/bash
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2022 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+# Script to run the sigul signing from within a CentOS7 docker container
+
+echo "Sign files in: $SIGN_DIR"
+
+set -e # Fail immediately if any if signing fails
+find "${SIGN_DIR}" -type f ! -name "*.asc" \
+ ! -name "*.md5" \
+ ! -name "*.sha1" \
+ ! -name "_maven.repositories" \
+ ! -name "_remote.repositories" \
+ ! -name "*.lastUpdated" \
+ ! -name "maven-metadata-local.xml" \
+ ! -name "maven-metadata.xml" > ${WORKSPACE}/sign.lst
+
+if [ -s ${WORKSPACE}/sign.lst ]; then
+ echo "Sign list is not empty"
+fi
+
+files_to_sign=()
+while IFS= read -rd $'\n' line; do
+ files_to_sign+=("$line")
+ sigul --batch -c "${SIGUL_CONFIG}" sign-data -a -o "${line}.asc" "${SIGUL_KEY}" "${line}" < "${SIGUL_PASSWORD}"
+done < ${WORKSPACE}/sign.lst
+
+if [ "${#files_to_sign[@]}" -eq 0 ]; then
+ echo "ERROR: No files to sign. Quitting..."
+ exit 1
+fi
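Review bot: `${WORKSPACE}` is unquoted in the redirections on the `find`, `[ -s ... ]` and `done <` lines, and neither `SIGN_DIR` nor `WORKSPACE` is checked before use, so with `WORKSPACE` unset the list lands in `/sign.lst` and with `SIGN_DIR` unset `find ""` fails after `set -e` is already in effect. A `: "${SIGN_DIR:?}" "${WORKSPACE:?}" "${SIGUL_CONFIG:?}" "${SIGUL_KEY:?}" "${SIGUL_PASSWORD:?}"` line before the `find` makes the required inputs explicit, and since the list is a private temporary file anyway, writing it NUL-delimited (`-print0` with `read -r -d ''`) keeps the loop correct for any path the `find` can return. Note also that `set -e` means a failing `sigul` aborts mid-loop with some files signed and others not, which is presumably intended but deserves a comment next to the loop.
```shell
: "${SIGN_DIR:?}" "${WORKSPACE:?}" "${SIGUL_CONFIG:?}" "${SIGUL_KEY:?}" "${SIGUL_PASSWORD:?}"
set -e # Fail immediately if any if signing fails
# … unchanged: find "${SIGN_DIR}" -type f with the same ! -name exclusions; only the last line changes …
  ! -name "maven-metadata.xml" -print0 > "${WORKSPACE}/sign.lst"

if [ -s "${WORKSPACE}/sign.lst" ]; then
  echo "Sign list is not empty"
fi

files_to_sign=()
# A sigul failure on any file aborts the whole run (set -e); earlier files stay signed.
while IFS= read -r -d '' line; do
  files_to_sign+=("$line")
  sigul --batch -c "${SIGUL_CONFIG}" sign-data -a -o "${line}.asc" "${SIGUL_KEY}" "${line}" < "${SIGUL_PASSWORD}"
done < "${WORKSPACE}/sign.lst"
# … unchanged: empty-list check …
```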