From: Eric Ball
Date: Thu, 4 Apr 2019 13:56:25 +0000 (-0700)
Subject: Add git tag and Docker container sigul signing
X-Git-Tag: v0.23.0^2
X-Git-Url: https://gerrit.linuxfoundation.org/infra/gitweb?a=commitdiff_plain;h=8b5bee673cabc5b1992d84771872202476bc7d77;p=releng%2Flftools.git
Add git tag and Docker container sigul signing
Issue: RELENG-1851
Change-Id: I02ecde037ff603dafd5820f15b454f2a0f2571f1
Signed-off-by: Eric Ball
---
diff --git a/lftools/cli/sign.py b/lftools/cli/sign.py
index c3997502..5a4a00a8 100644
--- a/lftools/cli/sign.py
+++ b/lftools/cli/sign.py
@@ -38,6 +38,25 @@ def directory(ctx, directory, mode):
 sys.exit(status)
+@click.command(name='git-tag')
+@click.argument('tag')
+@click.pass_context
+def git_tag(ctx, tag):
+ """Sigul sign a git tag."""
+ status = subprocess.call(['sign', 'git-tag', tag])
+ sys.exit(status)
+
+
+@click.command(name='container')
+@click.argument('manifest')
+@click.argument('tag')
+@click.pass_context
+def container(ctx, manifest, tag):
+ """Sigul sign a Docker container."""
+ status = subprocess.call(['sign', 'container', manifest, tag])
+ sys.exit(status)
+
+
 @click.command(name='nexus')
 @click.argument('nexus-repo-url')
 @click.option(
@@ -117,6 +136,8 @@ def deploy_nexus(ctx, nexus_url, nexus_repo, staging_profile_id, sign_dir, sign_
 sign.add_command(directory)
+sign.add_command(git_tag)
+sign.add_command(container)
 sign.add_command(nexus)
 sign.add_command(deploy_nexus)
 sign.add_command(sigul)
diff --git a/releasenotes/notes/tag-and-container-signing-734e0b8cfcabd3dc.yaml b/releasenotes/notes/tag-and-container-signing-734e0b8cfcabd3dc.yaml
new file mode 100644
index 00000000..174c1f29
--- /dev/null
+++ b/releasenotes/notes/tag-and-container-signing-734e0b8cfcabd3dc.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Add sigul signing for git tags and Docker containers.
diff --git a/shell/sign b/shell/sign
index 23e22ecd..e61a36e5 100755
--- a/shell/sign
+++ b/shell/sign
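Review bot: `git_tag` and `container` both receive `ctx` through `@click.pass_context` and never use it, and their one-line docstrings, which click prints as the command help, do not say what MANIFEST and TAG must contain. The `directory(ctx, directory, mode)` signature in the hunk header suggests this is the file's existing pattern, so dropping the decorator is optional, but the docstrings should be expanded. I would state there that the work is handed to an external `sign` executable looked up on PATH (`subprocess.call(['sign', 'git-tag', tag])`) and that the shell/sign functions added in this commit read `SIGUL_CONFIG`, `SIGUL_KEY` and `SIGUL_PASSWORD`. For a signing command the operator should be able to tell from the help text which executable and which key configuration are in use.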
@@ -49,6 +49,16 @@ sign() {
 sign_dir 'sigul' "$@"
 exit 0
 ;;
+ git-tag )
+ echo "Signing Git tag with Sigul..."
+ sign_git_tag "$@"
+ exit 0
+ ;;
+ container )
+ echo "Signing container with Sigul..."
+ sign_container "$@"
+ exit 0
+ ;;
 * )
 echo "Invalid command: $subcommand" 1>&2
 exit 1
@@ -57,6 +67,36 @@ sign() {
 }
+sign_git_tag() {
+ # Signs the specified git tag.
+ #
+ # Parameters:
+ #
+ # : The name of the git tag to be signed.
+ local tag="$1"
+
+ echo "Signing $tag"
+ sigul --batch -c "$SIGUL_CONFIG" sign-git-tag \
+ "$SIGUL_KEY" "$tag" < "$SIGUL_PASSWORD"
+}
+
+
+sign_container() {
+ # Signs the specified Docker container.
+ #
+ # Parameters:
+ #
+ # : Manifest of the container to be signed.
+ # : The container's tag.
+ local manifest="$1"
+ local tag="$2"
+
+ echo "Signing $manifest:$tag"
+ sigul --batch -c "$SIGUL_CONFIG" sign-container -o "$manifest-$tag.asc" \
+ "$SIGUL_KEY" "$manifest" "$tag" < "$SIGUL_PASSWORD"
+}
+
+
 sign_dir() {
 # GPG signs all of the files in a directory
 #
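Review bot: The new `git-tag` and `container` branches end with an unconditional `exit 0`, so unless `set -e` is in force above this hunk a failed `sigul` call is reported as success. The Python wrapper in this commit exits with the script's status (`sys.exit(status)`), so a release job would then be told the tag or container is signed when it is not. Replacing each pair with `sign_git_tag "$@"; exit $?` and `sign_container "$@"; exit $?` keeps the signer's status. The context lines `sign_dir 'sigul' "$@"` and `exit 0` show the same pattern already in the file, and `sign()` starts and ends outside the hunk.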
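Review bot: `sign_git_tag` and `sign_container` hand `$1`/`$2` and the `SIGUL_CONFIG`, `SIGUL_KEY` and `SIGUL_PASSWORD` variables to `sigul` without checking that any of them is set, so a missing argument reaches the signer as an empty string and an unset `SIGUL_PASSWORD` only shows up as a redirection error. A guard at the top of each function, for example `[ -n "$tag" ] || { echo "sign git-tag: tag required" 1>&2; return 1; }` and `: "${SIGUL_PASSWORD:?path to the passphrase file is not set}"`, fails early with a clear message. Because `< "$SIGUL_PASSWORD"` reads a file, the header comment should say that the variable holds a path and not the passphrase itself, and it should restore the parameter names, which are missing from the `# : …` lines as shown here. A value beginning with `-` may also be read by `sigul` as an option; I have not checked its argument parser, so that is something to confirm.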