Fix: Sign artifacts on CentOS Stream 8/9

Update the sigul-sign-dir.sh to sign artifacts using docker.
The docker image is built on CentOS Streams 8/9. The newer version
of sigul 1.1.1 available for CentOS 8 is not backwords compatible
with the version of sigul on CentOS 7.

As a temporary workaround build a CentOS7 docker image with
sigul installed and use it for signing artificats on platforms
where sigul is not readly available.

Issue-ID: IT-23826
Change-Id: Ie22e23240f7fe388219c0afc4d4c229f390efa9c
Signed-off-by: Anil Belur <abelur@linuxfoundation.org>

diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644 (file)
index 0000000..a84d564
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,21 @@
+FROM centos:7
+SHELL ["/bin/bash", "-c"]
+
+RUN echo $'[fedora-infra-sigul] \n\
+name=Fedora builder packages for sigul \n\
+baseurl=https://kojipkgs.fedoraproject.org/repos-dist/epel\$releasever-infra/latest/\$basearch/ \n\
+enabled=1 \n\
+gpgcheck=1 \n\
+gpgkey=https://infrastructure.fedoraproject.org/repo/infra/RPM-GPG-KEY-INFRA-TAGS \n\
+includepkgs=sigul* \n\
+skip_if_unavailable=True' > /etc/yum.repos.d/fedora-infra-sigul.repo
+
+RUN yum install -y -q sigul
+
+RUN mkdir -p /w/workspace && mkdir -p /home/jenkins
+
+COPY ./sigul-sign.sh /
+USER root
+
+ENTRYPOINT ["/bin/bash", "/sigul-sign.sh"]
+CMD ["${SIGN_DIR}"]

diff --git a/releasenotes/notes/sigul-sign-using-docker-fcabb59ccdf8d4d8.yaml b/releasenotes/notes/sigul-sign-using-docker-fcabb59ccdf8d4d8.yaml
new file mode 100644 (file)
index 0000000..7fc74ae
--- /dev/null
+++ b/releasenotes/notes/sigul-sign-using-docker-fcabb59ccdf8d4d8.yaml
@@ -0,0 +1,14 @@
+---
+fixes:
+  - |
+    Update the sigul-sign-dir.sh to sign artifacts using docker. The docker
+    image is built on CentOS Streams 8/9. The newer version of sigul 1.1.1
+    available for CentOS 8 is not backwords compatible with the version of
+    sigul on CentOS 7.
+
+    As a temporary workaround build a CentOS7 docker image with sigul
+    installed and use it for signing artificats on platforms where sigul is
+    not readly available.
+
+    Note: the executor node needs to have docker installed, so it can't be
+    a "vanilla" build node but must be a docker node.

diff --git a/shell/sigul-sign-dir.sh b/shell/sigul-sign-dir.sh
index 2bcf589..92380cc 100644 (file)
--- a/shell/sigul-sign-dir.sh
+++ b/shell/sigul-sign-dir.sh
@@ -13,4 +13,38 @@ echo "---> sigul-sign-dir.sh"
 # Ensure we fail the job if any steps fail.
 set -e -o pipefail
 
-lftools sign sigul -m "${SIGN_MODE}" "${SIGN_DIR}"
+OS=$(facter operatingsystem | tr '[:upper:]' '[:lower:]')
+OS_RELEASE=$(facter lsbdistrelease | tr '[:upper:]' '[:lower:]')
+if [[ "$OS_RELEASE" == "8" && "$OS" == 'centos' ]]; then
+    # Get Dockerfile and the enterpoint to build the docker image.
+    wget -O "${WORKSPACE}/sigul-sign.sh" "https://raw.githubusercontent.com/"\
+    "lfit/releng-global-jjb/master/shell/sigul-sign.sh"
+    wget -O "${WORKSPACE}/Dockerfile" "https://raw.githubusercontent.com/"\
+    "lfit/releng-global-jjb/master/docker/Dockerfile"
+
+    # Setup the docker environment for jenkins user
+    docker build -f ${WORKSPACE}/Dockerfile \
+        --build-arg SIGN_DIR=${SIGN_DIR} \
+        -t sigul-sign .
+
+    docker volume create --driver local \
+        --opt type=none \
+        --opt device=/w/workspace \
+        --opt o=bind \
+        wrkspc_vol
+
+    docker volume inspect wrkspc_vol
+
+    docker run -e SIGUL_KEY="${SIGUL_KEY}" \
+        -e SIGUL_PASSWORD="${SIGUL_PASSWORD}" \
+        -e SIGUL_CONFIG=${SIGUL_CONFIG} \
+        -e SIGN_DIR=${SIGN_DIR} \
+        -e WORKSPACE=${WORKSPACE} \
+        --name sigul-sign \
+        --security-opt label:disable \
+        --mount type=bind,source="/w/workspace",target="/w/workspace" \
+        --mount type=bind,source="/home/jenkins",target="/home/jenkins" \
+        -u root:root -w $(pwd) sigul-sign
+else
+    lftools sign sigul -m "${SIGN_MODE}" "${SIGN_DIR}"
+fi

diff --git a/shell/sigul-sign.sh b/shell/sigul-sign.sh
new file mode 100644 (file)
index 0000000..d5c674f
--- /dev/null
+++ b/shell/sigul-sign.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2022 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+# Script to run the sigul signing from within a CentOS7 docker container
+
+echo "Sign files in: $SIGN_DIR"
+
+set -e  # Fail immediately if any if signing fails
+find "${SIGN_DIR}" -type f ! -name "*.asc" \
+        ! -name "*.md5" \
+        ! -name "*.sha1" \
+        ! -name "_maven.repositories" \
+        ! -name "_remote.repositories" \
+        ! -name "*.lastUpdated" \
+        ! -name "maven-metadata-local.xml" \
+        ! -name "maven-metadata.xml" > ${WORKSPACE}/sign.lst
+
+if [ -s ${WORKSPACE}/sign.lst ]; then
+    echo "Sign list is not empty"
+fi
+
+files_to_sign=()
+while IFS= read -rd $'\n' line; do
+    files_to_sign+=("$line")
+    sigul --batch -c "${SIGUL_CONFIG}" sign-data -a -o "${line}.asc" "${SIGUL_KEY}" "${line}" < "${SIGUL_PASSWORD}"
+done < ${WORKSPACE}/sign.lst
+
+if [ "${#files_to_sign[@]}" -eq 0 ]; then
+    echo "ERROR: No files to sign. Quitting..."
+    exit 1
+fi