From 4a23005d82c59a983cb1aa95eaf01fe643337f53 Mon Sep 17 00:00:00 2001
From: Anil Belur
Date: Fri, 27 May 2022 09:58:32 +1000
Subject: [PATCH] Fix: Sign artifacts on CentOS Stream 8/9

Update the sigul-sign-dir.sh to sign artifacts using docker. The docker image is built on CentOS Streams 8/9. The newer version of sigul 1.1.1 available for CentOS 8 is not backwords compatible with the version of sigul on CentOS 7.

As a temporary workaround build a CentOS7 docker image with sigul installed and use it for signing artificats on platforms where sigul is not readly available.

Issue-ID: IT-23826
Change-Id: Ie22e23240f7fe388219c0afc4d4c229f390efa9c
Signed-off-by: Anil Belur
---
 docker/Dockerfile | 21 ++++++++++++
 .../sigul-sign-using-docker-fcabb59ccdf8d4d8.yaml | 14 ++++++++
 shell/sigul-sign-dir.sh | 36 +++++++++++++++++++-
 shell/sigul-sign.sh | 38 ++++++++++++++++++++++
 4 files changed, 108 insertions(+), 1 deletion(-)
 create mode 100644 docker/Dockerfile
 create mode 100644 releasenotes/notes/sigul-sign-using-docker-fcabb59ccdf8d4d8.yaml
 create mode 100644 shell/sigul-sign.sh

diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 00000000..a84d564c
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,21 @@
+FROM centos:7
+SHELL ["/bin/bash", "-c"]
+
+RUN echo $'[fedora-infra-sigul] \n\
+name=Fedora builder packages for sigul \n\
+baseurl=https://kojipkgs.fedoraproject.org/repos-dist/epel\$releasever-infra/latest/\$basearch/ \n\
+enabled=1 \n\
+gpgcheck=1 \n\
+gpgkey=https://infrastructure.fedoraproject.org/repo/infra/RPM-GPG-KEY-INFRA-TAGS \n\
+includepkgs=sigul* \n\
+skip_if_unavailable=True' > /etc/yum.repos.d/fedora-infra-sigul.repo
+
+RUN yum install -y -q sigul
+
+RUN mkdir -p /w/workspace && mkdir -p /home/jenkins
+
+COPY ./sigul-sign.sh /
+USER root
+
+ENTRYPOINT ["/bin/bash", "/sigul-sign.sh"]
+CMD ["${SIGN_DIR}"]
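Review bot: `CMD ["${SIGN_DIR}"]` is exec form, which Docker does not run through a shell, so the container receives the literal string `${SIGN_DIR}` as `$1`; `/sigul-sign.sh` never reads `$1` and takes `SIGN_DIR` from the environment that `docker run -e` sets, so the line is dead and misleading — `CMD []` or dropping it is clearer. Likewise `sigul-sign-dir.sh` passes `--build-arg SIGN_DIR=…` but there is no `ARG SIGN_DIR` here, so the build argument is unused. Inside `$'…'` bash keeps the backslash of an escape it does not recognise, so `\$releasever` and `\$basearch` probably land in the repo file with a literal backslash; worth checking the generated `/etc/yum.repos.d/fedora-infra-sigul.repo` in the built image. `USER root` is already the default for `centos:7` and the job additionally runs the container with `-u root:root`, so signing runs as root with the Jenkins home bind-mounted; a dedicated unprivileged user that alone can read the passphrase file would narrow that.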
diff --git a/releasenotes/notes/sigul-sign-using-docker-fcabb59ccdf8d4d8.yaml b/releasenotes/notes/sigul-sign-using-docker-fcabb59ccdf8d4d8.yaml
new file mode 100644
index 00000000..7fc74ae6
--- /dev/null
+++ b/releasenotes/notes/sigul-sign-using-docker-fcabb59ccdf8d4d8.yaml
@@ -0,0 +1,14 @@
+---
+fixes:
+  - |
+    Update the sigul-sign-dir.sh to sign artifacts using docker. The docker
+    image is built on CentOS Streams 8/9. The newer version of sigul 1.1.1
+    available for CentOS 8 is not backwords compatible with the version of
+    sigul on CentOS 7.
+
+    As a temporary workaround build a CentOS7 docker image with sigul
+    installed and use it for signing artificats on platforms where sigul is
+    not readly available.
+
+    Note: the executor node needs to have docker installed, so it can't be
+    a "vanilla" build node but must be a docker node.
diff --git a/shell/sigul-sign-dir.sh b/shell/sigul-sign-dir.sh
index 2bcf5894..92380cc0 100644
--- a/shell/sigul-sign-dir.sh
+++ b/shell/sigul-sign-dir.sh
@@ -13,4 +13,38 @@ echo "---> sigul-sign-dir.sh"
 # Ensure we fail the job if any steps fail.
 set -e -o pipefail
 
-lftools sign sigul -m "${SIGN_MODE}" "${SIGN_DIR}"
+OS=$(facter operatingsystem | tr '[:upper:]' '[:lower:]')
+OS_RELEASE=$(facter lsbdistrelease | tr '[:upper:]' '[:lower:]')
+if [[ "$OS_RELEASE" == "8" && "$OS" == 'centos' ]]; then
+    # Get Dockerfile and the enterpoint to build the docker image.
+    wget -O "${WORKSPACE}/sigul-sign.sh" "https://raw.githubusercontent.com/"\
+        "lfit/releng-global-jjb/master/shell/sigul-sign.sh"
+    wget -O "${WORKSPACE}/Dockerfile" "https://raw.githubusercontent.com/"\
+        "lfit/releng-global-jjb/master/docker/Dockerfile"
+
+    # Setup the docker environment for jenkins user
+    docker build -f ${WORKSPACE}/Dockerfile \
+        --build-arg SIGN_DIR=${SIGN_DIR} \
+        -t sigul-sign .
+
+    docker volume create --driver local \
+        --opt type=none \
+        --opt device=/w/workspace \
+        --opt o=bind \
+        wrkspc_vol
+
+    docker volume inspect wrkspc_vol
+
+    docker run -e SIGUL_KEY="${SIGUL_KEY}" \
+        -e SIGUL_PASSWORD="${SIGUL_PASSWORD}" \
+        -e SIGUL_CONFIG=${SIGUL_CONFIG} \
+        -e SIGN_DIR=${SIGN_DIR} \
+        -e WORKSPACE=${WORKSPACE} \
+        --name sigul-sign \
+        --security-opt label:disable \
+        --mount type=bind,source="/w/workspace",target="/w/workspace" \
+        --mount type=bind,source="/home/jenkins",target="/home/jenkins" \
+        -u root:root -w $(pwd) sigul-sign
+else
+    lftools sign sigul -m "${SIGN_MODE}" "${SIGN_DIR}"
+fi
diff --git a/shell/sigul-sign.sh b/shell/sigul-sign.sh
new file mode 100644
index 00000000..d5c674f2
--- /dev/null
+++ b/shell/sigul-sign.sh
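Review bot: The two `wget` calls fetch `shell/sigul-sign.sh` and `docker/Dockerfile` from the `master` branch at job run time, so the code that drives the signing key inside the container is whatever master holds at that moment, unpinned and unverified, and may not match the global-jjb version the job was generated from. Pin the URLs to the release the job is built from (e.g. `"lfit/releng-global-jjb/<global-jjb-version>/shell/sigul-sign.sh"`) or ship both files with the job, and at minimum compare a checksum after download. `docker run` has no `--rm`, so the container named `sigul-sign` persists after the job and a second run on the same executor fails on the name conflict; add `--rm` next to `--name sigul-sign`. The branch only fires for `OS_RELEASE == "8"` although the subject says Stream 8/9, so a Stream 9 executor still falls through to the `lftools sign sigul` path the change is working around. `wrkspc_vol` is created and inspected but never referenced by `docker run`, which uses bind mounts instead, so those two commands can go.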
@@ -0,0 +1,38 @@
+#!/bin/bash
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2022 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+# Script to run the sigul signing from within a CentOS7 docker container
+
+echo "Sign files in: $SIGN_DIR"
+
+set -e # Fail immediately if any if signing fails
+find "${SIGN_DIR}" -type f ! -name "*.asc" \
+    ! -name "*.md5" \
+    ! -name "*.sha1" \
+    ! -name "_maven.repositories" \
+    ! -name "_remote.repositories" \
+    ! -name "*.lastUpdated" \
+    ! -name "maven-metadata-local.xml" \
+    ! -name "maven-metadata.xml" > ${WORKSPACE}/sign.lst
+
+if [ -s ${WORKSPACE}/sign.lst ]; then
+    echo "Sign list is not empty"
+fi
+
+files_to_sign=()
+while IFS= read -rd $'\n' line; do
+    files_to_sign+=("$line")
+    sigul --batch -c "${SIGUL_CONFIG}" sign-data -a -o "${line}.asc" "${SIGUL_KEY}" "${line}" < "${SIGUL_PASSWORD}"
+done < ${WORKSPACE}/sign.lst
+
+if [ "${#files_to_sign[@]}" -eq 0 ]; then
+    echo "ERROR: No files to sign. Quitting..."
+    exit 1
+fi
--
2.16.6
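Review bot: Nothing asserts that `SIGN_DIR` and `WORKSPACE` are set before they are used, and the script runs as root inside the container (the job starts it with `-u root:root`); with `WORKSPACE` empty the redirect on the `find` line writes `/sign.lst`, and the unquoted `${WORKSPACE}/sign.lst` on the `find`, `if [ -s` and `done <` lines word-splits on a path containing spaces. Add `: "${SIGN_DIR:?must be set}" "${WORKSPACE:?must be set}"` next to `set -e` and quote the three expansions. The `if [ -s … ]` block only echoes and never branches, while the empty-list error after the loop is reached only once signing has been attempted; turning the `-s` test into the fail-fast check (`[ -s "${WORKSPACE}/sign.lst" ] || { echo "ERROR: No files to sign. Quitting..."; exit 1; }`) makes the `files_to_sign` array redundant. The `< "${SIGUL_PASSWORD}"` redirect shows that `SIGUL_PASSWORD` is the path of a passphrase file rather than the passphrase itself, which deserves a comment such as `# SIGUL_PASSWORD: path to the passphrase file fed to sigul on stdin` so nobody later logs or exports it as if it were the secret.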