Add repo sign and change rpm tool #53

32 changes: 12 additions & 20 deletions .github/workflows/publish.yml
Expand Up @@ -24,13 +24,13 @@ jobs:
- "arm64"
include:
- arch: "srcrpm"
upload-script: "upload-srcrpm-repo"
upload-script: "sign-and-upload"
build: "x86_64-amd64"
- arch: "amd64"
upload-script: "upload-repo"
upload-script: "sign-and-upload"
build: "x86_64-amd64"
- arch: "arm64"
upload-script: "upload-repo"
upload-script: "sign-and-upload"
build: "aarch64-arm64"
steps:
- name: Checkout
Expand Down Expand Up @@ -69,28 +69,15 @@ jobs:
TESTING_AWS_SECRET_ACCESS_KEY: ${{ env.TESTING_AWS_SECRET_ACCESS_KEY }}
run: |
dapper -f Dockerfile.${{ matrix.os }}.dapper rpm/${{ matrix.os }}/scripts/build
- name: Sign
- name: Sign and upload to S3
env:
TAG: ${{ github.ref_name }}
COMBARCH: ${{ matrix.build }}
UPLOAD_ARCH: ${{ matrix.arch }}
PRIVATE_KEY: ${{ env.PRIVATE_KEY }}
PRIVATE_KEY_PASS_PHRASE: ${{ env.PRIVATE_KEY_PASS_PHRASE }}
TESTING_PRIVATE_KEY: ${{ env.TESTING_PRIVATE_KEY }}
TESTING_PRIVATE_KEY_PASS_PHRASE: ${{ env.TESTING_PRIVATE_KEY_PASS_PHRASE }}
run: |
docker run --rm \
-v "$(pwd):/workspace" \
-w /workspace \
-e TAG="$TAG" \
-e PRIVATE_KEY="$PRIVATE_KEY" \
-e PRIVATE_KEY_PASS_PHRASE="$PRIVATE_KEY_PASS_PHRASE" \
-e TESTING_PRIVATE_KEY="$TESTING_PRIVATE_KEY" \
-e TESTING_PRIVATE_KEY_PASS_PHRASE="$TESTING_PRIVATE_KEY_PASS_PHRASE" \
centos:7 \
rpm/${{ matrix.os }}/scripts/sign
- name: Upload to S3
env:
TAG: ${{ github.ref_name }}
COMBARCH: ${{ matrix.build }}
AWS_S3_BUCKET: ${{ env.AWS_S3_BUCKET }}
AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
Expand All @@ -102,14 +89,19 @@ jobs:
-v "$(pwd):/workspace" \
-w /workspace \
-e TAG="$TAG" \
-e PRIVATE_KEY="$PRIVATE_KEY" \
-e PRIVATE_KEY_PASS_PHRASE="$PRIVATE_KEY_PASS_PHRASE" \
-e TESTING_PRIVATE_KEY="$TESTING_PRIVATE_KEY" \
-e TESTING_PRIVATE_KEY_PASS_PHRASE="$TESTING_PRIVATE_KEY_PASS_PHRASE" \
-e COMBARCH="$COMBARCH" \
-e UPLOAD_ARCH="$UPLOAD_ARCH" \
-e AWS_S3_BUCKET="$AWS_S3_BUCKET" \
-e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" \
-e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" \
-e TESTING_AWS_S3_BUCKET="$TESTING_AWS_S3_BUCKET" \
-e TESTING_AWS_ACCESS_KEY_ID="$TESTING_AWS_ACCESS_KEY_ID" \
-e TESTING_AWS_SECRET_ACCESS_KEY="$TESTING_AWS_SECRET_ACCESS_KEY" \
centos:7 \
quay.io/centos/centos:stream9 \
rpm/${{ matrix.os }}/scripts/${{ matrix.upload-script }}
- name: Checksum
run: |
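Review bot: The merged step in the hunk starting `@@ -102,14 +89,19 @@` now hands the release signing key, its passphrase and the S3 credentials to a container pulled by the mutable tag `quay.io/centos/centos:stream9`; pin the image by digest, e.g. `quay.io/centos/centos:stream9@sha256:<digest-placeholder>`, so the environment that signs and publishes packages cannot change underneath the workflow without a reviewed commit. The `Sign and upload to S3` step's `env:` block begins in the second hunk and continues outside it, so it is not visible here whether every `TESTING_*` variable forwarded with `-e` in the third hunk is actually declared; an undeclared one only surfaces as an empty string inside the script.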
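--- a/rpm/centos7/scripts/sign-and-upload
+++ b/rpm/centos7/scripts/sign-and-upload
@@ -0,0 +1,106 @@
+#!/bin/bash
+set -e -x
+
+dnf install -y epel-release wget
+
+dnf install -y python3 python3-pip python3-devel \
+rpm-sign expect git
+
+dnf install -y ca-certificates createrepo_c
+
+pip install --upgrade boto3 pexpect
+
+pushd $(dirname $0)/..
+. ./scripts/version
+popd
+
+cat <<\EOF >~/.rpmmacros
+%_signature gpg
+%_gpg_name [email protected]
+%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
+%_source_filedigest_algorithm 8
+%_binary_filedigest_algorithm 8
+EOF
+
+if [ -z "$COMBARCH" ]; then
+echo "Combined architecture was not defined, failing RPM upload"
+exit 1
+fi
+
+if [ -z "$RPM_MAJMIN" ]; then
+echo "RPM_MAJMIN not defined, failing rpm upload"
+exit 1
+fi
+
+if [ -z "$RPM_CHANNEL" ]; then
+echo "RPM_PATH not defined, failing rpm upload"
+exit 1
+fi
+
+IFS=- read RPMARCH GOARCH <<<${COMBARCH}
+unset IFS
+
+# Desired TARGET_S3_PATH would be something like rke2/<channel>/centos/7/<arch>
+
+TARGET_S3_PATH="rke2/$RPM_CHANNEL/$RPM_MAJMIN/centos/7/$RPMARCH"
+TARGET_RPM_PATH="dist/centos7/$RPMARCH/rke2-*.rpm"
+
+if [[ "$UPLOAD_ARCH" == "srcrpm" ]]; then
+TARGET_S3_PATH="rke2/$RPM_CHANNEL/$RPM_MAJMIN/centos/7/source"
+TARGET_RPM_PATH="dist/centos7/source/rke2-*.src.rpm"
+
+case "$RPM_CHANNEL" in
+"testing")
+export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
+if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
+echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
+exit 1
+fi
+gpg --import - <<<"$TESTING_PRIVATE_KEY"
+if [ -z "$TESTING_AWS_S3_BUCKET" ]; then
+echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload"
+exit 1
+fi
+if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then
+echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload"
+exit 1
+fi
+if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then
+echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
+exit 1
+fi
+export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID
+export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY
+export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET
+;;
+
+"latest" | "stable")
+if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
+echo "PRIVATE_KEY not defined, failing rpm sign"
+exit 1
+fi
+gpg --import - <<<"$PRIVATE_KEY"
+if [ -z "$AWS_S3_BUCKET" ]; then
+echo "AWS_S3_BUCKET not defined, failing rpm upload"
+exit 1
+fi
+if [ -z "$AWS_ACCESS_KEY_ID" ]; then
+echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload"
+exit 1
+fi
+if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
+echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
+exit 1
+fi
+;;
+*)
+echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
+exit 1
+;;
+esac
+
+wget https://raw.githubusercontent.com/rancher/ecm-distro-tools/master/bin/rpm_tooling
+chmod +x rpm_tooling
+mv ./rpm_tooling /usr/bin
+
+rpm_tooling --bucket $AWS_S3_BUCKET/$TARGET_S3_PATH --region us-east-1 --sign --sign-pass $PRIVATE_KEY_PASS_PHRASE --aws-access-key $AWS_ACCESS_KEY_ID --aws-secret-key $AWS_ACCESS_KEY_ID $TARGET_RPM_PATH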
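Review bot: The final `rpm_tooling` invocation passes `--aws-secret-key $AWS_ACCESS_KEY_ID`, so the access key id is sent in place of the secret and the upload cannot authenticate; it should read `--aws-secret-key $AWS_SECRET_ACCESS_KEY`, and the identical line recurs in rpm/centos8/scripts/sign-and-upload and rpm/centos9/scripts/sign-and-upload. With `set -e -x` at the top, xtrace echoes that whole command line, including `--sign-pass $PRIVATE_KEY_PASS_PHRASE` and the AWS secret, into the job log, and it likely also expands the `gpg --import - <<<"$PRIVATE_KEY"` here-strings there; change the first line to `set -e` (or bracket the credential-handling commands with `set +x` / `set -x`) and, if `rpm_tooling` supports it, supply the passphrase via a file or stdin rather than an argument. `rpm_tooling` is downloaded unpinned from the `master` branch and then executed with the signing key and bucket credentials in its environment, so any change on that branch silently changes what signs and publishes these packages; pin the download to a tag or commit and verify a checksum before `chmod +x`. As rendered, the `if [[ "$UPLOAD_ARCH" == "srcrpm" ]]; then` block on the srcrpm path is never closed with `fi` before `case`, which bash rejects at end of file — confirm whether a line was lost in the diff view or the `fi` is genuinely missing.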
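--- a/rpm/centos8/scripts/sign-and-upload
+++ b/rpm/centos8/scripts/sign-and-upload
@@ -0,0 +1,106 @@
+#!/bin/bash
+set -e -x
+
+dnf install -y epel-release wget
+
+dnf install -y python3 python3-pip python3-devel \
+rpm-sign expect git
+
+dnf install -y ca-certificates createrepo_c
+
+pip install --upgrade boto3 pexpect
+
+pushd $(dirname $0)/..
+. ./scripts/version
+popd
+
+cat <<\EOF >~/.rpmmacros
+%_signature gpg
+%_gpg_name [email protected]
+%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
+%_source_filedigest_algorithm 8
+%_binary_filedigest_algorithm 8
+EOF
+
+if [ -z "$COMBARCH" ]; then
+echo "Combined architecture was not defined, failing RPM upload"
+exit 1
+fi
+
+if [ -z "$RPM_MAJMIN" ]; then
+echo "RPM_MAJMIN not defined, failing rpm upload"
+exit 1
+fi
+
+if [ -z "$RPM_CHANNEL" ]; then
+echo "RPM_PATH not defined, failing rpm upload"
+exit 1
+fi
+
+IFS=- read RPMARCH GOARCH <<<${COMBARCH}
+unset IFS
+
+# Desired TARGET_S3_PATH would be something like rke2/<channel>/centos/7/<arch>
+
+TARGET_S3_PATH="rke2/$RPM_CHANNEL/$RPM_MAJMIN/centos/8/$RPMARCH"
+TARGET_RPM_PATH="dist/centos7/$RPMARCH/rke2-*.rpm"
+
+if [[ "$UPLOAD_ARCH" == "srcrpm" ]]; then
+TARGET_S3_PATH="rke2/$RPM_CHANNEL/$RPM_MAJMIN/centos/8/source"
+TARGET_RPM_PATH="dist/centos8/source/rke2-*.src.rpm"
+
+case "$RPM_CHANNEL" in
+"testing")
+export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
+if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
+echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
+exit 1
+fi
+gpg --import - <<<"$TESTING_PRIVATE_KEY"
+if [ -z "$TESTING_AWS_S3_BUCKET" ]; then
+echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload"
+exit 1
+fi
+if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then
+echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload"
+exit 1
+fi
+if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then
+echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
+exit 1
+fi
+export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID
+export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY
+export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET
+;;
+
+"latest" | "stable")
+if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
+echo "PRIVATE_KEY not defined, failing rpm sign"
+exit 1
+fi
+gpg --import - <<<"$PRIVATE_KEY"
+if [ -z "$AWS_S3_BUCKET" ]; then
+echo "AWS_S3_BUCKET not defined, failing rpm upload"
+exit 1
+fi
+if [ -z "$AWS_ACCESS_KEY_ID" ]; then
+echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload"
+exit 1
+fi
+if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
+echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
+exit 1
+fi
+;;
+*)
+echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
+exit 1
+;;
+esac
+
+wget https://raw.githubusercontent.com/rancher/ecm-distro-tools/master/bin/rpm_tooling
+chmod +x rpm_tooling
+mv ./rpm_tooling /usr/bin
+
+rpm_tooling --bucket $AWS_S3_BUCKET/$TARGET_S3_PATH --region us-east-1 --sign --sign-pass $PRIVATE_KEY_PASS_PHRASE --aws-access-key $AWS_ACCESS_KEY_ID --aws-secret-key $AWS_ACCESS_KEY_ID $TARGET_RPM_PATH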
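Review bot: `TARGET_RPM_PATH="dist/centos7/$RPMARCH/rke2-*.rpm"` still points at the centos7 dist directory while the `TARGET_S3_PATH` beside it uses `centos/8`, so the binary-RPM branch of this script would sign and publish centos7 packages (or nothing, if that directory is absent) under the centos 8 repository path; it should be `TARGET_RPM_PATH="dist/centos8/$RPMARCH/rke2-*.rpm"`, consistent with the `dist/centos8/source/...` line in the srcrpm branch. The comment above it also still describes the `centos/7` layout and could be brought in line with `centos/8`.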
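--- a/rpm/centos9/scripts/sign-and-upload
+++ b/rpm/centos9/scripts/sign-and-upload
@@ -0,0 +1,107 @@
+#!/bin/bash
+set -e -x
+
+dnf install -y epel-release wget
+
+dnf install -y python3 python3-pip python3-devel \
+rpm-sign expect git
+
+dnf install -y ca-certificates createrepo_c
+
+pip install --upgrade boto3 pexpect
+
+pushd $(dirname $0)/..
+. ./scripts/version
+popd
+
+cat <<\EOF >~/.rpmmacros
+%_signature gpg
+%_gpg_name [email protected]
+%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
+%_source_filedigest_algorithm 8
+%_binary_filedigest_algorithm 8
+EOF
+
+if [ -z "$COMBARCH" ]; then
+echo "Combined architecture was not defined, failing RPM upload"
+exit 1
+fi
+
+if [ -z "$RPM_MAJMIN" ]; then
+echo "RPM_MAJMIN not defined, failing rpm upload"
+exit 1
+fi
+
+if [ -z "$RPM_CHANNEL" ]; then
+echo "RPM_PATH not defined, failing rpm upload"
+exit 1
+fi
+
+IFS=- read RPMARCH GOARCH <<<${COMBARCH}
+unset IFS
+
+# Desired TARGET_S3_PATH would be something like rke2/<channel>/centos/7/<arch>
+
+TARGET_S3_PATH="rke2/$RPM_CHANNEL/$RPM_MAJMIN/centos/9/$RPMARCH"
+TARGET_RPM_PATH="dist/centos9/$RPMARCH/rke2-*.rpm"
+
+if [[ "$UPLOAD_ARCH" == "srcrpm" ]]; then
+TARGET_S3_PATH="rke2/$RPM_CHANNEL/$RPM_MAJMIN/centos/9/source"
+TARGET_RPM_PATH="dist/centos9/source/rke2-*.src.rpm"
+
+case "$RPM_CHANNEL" in
+"testing")
+export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
+if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
+echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
+exit 1
+fi
+gpg --import - <<<"$TESTING_PRIVATE_KEY"
+if [ -z "$TESTING_AWS_S3_BUCKET" ]; then
+echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload"
+exit 1
+fi
+if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then
+echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload"
+exit 1
+fi
+if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then
+echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
+exit 1
+fi
+export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID
+export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY
+export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET
+;;
+
+"latest" | "stable")
+if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
+echo "PRIVATE_KEY not defined, failing rpm sign"
+exit 1
+fi
+gpg --import - <<<"$PRIVATE_KEY"
+if [ -z "$AWS_S3_BUCKET" ]; then
+echo "AWS_S3_BUCKET not defined, failing rpm upload"
+exit 1
+fi
+if [ -z "$AWS_ACCESS_KEY_ID" ]; then
+echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload"
+exit 1
+fi
+if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
+echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
+exit 1
+fi
+;;
+*)
+echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
+exit 1
+;;
+esac
+
+wget https://raw.githubusercontent.com/rancher/ecm-distro-tools/master/bin/rpm_tooling
+chmod +x rpm_tooling
+mv ./rpm_tooling /usr/bin
+
+rpm_tooling --bucket $AWS_S3_BUCKET/$TARGET_S3_PATH --region us-east-1 --sign --sign-pass $PRIVATE_KEY_PASS_PHRASE --aws-access-key $AWS_ACCESS_KEY_ID --aws-secret-key $AWS_ACCESS_KEY_ID $TARGET_RPM_PATH
+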