Draft
33 commits
20f274e
Test rpm-signing
poorndm May 10, 2024
f794f25
Correction - syntax
poorndm May 10, 2024
babc448
Debugging stmt
poorndm May 10, 2024
3c98848
signing-pass-phrase
poorndm May 13, 2024
c80781f
debug- signing script
poorndm May 13, 2024
236199c
debug stmt to know signign script
poorndm May 13, 2024
68518f0
add debugging stmt for signing script
poorndm May 14, 2024
6c8a8a4
add debugging stmt for signing script - fix syntax
poorndm May 14, 2024
0c2ed20
rpm-signing - test-keys
poorndm Jul 2, 2024
706d768
rpm-signing - test-keys
poorndm Jul 2, 2024
0ec298f
syntax correction
poorndm Jul 2, 2024
d7733ec
modified to import gpg-key
poorndm Jul 2, 2024
7c70818
syntax correction
poorndm Jul 2, 2024
aa3ffb4
update rpm-sign cmd to test el-7
poorndm Jul 3, 2024
b1c91b2
modify rpm-sign cmd
poorndm Jul 3, 2024
79a9ed0
modified rpm-sign cmd
poorndm Jul 3, 2024
70a5096
syntax correction
poorndm Jul 3, 2024
94962bc
modify rpm-sign cmd to sign as SHA-256
poorndm Jul 3, 2024
8664920
modify rpm macro to use SHA-256
poorndm Jul 3, 2024
6ce8fcf
modify algorithm-256
poorndm Jul 8, 2024
002dfe6
add debug stmt to cat rpm-macro
poorndm Jul 8, 2024
91a2ea1
syntax correction
poorndm Jul 8, 2024
621c9c2
syntax correction
poorndm Jul 8, 2024
96ea5e9
update rpmmacros.erb to use SHA-256
poorndm Jul 10, 2024
a6423c4
update rpmmacros.erb to use SHA-256
poorndm Jul 10, 2024
649b82e
Pin ffi and public_suffix gem
poorndm Jul 10, 2024
d5f1508
update gemspec to fix the issue
poorndm Jul 10, 2024
d5b8c51
update gemspec to fix the issue
poorndm Jul 10, 2024
8918ace
modify gemspec to fix gem error specific to ruby-version
poorndm Jul 10, 2024
18e6381
modify gemspec-public_suffix
poorndm Jul 10, 2024
8474a25
remove ruby-2.7 from verifypipeline
poorndm Jul 10, 2024
b01e5b7
update rpm-sign_cmd
poorndm Jul 11, 2024
b1787cd
fix syntax error
poorndm Jul 11, 2024
7 changes: 0 additions & 7 deletions .expeditor/verify.pipeline.yml
Expand Up @@ -10,13 +10,6 @@ expeditor:
timeout_in_minutes: 30

steps:
- label: run-lint-and-specs-ruby-2.7
command:
- .expeditor/run_linux_tests.sh rake
expeditor:
executor:
docker:
image: ruby:2.7-buster

- label: run-lint-and-specs-ruby-3.0
command:
26 changes: 21 additions & 5 deletions lib/omnibus/packagers/rpm.rb
Expand Up @@ -421,13 +421,15 @@ def create_rpm_file

log.info(log_key) { "Creating .rpm file" }
shellout!("#{command}")

log.info(log_key) { "<<<DEBUGGING Stmt - omnibus-rpm.rb to check signing_passphrase : #{signing_passphrase} " }
if signing_passphrase
log.info(log_key) { "Signing enabled for .rpm file" }

log.info(log_key) { "<<<DEBUGGING Stmt - omnibus-rpm.rb to signing_passphrase : #{signing_passphrase} is enabled checking for RPM-macros " }
if File.exist?("#{ENV["HOME"]}/.rpmmacros")
log.info(log_key) { "Detected .rpmmacros file at `#{ENV["HOME"]}'" }
log.info(log_key) { "Detected .rpmmacros file at `#{ENV["HOME"]}' \n rpmmacros:" }
home = ENV["HOME"]
command2 = "cat #{ENV["HOME"]}/.rpmmacros "
shellout!("#{command2}")
else
log.info(log_key) { "Using default .rpmmacros file from Omnibus" }

Expand All @@ -441,15 +443,29 @@ def create_rpm_file
gpg_path: "#{ENV["HOME"]}/.gnupg", # TODO: Make this configurable
})
end

# private_key_file = "/home/chef-ci/private_key"
# import_command = "gpg --import #{private_key_file}"
# stdout, stderr, status = Open3.capture3(import_command)
# if status.success?
# puts "Key imported successfully"
# else
# puts "Error importing key: #{stderr}"
# end
# gpg_key_id = "E3531A01"
# sign_cmd = "rpmsign --addsign --define '_gpg_name #{gpg_key_id}' #{rpm_file}"
sign_cmd = "rpmsign --addsign #{rpm_file}"
log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb Sign_cmd -#{sign_cmd} - rpm file - #{rpm_file}" }
with_rpm_signing do |signing_script|
log.info(log_key) { "Signing the built rpm file" }

# RHEL 8 and Amazon-2023 has gpg-agent running so we can skip the expect script since the agent
# takes care of the passphrase entering on the signing
if dist_tag != ".el8" && dist_tag != ".el9" && dist_tag != ".amazon2023"
sign_cmd.prepend("#{signing_script} \"").concat("\"")
log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb RHEL 8 and Amazon-2023 has gpg-agent running so skipping the expect script -sign_cmd - #{sign_cmd} AND signing_script -> #{signing_script}" }
log.info(log_key) { "<<<<<< signing_script - cat #{signing_script} " }
command1 = "cat #{signing_script} "
shellout!("#{command1}")
end

shellout!("#{sign_cmd}", environment: { "HOME" => home })
Expand Down Expand Up @@ -510,7 +526,7 @@ def rpm_file
def with_rpm_signing(&block)
directory = Dir.mktmpdir
destination = "#{directory}/sign-rpm"

log.info(log_key) { " <<<DEBUGGING Stmt - omnibus-rpm.rb - with_rpm_signing defn - render signing.erb & passphrase: signing_passphrase : #{signing_passphrase}" }
render_template(resource_path("signing.erb"),
destination: destination,
mode: 0700,
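Review bot: The new `log.info` calls in `create_rpm_file` and `with_rpm_signing` interpolate `#{signing_passphrase}` into the message, so the GPG signing passphrase is written in clear text to the build log at info level. The added `cat #{signing_script}` shellout has a similar effect wherever command output is logged, because the rendered signing.erb contains `password = '<%= passphrase %>'` (visible in that file's hunk header on this page). Log only presence, e.g. `log.debug(log_key) { "Signing passphrase #{signing_passphrase ? "is" : "is not"} set" }`, and drop the two `cat` shellouts and the commented-out key-import block with its hard-coded key path and key id before merge; a passphrase that has already appeared in CI logs should be treated as exposed and rotated. The message added inside the `dist_tag` branch also says the expect script is being skipped, while that branch is the one that wraps `sign_cmd` in it. Both methods start and end outside the visible hunks.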
5 changes: 5 additions & 0 deletions omnibus.gemspec
Expand Up @@ -31,6 +31,11 @@ Gem::Specification.new do |gem|
gem.add_dependency "license_scout", "~> 1.0"
gem.add_dependency "contracts", ">= 0.16.0", "< 0.17.0"
gem.add_dependency "rexml", "~> 3.2"
if Gem::Version.new(RUBY_VERSION) <= Gem::Version.new("3.1.0")
gem.add_dependency "ffi", "< 1.17.0"
gem.add_dependency "train-core", "< 3.12.5"
gem.add_dependency "public_suffix", "< 6.0.0"
end

gem.add_dependency "mixlib-versioning"
gem.add_dependency "pedump"
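Review bot: The guard `Gem::Version.new(RUBY_VERSION) <= Gem::Version.new("3.1.0")` is false for 3.1.1 and every later 3.1 patch release, so the three pins apply to 3.0.x and exactly 3.1.0 only; if the whole 3.1 series is meant, compare with `< Gem::Version.new("3.2")`. A gemspec is evaluated when the gem is built, so in a packaged gem the dependency list reflects the Ruby that ran the build rather than the Ruby that installs it, and the branch only varies per interpreter for git or path sources. The pins are bare upper bounds with no stated reason, which holds `ffi`, `train-core` and `public_suffix` back from later fixes on those Rubies; add a comment such as `# Last releases that still install on Ruby <= 3.1; remove with 3.1 support (<issue link>)`. The `Gem::Specification` block continues outside the hunk.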
2 changes: 2 additions & 0 deletions resources/rpm/rpmmacros.erb
@@ -1,3 +1,5 @@
%_signature gpg
%_gpg_path <%= gpg_path %>
%_gpg_name <%= gpg_name %>
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} \
--digest-algo sha256 %{__plaintext_filename}
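Review bot: `--digest-algo sha256` takes effect only when Omnibus renders this template, and the rpm.rb section on this page appears to render it only in the `else` branch of `File.exist?("#{ENV["HOME"]}/.rpmmacros")`; a builder that has its own `~/.rpmmacros` keeps whatever digest that file or the rpm default selects. If SHA-256 signatures are a requirement, say so in a comment above the macro, e.g. `# Force SHA-256 signatures; applies only when Omnibus writes .rpmmacros`, and check the result on a signed package in CI (the signature line of `rpm -qpi` or `rpm -Kv` shows the digest). With GnuPG 2.1 and later, `--passphrase-fd` is honoured only together with `--pinentry-mode loopback`, and `--force-v3-sigs` is obsolete there, so this line likely behaves differently on el7 than on newer targets.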
1 change: 1 addition & 0 deletions resources/rpm/signing.erb
Expand Up @@ -10,6 +10,7 @@ password = '<%= passphrase %>'
require 'pty'

puts rpm_cmd
puts " <<< DEBUGGING Stmt - omnibus-signing.erb rpm_cmd - #{rpm_cmd}"
PTY.spawn(rpm_cmd) do |r, w, pid|
# Older versions of rpmsign will prompt right away for the passphrase
prompt = r.read(19)
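Review bot: The added `puts " <<< DEBUGGING Stmt - omnibus-signing.erb rpm_cmd - #{rpm_cmd}"` repeats the `puts rpm_cmd` on the line above, so the rendered signing script prints the command twice on every signing run. Drop the new line before merge; the existing `puts rpm_cmd` already records what is executed. The script body starts and ends outside the hunk.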