Merge pull request #718 from jenkinsci/feat/jenkins-gpg-key-2026

feat(deb,rpm) allow custom GPG public key file through a new environment variable 'GPG_PUBLIC_KEY_FILE' and fix missing Debian HTML

Author: dduportal

bin/indexGenerator.py

@@ -60,6 +60,7 @@ def __init__(self, argv):
         self.product_name = os.getenv("PRODUCTNAME", "Jenkins")
         self.distribution = os.getenv("OS_FAMILY", "debian")
         self.gpg_pub_key_info_file = os.getenv("GPGPUBKEYINFO", ".")
+        self.gpg_public_key_filename = os.getenv("GPG_PUBLIC_KEY_FILENAME", "jenkins.io.key")
         self.target_directory = "./target/" + self.distribution
 
         try:
@@ -107,6 +108,7 @@ def show_information(self):
         print("Root header generated: " + self.root_header)
         print("Root footer generated: " + self.root_footer)
         print("GPG Key Info File: " + self.gpg_pub_key_info_file)
+        print("GPG Public Key Filename: " + self.gpg_public_key_filename)
 
     def generate_root_header(self):
 
@@ -169,6 +171,7 @@ def generate_repository_header(self):
             "releaseline": self.releaseline,
             "web_url": self.web_url,
             "pub_key_info": self.fetch_pubkeyinfo(),
+            "gpg_public_key_filename": self.gpg_public_key_filename,
         }
 
         env = jinja2.Environment(
@@ -192,6 +195,7 @@ def generate_repository_index(self):
             "releaseline": self.releaseline,
             "web_url": self.web_url,
             "pub_key_info": self.fetch_pubkeyinfo(),
+            "gpg_public_key_filename": self.gpg_public_key_filename,
         }
 
         env = jinja2.Environment(

deb/publish/publish.sh

@@ -8,6 +8,7 @@ set -euxo pipefail
 : "${DEBDIR:? Require where to put binary files}"
 : "${DEB_WEBDIR:? Require where to put repository index and other web contents}"
 : "${DEB_URL:? Require Debian repository Url}"
+: "${GPG_PUBLIC_KEY_FILENAME:="${ORGANIZATION}.key"}"
 
 # $$ Contains current pid
 D="$AGENT_WORKDIR/$$"
@@ -22,12 +23,14 @@ function clean() {
 function generateSite() {
 	cp -R "$bin/contents/." "$D/contents"
 
-	gpg --export -a --output "$D/contents/${ORGANIZATION}.key" "${GPG_KEYNAME}"
-	gpg --import-options show-only --import "$D/contents/${ORGANIZATION}.key" >"$D/contents/${ORGANIZATION}.key.info"
+	local gpg_publickey_file="$D/contents/${GPG_PUBLIC_KEY_FILENAME}"
+	local gpg_publickey_info_file="$D/contents/${GPG_PUBLIC_KEY_FILENAME}.info"
+	gpg --export -a --output "${gpg_publickey_file}" "${GPG_KEYNAME}"
+	gpg --import-options show-only --import "${gpg_publickey_file}" > "${gpg_publickey_info_file}"
 
 	"$BASE/bin/indexGenerator.py" \
 		--distribution debian \
-		--gpg-key-info-file "${D}/contents/${ORGANIZATION}.key.info" \
+		--gpg-key-info-file "${gpg_publickey_info_file}" \
 		--targetDir "$D/html"
 
 	"$BASE/bin/branding.py" "$D"
@@ -87,14 +90,10 @@ function uploadPackageSite() {
 }
 
 function uploadHtmlSite() {
-	# Html file need to be located in the binary directory
 	rsync --archive \
 		--verbose \
 		--progress \
-		--include "HEADER.html" \
-		--include "FOOTER.html" \
-		--exclude "*" \
-		"$D/html/" "$DEBDIR/"
+		"$D/html/" "$DEB_WEBDIR/"
 }
 
 function show() {
@@ -103,6 +102,7 @@ function show() {
 	echo "DEBDIR: $DEBDIR"
 	echo "DEB_WEBDIR: $DEB_WEBDIR"
 	echo "GPG_KEYNAME: $GPG_KEYNAME"
+	echo "GPG_PUBLIC_KEY_FILENAME: $GPG_PUBLIC_KEY_FILENAME"
 	echo "---"
 }
 

rpm/publish/publish.sh

@@ -8,6 +8,7 @@ set -euxo pipefail
 : "${RPM_URL:?Require rpm repository url}"
 : "${RELEASELINE?Require rpm release line}"
 : "${BASE:?Require base directory}"
+: "${GPG_PUBLIC_KEY_FILENAME:="${ORGANIZATION}.key"}"
 
 # $$ Contains current pid
 D="$AGENT_WORKDIR/$$"
@@ -17,10 +18,14 @@ function clean() {
 }
 
 function generateSite() {
-	local gpg_publickey="$D/repodata/repomd.xml.key"
-	mkdir -p "$(dirname "${gpg_publickey}")"
-	gpg --export -a --output "${gpg_publickey}" "${GPG_KEYNAME}"
-	gpg --import-options show-only --import "${gpg_publickey}" >"$D/${ORGANIZATION}.key.info"
+	local gpg_publickey_repomd="$D/repodata/repomd.xml.key"
+	local gpg_publickey_file="$D/${GPG_PUBLIC_KEY_FILENAME}"
+	local gpg_publickey_info_file="$D/${GPG_PUBLIC_KEY_FILENAME}.info"
+
+	mkdir -p "$(dirname "${gpg_publickey_repomd}")"
+	gpg --export -a --output "${gpg_publickey_repomd}" "${GPG_KEYNAME}"
+	gpg --import-options show-only --import "${gpg_publickey_repomd}" > "${gpg_publickey_info_file}"
+	cp "${gpg_publickey_repomd}" "${gpg_publickey_file}" # Duplicate between repository files and user facing website
 
 	cat >"$D/${ARTIFACTNAME}.repo" <<EOF
 [${ARTIFACTNAME}]
@@ -39,7 +44,7 @@ EOF
 
 	"$BASE/bin/indexGenerator.py" \
 		--distribution rpm \
-		--gpg-key-info-file "${D}/${ORGANIZATION}.key.info" \
+		--gpg-key-info-file "${gpg_publickey_info_file}" \
 		--targetDir "$D"
 
 	"$BASE/bin/branding.py" "$D"
@@ -76,6 +81,7 @@ function show() {
 	echo "RPMDIR: $RPMDIR"
 	echo "RPM_WEBDIR: $RPM_WEBDIR"
 	echo "GPG_KEYNAME: $GPG_KEYNAME"
+	echo "GPG_PUBLIC_KEY_FILENAME: $GPG_PUBLIC_KEY_FILENAME"
 	echo "---"
 }
 

templates/header.debian.html

@@ -10,7 +10,7 @@
   <pre class="text-white bg-dark">
     <code>
   sudo wget -O /etc/apt/keyrings/jenkins-keyring.asc \
-    <a href="{{web_url}}/{{organization}}-2023.key" style="color:white">{{web_url}}/{{organization}}-2023.key</a></code>
+    <a href="{{web_url}}/{{gpg_public_key_filename}}" style="color:white">{{web_url}}/{{gpg_public_key_filename}}</a></code>
   </pre>
 
   Then add a Jenkins apt repository entry: