101 changes: 101 additions & 0 deletions .github/workflows/gpgkeys_generation.yml
@@ -0,0 +1,101 @@
name: GPG Key Generation (Test)

on:
workflow_dispatch:
inputs:
test_message:
description: 'Test message to display'
required: false
default: 'Hello from GPG workflow test!'
type: string
push:
branches:
- gpgWorkflow

jobs:
generate-gpg-keys:
runs-on: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Setup GPG
run: |
echo "GPG Version:"
gpg --version
echo "Creating GPG directory..."
mkdir -p ~/.gnupg
chmod 700 ~/.gnupg

- name: Generate GPG Keys
env:
OHAI_GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
GPG_KEY_NAME: "New Relic Infrastructure Agent"
GPG_KEY_EMAIL: "infrastructure-eng@newrelic.com"
run: |
chmod +x .github/workflows/scripts/gpgkeys_generation.sh
.github/workflows/scripts/gpgkeys_generation.sh

- name: Verify generated keys
run: |
echo "Verifying generated files..."
ls -lh gpg-*.asc
echo ""
echo "Public key preview:"
head -n 5 gpg-public-key.asc
echo ""
echo "Keys generated successfully!"

- name: Upload private key to GitHub Secrets
env:
GH_TOKEN: ${{ secrets.OHAI_PAT }}
run: |
echo "Installing GitHub CLI..."
type -p gh &> /dev/null || (curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
&& sudo chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
&& sudo apt update \
&& sudo apt install gh -y)

echo "Encoding private key to base64..."
ENCODED_KEY=$(cat gpg-private-key.asc | base64 -w 0)

echo "Uploading encoded private key to GitHub secret..."
gh secret set OHAI_GPG_PRIVATE_KEY_TEST --body "${ENCODED_KEY}" --repo ${{ github.repository }}

echo "✓ Private key (base64 encoded) uploaded to GitHub secret: OHAI_GPG_PRIVATE_KEY_TEST"

- name: Export GPG key in binary format
run: |
echo "Getting Key ID..."
KEY_ID=$(gpg --list-keys --with-colons "infrastructure-eng@newrelic.com" | awk -F: '/^pub:/ {print $5}' | head -n 1)
echo "Key ID: ${KEY_ID}"

echo "Exporting public key in .gpg binary format..."
gpg --export "${KEY_ID}" > public-key.gpg
ls -lh public-key.gpg
echo "✓ Binary GPG key exported"

- name: Upload public key to AWS S3 Staging
env:
AWS_ACCESS_KEY_ID: ${{ secrets.OHAI_AWS_ACCESS_KEY_ID_STAGING }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.OHAI_AWS_SECRET_ACCESS_KEY_STAGING }}
AWS_REGION: "us-east-1"
run: |
echo "Checking AWS CLI..."
if ! command -v aws &> /dev/null; then
echo "Installing AWS CLI v2..."
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip -q awscliv2.zip
sudo ./aws/install
else
echo "AWS CLI already installed"
fi
aws --version

echo "Uploading public key (.gpg format) to S3..."
aws s3 cp public-key.gpg s3://nr-downloads-ohai-staging/infrastructure_agent/keys/newrelic_rpm_key_sha256_test.gpg --acl public-read

echo "✓ Public key uploaded to S3: s3://nr-downloads-ohai-staging/infrastructure_agent/keys/newrelic_rpm_key_sha256_test.gpg"
echo "✓ Public URL: http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent/keys/newrelic_rpm_key_sha256_test.gpg"
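Review bot: The `push` trigger on the `gpgWorkflow` branch (lines 15-17) makes every push to that branch generate a fresh key pair, overwrite the `OHAI_GPG_PRIVATE_KEY_TEST` secret and replace the publicly readable S3 object, so a key rotation runs with no deliberate approval step; consider keeping only `workflow_dispatch` and binding the job to a GitHub environment with required reviewers. The `test_message` input declared under `workflow_dispatch` is never referenced by any step and can be dropped. After `gh secret set` succeeds, `gpg-private-key.asc` remains in the workspace for the rest of the job; adding `rm -f gpg-private-key.asc` immediately after that line limits how long the armored private key sits on disk. The URL echoed on the last line is `http://`, so a consumer fetching the key by that URL has no transport integrity; prefer an HTTPS URL such as the bucket's REST endpoint rather than the website endpoint.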
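--- a/.github/workflows/scripts/gpgkeys_generation.sh
+++ b/.github/workflows/scripts/gpgkeys_generation.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+set -e
+
+# Configuration
+NAME_REAL="${GPG_KEY_NAME:-New Relic Infrastructure Agent}"
+NAME_EMAIL="${GPG_KEY_EMAIL:-infrastructure-eng@newrelic.com}"
+PASSPHRASE="${OHAI_GPG_PASSPHRASE}"
+
+echo "Generating GPG key with SHA256..."
+
+# Create GPG batch configuration
+cat > gpg-batch-config.txt <<EOF
+Key-Type: RSA
+Key-Length: 4096
+Key-Usage: sign
+Subkey-Type: RSA
+Subkey-Length: 4096
+Subkey-Usage: encrypt
+Name-Real: ${NAME_REAL}
+Name-Email: ${NAME_EMAIL}
+Expire-Date: 0
+Passphrase: ${PASSPHRASE}
+Preferences: SHA256 SHA384 SHA512 AES256 AES192 AES
+%commit
+EOF
+
+# Generate the key
+gpg --batch --generate-key gpg-batch-config.txt
+
+# Get the key ID
+KEY_ID=$(gpg --list-keys --with-colons "${NAME_EMAIL}" | awk -F: '/^pub:/ {print $5}' | head -n 1)
+
+echo "Key ID: ${KEY_ID}"
+
+# Export keys with passphrase
+gpg --batch --pinentry-mode loopback --passphrase "${PASSPHRASE}" --armor --export-secret-keys "${KEY_ID}" > gpg-private-key.asc
+gpg --armor --export "${KEY_ID}" > gpg-public-key.asc
+
+# Clean up
+rm -f gpg-batch-config.txt
+
+echo "✓ GPG keys generated successfully with SHA256"
+echo " Email: ${NAME_EMAIL}"
+echo " Expiration: Never"
+echo " Private key: gpg-private-key.asc"
+echo " Public key: gpg-public-key.asc"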
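Review bot: The passphrase is written in clear text to `gpg-batch-config.txt` in the checkout directory (the `Passphrase:` line of the heredoc) and the file is only removed on the success path, so with `set -e` any failure between the heredoc and the `rm -f` leaves it on the runner's disk with the default umask; install the cleanup as an EXIT trap and tighten the umask before the file is created. `PASSPHRASE` is taken from `OHAI_GPG_PASSPHRASE` without checking that it is non-empty, and `KEY_ID` is never checked either, so a missing secret or a failed key lookup proceeds into the export step with empty values instead of failing fast. Passing `--passphrase "${PASSPHRASE}"` on the command line also exposes the value to anything reading the process list while the export runs; feeding it over `--passphrase-fd 0` avoids that. The rewritten lines are below.
```shell
#!/bin/bash
set -e

# Fail fast rather than hand gpg an empty passphrase line
: "${OHAI_GPG_PASSPHRASE:?OHAI_GPG_PASSPHRASE must be set}"

# … unchanged: NAME_REAL / NAME_EMAIL / PASSPHRASE assignments …

# The batch file carries the passphrase in clear text: keep it private and remove it on every exit path
umask 077
trap 'rm -f gpg-batch-config.txt' EXIT

# … unchanged: heredoc and gpg --batch --generate-key …

KEY_ID=$(gpg --list-keys --with-colons "${NAME_EMAIL}" | awk -F: '/^pub:/ {print $5}' | head -n 1)
if [ -z "${KEY_ID}" ]; then
  echo "No key found for ${NAME_EMAIL}" >&2
  exit 1
fi

# Passphrase goes over stdin instead of argv so it never appears in the process list
printf '%s' "${PASSPHRASE}" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 --armor --export-secret-keys "${KEY_ID}" > gpg-private-key.asc

# … unchanged: public key export and final messages (the explicit rm -f of the batch file is now handled by the trap) …
```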