Skip to content

ci: sign RPM packages before pushing to GCP Artifact Registry#4392

Open
PrzemekZglinicki wants to merge 1 commit intomainfrom
devprod-4134-sign-rpm-packages-connect
Open

ci: sign RPM packages before pushing to GCP Artifact Registry#4392
PrzemekZglinicki wants to merge 1 commit intomainfrom
devprod-4134-sign-rpm-packages-connect

Conversation

@PrzemekZglinicki
Copy link
Copy Markdown
Contributor

@PrzemekZglinicki PrzemekZglinicki commented May 4, 2026
edited
Loading

Summary

  • Add sign_rpm() to push_pkg_to_gcp_ar.sh: fetches the Redpanda GPG private key from AWS Secrets Manager (sdlc/prod/github/rpm_signing_key_private), signs each RPM with rpmsign --resign, verifies the signature using a temp RPM database, then uploads to GCP AR
  • DEBs are unchanged — GCP AR provides repository-level signing for APT
  • Fix signature verification to use rpm --dbpath <tmpdb> so the GPG check actually validates the signature (plain rpm --checksig ignores GNUPGHOME and checks the system keyring, returning exit 0 even for NOKEY)
  • Add test-push-to-gcp-ar CI job: generates a throwaway GPG key, builds a minimal RPM, mocks aws and gcloud, and asserts signing + routing for GA (redpanda-yum), RC (redpanda-unstable-yum), DEB (redpanda-apt), and missing-region error cases

🤖 Generated with Claude Code

@CLAassistant
Copy link
Copy Markdown

CLAassistant commented May 4, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

Przemek Zglinicki seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

1 similar comment
@CLAassistant
Copy link
Copy Markdown

CLAassistant commented May 4, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

Przemek Zglinicki seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@PrzemekZglinicki PrzemekZglinicki force-pushed the devprod-4134-sign-rpm-packages-connect branch 4 times, most recently from e9d288b to 59ae745 Compare May 4, 2026 20:09
@PrzemekZglinicki
Copy link
Copy Markdown
Contributor Author

PrzemekZglinicki commented May 4, 2026

@claude review once

claude[bot]
claude Bot reviewed May 4, 2026
View reviewed changes
Comment thread .github/workflows/test.yml Outdated
@claude
Copy link
Copy Markdown

claude Bot commented May 4, 2026

Commits

  1. The single commit ci: sign RPM packages before pushing to GCP Artifact Registry bundles two unrelated changes: the RPM signing work (the focus of the PR) and a new label-gated integration-test job in .github/workflows/test.yml#L65-L114. The integration-test job is not mentioned in the commit body or PR description and has no functional relationship to RPM signing. Per the commit policy, each commit should be one self-contained logical change — please split this into two commits/PRs.

Review
The RPM signing logic and test-push-to-gcp-ar job look reasonable: AWS region is validated, GPG state is isolated to a temp GNUPGHOME, and verification correctly uses a temp RPM database (the comment in resources/scripts/push_pkg_to_gcp_ar.sh#L68-L76 accurately explains why the previous rpm --checksig was insufficient). Test coverage exercises GA, RC, DEB skip, and missing-region paths.

  1. See inline comment on the unrelated integration-test job in .github/workflows/test.yml.

@PrzemekZglinicki PrzemekZglinicki force-pushed the devprod-4134-sign-rpm-packages-connect branch from 59ae745 to 6b00c86 Compare May 4, 2026 20:24
@claude
Copy link
Copy Markdown

claude Bot commented May 4, 2026

Commits
LGTM

Review
CI changes to sign RPM packages with a key fetched from AWS Secrets Manager before pushing to GCP Artifact Registry, with a new test-push-to-gcp-ar job exercising RPM/DEB routing and the missing-region error path.

LGTM

@PrzemekZglinicki PrzemekZglinicki force-pushed the devprod-4134-sign-rpm-packages-connect branch from 6b00c86 to 75ddf01 Compare May 4, 2026 20:32
@claude
Copy link
Copy Markdown

claude Bot commented May 4, 2026

Commits
LGTM

Review
Single commit ci: sign RPM packages before pushing to GCP Artifact Registry adds RPM signing in push_pkg_to_gcp_ar.sh plus a CI test job that mocks aws/gcloud and exercises GA, RC, DEB, and missing-region paths. Script correctly uses set -euo pipefail, scopes temp dirs/keyring inside a subshell with an EXIT trap so cleanup fires even on early exit, verifies signatures via a temp RPM database (rpm --dbpath) instead of the system keyring, and short-circuits with a clear error when no AWS region is set.

LGTM

@claude
ci: sign RPM packages before pushing to GCP Artifact Registry
05fc4b6 
- Add sign_rpm() to push_pkg_to_gcp_ar.sh: fetches the Redpanda GPG
  private key from AWS Secrets Manager (sdlc/prod/github/rpm_signing_key_private),
  signs each RPM with rpmsign --resign, verifies the signature using a
  temp RPM database, then uploads to GCP AR
- Fix signature verification to use rpm --dbpath <tmpdb> so the GPG
  check actually validates the signature (plain rpm --checksig ignores
  GNUPGHOME and checks the system keyring, returning exit 0 even for NOKEY)
- Add test-push-to-gcp-ar CI job: generates a throwaway GPG key, builds
  a minimal RPM, mocks aws and gcloud, and asserts signing + routing for
  GA (redpanda-yum), RC (redpanda-unstable-yum), DEB (redpanda-apt), and
  missing-region error cases

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@PrzemekZglinicki PrzemekZglinicki force-pushed the devprod-4134-sign-rpm-packages-connect branch from 75ddf01 to 05fc4b6 Compare May 4, 2026 20:45
@claude
Copy link
Copy Markdown

claude Bot commented May 4, 2026

Commits
LGTM

Review
RPM signing flow uses a subshell with an EXIT trap so cleanup runs even under set -e, and set -euo pipefail plus the pre-flight region check give clear failure modes. The new CI job exercises GA / RC / DEB / missing-region paths against mocked aws and gcloud, and the verification step correctly uses rpm --dbpath to ensure the GPG check actually validates against the imported key.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@PrzemekZglinicki @CLAassistant