From: Petr Štetiar
Date: Mon, 4 Nov 2024 20:43:06 +0000 (+0000)
Subject: Allow signing of artifacts with key provided by GPG agent
X-Git-Tag: v21^0
X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=d014e424f4b440eb4be641e5e408699a63331901;p=buildbot.git
Allow signing of artifacts with key provided by GPG agent
In our case the GPG agent serves 0x1D53D1877742E911 key stored on Nitrokey3 USB dongle. GPG key is bind mounted from the host.
References: https://lists.openwrt.org/pipermail/openwrt-devel/2023-May/041044.html
Signed-off-by: Petr Štetiar
---
diff --git a/docker/buildmaster/Dockerfile b/docker/buildmaster/Dockerfile
index b73335f..b384245 100644
--- a/docker/buildmaster/Dockerfile
+++ b/docker/buildmaster/Dockerfile
@@ -95,6 +95,12 @@ RUN \
 chown buildbot:buildbot /master && \
 chmod 0755 /entry.sh /start.sh
+RUN \
+ mkdir -p /home/buildbot && \
+ chmod u=rwx,go= /home/buildbot && \
+ chown --recursive buildbot:buildbot /home/buildbot && \
+ gosu buildbot sh -c "gpg --homedir /home/buildbot/.gnupg --recv-keys 0x1D53D1877742E911"
+
 VOLUME [ "/master" ]
 ENTRYPOINT [ "/entry.sh" ]
 CMD [ "start" ]
diff --git a/docker/buildmaster/files/entry.sh b/docker/buildmaster/files/entry.sh
index 2fc914c..05ae25f 100644
--- a/docker/buildmaster/files/entry.sh
+++ b/docker/buildmaster/files/entry.sh
@@ -1,10 +1,15 @@
 #!/usr/bin/env bash
-for dir in /master /config /certs; do
+for dir in /master /config /certs /home/buildbot; do
 [ -d "$dir" ] || continue
 chown --recursive buildbot:buildbot "$dir"
 chmod 0700 "$dir"
 done
+if [ -S "/home/buildbot/.gnupg/S.gpg-agent" ]; then
+ chown buildbot:buildbot /home/buildbot/.gnupg/S.gpg-agent
+ chmod 0600 /home/buildbot/.gnupg/S.gpg-agent
+fi
+
 /usr/sbin/gosu buildbot /start.sh "$@"
diff --git a/scripts/signall.sh b/scripts/signall.sh
index 325872f..6be0ef1 100755
--- a/scripts/signall.sh
+++ b/scripts/signall.sh
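Review bot: The new RUN step fetches the signing key with `gpg --recv-keys 0x1D53D1877742E911`, i.e. by 64-bit key ID from whatever keyserver the default gpg configuration selects, so the image trusts whichever key that server returns for the ID and the build breaks whenever the keyserver is unreachable. I would pin both the key and its source, `gpg --homedir /home/buildbot/.gnupg --keyserver hkps://keys.openpgp.org --recv-keys <full 40-hex fingerprint>`, or better COPY the exported public key into the image, `gpg --import` it and fail the build if `gpg --fingerprint` does not print the expected fingerprint. If the host's GnuPG home is bind mounted over /home/buildbot/.gnupg at runtime, as the commit message suggests, that mount shadows whatever this step created, so the step is really a fallback and deserves a comment above the RUN saying so: `# Fallback only: at runtime the host GnuPG home (Nitrokey-backed key + agent socket) is expected to be bind mounted over this directory.`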
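Review bot: Adding /home/buildbot to the chown/chmod loop makes entry.sh rewrite the ownership of every file under the bind-mounted GnuPG home to the container's buildbot uid/gid on each start, which changes host-side files that the host's gpg-agent also uses; if the container and host uids differ this can lock the host user out of its own keyring. Limiting the fix-up to what the container actually needs (the socket, which the new `if [ -S … ]` block already handles) is safer, and if the agent has to be shared at all, exposing its restricted `S.gpg-agent.extra` socket instead of the full one keeps key-management operations out of the container. The `-S` test also fails silently when the socket is absent (recent GnuPG may keep its sockets under /run/user/<uid>/gnupg and leave only a redirect file in the home dir), so I would add `else echo "warning: no gpg-agent socket at /home/buildbot/.gnupg/S.gpg-agent, agent-based signing unavailable" >&2` so the cause is visible before signall.sh fails later.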
@@ -53,6 +53,7 @@ esac
 if [ -z "$branch" ]; then
 GPGKEY="$(iniget "${CONFIG_INI:-config.ini}" gpg key)"
+GPGKEYID="$(iniget "${CONFIG_INI:-config.ini}" gpg keyid)"
 GPGPASS="$(iniget "${CONFIG_INI:-config.ini}" gpg passphrase)"
 GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" gpg comment)"
@@ -62,6 +63,7 @@ USIGNCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" usign comment)"
 APKSIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" apk key)"
 else
 GPGKEY="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_key")"
+GPGKEYID="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_keyid")"
 GPGPASS="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_passphrase")"
 GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_comment")"
@@ -99,7 +101,7 @@ if [ -n "$APKSIGNKEY" ]; then
 done
 fi
-if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then
+if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK" && [ -z "$GPGKEYID" ]; then
 umask 077
 echo "$GPGPASS" > "$tmpdir/gpg.pass"
 echo "$GPGKEY" | gpg --batch --homedir "$tmpdir/gpg" \
@@ -117,6 +119,17 @@ if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then
 -o "{}.asc" "{}" \; || finish 4
 fi
+if [ -n "$GPGKEYID" ]; then
+ find "$tmpdir/tar/" -type f -not -name "*.asc" -and -not -name "*.sig" -print0 | while IFS= read -r -d '' file; do
+ if ! gpg --no-version --batch --detach-sign --armor \
+ --local-user "${GPGKEYID}" \
+ ${GPGCOMMENT:+--comment="$GPGCOMMENT"} \
+ --homedir /home/buildbot/.gnupg "${file}.asc" "$file"; then
+ finish 4
+ fi
+ done
+fi
+
 if [ -n "$USIGNKEY" ]; then
 USIGNID="$(echo "$USIGNKEY" | base64 -d -i | dd bs=1 skip=32 count=8 2>/dev/null | od -v -t x1 | sed -rne 's/^0+ //p' | tr -d ' ')"
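Review bot: GPGKEYID is read from config.ini in both arms of the if/else (whose start and end lie outside these two hunks) and is never validated before it is handed to gpg as the signing key selector; gpg accepts any key specifier there, including user-id substrings and short IDs, so a typo or an ambiguous value silently selects a different key from the shared agent keyring. I would require a full fingerprint right after the if/else, e.g. `if [ -n "$GPGKEYID" ] && ! printf '%s\n' "$GPGKEYID" | grep -Eqx '(0x)?[0-9A-Fa-f]{40}!?'; then echo "gpg keyid must be a full fingerprint" >&2; finish 4; fi` (pick whichever code `finish` reserves for configuration errors; 4 is what the signing-failure path uses). The changed condition in the third hunk also means an inline `BEGIN PGP PRIVATE KEY BLOCK` in `gpg key` is silently ignored once `gpg keyid` is set, so a one-line comment above it, `# an agent-backed gpg keyid takes precedence over an inline private key`, would make that precedence explicit.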