Sign deb and rpm packages

parent 1fef2c2f
......@@ -263,6 +263,13 @@ binaries windows/386 windows/amd64: *binaries
<<: *except_docs
stage: package
script:
- |
# checking GPG signing support
if [ ! -z "$GPG_PASSPHRASE" ] && [ ! -z "$GPG_KEY_LOCATION" ]; then
AWS_ACCESS_KEY_ID="$GPG_AWS_ACCESS_KEY_ID" AWS_SECRET_ACCESS_KEY="$GPG_AWS_SECRET_ACCESS_KEY" ./scripts/s3get "$GPG_KEY_LOCATION" | gpg --batch --no-tty --allow-secret-key-import --import -
else
echo -e "\033[0;31m****** GPG signing disabled ******\033[0m"
fi
- source ci/touch_make_dependencies
- make ${CI_JOB_NAME}
artifacts:
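Review bot: The guard on the `if` line tests only GPG_PASSPHRASE and GPG_KEY_LOCATION, but the download also needs GPG_AWS_ACCESS_KEY_ID and GPG_AWS_SECRET_ACCESS_KEY; when only those are unset, s3get exits with "missing access key" and gpg is left importing an empty stream, so the job reports a gpg parse error instead of the real cause. Gating on all four, `if [ -n "$GPG_PASSPHRASE" ] && [ -n "$GPG_KEY_LOCATION" ] && [ -n "$GPG_AWS_ACCESS_KEY_ID" ] && [ -n "$GPG_AWS_SECRET_ACCESS_KEY" ]; then`, keeps the "signing disabled" branch honest. Whether a failed download aborts the job depends on the runner shell's pipefail setting, which this hunk does not show; a `set -o pipefail` as the first line of the block removes the doubt. As far as I know `--allow-secret-key-import` is documented by GnuPG 2 as an obsolete, ignored option and can be dropped.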
......@@ -215,6 +215,10 @@ package-deb-fpm:
packaging/root/=/ \
out/binaries/$(NAME)-linux-$(ARCH)=/usr/lib/gitlab-runner/gitlab-runner \
out/helper-images/=/usr/lib/gitlab-runner/helper-images/
@if [ ! -z "$(GPG_PASSPHRASE)" ]; then \
dpkg-sig -g "--no-tty --digest-algo 'sha512' --passphrase '$(GPG_PASSPHRASE)'" \
-k $(GPG_KEYID) --sign builder "out/deb/$(PACKAGE_NAME)_$(PACKAGE_ARCH).deb" ;\
fi
package-rpm-fpm:
@mkdir -p out/rpm/
......@@ -241,6 +245,14 @@ package-rpm-fpm:
packaging/root/=/ \
out/binaries/$(NAME)-linux-$(ARCH)=/usr/lib/gitlab-runner/gitlab-runner \
out/helper-images/=/usr/lib/gitlab-runner/helper-images/
@if [ ! -z "$(GPG_PASSPHRASE)" ] ; then \
echo "yes" | setsid rpm \
--define "_gpg_name $(GPG_KEYID)" \
--define "_signature gpg" \
--define "__gpg_check_password_cmd /bin/true" \
--define "__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --digest-algo 'sha512' --passphrase '$(GPG_PASSPHRASE)' --no-secmem-warning -u '%{_gpg_name}' --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}" \
--addsign out/rpm/$(PACKAGE_NAME)_$(PACKAGE_ARCH).rpm ;\
fi
packagecloud: packagecloud-deps packagecloud-deb packagecloud-rpm
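Review bot: The signing passphrase is put on a command line in both hunks — `--passphrase '$(GPG_PASSPHRASE)'` inside the dpkg-sig `-g` string and again inside the `__gpg_sign_cmd` macro of the rpm hunk — so while gpg runs it is readable by any process on the runner via `ps` or `/proc/*/cmdline`, and a passphrase containing a single quote breaks the quoting outright. Because make expands `$(GPG_PASSPHRASE)` itself, a `make -n`, `--trace` or a dropped `@` also prints it into the job log. Handing it to gpg through a mode-0600 temp file created under `umask 077` avoids both; the deb recipe below shows the shape, and the rpm macro can reference the same file with `--passphrase-file` in place of `--passphrase '...'` (assuming the variable reaches the recipe shell as `$$GPG_PASSPHRASE`, which holds when it comes from the CI environment; depending on the GnuPG version `--pinentry-mode loopback` may also be needed, as it already is for `--passphrase`). Neither recipe checks that GPG_KEYID is non-empty, so a set passphrase with an unset key id fails inside the signing tool rather than with a clear message.
```make
	@if [ -n "$$GPG_PASSPHRASE" ]; then \
		umask 077; pf=$$(mktemp) || exit 1; \
		printf '%s' "$$GPG_PASSPHRASE" > "$$pf"; \
		dpkg-sig -g "--no-tty --batch --digest-algo sha512 --passphrase-file $$pf" \
			-k $(GPG_KEYID) --sign builder "out/deb/$(PACKAGE_NAME)_$(PACKAGE_ARCH).deb"; \
		rc=$$?; rm -f "$$pf"; exit $$rc; \
	fi
# … unchanged: package-rpm-fpm recipe, apply the same --passphrase-file change inside __gpg_sign_cmd …
```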
#!/bin/bash
# based on https://gist.github.com/mporcheron/8d312853099331a3853ef1f672c8c50d
main() {
# help
if [ "${1}" = "-h" ]; then
printf "s3get: usage: bucket/path"
exit -1
fi
# helper functions
fail() {
echo "$1" > /dev/stderr; exit 1;
}
hex256() {
printf "$1" | od -A n -t x1 | sed ':a;N;$!ba;s/[\n ]//g'
}
sha256Hash() {
local output=$(printf "$1" | sha256sum)
echo "${output%% *}"
}
hmac_sha256() {
printf "$2" | openssl dgst -binary -hex -sha256 -mac HMAC -macopt hexkey:$1 | sed 's/^.* //'
}
sign() {
local kSigning=$(hmac_sha256 $(hmac_sha256 $(hmac_sha256 \
$(hmac_sha256 $(hex256 "AWS4$1") $2) $3) $4) "aws4_request")
hmac_sha256 "${kSigning}" "$5"
}
# dependency check
programs=("openssl" "curl" "printf" "sed" "awk" "od" "date" "sha256sum" "pwd" "dirname")
for program in "${programs[@]}"; do
if [ ! -x "$(which "$program")" ]; then
fail "$program is required to run"
fi
done
# parameters
local region="${AWS_DEFAULT_REGION:-us-east-1}"
local host="${AWS_DEFAULT_HOST:-s3.amazonaws.com}"
local resource="/${1}"
local bucket
bucket=$(cut -d '/' -f 1 <<< "${1}")
local path
path=$(cut -d '/' -f 2- <<< "${1}")
local access_key="${AWS_ACCESS_KEY_ID}"
local secret_key="${AWS_SECRET_ACCESS_KEY}"
# validate parameters
if [[ "$bucket" = "" ]]; then fail "missing bucket (arg 1)"; fi;
if [[ "$path" = "" ]]; then fail "missing path (arg 1)"; fi;
if [[ "$access_key" = "" ]]; then fail "missing access key (env AWS_ACCESS_KEY_ID)"; fi;
if [[ "$secret_key" = "" ]]; then fail "missing secret key (env AWS_SECRET_ACCESS_KEY)"; fi;
# build the request
local protocol="https"
local method="GET"
local cmd=("curl")
local headers
local headerList
cmd+=("-X" "${method}")
cmd+=("-H" "Host: ${host}")
headers+="host:${host}\n"
headerList+="host;"
local payloadHash
payloadHash=$(sha256Hash "")
cmd+=("-H" "x-amz-content-sha256: ${payloadHash}")
headers+="x-amz-content-sha256:${payloadHash}\n"
headerList+="x-amz-content-sha256;"
local dateScope
local isoTimestamp
dateScope=$(date -u "+%Y%m%d")
isoTimestamp=$(date -u "+%Y%m%dT%H%M%SZ")
cmd+=("-H" "x-amz-date: ${isoTimestamp}")
headers+="x-amz-date:${isoTimestamp}"
headerList+="x-amz-date"
local canonicalRequest="${method}
${resource}
${headers}
${headerList}
${payloadHash}"
local hashedRequest
hashedRequest=$(sha256Hash "${canonicalRequest}")
local stringToSign="AWS4-HMAC-SHA256
${isoTimestamp}
${dateScope}/${region}/s3/aws4_request
${hashedRequest}"
local signature
signature=$(sign "${secret_key}" "${dateScope}" "${region}" "s3" "${stringToSign}")
local authorizationHeader="AWS4-HMAC-SHA256 Credential=${access_key}/${dateScope}/${region}/s3/aws4_request, SignedHeaders=${headerList}, Signature=${signature}"
cmd+=("-H" "Authorization: ${authorizationHeader}")
cmd+=("${protocol}://${host}${resource}")
# run the command
"${cmd[@]}"
}
main "$@"
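Review bot: hex256 and sha256Hash use `printf "$1"`, so the argument is interpreted as a format string; a `%` or backslash sequence in the object path (it becomes part of the canonical request) or in the key material fed to hex256 would silently produce a wrong signature. Both should read `printf '%s' "$1"`, and hmac_sha256 likewise `printf '%s' "$2"`. curl is run without `--fail`, so an S3 error response (for example a 403 XML body) is written to stdout with exit status 0 and, in the CI job that pipes this script into gpg, is handed to the key import as if it were key data; `local cmd=("curl" "--fail" "--silent" "--show-error")` makes the failure surface where it happens. The derived signing keys, including the first-round key that is just the hex of `AWS4` plus the secret, are passed to openssl as `-macopt hexkey:…` arguments and are therefore visible in the process table for the duration of each call; on a shared runner that is worth knowing, though I see no stdin key option for `openssl dgst` that would avoid it. `exit -1` in the help branch is not a valid exit status and comes out as 255; `exit 1` states the intent.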