[buildbot] Implement GPG signing support
LEDE Commits
lede-commits at lists.infradead.org
Tue Jul 26 09:08:28 PDT 2016
jow pushed a commit to buildbot.git, branch master:
https://git.lede-project.org/?p=buildbot.git;a=commitdiff;h=a16febf43237f22881a9fcb2545dfb783a67e9bb
commit a16febf43237f22881a9fcb2545dfb783a67e9bb
Author: Jo-Philipp Wich <jo at mein.io>
AuthorDate: Tue Jul 26 18:07:25 2016 +0200
Implement GPG signing support
Signed-off-by: Jo-Philipp Wich <jo at mein.io>
---
phase1/config.ini.example | 5 ++++
phase1/master.cfg | 70 +++++++++++++++++++++++++++++++++++++++++++----
phase1/signall.sh | 25 +++++++++++++++++
phase2/config.ini.example | 5 ++++
phase2/master.cfg | 59 +++++++++++++++++++++++++++++++++++++++
5 files changed, 158 insertions(+), 6 deletions(-)
diff --git a/phase1/config.ini.example b/phase1/config.ini.example
index fdde485..5c109fb 100644
--- a/phase1/config.ini.example
+++ b/phase1/config.ini.example
@@ -25,6 +25,11 @@ binary_password = example
source_url = user at example.org::upload-sources
source_password = example2
+[gpg]
+keyid = 626471F1
+passfile = ./gpg-passphrase.txt
+comment = Unattended build signature
+
[slave 1]
name = example-slave-1
password = example
diff --git a/phase1/master.cfg b/phase1/master.cfg
index 6ae57d9..ea6d471 100644
--- a/phase1/master.cfg
+++ b/phase1/master.cfg
@@ -61,6 +61,20 @@ if ini.has_option("rsync", "source_url"):
rsync_src_url = ini.get("rsync", "source_url")
rsync_src_key = ini.get("rsync", "source_password")
+gpg_keyid = None
+gpg_comment = "Unattended build signature"
+gpg_passfile = "/dev/null"
+
+if ini.has_option("gpg", "keyid"):
+ gpg_keyid = ini.get("gpg", "keyid")
+
+if ini.has_option("gpg", "comment"):
+ gpg_comment = ini.get("gpg", "comment")
+
+if ini.has_option("gpg", "passfile"):
+ gpg_passfile = ini.get("gpg", "passfile")
+
+
# find targets
targets = [ ]
@@ -114,7 +128,9 @@ from buildbot.process.factory import BuildFactory
from buildbot.steps.source import Git
from buildbot.steps.shell import ShellCommand
from buildbot.steps.shell import SetProperty
+from buildbot.steps.transfer import FileUpload
from buildbot.steps.transfer import FileDownload
+from buildbot.steps.master import MasterShellCommand
from buildbot.process.properties import WithProperties
@@ -422,6 +438,48 @@ EOT''' %(ts[0], ts[0], ts[1]) ))
haltOnFailure = True
))
+ # sign
+ if gpg_keyid is not None:
+ factory.addStep(MasterShellCommand(
+ name = "signprepare",
+ description = "Preparing temporary signing directory",
+ command = ["mkdir", "-p", "%s/signing" %(home_dir)],
+ haltOnFailure = True
+ ))
+
+ factory.addStep(ShellCommand(
+ name = "signpack",
+ description = "Packing files to sign",
+ command = ["sh", "-c", WithProperties("find bin/targets/%s/%s%%(libc)s/ -mindepth 1 -maxdepth 2 -type f -name sha256sums -or -name Packages -print0 | xargs -0 tar -czf sign.tar.gz" %(ts[0], ts[1]))],
+ haltOnFailure = True
+ ))
+
+ factory.addStep(FileUpload(
+ slavesrc = "sign.tar.gz",
+ masterdest = "%s/signing/%s.%s.tar.gz" %(home_dir, ts[0], ts[1]),
+ haltOnFailure = True
+ ))
+
+ factory.addStep(MasterShellCommand(
+ name = "signfiles",
+ description = "Signing files",
+ command = ["%s/signall.sh" %(home_dir), "%s/signing/%s.%s.tar.gz" %(home_dir, ts[0], ts[1]), gpg_keyid, gpg_passfile, gpg_comment],
+ haltOnFailure = True
+ ))
+
+ factory.addStep(FileDownload(
+ mastersrc = "%s/signing/%s.%s.tar.gz" %(home_dir, ts[0], ts[1]),
+ slavedest = "sign.tar.gz",
+ haltOnFailure = True
+ ))
+
+ factory.addStep(ShellCommand(
+ name = "signunpack",
+ description = "Unpacking signed files",
+ command = ["tar", "-xzf", "sign.tar.gz"],
+ haltOnFailure = True
+ ))
+
# upload
factory.addStep(ShellCommand(
name = "uploadprepare",
@@ -524,12 +582,12 @@ if ini.has_option("irc", "host") and ini.has_option("irc", "nickname") and ini.h
irc_pass = ini.get("irc", "password")
irc = words.IRC(irc_host, irc_nick, port = irc_port, password = irc_pass,
- channels = [{ "channel": irc_chan }],
- notify_events = {
- 'exception': 1,
- 'successToFailure': 1,
- 'failureToSuccess': 1
- }
+ channels = [{ "channel": irc_chan }],
+ notify_events = {
+ 'exception': 1,
+ 'successToFailure': 1,
+ 'failureToSuccess': 1
+ }
)
c['status'].append(irc)
diff --git a/phase1/signall.sh b/phase1/signall.sh
new file mode 100755
index 0000000..f0d80fe
--- /dev/null
+++ b/phase1/signall.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+tarball="$1"
+keyid="$2"
+passfile="$3"
+comment="$4"
+
+tmpdir="signall.$$"
+tarball="$(readlink -f "$tarball")"
+
+finish() { rm -rf "$tmpdir"; exit $1; }
+
+trap "finish 255" HUP INT TERM
+
+if [ ! -f "$tarball" ]; then
+ echo "Usage: $0 <tarball> [<keyid> [<passfile> [<comment>]]]"
+ finish 1
+fi
+
+mkdir "$tmpdir" || finish 2
+tar -C "$tmpdir/" -xzf "$tarball" || finish 3
+find "$tmpdir/" -type f -not -name "*.gpg" -exec gpg --no-version --batch --yes -a -b ${keyid:+-u "$keyid"} ${comment:+--comment="$comment"} ${passfile:+--passphrase-file "$passfile"} -o "{}.gpg" "{}" \; || finish 4
+tar -C "$tmpdir/" -czf "$tarball" . || finish 5
+
+finish 0
diff --git a/phase2/config.ini.example b/phase2/config.ini.example
index f21f0d3..edffc99 100644
--- a/phase2/config.ini.example
+++ b/phase2/config.ini.example
@@ -18,6 +18,11 @@ binary_password = example
source_url = user at example.org::upload-sources
source_password = example2
+[gpg]
+keyid = 626471F1
+passfile = ./gpg-passphrase.txt
+comment = Unattended build signature
+
[slave 1]
name = slave-example-1
password = example
diff --git a/phase2/master.cfg b/phase2/master.cfg
index 4154c1d..260186e 100644
--- a/phase2/master.cfg
+++ b/phase2/master.cfg
@@ -61,6 +61,20 @@ if ini.has_option("rsync", "source_url"):
rsync_src_url = ini.get("rsync", "source_url")
rsync_src_key = ini.get("rsync", "source_password")
+gpg_keyid = None
+gpg_comment = "Unattended build signature"
+gpg_passfile = "/dev/null"
+
+if ini.has_option("gpg", "keyid"):
+ gpg_keyid = ini.get("gpg", "keyid")
+
+if ini.has_option("gpg", "comment"):
+ gpg_comment = ini.get("gpg", "comment")
+
+if ini.has_option("gpg", "passfile"):
+ gpg_passfile = ini.get("gpg", "passfile")
+
+
# find arches
arches = [ ]
archnames = [ ]
@@ -120,7 +134,9 @@ from buildbot.process.factory import BuildFactory
from buildbot.steps.source import Git
from buildbot.steps.shell import ShellCommand
from buildbot.steps.shell import SetProperty
+from buildbot.steps.transfer import FileUpload
from buildbot.steps.transfer import FileDownload
+from buildbot.steps.master import MasterShellCommand
from buildbot.process.properties import WithProperties
c['builders'] = []
@@ -211,6 +227,49 @@ for arch in arches:
workdir = "build/sdk",
command = ["make", WithProperties("-j%(nproc:~4)s"), "V=s", "IGNORE_ERRORS=n m y", "BUILD_LOG=1", "CONFIG_SIGNED_PACKAGES=y"]))
+ if gpg_keyid is not None:
+ factory.addStep(MasterShellCommand(
+ name = "signprepare",
+ description = "Preparing temporary signing directory",
+ command = ["mkdir", "-p", "%s/signing" %(home_dir)],
+ haltOnFailure = True
+ ))
+
+ factory.addStep(ShellCommand(
+ name = "signpack",
+ description = "Packing files to sign",
+ workdir = "build/sdk",
+ command = ["sh", "-c", "find bin/packages/%s/ -mindepth 2 -maxdepth 2 -type f -name Packages -print0 | xargs -0 tar -czf sign.tar.gz" %(arch[0])],
+ haltOnFailure = True
+ ))
+
+ factory.addStep(FileUpload(
+ slavesrc = "sdk/sign.tar.gz",
+ masterdest = "%s/signing/%s.tar.gz" %(home_dir, arch[0]),
+ haltOnFailure = True
+ ))
+
+ factory.addStep(MasterShellCommand(
+ name = "signfiles",
+ description = "Signing files",
+ command = ["%s/signall.sh" %(home_dir), "%s/signing/%s.tar.gz" %(home_dir, arch[0]), gpg_keyid, gpg_passfile, gpg_comment],
+ haltOnFailure = True
+ ))
+
+ factory.addStep(FileDownload(
+ mastersrc = "%s/signing/%s.tar.gz" %(home_dir, arch[0]),
+ slavedest = "sdk/sign.tar.gz",
+ haltOnFailure = True
+ ))
+
+ factory.addStep(ShellCommand(
+ name = "signunpack",
+ description = "Unpacking signed files",
+ workdir = "build/sdk",
+ command = ["tar", "-xzf", "sign.tar.gz"],
+ haltOnFailure = True
+ ))
+
factory.addStep(ShellCommand(
name = "uploadprepare",
description = "Preparing package directory",
More information about the lede-commits
mailing list