[buildbot] Allow signing of artifacts with key provided by GPG agent
LEDE Commits
lede-commits at lists.infradead.org
Mon Nov 4 21:33:03 PST 2024
ynezz pushed a commit to buildbot.git, branch main:
https://git.openwrt.org/d014e424f4b440eb4be641e5e408699a63331901
commit d014e424f4b440eb4be641e5e408699a63331901
Author: Petr Štetiar <ynezz at true.cz>
AuthorDate: Mon Nov 4 20:43:06 2024 +0000
Allow signing of artifacts with key provided by GPG agent
In our case the GPG agent serves key 0x1D53D1877742E911, which is stored on a
Nitrokey 3 USB dongle; the GPG home directory (including the agent socket) is bind mounted from the host.
References: https://lists.openwrt.org/pipermail/openwrt-devel/2023-May/041044.html
Signed-off-by: Petr Štetiar <ynezz at true.cz>
---
docker/buildmaster/Dockerfile | 6 ++++++
docker/buildmaster/files/entry.sh | 7 ++++++-
scripts/signall.sh | 15 ++++++++++++++-
3 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/docker/buildmaster/Dockerfile b/docker/buildmaster/Dockerfile
index b73335f..b384245 100644
--- a/docker/buildmaster/Dockerfile
+++ b/docker/buildmaster/Dockerfile
@@ -95,6 +95,12 @@ RUN \
chown buildbot:buildbot /master && \
chmod 0755 /entry.sh /start.sh
+RUN \
+ mkdir -p /home/buildbot && \
+ chmod u=rwx,go= /home/buildbot && \
+ chown --recursive buildbot:buildbot /home/buildbot && \
+ gosu buildbot sh -c "gpg --homedir /home/buildbot/.gnupg --recv-keys 0x1D53D1877742E911"
+
VOLUME [ "/master" ]
ENTRYPOINT [ "/entry.sh" ]
CMD [ "start" ]
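Review bot: The new RUN step's `gpg --recv-keys 0x1D53D1877742E911` identifies the signing key only by its 64-bit key ID and fetches it from whatever keyserver gpg defaults to at image-build time, so the build depends on network access and on that keyserver returning the genuine key, and nothing afterwards checks the full fingerprint of what was imported. A long key ID is not a collision-resistant identifier, so the image would accept any key a keyserver returns under that ID. Prefer shipping the armored public key in the build context and importing it (`COPY` plus `gpg --homedir /home/buildbot/.gnupg --import`), or at least pass the full 40-hex-digit fingerprint to `--recv-keys` and fail the build if `gpg --fingerprint` does not print it; an explicit `--keyserver` would also document where the key is expected to come from. A comment above the step stating that this is only the public half and that signing goes through the host's agent socket would save the next reader a trip to the commit log.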
diff --git a/docker/buildmaster/files/entry.sh b/docker/buildmaster/files/entry.sh
index 2fc914c..05ae25f 100644
--- a/docker/buildmaster/files/entry.sh
+++ b/docker/buildmaster/files/entry.sh
@@ -1,10 +1,15 @@
#!/usr/bin/env bash
-for dir in /master /config /certs; do
+for dir in /master /config /certs /home/buildbot; do
[ -d "$dir" ] || continue
chown --recursive buildbot:buildbot "$dir"
chmod 0700 "$dir"
done
+if [ -S "/home/buildbot/.gnupg/S.gpg-agent" ]; then
+ chown buildbot:buildbot /home/buildbot/.gnupg/S.gpg-agent
+ chmod 0600 /home/buildbot/.gnupg/S.gpg-agent
+fi
+
/usr/sbin/gosu buildbot /start.sh "$@"
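Review bot: Adding `/home/buildbot` to the loop means `chown --recursive buildbot:buildbot` and `chmod 0700` now run on it at every start, and per the commit message the GPG material under it is bind mounted from the host, so these ownership and mode changes land on the host's files and agent socket, not just on the container view. If the host user that runs gpg-agent has a different UID from the container's buildbot user, the `chown`/`chmod 0600` of `S.gpg-agent` (and the recursive chown above it) can lock the host's own gpg clients out of that socket and rewrite ownership of everything in the mounted `.gnupg` — I'm inferring the mount layout from the message, so please confirm. I'd mount only the socket rather than the whole home directory, keep the recursive chown off bind-mounted paths, and add a comment above the `if [ -S ... ]` block spelling out the expected host/container UID mapping: `# S.gpg-agent is bind mounted from the host; chown/chmod here also change the host socket`.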
diff --git a/scripts/signall.sh b/scripts/signall.sh
index 325872f..6be0ef1 100755
--- a/scripts/signall.sh
+++ b/scripts/signall.sh
@@ -53,6 +53,7 @@ esac
if [ -z "$branch" ]; then
GPGKEY="$(iniget "${CONFIG_INI:-config.ini}" gpg key)"
+GPGKEYID="$(iniget "${CONFIG_INI:-config.ini}" gpg keyid)"
GPGPASS="$(iniget "${CONFIG_INI:-config.ini}" gpg passphrase)"
GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" gpg comment)"
@@ -62,6 +63,7 @@ USIGNCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" usign comment)"
APKSIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" apk key)"
else
GPGKEY="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_key")"
+GPGKEYID="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_keyid")"
GPGPASS="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_passphrase")"
GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_comment")"
@@ -99,7 +101,7 @@ if [ -n "$APKSIGNKEY" ]; then
done
fi
-if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then
+if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK" && [ -z "$GPGKEYID" ]; then
umask 077
echo "$GPGPASS" > "$tmpdir/gpg.pass"
echo "$GPGKEY" | gpg --batch --homedir "$tmpdir/gpg" \
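Review bot: The added `&& [ -z "$GPGKEYID" ]` makes a config that sets both `gpg key` (holding a private key block) and `gpg keyid` silently skip the inline-key path, so a leftover inline key is ignored with no message. If having both is a misconfiguration rather than an intended migration path, reject it right after the `iniget` reads, e.g. `if [ -n "$GPGKEYID" ] && echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then echo "gpg key and gpg keyid are mutually exclusive" >&2; finish 4; fi`. Either way a one-line comment above the `if`, `# keyid (agent-backed key) takes precedence over an inline private key`, would help the next reader. The body of this `if` continues past the end of the hunk.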
@@ -117,6 +119,17 @@ if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then
-o "{}.asc" "{}" \; || finish 4
fi
+if [ -n "$GPGKEYID" ]; then
+ find "$tmpdir/tar/" -type f -not -name "*.asc" -and -not -name "*.sig" -print0 | while IFS= read -r -d '' file; do
+ if ! gpg --no-version --batch --detach-sign --armor \
+ --local-user "${GPGKEYID}" \
+ ${GPGCOMMENT:+--comment="$GPGCOMMENT"} \
+ --homedir /home/buildbot/.gnupg "${file}.asc" "$file"; then
+ finish 4
+ fi
+ done
+fi
+
if [ -n "$USIGNKEY" ]; then
USIGNID="$(echo "$USIGNKEY" | base64 -d -i | dd bs=1 skip=32 count=8 2>/dev/null | od -v -t x1 | sed -rne 's/^0+ //p' | tr -d ' ')"
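Review bot: `finish 4` in the failing-gpg branch of the new loop runs inside the subshell created by the `find ... | while` pipeline, so — assuming `finish` exits, as its `|| finish 4` uses elsewhere suggest — a signing failure terminates only that subshell, the pipeline's exit status is never checked, and the script carries on to the usign/APK steps with some artifacts left unsigned. The existing key-file path avoids this by running `find -exec gpg ... \; || finish 4` in the parent shell; the smallest fix here is to feed the loop from process substitution instead of a pipe, i.e. replace the `find ... -print0 | while IFS= read -r -d '' file; do` line with `while IFS= read -r -d '' file; do` and close the loop with `done < <(find "$tmpdir/tar/" -type f -not -name "*.asc" -and -not -name "*.sig" -print0)`. Two smaller points: as rendered here the gpg command has no `-o` before `"${file}.asc"` (unlike `-o "{}.asc"` in the key-file path above), which, if it is not a rendering artefact, makes gpg treat both names as inputs rather than writing the signature to the `.asc` — worth checking against the real file; and `--homedir /home/buildbot/.gnupg` hard-codes the buildmaster container layout into a script that otherwise takes everything from config.ini, so `--homedir "${GNUPGHOME:-/home/buildbot/.gnupg}"` or a `gpg homedir` config key would keep it portable.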