Allow signing of artifacts with key provided by GPG agent v21
authorPetr Štetiar <ynezz@true.cz>
Mon, 4 Nov 2024 20:43:06 +0000 (20:43 +0000)
committerPetr Štetiar <ynezz@true.cz>
Tue, 5 Nov 2024 05:07:59 +0000 (05:07 +0000)
In our case the GPG agent serves the 0x1D53D1877742E911 key stored on a
Nitrokey3 USB dongle. The GPG key is bind mounted from the host.

References: https://lists.openwrt.org/pipermail/openwrt-devel/2023-May/041044.html
Signed-off-by: Petr Štetiar <ynezz@true.cz>
docker/buildmaster/Dockerfile
docker/buildmaster/files/entry.sh
scripts/signall.sh

index b73335ff9c4733d4a176ba080dcccf7bcf16bdb6..b3842452960b6eaada296c097b26a0915c636878 100644 (file)
@@ -95,6 +95,12 @@ RUN \
     chown buildbot:buildbot /master && \
     chmod 0755 /entry.sh /start.sh
 
+RUN \
+       mkdir -p /home/buildbot && \
+       chmod u=rwx,go= /home/buildbot && \
+       chown --recursive buildbot:buildbot /home/buildbot && \
+       gosu buildbot sh -c "gpg --homedir /home/buildbot/.gnupg --recv-keys 0x1D53D1877742E911"
+
 VOLUME [ "/master" ]
 ENTRYPOINT [ "/entry.sh" ]
 CMD [ "start" ]
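Review bot: The `gpg --recv-keys 0x1D53D1877742E911` in the new RUN step fetches the public key by 64-bit key ID from the image's default keyserver at build time, so the build now depends on keyserver reachability and nothing pins what is accepted beyond that ID. Passing the full 40-hex fingerprint instead of the long ID narrows what the keyserver lookup can match, and stating the keyserver explicitly with `--keyserver` makes the build reproducible across hosts with different gpg defaults; if the key material is bind mounted from the host as the commit message says, it may be worth confirming this build-time fetch is needed at all. The key ID is also duplicated between this Dockerfile and the `gpg keyid` setting signall.sh reads from config.ini; declaring it once as a build `ARG` would keep the two from drifting.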
index 2fc914c74b84ae4713752a4867877c990f9fcc6d..05ae25f2f106e530d34cc2adbeefdccb4aedee4c 100644 (file)
@@ -1,10 +1,15 @@
 #!/usr/bin/env bash
 
-for dir in /master /config /certs; do
+for dir in /master /config /certs /home/buildbot; do
   [ -d "$dir" ] || continue 
 
   chown --recursive buildbot:buildbot "$dir"
   chmod 0700 "$dir"
 done
 
+if [ -S "/home/buildbot/.gnupg/S.gpg-agent" ]; then
+       chown buildbot:buildbot /home/buildbot/.gnupg/S.gpg-agent
+       chmod 0600 /home/buildbot/.gnupg/S.gpg-agent
+fi
+
 /usr/sbin/gosu buildbot /start.sh "$@"
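Review bot: The `chmod 0600` on S.gpg-agent is the only new effect of the socket block: when /home/buildbot exists, the `chown --recursive` in the loop above has already changed the socket's owner, and neither place checks its result, so with no `set -e` in this script a failed chown/chmod on a bind-mounted socket (a read-only mount, for instance) is silently ignored and gpg only fails later in signall.sh with a less direct error. Consider `chmod 0600 /home/buildbot/.gnupg/S.gpg-agent || exit 1` (and the same for the chown) so the container refuses to start rather than run with an agent it cannot reach. Note also that the recursive chown on /home/buildbot changes ownership on the host side when that directory is bind mounted; if only the socket must be reachable, limiting the chown to the socket would avoid touching host-owned key files.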
index 325872f56cb754d233d87e91aefa8838fdb00906..6be0ef187325f70edb32cba81771f1af523a4b81 100755 (executable)
@@ -53,6 +53,7 @@ esac
 
 if [ -z "$branch" ]; then
 GPGKEY="$(iniget "${CONFIG_INI:-config.ini}" gpg key)"
+GPGKEYID="$(iniget "${CONFIG_INI:-config.ini}" gpg keyid)"
 GPGPASS="$(iniget "${CONFIG_INI:-config.ini}" gpg passphrase)"
 GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" gpg comment)"
 
@@ -62,6 +63,7 @@ USIGNCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" usign comment)"
 APKSIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" apk key)"
 else
 GPGKEY="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_key")"
+GPGKEYID="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_keyid")"
 GPGPASS="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_passphrase")"
 GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_comment")"
 
@@ -99,7 +101,7 @@ if [ -n "$APKSIGNKEY" ]; then
        done
 fi
 
-if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then
+if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK" && [ -z "$GPGKEYID" ]; then
        umask 077
        echo "$GPGPASS" > "$tmpdir/gpg.pass"
        echo "$GPGKEY" | gpg --batch --homedir "$tmpdir/gpg" \
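Review bot: The added `&& [ -z "$GPGKEYID" ]` makes a configured keyid silently take precedence over an inline private key and passphrase that are still read from config.ini, and nothing in the script says so. A one-line comment above the `if` would make the intent visible: `# A configured gpg keyid delegates signing to gpg-agent and disables the inline private-key path.` The inline-key branch this condition guards continues past the end of the hunk.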
@@ -117,6 +119,17 @@ if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then
                        -o "{}.asc" "{}" \; || finish 4
 fi
 
+if [ -n "$GPGKEYID" ]; then
+       find "$tmpdir/tar/" -type f -not -name "*.asc" -and -not -name "*.sig" -print0 | while IFS= read -r -d '' file; do
+               if ! gpg --no-version --batch --detach-sign --armor \
+                       --local-user "${GPGKEYID}" \
+                       ${GPGCOMMENT:+--comment="$GPGCOMMENT"} \
+                       --homedir /home/buildbot/.gnupg "${file}.asc" "$file"; then
+                       finish 4
+               fi
+       done
+fi
+
 if [ -n "$USIGNKEY" ]; then
        USIGNID="$(echo "$USIGNKEY" | base64 -d -i | dd bs=1 skip=32 count=8 2>/dev/null | od -v -t x1 | sed -rne 's/^0+ //p' | tr -d ' ')"