From d014e424f4b440eb4be641e5e408699a63331901 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Petr=20=C5=A0tetiar?=
Date: Mon, 4 Nov 2024 20:43:06 +0000
Subject: [PATCH] Allow signing of artifacts with key provided by GPG agent
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

In our case the GPG agent serves 0x1D53D1877742E911 key stored on Nitrokey3 USB dongle. GPG key is bind mounted from the host.

References: https://lists.openwrt.org/pipermail/openwrt-devel/2023-May/041044.html
Signed-off-by: Petr Å tetiar
---
 docker/buildmaster/Dockerfile | 6 ++++++
 docker/buildmaster/files/entry.sh | 7 ++++++-
 scripts/signall.sh | 15 ++++++++++++++-
 3 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/docker/buildmaster/Dockerfile b/docker/buildmaster/Dockerfile
index b73335f..b384245 100644
--- a/docker/buildmaster/Dockerfile
+++ b/docker/buildmaster/Dockerfile
@@ -95,6 +95,12 @@ RUN \
 chown buildbot:buildbot /master && \
 chmod 0755 /entry.sh /start.sh
 
+RUN \
+ mkdir -p /home/buildbot && \
+ chmod u=rwx,go= /home/buildbot && \
+ chown --recursive buildbot:buildbot /home/buildbot && \
+ gosu buildbot sh -c "gpg --homedir /home/buildbot/.gnupg --recv-keys 0x1D53D1877742E911"
+
 VOLUME [ "/master" ]
 ENTRYPOINT [ "/entry.sh" ]
 CMD [ "start" ]
diff --git a/docker/buildmaster/files/entry.sh b/docker/buildmaster/files/entry.sh
index 2fc914c..05ae25f 100644
--- a/docker/buildmaster/files/entry.sh
+++ b/docker/buildmaster/files/entry.sh
@@ -1,10 +1,15 @@
 #!/usr/bin/env bash
 
-for dir in /master /config /certs; do
+for dir in /master /config /certs /home/buildbot; do
 [ -d "$dir" ] || continue
 chown --recursive buildbot:buildbot "$dir"
 chmod 0700 "$dir"
 done
 
+if [ -S "/home/buildbot/.gnupg/S.gpg-agent" ]; then
+ chown buildbot:buildbot /home/buildbot/.gnupg/S.gpg-agent
+ chmod 0600 /home/buildbot/.gnupg/S.gpg-agent
+fi
+
 /usr/sbin/gosu buildbot /start.sh "$@"
diff --git a/scripts/signall.sh b/scripts/signall.sh
index 325872f..6be0ef1 100755
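Review bot: The `gpg --recv-keys 0x1D53D1877742E911` step in the added RUN identifies the key only by its 64-bit long key ID and nothing compares the fingerprint of whatever the keyserver returned, so the image can end up with a different key than intended (key IDs are not collision-resistant). Prefer importing the public key from a file committed to the build context, or request it by its full fingerprint and verify the imported key against a fingerprint kept in the repo, e.g. `gpg --homedir /home/buildbot/.gnupg --fingerprint --with-colons <FULL-FINGERPRINT-PLACEHOLDER>` checked against the expected `fpr` value. The step also makes the image build depend on a reachable keyserver, which deserves a comment on the RUN line. `sh -c` adds nothing here; `gosu buildbot gpg --homedir /home/buildbot/.gnupg --recv-keys ...` runs the same command without an extra shell.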
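Review bot: The added socket fixup in entry.sh is mostly redundant with the loop above it: `/home/buildbot` is now in the `for dir` list and `chown --recursive` already re-owns everything under it, including `S.gpg-agent`, so only the `chmod 0600` changes anything. The more important concern is that, if `.gnupg` or the socket is bind-mounted from the host as the commit message says, both the recursive chown and the chmod rewrite ownership and mode of host-side files, which presumably breaks the host user's own access to its agent whenever the UIDs differ. A comment on the `if` line stating the assumption, e.g. `# S.gpg-agent is bind-mounted from the host; the host UID is expected to match buildbot's`, would make that contract explicit, and limiting the recursive chown to container-owned directories while touching only the socket under `.gnupg` would avoid altering the rest of the host keyring metadata.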
--- a/scripts/signall.sh
+++ b/scripts/signall.sh
@@ -53,6 +53,7 @@ esac
 
 if [ -z "$branch" ]; then
 GPGKEY="$(iniget "${CONFIG_INI:-config.ini}" gpg key)"
+GPGKEYID="$(iniget "${CONFIG_INI:-config.ini}" gpg keyid)"
 GPGPASS="$(iniget "${CONFIG_INI:-config.ini}" gpg passphrase)"
 GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" gpg comment)"
 
@@ -62,6 +63,7 @@ USIGNCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" usign comment)"
 APKSIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" apk key)"
 else
 GPGKEY="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_key")"
+GPGKEYID="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_keyid")"
 GPGPASS="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_passphrase")"
 GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_comment")"
 
@@ -99,7 +101,7 @@ if [ -n "$APKSIGNKEY" ]; then
 done
 fi
 
-if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then
+if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK" && [ -z "$GPGKEYID" ]; then
 umask 077
 echo "$GPGPASS" > "$tmpdir/gpg.pass"
 echo "$GPGKEY" | gpg --batch --homedir "$tmpdir/gpg" \
@@ -117,6 +119,17 @@ if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then
 -o "{}.asc" "{}" \; || finish 4
 fi
 
+if [ -n "$GPGKEYID" ]; then
+ find "$tmpdir/tar/" -type f -not -name "*.asc" -and -not -name "*.sig" -print0 | while IFS= read -r -d '' file; do
+ if ! gpg --no-version --batch --detach-sign --armor \
+ --local-user "${GPGKEYID}" \
+ ${GPGCOMMENT:+--comment="$GPGCOMMENT"} \
+ --homedir /home/buildbot/.gnupg "${file}.asc" "$file"; then
+ finish 4
+ fi
+ done
+fi
+
 if [ -n "$USIGNKEY" ]; then
 USIGNID="$(echo "$USIGNKEY" | base64 -d -i | dd bs=1 skip=32 count=8 2>/dev/null | od -v -t x1 | sed -rne 's/^0+ //p' | tr -d ' ')"
--
2.30.2
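Review bot: The new `keyid` / `gpg_keyid` config values read in this hunk and in the one at `@@ -62,6 +63,7 @@` are not documented anywhere in the patch, and the condition changed further down makes a set `GPGKEYID` silently take precedence over an inline `GPGKEY` private key block. A comment next to the `GPGKEYID=` line such as `# when set, sign through gpg-agent with this key instead of importing gpg.key (which is then ignored)`, plus an entry in whatever sample config.ini the repository carries, would make the new mode discoverable.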
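Review bot: The gpg call in the new `GPGKEYID` branch passes `"${file}.asc"` without `-o`, unlike the existing invocation a few lines above (`-o "{}.asc" "{}"`), so gpg will take it as an additional input to sign rather than as the output path; the line should read `--homedir /home/buildbot/.gnupg -o "${file}.asc" "$file"; then`. The `finish 4` inside the loop runs in the pipeline's subshell because the `while` is fed by `find ... |`, so it can at most end that subshell and a signing failure does not stop the script; feeding the loop with `done < <(find "$tmpdir/tar/" -type f -not -name "*.asc" -and -not -name "*.sig" -print0)` keeps `finish` in the main shell. `finish` is defined outside the hunk, so whether it exits or only records an error cannot be confirmed here. The hard-coded `/home/buildbot/.gnupg` ties a script under scripts/ to the buildmaster image layout; reading it from config like the other gpg settings, or honouring `GNUPGHOME`, would keep the script usable outside that container.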