Module: check_mk
Branch: master
Commit: 05b7c7a397a045346bf37e371c2b9f92623f1393
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=05b7c7a397a045…
Author: Alex Zurhake <az(a)mathias-kettner.de>
Date: Mon Mar 18 12:39:11 2019 +0100
Sign all packages
Change-Id: Iea4ffb2546507f8480c63b95e6cbfb2debe33d98
---
buildscripts/scripts/nightly-build.jenkins | 8 +++--
buildscripts/scripts/sign-packages.sh | 57 ++++++++++++++++++++++++++++++
2 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/buildscripts/scripts/nightly-build.jenkins
b/buildscripts/scripts/nightly-build.jenkins
index 36507be..7be0b11 100644
--- a/buildscripts/scripts/nightly-build.jenkins
+++ b/buildscripts/scripts/nightly-build.jenkins
@@ -186,10 +186,14 @@ node {
docker.withRegistry(DOCKER_REGISTRY, 'nexus') {
IMAGE = 'ubuntu-18.04-common'
docker.image(IMAGE).pull()
- docker.image(IMAGE).inside("-u 0:0 -v ${DAILY_DATA}:${DAILY_DATA} --network
ci_local-infra") {
+ docker.image(IMAGE).inside("-u 0:0 -v ${DAILY_DATA}:${DAILY_DATA} -v
/bauwelt/etc/.gnupg:/bauwelt/etc/.gnupg --network ci_local-infra") {
stage('Archive artifacts') {
dir("${DAILY_DATA}/downloads") {
- sh "cp ${DAILY_DATA}/*-dest/check-mk-enterprise-*.{deb,rpm}
."
+ sh "cp ${DAILY_DATA}/*-dest/check-mk-enterprise-*_amd64.deb . ||
true"
+ sh "cp ${DAILY_DATA}/*-dest/check-mk-enterprise-*.x86_64.rpm .
|| true"
+ withCredentials([usernamePassword(credentialsId:
'9d7aca31-0043-4cd0-abeb-26a249d68261', passwordVariable:
'GPG_PASSPHRASE', usernameVariable: 'GPG_USERNAME')]) {
+ sh
"${DAILY_DATA}/git/buildscripts/scripts/sign-packages.sh"
+ }
archiveArtifacts "*"
}
}
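Review bot: The `|| true` appended to both `cp` lines hides a missing package, so a nightly whose deb or rpm build failed still reaches sign-packages.sh and `archiveArtifacts "*"` with partial output, and the failure surfaces later as an unmatched glob inside the signing script rather than here; if a partial archive is intended, a comment saying so would help, otherwise drop the `|| true` and let the stage fail at the copy. The `.gnupg` bind mount is added to the whole `inside(...)` call, which runs as `-u 0:0`, so every step of this stage has root write access to the release signing keyring; narrowing the mount to the signing step, or making it `:ro` if gpg's loopback mode tolerates a read-only home (it may need lock files — confirm), would limit that exposure. `GPG_USERNAME` is bound by `withCredentials` but is not referenced by the script this commit invokes. The enclosing `node` block starts outside the hunk.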
diff --git a/buildscripts/scripts/sign-packages.sh
b/buildscripts/scripts/sign-packages.sh
new file mode 100755
index 0000000..f804896
--- /dev/null
+++ b/buildscripts/scripts/sign-packages.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+set -e
+
+TARGET=.
+VERSION=$CMK_VERS
+KEY_ID=434DAC48C4503261
+KEY_DESC="Check_MK Software Release Signing Key (2018)
<feedback(a)check-mk.org>"
+
+if [ -z "$VERSION" ]; then
+ echo "set CMK_VERS VERSION"
+ echo "Beispiel: CMK_VERS=2018.01.19 $0"
+ exit 1
+fi
+
+if [ -z "$GPG_PASSPHRASE" ]; then
+ echo "ERROR: \$GPG_PASSPHRASE must be given via environment"
+ exit 1
+fi
+
+export GNUPGHOME=/bauwelt/etc/.gnupg
+
+echo "Sign RPM packages..."
+echo "$GPG_PASSPHRASE" | \
+ rpm \
+ -D "%_signature gpg" \
+ -D "%_gpg_path $GNUPGHOME" \
+ -D "%_gpg_name Check_MK Software Release Signing Key (2018)
<feedback(a)check-mk.org>" \
+ -D "%__gpg /usr/bin/gpg " -D "%_gpg_sign_cmd_extra_args --batch
--passphrase-fd=0 --passphrase-repeat=0 --pinentry-mode loopback" \
+ --resign \
+ $TARGET/*.rpm
+
+echo "Verify signed RPM packages..."
+for RPM in $TARGET/$VERSION/*.rpm; do
+ rpm -qp $RPM --qf='%-{NAME} %{SIGPGP:pgpsig}\n'
+ if ! rpm -qp $RPM --qf='%-{NAME} %{SIGPGP:pgpsig}\n' | grep -i "Key ID
$KEY_ID"; then
+ echo "ERROR: RPM not signed: $RPM"
+ fi
+done
+
+echo "Sign DEB packages..."
+(
+ echo set timeout -1;\
+ echo spawn dpkg-sig -p --sign builder -k $KEY_ID $TARGET/$VERSION/*.deb; \
+ echo expect -exact \"The passphrase for ${KEY_ID}:\";\
+ echo send -- \"$GPG_PASSPHRASE\\r\";\
+ echo expect eof;\
+) | expect
+
+echo "Verify singed DEB packages..."
+for DEB in $TARGET/*.deb; do
+ dpkg-sig --verify $DEB
+done
+
+# Hashes der kopierten Dateien ablegen
+# (werden später auf der Webseite angezeigt)
+echo "Create HASHES file..."
+sha256sum *.{cma,tar.gz,rpm,deb,cmk} > HASHES
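Review bot: The RPM verification loop only prints `ERROR: RPM not signed: $RPM` and continues, and `set -e` does not stop it because `echo` succeeds, so an unsigned package still reaches the HASHES file and the archive; the branch should end with `exit 1` (or set a flag that is checked after the loop). The paths are also inconsistent across the four steps: signing uses `$TARGET/*.rpm` and `$TARGET/*.deb` is verified, while verification of RPMs and signing of DEBs use `$TARGET/$VERSION/*.rpm` and `$TARGET/$VERSION/*.deb`, so with `TARGET=.` and the caller's `dir(".../downloads")` one of the two layouts cannot match. The DEB path embeds `$GPG_PASSPHRASE` into Tcl source via `send -- \"...\"`, so a passphrase containing `"`, `[`, `$` or `\` breaks the expect script or is sent altered; passing it through the environment and reading it inside expect (`$env(GPG_PASSPHRASE)`) avoids that, and `dpkg-sig --verify` is not checked against `$KEY_ID` the way the RPM path is. Minor: `KEY_DESC` is defined but the literal is repeated in `%_gpg_name`, the usage text mixes German and English, and `Verify singed DEB packages` has a typo.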