diff --git a/build/sign.sh b/build/sign.sh
new file mode 100755
index 0000000..ff4b82a
--- /dev/null
+++ b/build/sign.sh
@@ -0,0 +1,84 @@
+#!/usr/bin/env sh
+set -e
+#
+#
+#
+# Sign RPM's & DEB's in /dist artifacts to GH Release Assets
+#
+#
+#
+# Function to start gpg-agent if not running
+start_gpg_agent() {
+ if ! pgrep -x "gpg-agent" > /dev/null
+ then
+ echo "Starting gpg-agent..."
+ eval $(gpg-agent --daemon)
+ else
+ echo "gpg-agent is already running."
+ fi
+}
+
+# Ensure gpg-agent is running
+start_gpg_agent
+
+
+# Sign RPM's
+echo "===> Create .rpmmacros to sign rpm's from Goreleaser"
+echo "%_gpg_name ${GPG_MAIL}" >> ~/.rpmmacros
+echo "%_signature gpg" >> ~/.rpmmacros
+echo "%_gpg_path /root/.gnupg" >> ~/.rpmmacros
+echo "%_gpgbin /usr/bin/gpg" >> ~/.rpmmacros
+echo "%__gpg_sign_cmd %{__gpg} gpg --no-verbose --no-armor --passphrase ${GPG_PASSPHRASE} --no-secmem-warning --digest-algo sha256 -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}" >> ~/.rpmmacros
+
+echo "===> Importing GPG private key from GHA secrets..."
+printf %s ${GPG_PRIVATE_KEY_BASE64} | base64 -d | gpg --batch --import -
+
+echo "===> Importing GPG signature, needed from Goreleaser to verify signature"
+gpg --export -a ${GPG_MAIL} > /tmp/RPM-GPG-KEY-${GPG_MAIL}
+rpm --import /tmp/RPM-GPG-KEY-${GPG_MAIL}
+
+cd dist
+
+sles_regex="(.*sles12.*)"
+
+for rpm_file in $(find -regex ".*\.\(rpm\)");do
+ echo "===> Signing $rpm_file"
+
+ ../build/nix/sign_rpm.exp $rpm_file ${GPG_PASSPHRASE}
+
+ echo "===> Sign verification $rpm_file"
+ rpm -v --checksig $rpm_file
+done
+
+# Sign DEB's
+GNUPGHOME="/root/.gnupg"
+echo "${GPG_PASSPHRASE}" > "${GNUPGHOME}/gpg-passphrase"
+echo "passphrase-file ${GNUPGHOME}/gpg-passphrase" >> "$GNUPGHOME/gpg.conf"
+# echo 'allow-loopback-pinentry' >> "${GNUPGHOME}/gpg-agent.conf"
+# echo 'pinentry-mode loopback' >> "${GNUPGHOME}/gpg.conf"
+echo 'use-agent' >> "${GNUPGHOME}/gpg.conf"
+echo RELOADAGENT | gpg-connect-agent
+
+for deb_file in $(find -regex ".*\.\(deb\)"); do
+ echo "===> Signing $deb_file"
+
+ # Run the sign_deb.exp script to sign the .deb file
+../build/nix/sign_deb.exp $deb_file ${GPG_PASSPHRASE} ${GPG_MAIL}
+
+
+ echo "===> Sign verification $deb_file"
+ dpkg-sig --verify $deb_file
+done
+
+# Sign TARGZ files
+for targz_file in $(find . -type f -name "*.tar.gz"); do
+ echo "===> Signing $targz_file"
+ ../build/nix/sign_tar.exp $targz_file ${GPG_PASSPHRASE}
+ asc_file="${targz_file}.asc"
+ if [ -f "$asc_file" ]; then
+ echo "===> Sign verification $targz_file"
+ gpg --verify "$asc_file" "$targz_file"
+ else
+ echo "Error: Signature file $asc_file not found."
+ fi
+done
\ No newline at end of file
diff --git a/build/sign_deb.exp b/build/sign_deb.exp
new file mode 100755
index 0000000..7a150df
--- /dev/null
+++ b/build/sign_deb.exp
@@ -0,0 +1,20 @@
+#!/usr/bin/expect -f
+
+# Retrieve the arguments
+set deb_file [lindex $argv 0];
+set GPG_PASSPHRASE [lindex $argv 1];
+set GPG_MAIL [lindex $argv 2]; # Capture GPG_MAIL
+
+# Set an infinite timeout to allow for longer operations
+set timeout -1
+
+# Start the signing process using dpkg-sig
+spawn dpkg-sig --sign builder -k $GPG_MAIL $deb_file
+
+# Handle the passphrase prompt
+expect "Enter passphrase:"
+send -- "$GPG_PASSPHRASE\r"
+
+# Wait until the process completes
+expect eof
+
diff --git a/build/sign_rpm.exp b/build/sign_rpm.exp
new file mode 100755
index 0000000..b95828c
--- /dev/null
+++ b/build/sign_rpm.exp
@@ -0,0 +1,10 @@
+#!/usr/bin/expect -f
+
+set rpm_file [lindex $argv 0];
+set GPG_PASSPHRASE [lindex $argv 1];
+
+set timeout -1
+spawn rpmsign -v --addsign $rpm_file
+expect "Enter pass phrase:"
+send -- "${GPG_PASSPHRASE}\r"
+expect eof
\ No newline at end of file
diff --git a/build/sign_tar.exp b/build/sign_tar.exp
new file mode 100755
index 0000000..a843bb0
--- /dev/null
+++ b/build/sign_tar.exp
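Review bot: The GPG passphrase is persisted and exposed in several places in this hunk: it is interpolated into `~/.rpmmacros` through the `%__gpg_sign_cmd ... --passphrase ${GPG_PASSPHRASE}` line (a file in `$HOME`, written with the default umask), copied to `${GNUPGHOME}/gpg-passphrase`, and passed to every `sign_*.exp` helper as a command-line argument, which any process on the runner can read via `/proc/*/cmdline`. Nothing removes those files at exit, so the secret outlives the signing step on whatever host ran it. I would put `umask 077` before the first `>>`, add `trap 'rm -f ~/.rpmmacros "$GNUPGHOME/gpg-passphrase"' EXIT` once `GNUPGHOME` is set, and hand the passphrase to the helpers through the environment instead of `$1`. The `else` branch for a missing `.asc` only echoes, so under `set -e` an unsigned tarball still lets the script exit 0; it should `exit 1`. Also note the script invokes `../build/nix/sign_rpm.exp` and friends while this commit adds the helpers at `build/sign_*.exp`; unless a `nix/` copy exists elsewhere in the repository, those calls will fail with a missing-file error.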
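Review bot: The script never propagates `dpkg-sig`'s exit status: the closing `expect eof` returns 0 whatever the spawned command did, so a failed signing exits cleanly and the caller's `set -e` cannot see it. The sibling `sign_tar.exp` in this same commit already handles this, so the last lines should become `expect eof`, `catch wait result`, `exit [lindex $result 3]`. Taking the passphrase from `$argv 1` also leaves it visible in `/proc/<pid>/cmdline` for the life of the process; reading it with `set GPG_PASSPHRASE $env(GPG_PASSPHRASE)` avoids that. Whether `dpkg-sig` prints exactly `Enter passphrase:` depends on the gpg and pinentry setup on the runner; if the agent handles the prompt instead, with `timeout -1` this script may wait on the spawned pty indefinitely rather than fail fast, which deserves a comment next to the `expect`.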
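Review bot: The exit code of `rpmsign` is dropped here: the final `expect eof` returns 0 regardless of what the spawned process returned, so a signing failure is only noticed later, if at all, by `rpm --checksig` in the caller. Mirror `sign_tar.exp` from the same commit and end with `expect eof`, `catch wait result`, `exit [lindex $result 3]`. The passphrase is also read from `$argv 1`, which exposes it in the process list for as long as `rpmsign` runs; `set GPG_PASSPHRASE $env(GPG_PASSPHRASE)` keeps it out of argv. Note that `sign.sh` writes a `%__gpg_sign_cmd` macro that already carries `--passphrase`, so depending on the gpg version the `Enter pass phrase:` prompt may never be printed and the `send` would then hit an already-closed spawn id; the script should state which of the two mechanisms is expected to supply the secret.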
@@ -0,0 +1,23 @@
+#!/usr/bin/expect -f
+
+set timeout -1
+set targz_file [lindex $argv 0]
+set passphrase [lindex $argv 1]
+
+# Ensure the GPG_TTY is set correctly
+set env(GPG_TTY) [exec /bin/sh -c "tty"]
+
+# Debug output to verify the correct file is being processed
+puts "Expect script signing file: $targz_file"
+
+spawn gpg --sign --armor --detach-sig $targz_file
+expect {
+ "Enter passphrase:" {
+ send -- "$passphrase\r"
+ exp_continue
+ }
+ eof {
+ catch wait result
+ exit [lindex $result 3]
+ }
+}
\ No newline at end of file
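Review bot: `set env(GPG_TTY) [exec /bin/sh -c "tty"]` will abort the whole script before anything is signed whenever stdin is not a terminal, because `tty` then prints `not a tty` and exits non-zero, and Tcl's `exec` turns a non-zero child status (or stderr output) into an error; on a CI runner that is the common case. Since the passphrase is fed through the spawned pty by the `expect` block below, GPG_TTY is not needed for that path, so either drop the line or guard it with `catch {set env(GPG_TTY) [exec /bin/sh -c tty]}`. As with the other helpers, taking the passphrase from `$argv 1` leaves it readable in `/proc/<pid>/cmdline` while gpg runs; `set passphrase $env(GPG_PASSPHRASE)` would avoid that. The exit-status propagation via `catch wait result` and `exit [lindex $result 3]` is the right pattern here.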