From 17f5721674aa598cd003c82d17706361d5b45672 Mon Sep 17 00:00:00 2001
From: Abhishu Raina <araina@newrelic.com>
Date: Tue, 7 Jan 2025 10:36:55 +0530
Subject: [PATCH] ci: move signing packages to automation page

---
 build/sign.sh      | 84 ++++++++++++++++++++++++++++++++++++++++++++++
 build/sign_deb.exp | 20 +++++++++++
 build/sign_rpm.exp | 10 ++++++
 build/sign_tar.exp | 23 +++++++++++++
 4 files changed, 137 insertions(+)
 create mode 100755 build/sign.sh
 create mode 100755 build/sign_deb.exp
 create mode 100755 build/sign_rpm.exp
 create mode 100755 build/sign_tar.exp

diff --git a/build/sign.sh b/build/sign.sh
new file mode 100755
index 0000000..ff4b82a
--- /dev/null
+++ b/build/sign.sh
@@ -0,0 +1,84 @@
+#!/usr/bin/env sh
+set -e
+#
+#
+#
+# Sign RPM's & DEB's in /dist artifacts to GH Release Assets
+#
+#
+#
+# Function to start gpg-agent if not running
+start_gpg_agent() {
+    if ! pgrep -x "gpg-agent" > /dev/null
+    then
+        echo "Starting gpg-agent..."
+        eval $(gpg-agent --daemon)
+    else
+        echo "gpg-agent is already running."
+    fi
+}
+
+# Ensure gpg-agent is running
+start_gpg_agent
+
+
+# Sign RPM's
+echo "===> Create .rpmmacros to sign rpm's from Goreleaser"
+echo "%_gpg_name ${GPG_MAIL}" >> ~/.rpmmacros
+echo "%_signature gpg" >> ~/.rpmmacros
+echo "%_gpg_path /root/.gnupg" >> ~/.rpmmacros
+echo "%_gpgbin /usr/bin/gpg" >> ~/.rpmmacros
+echo "%__gpg_sign_cmd   %{__gpg} gpg --no-verbose --no-armor --passphrase ${GPG_PASSPHRASE} --no-secmem-warning --digest-algo sha256 -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}" >> ~/.rpmmacros
+
+echo "===> Importing GPG private key from GHA secrets..."
+printf %s ${GPG_PRIVATE_KEY_BASE64} | base64 -d | gpg --batch --import -
+
+echo "===> Importing GPG signature, needed from Goreleaser to verify signature"
+gpg --export -a ${GPG_MAIL} > /tmp/RPM-GPG-KEY-${GPG_MAIL}
+rpm --import /tmp/RPM-GPG-KEY-${GPG_MAIL}
+
+cd dist
+
+sles_regex="(.*sles12.*)"
+
+for rpm_file in $(find -regex ".*\.\(rpm\)");do
+  echo "===> Signing $rpm_file"
+
+  ../build/nix/sign_rpm.exp $rpm_file ${GPG_PASSPHRASE}
+
+  echo "===> Sign verification $rpm_file"
+  rpm -v --checksig $rpm_file
+done
+
+# Sign DEB's
+GNUPGHOME="/root/.gnupg"
+echo "${GPG_PASSPHRASE}" > "${GNUPGHOME}/gpg-passphrase"
+echo "passphrase-file ${GNUPGHOME}/gpg-passphrase" >> "$GNUPGHOME/gpg.conf"
+# echo 'allow-loopback-pinentry' >> "${GNUPGHOME}/gpg-agent.conf"
+# echo 'pinentry-mode loopback' >> "${GNUPGHOME}/gpg.conf"
+echo 'use-agent' >> "${GNUPGHOME}/gpg.conf"
+echo RELOADAGENT | gpg-connect-agent
+
+for deb_file in $(find -regex ".*\.\(deb\)"); do
+  echo "===> Signing $deb_file"
+
+  # Run the sign_deb.exp script to sign the .deb file
+../build/nix/sign_deb.exp $deb_file ${GPG_PASSPHRASE} ${GPG_MAIL}
+
+
+  echo "===> Sign verification $deb_file"
+  dpkg-sig --verify $deb_file
+done
+
+# Sign TARGZ files
+for targz_file in $(find . -type f -name "*.tar.gz"); do
+  echo "===> Signing $targz_file"
+  ../build/nix/sign_tar.exp $targz_file ${GPG_PASSPHRASE}
+  asc_file="${targz_file}.asc"
+  if [ -f "$asc_file" ]; then
+    echo "===> Sign verification $targz_file"
+    gpg --verify "$asc_file" "$targz_file"
+  else
+    echo "Error: Signature file $asc_file not found."
+  fi
+done
\ No newline at end of file
diff --git a/build/sign_deb.exp b/build/sign_deb.exp
new file mode 100755
index 0000000..7a150df
--- /dev/null
+++ b/build/sign_deb.exp
@@ -0,0 +1,20 @@
+#!/usr/bin/expect -f
+
+# Retrieve the arguments
+set deb_file [lindex $argv 0];
+set GPG_PASSPHRASE [lindex $argv 1];
+set GPG_MAIL [lindex $argv 2];  # Capture GPG_MAIL
+
+# Set an infinite timeout to allow for longer operations
+set timeout -1
+
+# Start the signing process using dpkg-sig
+spawn dpkg-sig --sign builder -k $GPG_MAIL $deb_file
+
+# Handle the passphrase prompt
+expect "Enter passphrase:"
+send -- "$GPG_PASSPHRASE\r"
+
+# Wait until the process completes
+expect eof
+
diff --git a/build/sign_rpm.exp b/build/sign_rpm.exp
new file mode 100755
index 0000000..b95828c
--- /dev/null
+++ b/build/sign_rpm.exp
@@ -0,0 +1,10 @@
+#!/usr/bin/expect -f
+
+set rpm_file [lindex $argv 0];
+set GPG_PASSPHRASE [lindex $argv 1];
+
+set timeout -1
+spawn rpmsign -v --addsign $rpm_file
+expect "Enter pass phrase:"
+send -- "${GPG_PASSPHRASE}\r"
+expect eof
\ No newline at end of file
diff --git a/build/sign_tar.exp b/build/sign_tar.exp
new file mode 100755
index 0000000..a843bb0
--- /dev/null
+++ b/build/sign_tar.exp
@@ -0,0 +1,23 @@
+#!/usr/bin/expect -f
+
+set timeout -1
+set targz_file [lindex $argv 0]
+set passphrase [lindex $argv 1]
+
+# Ensure the GPG_TTY is set correctly
+set env(GPG_TTY) [exec /bin/sh -c "tty"]
+
+# Debug output to verify the correct file is being processed
+puts "Expect script signing file: $targz_file"
+
+spawn gpg --sign --armor --detach-sig $targz_file
+expect {
+    "Enter passphrase:" {
+        send -- "$passphrase\r"
+        exp_continue
+    }
+    eof {
+        catch wait result
+        exit [lindex $result 3]
+    }
+}
\ No newline at end of file