Add support for RPM signing via Drone (#4634)
This commit is contained in:
parent
3905726d8f
commit
abe2b607d5
50
.drone.yml
50
.drone.yml
|
@ -1147,14 +1147,23 @@ steps:
|
|||
TMPDIR: /go
|
||||
OSS_TARBALL_PATH: /go/artifacts
|
||||
ENT_TARBALL_PATH: /go/artifacts
|
||||
GNUPG_DIR: /tmpfs/gnupg
|
||||
GPG_RPM_SIGNING_ARCHIVE:
|
||||
from_secret: GPG_RPM_SIGNING_ARCHIVE
|
||||
volumes:
|
||||
- name: dockersock
|
||||
path: /var/run
|
||||
- name: tmpfs
|
||||
path: /tmpfs
|
||||
commands:
|
||||
- apk add --no-cache bash curl go make tar
|
||||
- apk add --no-cache bash curl gzip make tar
|
||||
- cd /go/src/github.com/gravitational/teleport
|
||||
- export VERSION=$(cat /go/.version.txt)
|
||||
- mkdir -m0700 $GNUPG_DIR
|
||||
- echo "$GPG_RPM_SIGNING_ARCHIVE" | base64 -d | tar -xzf - -C $GNUPG_DIR
|
||||
- chown -R root:root $GNUPG_DIR
|
||||
- make rpm
|
||||
- rm -rf $GNUPG_DIR
|
||||
|
||||
- name: Copy RPM artifacts
|
||||
image: docker
|
||||
|
@ -1184,10 +1193,15 @@ services:
|
|||
volumes:
|
||||
- name: dockersock
|
||||
path: /var/run
|
||||
- name: tmpfs
|
||||
path: /tmpfs
|
||||
|
||||
volumes:
|
||||
- name: dockersock
|
||||
temp: {}
|
||||
- name: tmpfs
|
||||
temp:
|
||||
medium: memory
|
||||
|
||||
---
|
||||
kind: pipeline
|
||||
|
@ -1260,15 +1274,24 @@ steps:
|
|||
RUNTIME: fips
|
||||
TMPDIR: /go
|
||||
ENT_TARBALL_PATH: /go/artifacts
|
||||
GNUPG_DIR: /tmpfs/gnupg
|
||||
GPG_RPM_SIGNING_ARCHIVE:
|
||||
from_secret: GPG_RPM_SIGNING_ARCHIVE
|
||||
volumes:
|
||||
- name: dockersock
|
||||
path: /var/run
|
||||
- name: tmpfs
|
||||
path: /tmpfs
|
||||
commands:
|
||||
- apk add --no-cache bash curl make tar
|
||||
- apk add --no-cache bash curl gzip make tar
|
||||
- cd /go/src/github.com/gravitational/teleport
|
||||
- export VERSION=$(cat /go/.version.txt)
|
||||
- mkdir -m0700 $GNUPG_DIR
|
||||
- echo "$GPG_RPM_SIGNING_ARCHIVE" | base64 -d | tar -xzf - -C $GNUPG_DIR
|
||||
- chown -R root:root $GNUPG_DIR
|
||||
# build enterprise only
|
||||
- make -C e rpm
|
||||
- rm -rf $GNUPG_DIR
|
||||
|
||||
- name: Copy FIPS RPM artifacts
|
||||
image: docker
|
||||
|
@ -1297,10 +1320,15 @@ services:
|
|||
volumes:
|
||||
- name: dockersock
|
||||
path: /var/run
|
||||
- name: tmpfs
|
||||
path: /tmpfs
|
||||
|
||||
volumes:
|
||||
- name: dockersock
|
||||
temp: {}
|
||||
- name: tmpfs
|
||||
temp:
|
||||
medium: memory
|
||||
|
||||
---
|
||||
kind: pipeline
|
||||
|
@ -1701,14 +1729,23 @@ steps:
|
|||
TMPDIR: /go
|
||||
OSS_TARBALL_PATH: /go/artifacts
|
||||
ENT_TARBALL_PATH: /go/artifacts
|
||||
GNUPG_DIR: /tmpfs/gnupg
|
||||
GPG_RPM_SIGNING_ARCHIVE:
|
||||
from_secret: GPG_RPM_SIGNING_ARCHIVE
|
||||
volumes:
|
||||
- name: dockersock
|
||||
path: /var/run
|
||||
- name: tmpfs
|
||||
path: /tmpfs
|
||||
commands:
|
||||
- apk add --no-cache bash curl make tar
|
||||
- apk add --no-cache bash curl gzip make tar
|
||||
- cd /go/src/github.com/gravitational/teleport
|
||||
- export VERSION=$(cat /go/.version.txt)
|
||||
- mkdir -m0700 $GNUPG_DIR
|
||||
- echo "$GPG_RPM_SIGNING_ARCHIVE" | base64 -d | tar -xzf - -C $GNUPG_DIR
|
||||
- chown -R root:root $GNUPG_DIR
|
||||
- make rpm
|
||||
- rm -rf $GNUPG_DIR
|
||||
|
||||
- name: Copy i386 RPM artifacts
|
||||
image: docker
|
||||
|
@ -1738,10 +1775,15 @@ services:
|
|||
volumes:
|
||||
- name: dockersock
|
||||
path: /var/run
|
||||
- name: tmpfs
|
||||
path: /tmpfs
|
||||
|
||||
volumes:
|
||||
- name: dockersock
|
||||
temp: {}
|
||||
- name: tmpfs
|
||||
temp:
|
||||
medium: memory
|
||||
|
||||
---
|
||||
kind: pipeline
|
||||
|
@ -3046,6 +3088,6 @@ volumes:
|
|||
|
||||
---
|
||||
kind: signature
|
||||
hmac: 289a3b88913526ba2228afd60cc4fa60539f9f76ef89453164a8e5abc4c16255
|
||||
hmac: 921eeb9b7f68a01bf4a3c690248bc74285345b23e9362ee2593610e2a8355363
|
||||
|
||||
...
|
||||
|
|
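Review bot: The `rm -rf $GNUPG_DIR` cleanup in the new signing steps (hunks at 1147, 1274 and 1729) only runs when `make rpm` succeeds, because Drone aborts the step at the first failing command, so a failed build leaves the decoded signing keyring in `/tmpfs/gnupg` for any later step of the same pipeline that mounts the `tmpfs` volume. The exposure is bounded by the pipeline since the volume is `temp: medium: memory`, but making the removal unconditional is cheap. If the runner executes a step's commands in one shell, which I believe the docker runner does, an exit trap placed before the extraction covers every path: `- trap 'rm -rf "$GNUPG_DIR"' EXIT`; otherwise `- make rpm || { rm -rf "$GNUPG_DIR"; exit 1; }` does it per command. Quoting `"$GNUPG_DIR"` in the `mkdir`, `tar` and `chown` lines would also match the already-quoted `"$GPG_RPM_SIGNING_ARCHIVE"`.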
6
Makefile
6
Makefile
|
@ -511,9 +511,15 @@ rpm:
|
|||
mkdir -p $(BUILDDIR)/
|
||||
cp ./build.assets/build-package.sh $(BUILDDIR)/
|
||||
chmod +x $(BUILDDIR)/build-package.sh
|
||||
cp -a ./build.assets/rpm-sign $(BUILDDIR)/
|
||||
cd $(BUILDDIR) && ./build-package.sh -t oss -v $(VERSION) -p rpm -a $(ARCH) $(RUNTIME_SECTION) $(TARBALL_PATH_SECTION)
|
||||
if [ -f e/Makefile ]; then $(MAKE) -C e rpm; fi
|
||||
|
||||
# build unsigned .rpm (for testing)
|
||||
.PHONY: rpm-unsigned
|
||||
rpm-unsigned:
|
||||
$(MAKE) UNSIGNED_RPM=true rpm
|
||||
|
||||
# build .deb
|
||||
.PHONY: deb
|
||||
deb:
|
||||
|
|
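Review bot: The comment on the `rpm` rule does not say that signing is now the default and what it needs; the rule header sits above this hunk, so the place to record it is that comment, e.g. `# build signed .rpm — requires GNUPG_DIR (default /tmp/gnupg in build-package.sh) holding the signing keys; use rpm-unsigned to skip signing`. The new `rpm-unsigned` target passes `UNSIGNED_RPM=true` on the sub-make command line, which GNU make exports to recipe commands and propagates to the nested `$(MAKE) -C e rpm`, so build-package.sh sees it as an environment variable in both invocations; a one-line comment on `rpm-unsigned` noting that it relies on command-line variables being exported would save the next reader that check. Both points are documentation only.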
|
@ -49,6 +49,7 @@ RUNTIME=${r}
|
|||
BUILD_MODE=${m}
|
||||
TARBALL_DIRECTORY=/tmp/teleport-tarballs
|
||||
DOWNLOAD_IF_NEEDED=true
|
||||
GNUPG_DIR=${GNUPG_DIR:-/tmp/gnupg}
|
||||
if [[ "${s}" != "" ]]; then
|
||||
DOWNLOAD_IF_NEEDED=false
|
||||
TARBALL_DIRECTORY=${s}
|
||||
|
@ -154,9 +155,9 @@ else
|
|||
|
||||
# set docker image appropriately
|
||||
if [[ "${PACKAGE_TYPE}" == "deb" ]]; then
|
||||
DOCKER_IMAGE="cdrx/fpm-debian:8"
|
||||
DOCKER_IMAGE="quay.io/gravitational/fpm-debian:8"
|
||||
elif [[ "${PACKAGE_TYPE}" == "rpm" ]]; then
|
||||
DOCKER_IMAGE="cdrx/fpm-centos:7"
|
||||
DOCKER_IMAGE="quay.io/gravitational/fpm-centos:8"
|
||||
fi
|
||||
|
||||
# if client-only build is requested for a non-Mac platform, unset it
|
||||
|
@ -245,9 +246,22 @@ else
|
|||
FILE_LIST="${TAR_PATH}/tsh ${TAR_PATH}/tctl ${TAR_PATH}/teleport ${TAR_PATH}/examples/systemd/teleport.service"
|
||||
LINUX_BINARY_FILE_LIST="${TAR_PATH}/tsh ${TAR_PATH}/tctl ${TAR_PATH}/teleport"
|
||||
LINUX_SYSTEMD_FILE_LIST="${TAR_PATH}/examples/systemd/teleport.service"
|
||||
EXTRA_DOCKER_OPTIONS=""
|
||||
RPM_SIGN_STANZA=""
|
||||
if [[ "${PACKAGE_TYPE}" == "rpm" ]]; then
|
||||
OUTPUT_FILENAME="${TAR_PATH}-${TELEPORT_VERSION}-1${OPTIONAL_RUNTIME_SECTION}.${ARCH}.rpm"
|
||||
FILE_PERMISSIONS_STANZA="--rpm-user root --rpm-group root --rpm-use-file-permissions "
|
||||
# if we set this environment variable, don't sign RPMs (can be useful for building test RPMs
|
||||
# without having the signing keys)
|
||||
if [ "${UNSIGNED_RPM}" == "true" ]; then
|
||||
echo "RPMs will not be signed as requested"
|
||||
else
|
||||
# the GNUPG_DIR location here is assumed to contain a complete ~/.gnupg directory structure
|
||||
# with pubring.kbx and trustdb.gpg files, plus a private-keys-v1.d directory with signing keys
|
||||
# it needs to contain the "Gravitational, Inc" private key and signing key.
|
||||
EXTRA_DOCKER_OPTIONS="-v $(pwd)/rpm-sign/rpmmacros:/root/.rpmmacros -v $(pwd)/rpm-sign/popt-override:/etc/popt.d/rpmsign-override -v ${GNUPG_DIR}:/root/.gnupg"
|
||||
RPM_SIGN_STANZA="--rpm-sign"
|
||||
fi
|
||||
elif [[ "${PACKAGE_TYPE}" == "deb" ]]; then
|
||||
OUTPUT_FILENAME="${TAR_PATH}_${TELEPORT_VERSION}${OPTIONAL_RUNTIME_SECTION}_${ARCH}.deb"
|
||||
FILE_PERMISSIONS_STANZA="--deb-user root --deb-group root "
|
||||
|
@ -366,7 +380,7 @@ else
|
|||
rm -vf ${OUTPUT_FILENAME}
|
||||
|
||||
# build for other platforms
|
||||
docker run -v ${PACKAGE_TEMPDIR}:/src --rm ${DOCKER_IMAGE} \
|
||||
docker run -v ${PACKAGE_TEMPDIR}:/src --rm ${EXTRA_DOCKER_OPTIONS} ${DOCKER_IMAGE} \
|
||||
fpm \
|
||||
--input-type dir \
|
||||
--output-type ${PACKAGE_TYPE} \
|
||||
|
@ -385,7 +399,8 @@ else
|
|||
--prefix / \
|
||||
--verbose \
|
||||
${CONFIG_FILE_STANZA} \
|
||||
${FILE_PERMISSIONS_STANZA} .
|
||||
${FILE_PERMISSIONS_STANZA} \
|
||||
${RPM_SIGN_STANZA} .
|
||||
|
||||
# copy created package back to current directory
|
||||
cp ${PACKAGE_TEMPDIR}/*."${PACKAGE_TYPE}" .
|
||||
|
|
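Review bot: In the signing branch of the hunk at 246 the `-v ${GNUPG_DIR}:/root/.gnupg` mount is added without checking that `${GNUPG_DIR}` exists; `docker run -v` silently creates a missing host path as an empty root-owned directory, so a misconfigured build fails only inside fpm with a gpg error instead of a clear message. A guard before `EXTRA_DOCKER_OPTIONS` is assigned gives the clear failure: `if [[ ! -d "${GNUPG_DIR}" ]]; then echo "GNUPG_DIR ${GNUPG_DIR} not found; set UNSIGNED_RPM=true to build unsigned RPMs"; exit 1; fi`. The `[ "${UNSIGNED_RPM}" == "true" ]` test uses single-bracket `==`, a bashism the surrounding script writes as `[[ ... ]]`; `[[ "${UNSIGNED_RPM}" == "true" ]]` keeps the style uniform. The key material is also mounted read-write into the packaging container; if the gpg in the image tolerates a read-only homedir for batch signing, adding `:ro` to that mount is worth trying. A post-build `rpm -K` of the produced package against `rpm-sign/RPM-GPG-KEY-gravitational` would additionally confirm the RPM is signed by the expected key, though it needs an `rpm` binary on the host or another container run.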
52
build.assets/rpm-sign/RPM-GPG-KEY-gravitational
Normal file
52
build.assets/rpm-sign/RPM-GPG-KEY-gravitational
Normal file
|
@ -0,0 +1,52 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQINBF+R3LYBEADOEO9i3Dm5rEAiXONchX3M54QzZX0yHArSpYQ5aJDdJRQbqzqT
|
||||
+e2os8NpSjVDZFNz5ul8xkZsnCLX7pgrAYqq+vsXL4bMWDP96S6PjfVIAyV4ylv0
|
||||
DBReMdkaAZb/IoPhkSTT+ayw4eGEtUz/k7mxMpQ9ob7qFtGs8aNVT/An5LfFR1Lx
|
||||
9WOlFPPIAJKcHVIyRD+4EoCSn1R1c61UHFIRatbAnwOLs3iz4/GU+w9wdbuWbDuk
|
||||
nGdG0Lmlzp42HHxeJJFQlOTed97+trktvAiuzA/0lbQHEcWvxfWAy5//cjORp+H3
|
||||
RGLp8fJ+fFRAyA4WP6O3wIC4gAAgsEn8WpVT8wZYlLMRf694SeawBtyUSlcsn9i1
|
||||
LuOh5akOY3iQtH01+rMBjOaMkCmpT2nQaUH+HS2iZBddBHdAMMQtj2UolMRbUSxH
|
||||
+GJczes1t9/WH3vbvh5ESMOy0fH14Tjo+9yQYa4EhFNNloAG10DYFLlCj47fWDdS
|
||||
o/++vhZsKaS7yLHDGOLPT+x15ComG2gupmRkbATvUddztlsfF+tD97laT9eaLB1W
|
||||
zxszqr8+LxP961wmbS2j+ZBbXyrPr1Fln/TdyFAhkIMJ+J5hZB+NcjRUwUoB7nOd
|
||||
+FbTxtnyJb2iaJNCJHJQVA85IYzUpXA3CDdgUHF810kVBcBPBtLhZC5ybQARAQAB
|
||||
tCtHcmF2aXRhdGlvbmFsLCBJbmMgPGluZm9AZ3Jhdml0YXRpb25hbC5jb20+iQJU
|
||||
BBMBCAA+FiEEDF6LpWWOMg0bAxF5yH7VOmKCxBEFAl+R3LYCGwMFCRLMAwAFCwkI
|
||||
BwIGFQoJCAsCBBYCAwECHgECF4AACgkQyH7VOmKCxBFfxxAAiXWJm86oZtVdAlp1
|
||||
pzpKeV0pwgrnt7Uk8fu5tYpdE/oVMnwcdsDDQucItGtHGfjmzs3Cr8/praekenf1
|
||||
9iHSz422OpIGzCI4VfXaFPVfzbV1w7cSOnceY6lPnKUMrRBKKJX5Nw/6LZS40gsQ
|
||||
BoeZxe0MXB4tBc4dY30f1MQ44amRYmtTA7wep+ymVRfkPnHNnIrsdYGldbfPsbPO
|
||||
PUX8ZnWZiuI0+NgX3oBOl6YY4JehBJj61Ukx1DPHHLhhundHumChYFn+LBIZxD3O
|
||||
B9uoRzUzwUIM0N9IUjpGvtkqtm7Vbs6/bDxI4Owgsa7vXpEXZ2qD0AIle7sD0Fjl
|
||||
F19o2mXmEeQp9Fl4OrkZCURCQvPq9UCh6Nu0a1+SnbG+qXyyvqszy2tkV4xmcF4w
|
||||
Gib0SVT8RR08NeJXkHtBscnecgUA1BTH8J8RnUeQXZhUn51bVJk4JaDnEXp8VEP2
|
||||
gNce+oUY2XQtLDVzHysGhexDrWk8ycl/zvwyxKv+kj5QhjXugHkOMnW53mdMe3N/
|
||||
gwsV+kJUm6NdtLtTAOkky/GfkIGTWNQPD2/42T+0cA9lTVxihh+wz9tgA1ZbtVOK
|
||||
P2DNA10rsCuzGPFn8d6Khymt0o66dgfEloy9Y14leoqUCMPU3ibLP6bYuow2AJUz
|
||||
KcvTgmfjP1/ghNXI7E2vgNi8wta5Ag0EX5HctgEQALx4btbP47LwrIqB4loog2sT
|
||||
pac7fdbA+YVeqP/9KoLw1ZB+5DeqNKmtUHSau9mRVh8a8g7slpGhH6hxlEHr7ek/
|
||||
mA/o91jB4RGo5mfyuWcJQKRyHS4pWciEM/gK+o6lEceTdUwvKI6OrJ4koPd3HZth
|
||||
mw+xPyAdGKY3oBmrXeZ6XkuDfME8doRmuwlw/tbmje63/2j97ebiFfQcyWLH32d8
|
||||
T+yEpAj+55Qxp6aJZaDOeAuzBtyAopxGRjGsxBUF/VSUwxYb0bmwWgPIhPC77oEk
|
||||
AEMPsIsI9LJ8fQY/sOzwhyNNt+b7rgto6AFskz7urezzCuuIwMeupmC78QWGw9jM
|
||||
zHFf3R6O1KQ0v8PBYYb6BHkjzho6hTcOZO9Zh+XO4k6uEwlu+Zc0AmyHmQeQ3I8Z
|
||||
tAb//LJk9X62yNPE/8wjtEUzXqyzlLpGjRFr6kQv+6nqs8JxyCnS34Q+au2IqOnn
|
||||
iFkHj/w79mtmzR4G43wo3x1nGjyz+vTpsurmJ+qFMO0bLcE/HV8aGxs0YeQsByOc
|
||||
SU8TK6v+Wkn58LT4cvjIO5G/2UM7kucXl56hqvguvnFTLNqewWtqgS7IRuykcYgK
|
||||
HrBYb/iVH+Fb+9Th9VX7bl0ZeoH7O8RbvxKGkd90+DPsurBeIQ7S4zM9w7WnAsAC
|
||||
Sgs8owYZpHpyrK8QFD4zABEBAAGJAjwEGAEIACYWIQQMXoulZY4yDRsDEXnIftU6
|
||||
YoLEEQUCX5HctgIbDAUJEswDAAAKCRDIftU6YoLEEURID/4oQhZZPindZJHiwQqm
|
||||
0a8H1ssgZAz6E8PejoN0gbsblbOrtkGDLU8gvzksvd/9luSLRgPw++m6ut87PeMv
|
||||
MKc4UIyRb5oSgh5WE0bW9191Gkfge9DRrIdtUDG8N+oTlIWYHTXC5zlwmfMobtQE
|
||||
kFUdPbedhytYx1wgbh8KP8sLXGPXut5VqDy/EgNzqERnI5kLeiDvMsLz0xjdHpGW
|
||||
ASfJMNX120GU8Mwqa6gWvP52BB20pU9bC1VQX1qiqD6V1GpxQJ2jACKke6boiqbL
|
||||
Bdb0UgmW4XYIp4ZjLC842e0qSyfd8rt3PzYrbK/NPuXAV7f+wAhPSC18v+1Ap5Kh
|
||||
KKHRLvyUVGxwaBVedOuuC/OqJwSSLa0cQKytFK+3OJAdTYoHtsh++ScgEL/wOCXs
|
||||
gM5xmlI6Pk/6Ev0Hz/kDY5F0w4/VvSEaS/7TSkmf5JvxdueVObf5ry5O+L4J7t7y
|
||||
JwdtPhXgHR0PHidnh/02SVn8XIzHdB9OZ2i6Wr12loFZGltWdmJVkQC/cj/HBr5I
|
||||
ZizQril+7cXDI/8Hyk04d19rmjSIU49FderpNYYOv38dqaAsosYge6JzYdIzJrJH
|
||||
/DIKnSAU/a14sFUrNm+TYJmZto35hSltUxLEzLIWeR9TjpOh6VS1UzdGQh32NP+h
|
||||
oq8y1SJMCrfC9Ub5q2/ijiJWUw==
|
||||
=+Ne5
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
5
build.assets/rpm-sign/popt-override
Normal file
5
build.assets/rpm-sign/popt-override
Normal file
|
@ -0,0 +1,5 @@
|
|||
# Minimally preserve rpmbuild's --sign functionality
|
||||
rpmbuild alias --sign \
|
||||
--pipe 'rpm --addsign `grep ".*: .*\.rpm$"|cut -d: -f2`' \
|
||||
--POPTdesc=$"generate GPG signature (deprecated, use command rpmsign instead)"
|
||||
|
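Review bot: The header comment states what the alias preserves but not why the build needs it, which is the non-obvious part for a reader who finds an rpmbuild alias in a popt file. As far as I know `rpmbuild --sign` was removed in rpm 4.14, which the new `fpm-centos:8` image ships, while fpm's `--rpm-sign` still passes `--sign` to rpmbuild, so this alias re-implements it with `rpm --addsign` on the written package; a comment such as `# rpmbuild --sign was dropped in rpm >= 4.14 (CentOS 8); fpm --rpm-sign still passes it, so re-implement it via rpm --addsign on the "Wrote:" output` would record that. The grep `".*: .*\.rpm$"` keys on rpmbuild's "Wrote: <path>" lines, which is worth stating there as well.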
7
build.assets/rpm-sign/rpmmacros
Normal file
7
build.assets/rpm-sign/rpmmacros
Normal file
|
@ -0,0 +1,7 @@
|
|||
%_signature gpg
|
||||
%_gpg_path /root/.gnupg
|
||||
%_gpg_name Gravitational, Inc
|
||||
%_gpgbin /usr/bin/gpg
|
||||
%_gpg_pass -
|
||||
# Use SHA512 to sign RPMs
|
||||
%__gpg_sign_cmd %{__gpg} gpg --no-verbose --no-armor --batch --pinentry-mode loopback --passphrase '' --no-secmem-warning -u "%{_gpg_name}" --digest-algo sha512 -sbo %{__signature_filename} %{__plaintext_filename}
|
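Review bot: `%_gpg_name Gravitational, Inc` selects the signing key by user-ID text, and gpg's `-u` matches that string as a substring of any user ID, so a keyring holding more than one matching key (for example after a rotation that keeps the old key) would sign with whichever key gpg finds first. Pinning the macro to the key's fingerprint gives an exact match: `%_gpg_name <SIGNING-KEY-FINGERPRINT>` (placeholder; the fingerprint of the key in build.assets/rpm-sign/RPM-GPG-KEY-gravitational). The `%__gpg_sign_cmd` line also hard-codes `--pinentry-mode loopback --passphrase ''`, so the secret key in the signing archive must be unprotected; a comment recording that requirement, e.g. `# the signing key must have no passphrase (loopback pinentry with an empty passphrase)`, prevents a surprising batch failure if the key is ever re-exported with one. `%_gpg_pass -` is consistent with that but equally undocumented.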
2
e
2
e
|
@ -1 +1 @@
|
|||
Subproject commit 5c76e9b257c50889d301419be2d77e3936d272bd
|
||||
Subproject commit 7f58962a97efd995917dfa618fa4c01e45763a02
|