fix(IMEX-1): bump artifactlift to support content-type, add file sign…

…ing.
ProtonMail · Jun 27, 2024 · ea4eaa5 · ea4eaa5
1 parent 07498c8
commit ea4eaa5
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 2 deletions.
diff --git a/ci/artifactlift.yml b/ci/artifactlift.yml
@@ -3,10 +3,10 @@
 .component:
     rel_cand: &include_release_candidate "gitlab.protontech.ch/proton/devops/\
                         cicd-components/tools/artifactlift/\
-                        release-candidate@0.1.13"
+                        release-candidate@0.1.15"
     rel: &include_release "gitlab.protontech.ch/proton/devops/\
               cicd-components/tools/artifactlift/\
-              release@0.1.13"
+              release@0.1.15"
 
 .check_deployer:
     script:
@@ -63,13 +63,15 @@ include:
           artifact_list: "*"
           job_prefix: 'macos:'
           artifact_metadata_path: "macos"
+    - local: /ci/setup.yml
 
 .generate:
     tags:
         - shared-small
     image: gitlab.protontech.ch:4567/go/bridge-internal:release
     stage: generate
     script:
+        - !reference [.linux-keys, before_script]
         - !reference [.check_deployer, script]
         - ./scripts/deploy.sh "${ET_TAG}" "${CI_JOB_NAME}"
     allow_failure: false

diff --git a/ci/setup.yml b/ci/setup.yml
@@ -156,3 +156,32 @@ variables:
   script:
     - !reference [.script-build, script]
     - ctest --build-config $CMAKE_BUILD_CONFIG --test-dir $CMAKE_BUILD_DIR -V
+
+.linux-keys:
+  before_script:
+    - mkdir -p ~/.gnupg
+    - chmod 700 ~/.gnupg
+    - export GPG_TTY=$(tty)
+    - echo "TTY $GPG_TTY"
+    - echo "default-key E2C75D68E6234B07"
+      >> ~/.gnupg/gpg.conf
+    - echo "weak-digest SHA1"
+      >> ~/.gnupg/gpg.conf
+    - echo "digest-algo SHA256"
+      >> ~/.gnupg/gpg.conf
+    - chmod 600 ~/.gnupg/*
+    - if [ -z $GPG_PASSPHRASE_BRIDGE ];
+      then echo -ne '*\n*\n*\nSIGNING KEY NOT AVAILABLE\n*\n*\n*\n';
+      fi;
+    - gpg-agent --daemon --allow-preset-passphrase --max-cache-ttl 3153600000
+    - echo "$GPG_PASSPHRASE_BRIDGE" | base64 -d |
+      /usr/lib/gnupg/gpg-preset-passphrase
+      --preset E2C75D68E6234B07
+    - echo "$GPG_PASSPHRASE_BRIDGE" | base64 -d |
+      /usr/lib/gnupg/gpg-preset-passphrase
+      --preset 9AFA004CD15D32A920353A116FD6B29133593AA3
+    - echo "$GPG_PRIVATE_KEY_BRIDGE" | base64 -d | gpg -v --batch --import
+    - echo "$GPG_PASSPHRASE_BRIDGE" | base64 -d |
+      gpg -v --batch --always-trust --yes
+      --passphrase-fd 0 --pinentry-mode=loopback -s $(mktemp)
+    - gpg -v --detach-sign $(mktemp)
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
@@ -91,6 +91,9 @@ prepare_metadata() {
     version_json=imex_version.json
     cp ./version.json  "${DEPLOY_DIR}/${version_json}"
     printf "%s " "$version_json" >>tmp.metadata
+
+    sign_file "${DEPLOY_DIR}/${version_json}"
+    printf "%s.sig " "$version_json" >>tmp.metadata
 }
 
 prepare_installer_files() {
@@ -111,6 +114,10 @@ download_installer_file() {
     $nexus_client cp "${BUILD_NEXUS_PATH}/${1}" "${DEPLOY_DIR}/${1}"
     printf "%s " "${1// /\\ }" >>tmp.files
     printf "%s " "${1// /\\ }" >>tmp.metadata
+
+    sign_file "${DEPLOY_DIR}/${1}"
+    printf "%s.sig " "${1// /\\ }" >>tmp.files
+    printf "%s.sig " "${1// /\\ }" >>tmp.metadata
 }
 
 
@@ -123,4 +130,10 @@ release_env() {
     } >${RELEASE_ENV}
 }
 
+sign_file() {
+    gpg --local-user E2C75D68E6234B07 --detach-sign "$1"
+}
+
+
+
 main "$@"