

Support CBL signing (#3719)
csujedihy committed Jun 22, 2023
1 parent e855aa0 commit b484c06
Showing 2 changed files with 54 additions and 9 deletions.
47 changes: 40 additions & 7 deletions .azure/OneBranch.Publish.yml
Expand Up @@ -15,6 +15,12 @@ variables:
DisableDockerDetector: true

parameters:
- name: opensslrpmcblrepos
type: object
default:
- cbl-mariner-1.0-prod-Microsoft-x86_64-rpms-yum
- cbl-mariner-2.0-prod-Microsoft-x86_64-yum
- cbl-mariner-2.0-prod-Microsoft-aarch64-yum
- name: opensslrpmrepos
type: object
default:
Expand All @@ -29,9 +35,6 @@ parameters:
- microsoft-rhel7.3-prod-yum
- microsoft-rhel8.0-prod-yum
- microsoft-rhel8.1-prod-yum
- cbl-mariner-1.0-prod-Microsoft-x86_64-rpms-yum
- cbl-mariner-2.0-prod-Microsoft-x86_64-yum
- cbl-mariner-2.0-prod-Microsoft-aarch64-yum
- name: openssldebrepos
type: object
default:
Expand Down Expand Up @@ -90,7 +93,7 @@ stages:
inputs:
secureFile: 'auth.pem'
- ${{ each repo in parameters.openssldebrepos }}:
- script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl -r ${{ repo }} -n "*.deb"
- script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl/gen -r ${{ repo }} -n "*.deb"
condition: eq(${{ parameters.debug }}, false)
displayName: ${{ repo }}
continueOnError: true
Expand Down Expand Up @@ -120,7 +123,37 @@ stages:
inputs:
secureFile: 'auth.pem'
- ${{ each repo in parameters.opensslrpmrepos }}:
- script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl -r ${{ repo }} -n "*.rpm"
- script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl/gen -r ${{ repo }} -n "*.rpm"
condition: eq(${{ parameters.debug }}, false)
displayName: ${{ repo }}
continueOnError: true
- job: UploadPackage_openssl_rpms_cbl
displayName: Upload openSSL based RPM packages to CBL repos
timeoutInMinutes: 120
workspace:
clean: all
pool:
vmImage: 'ubuntu-latest'
variables:
- group: MsQuicAADApp
steps:
- task: DownloadPipelineArtifact@2
inputs:
source: specific
project: $(resources.pipeline.onebranch.projectID)
pipeline: $(resources.pipeline.onebranch.pipelineID)
preferTriggeringPipeline: true
runVersion: specific
runId: $(resources.pipeline.onebranch.runID)
artifact: drop_package_linux_distribution_openssl
path: $(Build.SourcesDirectory)/artifacts/signed/openssl
- task: DownloadSecureFile@1
name: pmcv4cert
displayName: 'Download cert for PMC v4'
inputs:
secureFile: 'auth.pem'
- ${{ each repo in parameters.opensslrpmcblrepos }}:
- script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl/cbl -r ${{ repo }} -n "*.rpm"
condition: eq(${{ parameters.debug }}, false)
displayName: ${{ repo }}
continueOnError: true
Expand Down Expand Up @@ -150,7 +183,7 @@ stages:
inputs:
secureFile: 'auth.pem'
- ${{ each repo in parameters.openssl3debrepos }}:
- script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl3 -r ${{ repo }} -n "*.deb"
- script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl3/gen -r ${{ repo }} -n "*.deb"
condition: eq(${{ parameters.debug }}, false)
displayName: ${{ repo }}
continueOnError: true
Expand Down Expand Up @@ -180,7 +213,7 @@ stages:
inputs:
secureFile: 'auth.pem'
- ${{ each repo in parameters.openssl3rpmrepos }}:
- script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl3 -r ${{ repo }} -n "*.rpm"
- script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl3/gen -r ${{ repo }} -n "*.rpm"
condition: eq(${{ parameters.debug }}, false)
displayName: ${{ repo }}
continueOnError: true
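Review bot: The new UploadPackage_openssl_rpms_cbl job uploads whatever `*.rpm` files sit under `artifacts/signed/openssl/cbl` without checking that the folder exists or that the packages were signed with the CBL profile, and `continueOnError: true` turns a failed upload into a warning. The artifact comes from a specific run of another pipeline (`runId: $(resources.pipeline.onebranch.runID)`), so a run built before the gen/cbl split, or one built with signing disabled, would presumably reach this step with a missing or unsigned `cbl` folder; how upload-linux-packages.sh reacts to that is not visible here. I would add a guard step before the `each` loop, for example `- script: ls $(Build.SourcesDirectory)/artifacts/signed/openssl/cbl/*.rpm`, and ideally a signature check against the expected CBL public key before anything is pushed. The same concern applies to the four existing upload jobs in this file whose `-f` path gained `/gen`.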
16 changes: 14 additions & 2 deletions .azure/obtemplates/build-linux-packages.yml
Expand Up @@ -43,11 +43,23 @@ jobs:
inputs:
pwsh: false
filePath: scripts/package-distribution.ps1
- script: | # prepare 2 sets of packages for signing with different keys (gen = general purpose, cbl = cbl-mariner)
mkdir $(Build.SourcesDirectory)/artifacts/dist/gen
find $(Build.SourcesDirectory)/artifacts/dist -type f -exec mv -t $(Build.SourcesDirectory)/artifacts/dist/gen/ {} +
cp -r $(Build.SourcesDirectory)/artifacts/dist/gen/ $(Build.SourcesDirectory)/artifacts/dist/cbl/
- ${{ if not(eq(parameters.sign, false)) }}:
- task: onebranch.pipeline.signing@1
displayName: Sign
displayName: Sign General Purpose Packages
inputs:
command: 'sign'
signing_profile: 'CP-450779-pgpdetached'
files_to_sign: '**/*.rpm;**/*.deb'
search_root: '$(ob_outputDirectory)'
search_root: $(Build.SourcesDirectory)/artifacts/dist/gen
- ${{ if not(eq(parameters.sign, false)) }}:
- task: onebranch.pipeline.signing@1
displayName: Sign CBL Packages
inputs:
command: 'sign'
signing_profile: 'CP-459159-pgpdetached'
files_to_sign: '**/*.rpm;**/*.deb'
search_root: $(Build.SourcesDirectory)/artifacts/dist/cbl
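Review bot: The CBL signing step signs `**/*.rpm;**/*.deb` under `dist/cbl`, but `cbl/` is a full copy of `gen/` and, as far as the publish pipeline in this commit shows, only `*.rpm` files are uploaded from the cbl folder, so every .deb is also signed with the CBL profile for no consumer. Narrowing that step to `files_to_sign: '**/*.rpm'` keeps the second key off packages it is not meant for. Separately, the split script has no `set -e`; as far as I know the step result then follows only the last command, so a failed `mkdir` or `find … mv` would leave packages in `dist/` outside both new `search_root`s and unsigned, and starting the script with `set -euo pipefail` would surface that. The steps list this hunk extends begins outside the hunk.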
