Skip to content

Commit

Permalink
Signing RPM packages (#507)
Browse files Browse the repository at this point in the history 
* Signing RPM packages

* Add license header

* Make shellcheck happy

* Allow build package only

* Pin image by hash

* Correct dockerfile syntax

* Exit without terminate
  • Loading branch information
@waybackarchiver
waybackarchiver authored Mar 28, 2024
1 parent 11baccb commit 308aed9
Show file tree
Hide file tree
Showing 6 changed files with 67 additions and 12 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/builder.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,8 @@ jobs:
egress-policy: audit
secrets:
wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
wayback-signing-key: ${{ secrets.GEMFURY_SIGNING_KEY }}
wayback-signing-passpharse: ${{ secrets.GEMFURY_SIGNING_PASSPHARSE }}

aurpkg:
name: Build AUR
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,8 @@ jobs:
artifact-path: build/package/wayback*.rpm
secrets:
wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
wayback-signing-key: ${{ secrets.GEMFURY_SIGNING_KEY }}
wayback-signing-passpharse: ${{ secrets.GEMFURY_SIGNING_PASSPHARSE }}

aurpkg:
name: Build AUR
Expand Down
7 changes: 5 additions & 2 deletions Makefile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -163,8 +163,11 @@ rpm: ## Build RPM package
-t wayback-rpm-builder \
-f build/redhat/Dockerfile .
@$(DOCKER) run --rm \
-v ${PWD}/build/package:/root/rpmbuild/RPMS/x86_64 wayback-rpm-builder \
rpmbuild -bb --define "_wayback_version $(VERSION)" /root/rpmbuild/SPECS/wayback.spec
-e WAYBACK_SIGNING_KEY="$${WAYBACK_SIGNING_KEY}" \
-e WAYBACK_SIGNING_PASSPHARSE="$${WAYBACK_SIGNING_PASSPHARSE}" \
-e VERSION="${VERSION}" \
-v ${PWD}/build/package:/rpmbuild/RPMS/x86_64:Z \
wayback-rpm-builder

debian: ## Build Debian packages
@echo "-> Building deb package..."
Expand Down
29 changes: 19 additions & 10 deletions build/redhat/Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,16 +13,25 @@ RUN apk update && apk add --no-cache build-base ca-certificates git
ENV WAYBACK_IPFS_APIKEY ${WAYBACK_IPFS_APIKEY}

WORKDIR /go/src/app

COPY . .

RUN make linux-amd64

FROM fedora:37
RUN dnf install -y rpm-build systemd
RUN mkdir -p /root/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
RUN echo "%_topdir /root/rpmbuild" >> .rpmmacros
COPY --from=builder /go/src/app/build/binary/wayback-linux-amd64 /root/rpmbuild/SOURCES/wayback
COPY --from=builder /go/src/app/LICENSE /root/rpmbuild/SOURCES/
COPY --from=builder /go/src/app/CHANGELOG.md /root/rpmbuild/SOURCES/
COPY --from=builder /go/src/app/wayback.1 /root/rpmbuild/SOURCES/
COPY --from=builder /go/src/app/build/systemd/wayback.service /root/rpmbuild/SOURCES/
COPY --from=builder /go/src/app/build/redhat/wayback.spec /root/rpmbuild/SPECS/wayback.spec
# FROM fedora:39 AS runtime
FROM docker.io/library/fedora@sha256:61864fd19bbd64d620f338eb11dae9e8759bf7fa97302ac6c43865c48dccd679 AS runtime

WORKDIR /rpmbuild

RUN dnf install -y rpm-build rpm-sign systemd

COPY --from=builder /go/src/app/build/binary/wayback-linux-amd64 /rpmbuild/SOURCES/wayback
COPY --from=builder /go/src/app/LICENSE /rpmbuild/SOURCES/
COPY --from=builder /go/src/app/CHANGELOG.md /rpmbuild/SOURCES/
COPY --from=builder /go/src/app/wayback.1 /rpmbuild/SOURCES/
COPY --from=builder /go/src/app/build/systemd/wayback.service /rpmbuild/SOURCES/
COPY --from=builder /go/src/app/build/redhat/wayback.spec /rpmbuild/SPECS/wayback.spec

COPY build/redhat/entrypoint.sh /entrypoint.sh

ENTRYPOINT "/entrypoint.sh"
38 changes: 38 additions & 0 deletions build/redhat/entrypoint.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
#!/bin/bash
#
# Copyright 2024 Wayback Archiver. All rights reserved.
# Use of this source code is governed by the GNU GPL v3
# license that can be found in the LICENSE file.

set -eu pipefail

WAYBACK_SIGNING_KEY="${WAYBACK_SIGNING_KEY:-}"
WAYBACK_SIGNING_PASSPHARSE="${WAYBACK_SIGNING_PASSPHARSE:-}"
VERSION="${VERSION:-1.0}"
WORKDIR="/rpmbuild"

cat > ~/.rpmmacros<< EOF
%_topdir /rpmbuild
%_signature gpg
%_gpg_name Wayback Archiver
EOF

mkdir -p "${WORKDIR}/{BUILD,RPMS,SOURCES,SPECS,SRPMS}"

rpmbuild -bb --define "_wayback_version ${VERSION}" "${WORKDIR}/SPECS/wayback.spec"

if [ -z "${WAYBACK_SIGNING_KEY}" ]; then
echo 'Build RPM package without signing.'
exit 0
fi

GPG_TTY="$(tty || true)"

export GPG_TTY

gpg --import --yes --pinentry-mode loopback --passphrase "${WAYBACK_SIGNING_PASSPHARSE}" <<< "${WAYBACK_SIGNING_KEY}"

find "${WORKDIR}/RPMS/x86_64" -type f -name "*.rpm" -exec rpm --verbose --define "_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase ${WAYBACK_SIGNING_PASSPHARSE}" --addsign {} \;

find "${WORKDIR}/RPMS/x86_64" -type f -name "*.rpm" -exec rpm -qpi {} \;

1 change: 1 addition & 0 deletions docs/changelog.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

### Fixed
- Load the config file always ([#498](https://github.com/wabarc/wayback/pull/498))
- Signing RPM packages ([#507](https://github.com/wabarc/wayback/pull/507))

## [0.19.1] - 2023-03-21

Expand Down

0 comments on commit 308aed9

Please sign in to comment.