Merge pull request sensu#747 from sensu/feature/pkg-sign

Sign RPM packages
jpoizat · Dec 19, 2017 · fb39f3b · fb39f3b
2 parents 33a6263 + 3f02ab0
commit fb39f3b
Show file tree

Hide file tree

Showing 5 changed files with 82 additions and 0 deletions.
diff --git a/.rpmmacros b/.rpmmacros
@@ -0,0 +1,3 @@
+%_signature gpg
+%_gpg_name Sensu, Inc. <[email protected]>
+%_gpg_path /home/travis/.gnupg
diff --git a/.travis.yml b/.travis.yml
@@ -6,13 +6,22 @@ env:
   matrix:
     - TRAVIS_GOOS=linux TRAVIS_GOARCH=386
     - TRAVIS_GOOS=linux TRAVIS_GOARCH=amd64
+  global:
+    - AWS_REGION=us-west-2
+    - secure: "AbBK9m/ERyL2RzTd2+IwYkPxW+gnQSXB83AlcvgRNfGF+Y+zaDDZ4PaKDdl0hfKmsIwzvxpTn/t3pwN/UXYCdcKVzQFHmqhpgL1Vb6D6GV0tzSE87L9jod+5H5zFo4MufxIV2WpiV2yErJh+pl24l3kBuoJc7Ot3D3gj3tjLSCU="
+    - secure: "dfwJP2lOpCJxQ23ZiLOlDvuCvpwQOATE+U3Xgwwor7gqyoCMxqEdtSlVyt3PLx+LV1kWasJWuJ6pmrPplhk6CYXk/bQP9DNIJgnKiJdorg1/sxz/w2/KtuzizT+Kru+ZJVVgBcD8T1dTNFnFsPYtTrS/UdFyJ1M7gD+U7+QpuhI="
+
 before_install:
   - gem install rake -v "10.5.0"
   - gem install fpm -v "1.8.1"
   - sudo apt-get install -y rpm
   # Workaround for https://github.com/travis-ci/travis-ci/issues/6126
   - export GOOS=$TRAVIS_GOOS
   - export GOARCH=$TRAVIS_GOARCH
+  # RPM signing
+  - pip install --user awscli
+  - export PATH=$PATH:$HOME/.local/bin
+  - ./build/setup-gpg
 script:
   - "./build/travis.sh"
 deploy:

diff --git a/build/Rakefile b/build/Rakefile
@@ -82,6 +82,9 @@ task :package do
     run_command(fpm_cmd)
   end
 
+  puts "Signing the RPM package ..."
+  run_command("build/sign-rpm rpm --addsign *.rpm")
+
   puts "Moving packages to the package directory ..."
   FileUtils.mv(Dir.glob("*.{deb,rpm}"), PKG_DIR)
   run_command("ls -la #{PKG_DIR}/")

diff --git a/build/setup-gpg b/build/setup-gpg
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+rm -rf /home/travis/.gnupg
+
+aws s3 cp s3://sensu-omnibus-cache/gpg/sensu-io-gpg.tar .
+tar -xvf sensu-io-gpg.tar
+
+cp .rpmmacros /home/travis/.rpmmacros
+cp -R .gnupg /home/travis/.gnupg
diff --git a/build/sign-rpm b/build/sign-rpm
@@ -0,0 +1,57 @@
+#!/usr/bin/env ruby
+require "open3"
+require "pty"
+require "shellwords"
+
+module Process
+  def exist?(pid)
+    Process.kill(0, pid)
+    true
+  rescue Errno::ESRCH
+    false
+  end
+
+  module_function :exist?
+end
+
+rpm_cmd, *rpm_args = ARGV
+
+unless (rpm_cmd)
+  STDERR.puts 'Usage: sign-rpm RPM_COMMAND'
+  exit 1
+end
+
+password = "passphrase_here"
+cmd = [rpm_cmd].concat(rpm_args)
+
+puts cmd.inspect
+puts Shellwords.join(cmd)
+
+PTY.spawn(Shellwords.join(cmd)) do |r, w, pid|
+  prompt = r.read(19)
+
+  # match the expected prompt exactly, since that's the only way we know if
+  # something went wrong.
+  unless prompt == 'Enter pass phrase: '
+    STDERR.puts "unexpected output from `#{rpm_cmd}`: '#{prompt}'"
+    Process.kill(:KILL, pid)
+    exit 1
+  end
+
+  #STDOUT.puts prompt
+  w.write("#{password}\n")
+
+  # Keep printing output until the command exits
+  loop do
+    begin
+      line = r.gets
+      puts line
+      if (line =~ /failed/) && !(line =~ /warning:/)
+        STDERR.puts 'RPM signing failure'
+        exit 1
+      end
+    rescue Errno::EIO
+      break
+    end
+  end
+end