From 3567ed53833d76b17ece531f43fc46f6f1181cd9 Mon Sep 17 00:00:00 2001
From: Sean Porter
Date: Mon, 18 Dec 2017 14:57:09 -0800
Subject: [PATCH 1/2] [pkg-sign] attempt to sign rpm packages
---
 .travis.yml | 9 ++++++++
 build/Rakefile | 3 +++
 build/setup-gpg | 10 +++++++++
 build/sign-rpm | 57 +++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 79 insertions(+)
 create mode 100755 build/setup-gpg
 create mode 100755 build/sign-rpm
diff --git a/.travis.yml b/.travis.yml
index d3077bd..89e155a 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -6,6 +6,11 @@ env:
 matrix:
 - TRAVIS_GOOS=linux TRAVIS_GOARCH=386
 - TRAVIS_GOOS=linux TRAVIS_GOARCH=amd64
+ global:
+ - AWS_REGION=us-west-2
+ - secure: "AbBK9m/ERyL2RzTd2+IwYkPxW+gnQSXB83AlcvgRNfGF+Y+zaDDZ4PaKDdl0hfKmsIwzvxpTn/t3pwN/UXYCdcKVzQFHmqhpgL1Vb6D6GV0tzSE87L9jod+5H5zFo4MufxIV2WpiV2yErJh+pl24l3kBuoJc7Ot3D3gj3tjLSCU="
+ - secure: "dfwJP2lOpCJxQ23ZiLOlDvuCvpwQOATE+U3Xgwwor7gqyoCMxqEdtSlVyt3PLx+LV1kWasJWuJ6pmrPplhk6CYXk/bQP9DNIJgnKiJdorg1/sxz/w2/KtuzizT+Kru+ZJVVgBcD8T1dTNFnFsPYtTrS/UdFyJ1M7gD+U7+QpuhI="
+
 before_install:
 - gem install rake -v "10.5.0"
 - gem install fpm -v "1.8.1"
@@ -13,6 +18,10 @@ before_install:
 # Workaround for https://github.com/travis-ci/travis-ci/issues/6126
 - export GOOS=$TRAVIS_GOOS
 - export GOARCH=$TRAVIS_GOARCH
+ # RPM signing
+ - pip install --user awscli
+ - export PATH=$PATH:$HOME/.local/bin
+ - ./build/setup-gpg
 script:
 - "./build/travis.sh"
 deploy:
diff --git a/build/Rakefile b/build/Rakefile
index aed6977..5e6e395 100644
--- a/build/Rakefile
+++ b/build/Rakefile
@@ -82,6 +82,9 @@ task :package do
 run_command(fpm_cmd)
 end
+ puts "Signing the RPM package ..."
+ run_command("build/sign-rpm rpm --addsign *.rpm")
+
 puts "Moving packages to the package directory ..."
 FileUtils.mv(Dir.glob("*.{deb,rpm}"), PKG_DIR)
 run_command("ls -la #{PKG_DIR}/")
diff --git a/build/setup-gpg b/build/setup-gpg
new file mode 100755
index 0000000..aa3fad5
--- /dev/null
+++ b/build/setup-gpg
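Review bot: In the second `.travis.yml` hunk, `./build/setup-gpg` is added to `before_install` unconditionally, so the signing keyring is fetched into every matrix job instead of only the jobs that publish packages. Restricting it to release builds keeps the private key off jobs that merely compile and test, for example `- if [ -n "$TRAVIS_TAG" ]; then ./build/setup-gpg; fi`, with a matching guard around the signing call in `build/Rakefile`. Builds that do not receive the encrypted variables (Travis withholds them from fork pull requests) would otherwise stop at `aws s3 cp`, because the script runs under `set -e`. `pip install --user awscli` is also unpinned, unlike the `gem install` lines just above it.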
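Review bot: In the `build/Rakefile` hunk nothing verifies that the packages were actually signed. `run_command("build/sign-rpm rpm --addsign *.rpm")` depends on sign-rpm noticing the word "failed" in rpm's output, and whether `run_command` aborts on a non-zero exit is not visible in this hunk. Adding a check right after it, such as `run_command("rpm --checksig *.rpm")`, would stop an unsigned package from being moved into `PKG_DIR`; the check is only meaningful once the public key is imported into the rpm database on the build host. The `:package` task begins and ends outside the hunk.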
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+rm -rf /home/travis/.gnupg
+
+aws s3 cp s3://sensu-omnibus-cache/gpg/sensu-io-gpg.tar .
+tar -xvf sensu-io-gpg.tar
+
+cp .rpmmacros /home/travis/.rpmmacros
+cp -R .gnupg /home/travis/.gnupg
diff --git a/build/sign-rpm b/build/sign-rpm
new file mode 100755
index 0000000..3d396da
--- /dev/null
+++ b/build/sign-rpm
@@ -0,0 +1,57 @@
+#!/usr/bin/env ruby
+require "open3"
+require "pty"
+require "shellwords"
+
+module Process
+ def exist?(pid)
+ Process.kill(0, pid)
+ true
+ rescue Errno::ESRCH
+ false
+ end
+
+ module_function :exist?
+end
+
+rpm_cmd, *rpm_args = ARGV
+
+unless (rpm_cmd)
+ STDERR.puts 'Usage: sign-rpm RPM_COMMAND'
+ exit 1
+end
+
+password = "passphrase_here"
+cmd = [rpm_cmd].concat(rpm_args)
+
+puts cmd.inspect
+puts Shellwords.join(cmd)
+
+PTY.spawn(Shellwords.join(cmd)) do |r, w, pid|
+ prompt = r.read(19)
+
+ # match the expected prompt exactly, since that's the only way we know if
+ # something went wrong.
+ unless prompt == 'Enter pass phrase: '
+ STDERR.puts "unexpected output from `#{rpm_cmd}`: '#{prompt}'"
+ Process.kill(:KILL, pid)
+ exit 1
+ end
+
+ #STDOUT.puts prompt
+ w.write("#{password}\n")
+
+ # Keep printing output until the command exits
+ loop do
+ begin
+ line = r.gets
+ puts line
+ if (line =~ /failed/) && !(line =~ /warning:/)
+ STDERR.puts 'RPM signing failure'
+ exit 1
+ end
+ rescue Errno::EIO
+ break
+ end
+ end
+end
From 3f02ab0a85838af9f0ec45d46c263fe82c4b9396 Mon Sep 17 00:00:00 2001
From: Sean Porter
Date: Mon, 18 Dec 2017 15:10:44 -0800
Subject: [PATCH 2/2] [pkg-sign] added rpmmacros file
---
 .rpmmacros | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .rpmmacros
diff --git a/.rpmmacros b/.rpmmacros
new file mode 100644
index 0000000..f664e3f
--- /dev/null
+++ b/.rpmmacros
@@ -0,0 +1,3 @@
+%_signature gpg
+%_gpg_name Sensu, Inc.
+%_gpg_path /home/travis/.gnupg
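Review bot: `build/setup-gpg` downloads and unpacks the key archive in the current directory, which at the `.travis.yml` call site is the repository checkout, and leaves both `sensu-io-gpg.tar` and the extracted `.gnupg` there after copying. Private key material left in the working tree can be picked up by later packaging or deploy steps, and `cp -R` gives the installed keyring whatever permissions the umask allows. Stage the archive in a private temporary directory that is removed on exit, and restrict the copied keyring to the owner. The `cp .rpmmacros` line is left as it is below on the assumption that it reads the file patch 2/2 adds at the repository root.

```shell
umask 077
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# … unchanged: rm -rf /home/travis/.gnupg …

aws s3 cp s3://sensu-omnibus-cache/gpg/sensu-io-gpg.tar "$workdir/"
tar -xf "$workdir/sensu-io-gpg.tar" -C "$workdir"

# … unchanged: cp .rpmmacros /home/travis/.rpmmacros …
cp -R "$workdir/.gnupg" /home/travis/.gnupg
chmod -R go-rwx /home/travis/.gnupg
```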
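Review bot: `password = "passphrase_here"` in `build/sign-rpm` keeps the key passphrase in the script source, so whatever real value replaces what looks like a placeholder would land in the repository history. Read it from the environment instead, supplied as another encrypted CI variable. The script also never collects the child's exit status: success is inferred from the absence of "failed" in the output, and if `r.gets` returns `nil` at end of stream instead of raising `Errno::EIO`, the loop never terminates. `require "open3"` and the `Process.exist?` patch are unused in this file.

```ruby
password = ENV.fetch("GPG_PASSPHRASE") # placeholder variable name; set it as an encrypted CI variable

# … unchanged: argument handling, PTY.spawn and the prompt check …

  # Keep printing output until the command exits
  loop do
    begin
      line = r.gets
      break if line.nil?
      puts line
      # … unchanged: "failed" output check …
    rescue Errno::EIO
      break
    end
  end

  # Use rpm's own exit status as well as the output scan
  _, status = Process.wait2(pid)
  unless status.success?
    STDERR.puts 'RPM signing failure'
    exit 1
  end
```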