Signing RPM packages (#507)

waybackarchiver · web-flow · commit 308aed93d9e3 · 2024-03-28T14:21:15.000Z
* Signing RPM packages

* Add license header

* Make shellcheck happy

* Allow build package only

* Pin image by hash

* Correct dockerfile syntax

* Exit without terminate
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
@@ -137,6 +137,8 @@ jobs:
       egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
+      wayback-signing-key: ${{ secrets.GEMFURY_SIGNING_KEY }}
+      wayback-signing-passpharse: ${{ secrets.GEMFURY_SIGNING_PASSPHARSE }}
 
   aurpkg:
     name: Build AUR
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -119,6 +119,8 @@ jobs:
       artifact-path: build/package/wayback*.rpm
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
+      wayback-signing-key: ${{ secrets.GEMFURY_SIGNING_KEY }}
+      wayback-signing-passpharse: ${{ secrets.GEMFURY_SIGNING_PASSPHARSE }}
 
   aurpkg:
     name: Build AUR
diff --git a/Makefile b/Makefile
@@ -163,8 +163,11 @@ rpm: ## Build RPM package
 		-t wayback-rpm-builder \
 		-f build/redhat/Dockerfile .
 	@$(DOCKER) run --rm \
-		-v ${PWD}/build/package:/root/rpmbuild/RPMS/x86_64 wayback-rpm-builder \
-		rpmbuild -bb --define "_wayback_version $(VERSION)" /root/rpmbuild/SPECS/wayback.spec
+		-e WAYBACK_SIGNING_KEY="$${WAYBACK_SIGNING_KEY}" \
+		-e WAYBACK_SIGNING_PASSPHARSE="$${WAYBACK_SIGNING_PASSPHARSE}" \
+		-e VERSION="${VERSION}" \
+		-v ${PWD}/build/package:/rpmbuild/RPMS/x86_64:Z \
+		wayback-rpm-builder
 
 debian: ## Build Debian packages
 	@echo "-> Building deb package..."
diff --git a/build/redhat/Dockerfile b/build/redhat/Dockerfile
@@ -13,16 +13,25 @@ RUN apk update && apk add --no-cache build-base ca-certificates git
 ENV WAYBACK_IPFS_APIKEY ${WAYBACK_IPFS_APIKEY}
 
 WORKDIR /go/src/app
+
 COPY . .
+
 RUN make linux-amd64
 
-FROM fedora:37
-RUN dnf install -y rpm-build systemd
-RUN mkdir -p /root/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
-RUN echo "%_topdir /root/rpmbuild" >> .rpmmacros
-COPY --from=builder /go/src/app/build/binary/wayback-linux-amd64 /root/rpmbuild/SOURCES/wayback
-COPY --from=builder /go/src/app/LICENSE /root/rpmbuild/SOURCES/
-COPY --from=builder /go/src/app/CHANGELOG.md /root/rpmbuild/SOURCES/
-COPY --from=builder /go/src/app/wayback.1 /root/rpmbuild/SOURCES/
-COPY --from=builder /go/src/app/build/systemd/wayback.service /root/rpmbuild/SOURCES/
-COPY --from=builder /go/src/app/build/redhat/wayback.spec /root/rpmbuild/SPECS/wayback.spec
+# FROM fedora:39 AS runtime
+FROM docker.io/library/fedora@sha256:61864fd19bbd64d620f338eb11dae9e8759bf7fa97302ac6c43865c48dccd679 AS runtime
+
+WORKDIR /rpmbuild
+
+RUN dnf install -y rpm-build rpm-sign systemd
+
+COPY --from=builder /go/src/app/build/binary/wayback-linux-amd64 /rpmbuild/SOURCES/wayback
+COPY --from=builder /go/src/app/LICENSE /rpmbuild/SOURCES/
+COPY --from=builder /go/src/app/CHANGELOG.md /rpmbuild/SOURCES/
+COPY --from=builder /go/src/app/wayback.1 /rpmbuild/SOURCES/
+COPY --from=builder /go/src/app/build/systemd/wayback.service /rpmbuild/SOURCES/
+COPY --from=builder /go/src/app/build/redhat/wayback.spec /rpmbuild/SPECS/wayback.spec
+
+COPY build/redhat/entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT "/entrypoint.sh"
diff --git a/build/redhat/entrypoint.sh b/build/redhat/entrypoint.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+#
+# Copyright 2024 Wayback Archiver. All rights reserved.
+# Use of this source code is governed by the GNU GPL v3
+# license that can be found in the LICENSE file.
+
+set -eu pipefail
+
+WAYBACK_SIGNING_KEY="${WAYBACK_SIGNING_KEY:-}"
+WAYBACK_SIGNING_PASSPHARSE="${WAYBACK_SIGNING_PASSPHARSE:-}"
+VERSION="${VERSION:-1.0}"
+WORKDIR="/rpmbuild"
+
+cat > ~/.rpmmacros<< EOF
+%_topdir /rpmbuild
+%_signature gpg
+%_gpg_name Wayback Archiver
+EOF
+
+mkdir -p "${WORKDIR}/{BUILD,RPMS,SOURCES,SPECS,SRPMS}"
+
+rpmbuild -bb --define "_wayback_version ${VERSION}" "${WORKDIR}/SPECS/wayback.spec"
+
+if [ -z "${WAYBACK_SIGNING_KEY}" ]; then
+    echo 'Build RPM package without signing.'
+    exit 0
+fi
+
+GPG_TTY="$(tty || true)"
+
+export GPG_TTY
+
+gpg --import --yes --pinentry-mode loopback --passphrase "${WAYBACK_SIGNING_PASSPHARSE}" <<< "${WAYBACK_SIGNING_KEY}"
+
+find "${WORKDIR}/RPMS/x86_64" -type f -name "*.rpm" -exec rpm --verbose --define "_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase ${WAYBACK_SIGNING_PASSPHARSE}" --addsign {} \;
+
+find "${WORKDIR}/RPMS/x86_64" -type f -name "*.rpm" -exec rpm -qpi {} \;
+
diff --git a/docs/changelog.md b/docs/changelog.md
@@ -34,6 +34,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 - Load the config file always ([#498](https://github.com/wabarc/wayback/pull/498))
+- Signing RPM packages ([#507](https://github.com/wabarc/wayback/pull/507))
 
 ## [0.19.1] - 2023-03-21
 
