BCDA-350: Sign RPMs with GPG Keys (#97)

* Sign RPMs with GPG Key * Removed Debug Commands and clean up env vars * Removed Debug Commands and clean up env vars * Added Env Vars to Makefile * Remove verbose gpg command * Update vars * Update vars * Add exit * Corrected exit conditions * Added missing exit condition * Fixed exit condition
CMSgov · Dec 6, 2018 · 52a2c66 · 52a2c66
1 parent fe8577f
commit 52a2c66
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 2 deletions.
diff --git a/Dockerfiles/Dockerfile.package b/Dockerfiles/Dockerfile.package
@@ -1,5 +1,11 @@
 FROM golang:1.10
 
+ARG GPG_PUB_KEY_FILE
+ARG GPG_SEC_KEY_FILE
+ARG GPG_RPM_USER
+ARG GPG_RPM_EMAIL
+ARG BCDA_GPG_RPM_PASSPHRASE
+
 RUN apt-get update
 RUN apt-get install -y build-essential ruby ruby-dev rpm git
 RUN gem install --no-ri --no-rdoc fpm etc
@@ -14,4 +20,4 @@ WORKDIR /go/src/github.com/CMSgov/bcda-app/ops
 RUN chmod u+x build_and_package.sh
 
 ENTRYPOINT ["sh", "build_and_package.sh"]
-CMD []
+CMD []
diff --git a/Makefile b/Makefile
@@ -7,7 +7,13 @@ package:
 	# For example: make package version=r1
 	docker-compose up -d documentation
 	docker build -t packaging -f Dockerfiles/Dockerfile.package .
-	docker run --rm -v ${PWD}:/go/src/github.com/CMSgov/bcda-app packaging $(version)
+	docker run --rm \
+	-e BCDA_GPG_RPM_PASSPHRASE='${BCDA_GPG_RPM_PASSPHRASE}' \
+	-e GPG_RPM_USER='${GPG_RPM_USER}' \
+	-e GPG_RPM_EMAIL='${GPG_RPM_EMAIL}' \
+	-e GPG_PUB_KEY_FILE='${GPG_PUB_KEY_FILE}' \
+	-e GPG_SEC_KEY_FILE='${GPG_SEC_KEY_FILE}' \
+	-v ${PWD}:/go/src/github.com/CMSgov/bcda-app packaging $(version)
 
 integration-test:
 	docker-compose up -d 

diff --git a/ops/build_and_package.sh b/ops/build_and_package.sh
@@ -7,13 +7,22 @@ set -e
 
 VERSION=$1
 
+#Prevent ioctl errors - gpg: signing failed: Inappropriate ioctl for device
+export GPG_TTY=$(tty)
+
 if [ -z "$VERSION" ]
 then
   echo "Please supply version."
   echo "Usage: ./build_and_package.sh <version>"
   exit 1
 fi
 
+[  -z "$GPG_RPM_USER" ] && echo "Please enter a Key ID or Username for the GPG Key Signature" && exit 1 || echo "GPG Key user provided"
+[  -z "$GPG_PUB_KEY_FILE" ] && echo "Please select a GPG Public Key File" && exit 1 || echo "GPG Public Key File provided"
+[  -z "$GPG_SEC_KEY_FILE" ] && echo "Please select a GPG Secret Key File" && exit 1 || echo "GPG Secret Key File provided"
+[  -z "$BCDA_GPG_RPM_PASSPHRASE" ] && echo "Please select the Passphrase to sign the RPMs" && exit 1 || echo "GPG Passphrase provided"
+[  -z "$GPG_RPM_EMAIL" ] && echo "Please enter the email for the GPG Key Signature" && exit 1 || echo "GPG Key Email provided"
+
 if [ ! -f ../bcda/swaggerui/swagger.json ]
 then
   echo "Swagger doc generation must be completed prior to creating package."
@@ -33,3 +42,25 @@ go build
 echo "Packaging bcdaworker binary into RPM..."
 fpm -v $VERSION -s dir -t rpm -n bcdaworker bcdaworker=/usr/local/bin/bcdaworker
 
+#Sign RPMs
+WORKER_RPM="bcdaworker-*.rpm"
+echo "Importing GPG Key files"
+/usr/bin/gpg --batch --import $GPG_PUB_KEY_FILE
+/usr/bin/gpg --batch --import $GPG_SEC_KEY_FILE
+/usr/bin/rpm --import $GPG_PUB_KEY_FILE
+
+echo "%_signature gpg %_gpg_path $PWD %_gpg_name $GPG_RPM_USER %_gpgbin /usr/bin/gpg" > $PWD/.rpmmacros
+echo "allow-loopback-pinentry" > ~/.gnupg/gpg-agent.conf
+
+echo "Signing bcdaworker RPM"
+echo $WORKER_RPM
+echo $BCDA_GPG_RPM_PASSPHRASE | gpg --batch --yes --passphrase-fd 0 --pinentry-mode loopback --sign $WORKER_RPM
+
+cd ../bcda
+BCDA_RPM="bcda-*.rpm"
+echo "%_signature gpg %_gpg_path $PWD %_gpg_name $GPG_RPM_USER %_gpgbin /usr/bin/gpg" > $PWD/.rpmmacros
+echo "allow-loopback-pinentry" > ~/.gnupg/gpg-agent.conf
+
+echo "Signing bcda RPM"
+echo $BCDA_RPM
+echo $BCDA_GPG_RPM_PASSPHRASE | gpg --batch --yes --passphrase-fd 0 --pinentry-mode loopback --sign $BCDA_RPM