ci: followups from review

* specify key by fingerprint instead of uid * remove `| true` since gpg --import does return 0 if the key is already imported * add note where this FEDORA_PKGR_VER came from
freedomofpress · Jan 23, 2020 · fb18e58 · fb18e58
1 parent b0222aa
commit fb18e58
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 6 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -189,7 +189,7 @@ common-steps:
         git push origin master
 
   - &sign_rpm
-    run: 
+    run:
       name: Sign rpms with test GPG key
       command: |
         ./devops/ci-sign-rpm

diff --git a/devops/ci-sign-rpm b/devops/ci-sign-rpm
@@ -1,6 +1,7 @@
 set -u
 set -e
 
+# Same version as: https://github.com/freedomofpress/securedrop-workstation/blob/master/scripts/build-dom0-rpm#L10
 export FEDORA_PKGR_VER=0.6.0.1-1.fc25
 export USER_RPMDIR="/home/circleci/packaging/securedrop-workstation/rpm-build"
 export CI_DEVOPS_FOLDER="/home/circleci/project/devops"
@@ -22,13 +23,10 @@ function docker_cmd_wrapper() {
 
 build_docker_container
 
-# If a gpg key has already been imported, gpg --import will return 2, hence the | true
-# to ensure a 0 exit code in the import.
-# Importing test key...
 RPM_PATH=/home/circleci/rpm-build/RPMS/noarch/*.rpm
-docker_cmd_wrapper "echo $SD_TEST_GPG_PRIVKEY | base64 -di | gpg2 --import | true && \
+docker_cmd_wrapper "echo $SD_TEST_GPG_PRIVKEY | base64 -di | gpg2 --import && \
                     gpg2 --export --armor 4A3BE4A92211B03C > pubkey.asc && \
                     sudo rpm --import pubkey.asc && \
                     sudo chown -R circleci ~/rpm-build && \
-                    rpmsign --define \"_gpg_name SecureDrop TESTING key <[email protected]>\" --resign $RPM_PATH && \
+                    rpmsign --define \"_gpg_name 4ED79CC3362D7D12837046024A3BE4A92211B03C\" --resign $RPM_PATH && \
                     rpm --checksig -v $RPM_PATH"