feat(signing): add rpm signing COMPASS-7588 #208

Merged
merged 1 commit into from
Jan 25, 2024
Merged
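--- a/packages/signing-utils/src/garasign.sh
+++ b/packages/signing-utils/src/garasign.sh
@@ -11,7 +11,7 @@ if [ -z ${garasign_username+omitted} ]; then echo "garasign_username is unset" &
 if [ -z ${garasign_password+omitted} ]; then echo "garasign_password is unset" && exit 1; fi
 if [ -z ${artifactory_username+omitted} ]; then echo "artifactory_username is unset" && exit 1; fi
 if [ -z ${artifactory_password+omitted} ]; then echo "artifactory_password is unset" && exit 1; fi
-if [ -z ${method+omitted} ]; then echo "method must either be gpg or jsign" && exit 1; fi
+if [ -z ${method+omitted} ]; then echo "method must either be gpg, rpm_gpg or jsign" && exit 1; fi
 
 ARTIFACTORY_HOST="artifactory.corp.mongodb.com"
 
@@ -53,12 +53,36 @@ jsign_sign() {
 --rm \
 -v $directory:$directory \
 -w $directory \
-artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-jsign \
+${ARTIFACTORY_HOST}/release-tools-container-registry-local/garasign-jsign \
 /bin/bash -c "jsign -t 'http://timestamp.digicert.com' -a 'mongo-authenticode-2021' '$file'"
 }
 
+rpm_gpg_sign() {
+# For signing an rpm using garasign-gpg image, we need to install rpm and then import the signing key (keyId)
+# into rpm manually. This script assumes, by default there's only one key in the gpg keyring and it's the one
+# to be used for signing. The rpm signing command is copied from:
+# https://github.com/mongodb-devprod-infrastructure/barque/blob/3c03fe0b6a5a0d0221a78d688de6015f546fc495/sign/rpm.go#L21
+docker run \
+-e GRS_CONFIG_USER1_USERNAME="${garasign_username}" \
+-e GRS_CONFIG_USER1_PASSWORD="${garasign_password}" \
+--rm \
+-v $directory:$directory \
+-w $directory \
+${ARTIFACTORY_HOST}/release-tools-container-registry-local/garasign-gpg \
+/bin/bash -c "gpgloader \
+&& apt update -y && apt install -y rpm \
+&& keyId=\$(gpg --list-keys --keyid-format=long --with-colons | awk -F: 'NR==2 {print \$5}') \
+&& tmpFile=\$(mktemp) && gpg --export -a \$keyId > \$tmpFile && rpm --import \$tmpFile && rm \$tmpFile \
+&& rpm --addsign \
+--define \"_gpg_name \$keyId\" \
+--define \"__gpg_sign_cmd \$(which gpg) \$(which gpg) --local-user=\$keyId --verbose --verbose --no-armor --digest-algo=sha256 --output %{__signature_filename} --detach-sign %{__plaintext_filename}\" $file \
+"
+}
+
 if [[ $method == "gpg" ]]; then
 gpg_sign
+elif [[ $method == "rpm_gpg" ]]; then
+rpm_gpg_sign
 elif [[ $method == "jsign" ]]; then
 jsign_sign
 else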
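Review bot: On the `rpm --addsign` line `$file` is expanded by the outer shell and lands unquoted inside the `bash -c "..."` string, so a path containing whitespace or shell metacharacters is word-split or interpreted by the container shell, whereas `jsign_sign` passes it as `'$file'`; the same quoting should be used here, `... --detach-sign %{__plaintext_filename}\" '$file' \`. The key selection `awk -F: 'NR==2 {print \$5}'` relies on the second line of `gpg --list-keys --with-colons` output being the `pub` record, which is the usual layout (a `tru` line first) but not something the command guarantees; selecting by record type, `awk -F: '\$1==\"pub\" {print \$5; exit}'`, makes the one-key assumption in the comment explicit and avoids silently picking a wrong field if the layout differs. Running `apt update -y && apt install -y rpm` at signing time fetches packages from the network into the release-signing container on every invocation, which is slow and puts the signing environment outside the image's provenance; baking `rpm` into the `garasign-gpg` image, or at least pinning the package version, would keep it reproducible. The `gpg_sign` function this branch sits next to, and whatever `set -e`/`trap` handling the script may have, are outside the hunk.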
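--- a/packages/signing-utils/src/signing-clients/index.ts
+++ b/packages/signing-utils/src/signing-clients/index.ts
@@ -8,16 +8,26 @@ import { RemoteSigningClient } from './remote-signing-client';
 export { LocalSigningClient } from './local-signing-client';
 export { RemoteSigningClient } from './remote-signing-client';
 
-export type SigningMethod = 'gpg' | 'jsign';
+export type SigningMethod = 'gpg' | 'jsign' | 'rpm_gpg';
 
 export type SigningClientOptions = {
 workingDirectory: string;
 signingScript: string;
 signingMethod: SigningMethod;
 };
 
+type SharedSigningOptions = {
+/**
+* The method to sign with.
+* - `jsign` - for signing windows files (`exe`, `msi`, `dll`)
+* - `rpm_gpg` - for signing rhel package (`rpm`)
+* - `gpg` - for signing other files (`tar`, `zip`, `deb`)
+*/
+signingMethod: SigningMethod;
+};
+
 /** Options for signing a file remotely over an SSH connection. */
-export type RemoteSigningOptions = {
+export type RemoteSigningOptions = SharedSigningOptions & {
 /** Hostname or IP address of the server to */
 host?: string;
 /** Username for authentication. */
@@ -28,8 +38,6 @@ export type RemoteSigningOptions = {
 port?: number;
 /** Buffer or string that contains a private key for either key-based or hostbased user authentication (OpenSSH format). */
 privateKey?: Buffer | string;
-/** The method to sign with. Use gpg on linux and jsign on windows. */
-signingMethod: SigningMethod;
 
 /**
 * The path of the working directory in which to sign files **on the remote ssh server**. Defaults to `/home/ubuntu/garasign`.
@@ -39,10 +47,7 @@ export type RemoteSigningOptions = {
 };
 
 /** Options for signing a file locally. */
-export type LocalSigningOptions = {
-/** The method to sign with. Use gpg on linux and jsign on windows. */
-signingMethod: SigningMethod;
-
+export type LocalSigningOptions = SharedSigningOptions & {
 client: 'local';
 };
 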
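Review bot: The new `SharedSigningOptions` doc comment is now the only place that says which `SigningMethod` goes with which file type, but `SigningClientOptions` (the context lines just above it) still declares its own `signingMethod: SigningMethod` field and so neither shares the definition nor the documentation; `export type SigningClientOptions = SharedSigningOptions & { workingDirectory: string; signingScript: string; };` would keep all three option types consistent. The bullet `- \`rpm_gpg\` - for signing rhel package (\`rpm\`)` is narrower than what the method does, since the script signs any `.rpm` regardless of distribution; `- \`rpm_gpg\` - for signing RPM packages (\`rpm\`)` reads more accurately. Nothing visible in this module checks that the chosen method matches the file being signed, so a caller passing `gpg` for an `.rpm` is routed to the generic gpg path without error; if that validation lives elsewhere, a one-line pointer in the comment would help, otherwise it is worth adding where the file path and method meet. The truncated `/** Hostname or IP address of the server to */` on `host` is pre-existing context but could be completed in the same pass.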