Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhance rpm validation workflow with distribution signature check #2222

Merged
merged 3 commits into from
Jun 23, 2022
Merged

Enhance rpm validation workflow with distribution signature check #2222

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
edf7dcb
Add rpm signature validation
zelinh Jun 16, 2022
3928ed7
Update jenkins tests
zelinh Jun 21, 2022
1ae17cf
Change to use assert
zelinh Jun 22, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions tests/jenkins/TestRpmDashboardsDistValidation.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,12 @@ class TestRpmDashboardsDistValidation extends BuildPipelineTest {
helper.addShMock("rpm -qip $workspace/opensearch-dashboards-1.3.0-linux-x64.rpm") { script ->
return [stdout: out, exitValue: 0]
}
def sigOut = "/tmp/workspace/opensearch-dashboards-1.3.0-linux-x64.rpm:\n" + "Header V4 RSA/SHA512 Signature, key ID 9310d3fc: OK\n" +
"Header SHA256 digest: OK\n" + "Header SHA1 digest: OK\n" + "Payload SHA256 digest: OK\n" +
"V4 RSA/SHA512 Signature, key ID 9310d3fc: OK\n" + "MD5 digest: OK"
helper.addShMock("rpm -K -v $rpmDistribution") { script ->
return [stdout: sigOut, exitValue: 0]
}
def status_message = "opensearch-dashboards.service - \"OpenSearch Dashboards\"\n" +
" Loaded: loaded (/usr/lib/systemd/system/opensearch-dashboards.service; disabled; vendor preset: disabled)\n" +
" Active: active (running) since Mon 2022-04-04 21:38:58 UTC; 3 days ago\n" +
Expand Down
6 changes: 6 additions & 0 deletions tests/jenkins/TestRpmMetaValidation.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,12 @@ class TestRpmMetaValidation extends BuildPipelineTest {
helper.addShMock("rpm -qip $workspace/opensearch-1.3.1-linux-x64.rpm") { script ->
return [stdout: out, exitValue: 0]
}
def sigOut = "/tmp/workspace/opensearch-1.3.1-linux-x64.rpm:\n" + "Header V4 RSA/SHA512 Signature, key ID 9310d3fc: OK\n" +
"Header SHA256 digest: OK\n" + "Header SHA1 digest: OK\n" + "Payload SHA256 digest: OK\n" +
"V4 RSA/SHA512 Signature, key ID 9310d3fc: OK\n" + "MD5 digest: OK"
helper.addShMock("rpm -K -v $rpmDistribution") { script ->
return [stdout: sigOut, exitValue: 0]
}
}

@Test
Expand Down
6 changes: 6 additions & 0 deletions tests/jenkins/TestRpmOpenSearchDistValidation.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,12 @@ class TestRpmOpenSearchDistValidation extends BuildPipelineTest {
helper.addShMock("rpm -qip $workspace/opensearch-1.3.1-linux-x64.rpm") { script ->
return [stdout: out, exitValue: 0]
}
def sigOut = "/tmp/workspace/opensearch-1.3.1-linux-x64.rpm:\n" + "Header V4 RSA/SHA512 Signature, key ID 9310d3fc: OK\n" +
"Header SHA256 digest: OK\n" + "Header SHA1 digest: OK\n" + "Payload SHA256 digest: OK\n" +
"V4 RSA/SHA512 Signature, key ID 9310d3fc: OK\n" + "MD5 digest: OK"
helper.addShMock("rpm -K -v $rpmDistribution") { script ->
return [stdout: sigOut, exitValue: 0]
}
helper.addShMock("ls /etc/opensearch") { script ->
return [stdout: "esnode-key.pem jvm.options.d kirk.pem opensearch-reports-scheduler" +
" performance_analyzer_enabled.conf esnode.pem jvm.options.rpmsave log4j2.properties" +
Expand Down
1 change: 1 addition & 0 deletions tests/jenkins/jobs/RpmDashboardsDistValidation_Jenkinsfile.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ For more information, see: https://opensearch.org/}})
rpmMetaValidation.println(Meta data for URL is validated)
rpmMetaValidation.println(Meta data for Summary is validated)
rpmMetaValidation.println(Meta data for Description is validated)
rpmMetaValidation.sh({script=rpm -K -v /tmp/workspace/opensearch-dashboards-1.3.0-linux-x64.rpm, returnStdout=true})
rpmDashboardsDistValidation.rpmCommands({command=install, product=opensearch-1.3.0})
rpmCommands.sh(yum install -y opensearch-1.3.0)
rpmDashboardsDistValidation.rpmCommands({command=install, product=opensearch-dashboards-1.3.0})
Expand Down
1 change: 1 addition & 0 deletions tests/jenkins/jobs/RpmMetaValidation_Jenkinsfile.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,3 +15,4 @@ For more information, see: https://opensearch.org/}, rpmDistribution=/tmp/worksp
rpmMetaValidation.println(Meta data for URL is validated)
rpmMetaValidation.println(Meta data for Summary is validated)
rpmMetaValidation.println(Meta data for Description is validated)
rpmMetaValidation.sh({script=rpm -K -v /tmp/workspace/opensearch-1.3.1-linux-x64.rpm, returnStdout=true})
1 change: 1 addition & 0 deletions tests/jenkins/jobs/RpmOpenSearchDistValidation_Jenkinsfile.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ For more information, see: https://opensearch.org/}})
rpmMetaValidation.println(Meta data for URL is validated)
rpmMetaValidation.println(Meta data for Summary is validated)
rpmMetaValidation.println(Meta data for Description is validated)
rpmMetaValidation.sh({script=rpm -K -v /tmp/workspace/opensearch-1.3.1-linux-x64.rpm, returnStdout=true})
rpmOpenSearchDistValidation.rpmCommands({command=install, product=opensearch-1.3.1})
rpmCommands.sh(yum install -y opensearch-1.3.1)
rpmOpenSearchDistValidation.sh([[ -d /etc/opensearch ]] && echo "/etc/opensearch directory exists"|| (echo "/etc/opensearch does not exist" && exit 1))
Expand Down
27 changes: 27 additions & 0 deletions vars/rpmMetaValidation.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,4 +41,31 @@ def call(Map args = [:]) {
println("Meta data for $key is validated")
}
println("Validation for meta data of RPM distribution completed.")

// Validate the distribution signature
def checksig = sh (
script: "rpm -K -v $distFile",
returnStdout: true
).trim()
println("Signature check of the rpm distribution file is: \n" + checksig)
def keyList = ["Header V4 RSA/SHA512 Signature, key ID 9310d3fc", "Header SHA256 digest",
"Header SHA1 digest", "Payload SHA256 digest",
"V4 RSA/SHA512 Signature, key ID 9310d3fc", "MD5 digest"]
def presentKey = []
for (line in checksig.split('\n')) {
def key = line.split(':')[0].trim()
if (key == distFile) {
continue
} else {
assert line.split(':', 2)[1].trim().contains("OK")
println(key + " is validated as: " + line)
presentKey.add(key)
}
}
println("Validation all key digests starts: ")
for (digest in keyList) {
assert presentKey.contains(digest)
println("Key digest \"$digest\" is validated to be present.")
}
println("Validation for signature of RPM distribution completed.")
}