feat: implement remote package signing (#24194)

2023-04-12 11:41:41 -04:00 · 2023-04-12 11:41:41 -04:00 · 49c7a7407a
parent e237d01fc8
commit 49c7a7407a
2 changed files with 42 additions and 28 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -164,6 +164,13 @@ workflows:
            - build-package-linux-amd64
      - changelog:
          <<: *any_filter
+      - sign-packages:
+          <<: *release_filter
+          requires:
+            - build-package-linux-amd64
+            - build-package-linux-arm64
+            - build-package-darwin-amd64
+            - build-package-windows-amd64
      - s3-publish-packages:
          <<: *release_filter
          requires:
@ -172,6 +179,7 @@ workflows:
            - build-package-linux-amd64
            - build-package-linux-arm64
            - build-package-windows-amd64
+            - sign-packages
      - s3-publish-changelog:
          <<: *release_filter
          publish-type: release
@ -517,8 +525,42 @@ jobs:
            - artifacts
      - store_artifacts:
          path: /artifacts
+
          destination: artifacts

+  sign-packages:
+    circleci_ip_ranges: true
+    docker:
+      - image: quay.io/influxdb/rsign:latest
+        auth:
+          username: $QUAY_RSIGN_USERNAME
+          password: $QUAY_RSIGN_PASSWORD
+    steps:
+      - add_ssh_keys:
+          fingerprints:
+            - fc:7b:6e:a6:38:7c:63:5a:13:be:cb:bb:fa:33:b3:3c
+      - attach_workspace:
+          at: /tmp/workspace
+      - run: |
+          for target in /tmp/workspace/artifacts/*
+          do
+            case "${target}"
+            in
+              # rsign is shipped on Alpine Linux which uses "busybox ash" instead
+              # of bash. ash is somewhat more posix compliant and is missing some
+              # extensions and niceties from bash.
+              *.deb|*.rpm|*.tar.gz|*.zip)
+                rsign "${target}"
+              ;;
+            esac
+          done
+      - persist_to_workspace:
+          root: /tmp/workspace
+          paths:
+            - artifacts
+      - store_artifacts:
+          path: /tmp/workspace/artifacts
+
  s3-publish-packages:
    docker:
      - image: ubuntu:latest
--- a/.circleci/scripts/build-package
+++ b/.circleci/scripts/build-package
@ -135,33 +135,5 @@ build_package_linux()
  run_fpm rpm
 }

-sign_artifacts()
-{
-  # If this is not a release version, don't sign the artifacts. This
-  # prevents unathorized PRs and branches from being signed with our
-  # signing key.
-  if [[ ! ${RELEASE:-} ]]
-  then
-    return 0
-  fi
-
-  # CircleCI mangles environment variables with newlines. This key contians
-  # escaped newlines. For `gpg` to import the key, it requires `echo -e` to
-  # expand the escape sequences.
-  gpg --batch --import <<<"$(echo -e "${GPG_PRIVATE_KEY}")"
-
-  # TODO(bnpfeife): replace with code signing server
-  for target in /artifacts/*
-  do
-    gpg                            \
-      --batch                      \
-      --pinentry-mode=loopback     \
-      --passphrase "${PASSPHRASE}" \
-      --detach-sign                \
-      --armor "${target}"
-  done
-}
-
 build_archive
 build_package_linux
-sign_artifacts