Add ephemeral signing key to CI setup
.gitlab/ci/build-inside-vm.sh: Create an ephemeral signing key for signing the rootfs image (e.g. squashfs or erofs) when building the profiles. Implements #125
This commit is contained in:
parent
e2cce07df7
commit
73e3ccdb59
@ -8,6 +8,8 @@ readonly orig_pwd="${PWD}"
|
|||||||
readonly output="${orig_pwd}/output"
|
readonly output="${orig_pwd}/output"
|
||||||
tmpdir=""
|
tmpdir=""
|
||||||
tmpdir="$(mktemp --dry-run --directory --tmpdir="${orig_pwd}/tmp")"
|
tmpdir="$(mktemp --dry-run --directory --tmpdir="${orig_pwd}/tmp")"
|
||||||
|
gnupg_homedir=""
|
||||||
|
pgp_key_id=""
|
||||||
|
|
||||||
cleanup() {
|
cleanup() {
|
||||||
# clean up temporary directories
|
# clean up temporary directories
|
||||||
@ -57,11 +59,56 @@ create_metrics() {
|
|||||||
} > "${output}/${1}/job-metrics"
|
} > "${output}/${1}/job-metrics"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
create_temp_pgp_key() {
|
||||||
|
# create an ephemeral PGP key for signing the rootfs image
|
||||||
|
gnupg_homedir="$tmpdir/.gnupg"
|
||||||
|
mkdir -p "${gnupg_homedir}"
|
||||||
|
chmod 700 "${gnupg_homedir}"
|
||||||
|
|
||||||
|
cat << __EOF__ > "${gnupg_homedir}"/gpg.conf
|
||||||
|
quiet
|
||||||
|
batch
|
||||||
|
no-tty
|
||||||
|
no-permission-warning
|
||||||
|
export-options no-export-attributes,export-clean
|
||||||
|
list-options no-show-keyring
|
||||||
|
armor
|
||||||
|
no-emit-version
|
||||||
|
__EOF__
|
||||||
|
|
||||||
|
gpg --homedir "${gnupg_homedir}" --gen-key <<EOF
|
||||||
|
%echo Generating ephemeral Arch Linux release engineering key pair...
|
||||||
|
Key-Type: default
|
||||||
|
Key-Length: 3072
|
||||||
|
Key-Usage: sign
|
||||||
|
Name-Real: Arch Linux Release Engineering
|
||||||
|
Name-Comment: Ephemeral Signing Key
|
||||||
|
Name-Email: arch-releng@lists.archlinux.org
|
||||||
|
Expire-Date: 0
|
||||||
|
%no-protection
|
||||||
|
%commit
|
||||||
|
%echo Done
|
||||||
|
EOF
|
||||||
|
|
||||||
|
pgp_key_id="$(
|
||||||
|
gpg --homedir "${gnupg_homedir}" \
|
||||||
|
--list-secret-keys \
|
||||||
|
--with-colons \
|
||||||
|
| awk -F':' '{if($1 ~ /sec/){ print $5 }}'
|
||||||
|
)"
|
||||||
|
}
|
||||||
|
|
||||||
run_mkarchiso() {
|
run_mkarchiso() {
|
||||||
# run mkarchiso
|
# run mkarchiso
|
||||||
# $1: template name
|
# $1: template name
|
||||||
|
|
||||||
|
create_temp_pgp_key
|
||||||
mkdir -p "${output}/${1}" "${tmpdir}/${1}"
|
mkdir -p "${output}/${1}" "${tmpdir}/${1}"
|
||||||
./archiso/mkarchiso -o "${output}/${1}" -w "${tmpdir}/${1}" -v "configs/${1}"
|
GNUPGHOME="${gnupg_homedir}" ./archiso/mkarchiso \
|
||||||
|
-g "${pgp_key_id}" \
|
||||||
|
-o "${output}/${1}" \
|
||||||
|
-w "${tmpdir}/${1}" \
|
||||||
|
-v "configs/${1}"
|
||||||
create_checksums "${output}/${1}/"*.iso
|
create_checksums "${output}/${1}/"*.iso
|
||||||
create_zsync_delta "${output}/${1}/"*.iso
|
create_zsync_delta "${output}/${1}/"*.iso
|
||||||
create_metrics "${1}"
|
create_metrics "${1}"
|
||||||
|
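Review bot: The key-id extraction at the end of create_temp_pgp_key prints one line per secret key in the keyring, so if run_mkarchiso is invoked more than once in the same job (the description speaks of building "the profiles"), the second `--gen-key` adds another key and `pgp_key_id` becomes a multi-line value that is then handed to `-g`; matching the record type exactly and stopping at the first hit, `| awk -F':' '$1 == "sec" { print $5; exit }'`, or returning early when `pgp_key_id` is already set, avoids that. The result is also never validated: the assignment's status is awk's, so a failed `--gen-key` or `--list-secret-keys` leaves `pgp_key_id` empty and mkarchiso runs with `-g ""`; a guard such as `[[ -n "${pgp_key_id}" ]] || exit 1` right after the assignment fails the job at the point of the problem. `--gen-key` starts a gpg-agent that holds the unprotected secret key and outlives the script, and cleanup() (its body is outside the hunk) appears to only remove directories, so `gpgconf --homedir "${gnupg_homedir}" --kill gpg-agent` before the removal would be worth adding. Since the key carries the real Release Engineering name and address and `Expire-Date: 0` never expires, a short lifetime such as `Expire-Date: 1d` would limit confusion if an ISO signed with this throwaway key ever left CI.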