From d688859a6e5abfacb5069272994bdce2ad0e9f66 Mon Sep 17 00:00:00 2001 From: Aric Gardner Date: Mon, 4 Jul 2016 15:20:39 -0400 Subject: This will enable artifact signing for apex uploads sources gpg_import_key.sh which: -installs gpg2 -imports key -grabs proper key based on $NODE_NAME only tries to sign if the key is correctly imported otherwise it will skip signing and just do the upload Keys have only been created for lf intel and ericsson labs Keys are only unique per company Master pubkey has not been sent to the key server Or brought into the web of trust. Lets see that this works as I expected rather than having to go through the pain of revoking these keys. Change-Id: Ifa4bc4e11407c53f8174f6c64945949bf66d6535 Signed-off-by: Aric Gardner --- jjb/apex/apex-upload-artifact.sh | 41 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) (limited to 'jjb/apex') diff --git a/jjb/apex/apex-upload-artifact.sh b/jjb/apex/apex-upload-artifact.sh index 0598f5615..ba69f3eb6 100755 --- a/jjb/apex/apex-upload-artifact.sh +++ b/jjb/apex/apex-upload-artifact.sh 
@@ -11,6 +11,32 @@ echo # source the opnfv.properties to get ARTIFACT_VERSION source $WORKSPACE/opnfv.properties +#this is where we import the siging key +source $WORKSPACE/releng/utils/gpg_import_key.sh + +signrpm () { +for artifact in $RPM_LIST $SRPM_LIST; do + echo "Signing artifact: ${artifact}" + gpg2 -vvv --batch \ + --default-key opnfv-helpdesk@rt.linuxfoundation.org \ + --passphrase besteffort \ + --detach-sig $artifact + gsutil cp "$artifact".sig gs://$GS_URL/$(basename "$artifact".sig) + echo "Upload complete for ${artifact} signature" +done +} + +signiso () { +time gpg2 -vvv --batch \ + --default-key opnfv-helpdesk@rt.linuxfoundation.org \ + --passphrase notreallysecure \ + --detach-sig $BUILD_DIRECTORY/release/OPNFV-CentOS-7-x86_64-$OPNFV_ARTIFACT_VERSION.iso + +gsutil cp $BUILD_DIRECTORY/release/OPNFV-CentOS-7-x86_64-$OPNFV_ARTIFACT_VERSION.iso.sig gs://$GS_URL/opnfv-$OPNFV_ARTIFACT_VERSION.iso.sig +echo "ISO signature Upload Complete!" +} + +uploadiso () { # upload artifact and additional files to google storage gsutil cp $BUILD_DIRECTORY/release/OPNFV-CentOS-7-x86_64-$OPNFV_ARTIFACT_VERSION.iso gs://$GS_URL/opnfv-$OPNFV_ARTIFACT_VERSION.iso > gsutil.iso.log echo "ISO Upload Complete!" @@ -26,7 +52,10 @@ VERSION_EXTENSION=$(echo $(basename $OPNFV_SRPM_URL) | sed 's/opnfv-apex-//') for pkg in common undercloud opendaylight-sfc onos; do SRPM_LIST+=" ${SRPM_INSTALL_PATH}/opnfv-apex-${pkg}-${VERSION_EXTENSION}" done +} +uploadrpm () { +#This is where we upload the rpms for artifact in $RPM_LIST $SRPM_LIST; do echo "Uploading artifact: ${artifact}" gsutil cp $artifact gs://$GS_URL/$(basename $artifact) > gsutil.iso.log 
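Review bot: The key passphrase is committed in clear text and passed on the command line in both `signrpm` (`--passphrase besteffort`) and `signiso` (`--passphrase notreallysecure`), so anyone who can read this repository or the build node's process list has it, and the signature then attests only to possession of the key file. The two functions also give different passphrases for the same `--default-key`, so presumably one of them cannot unlock the key. Keep the passphrase out of the script and off argv, e.g. `--passphrase-file "$GPG_PASSPHRASE_FILE"`, where `GPG_PASSPHRASE_FILE` is a placeholder name for a file provisioned from the CI credential store. Neither function checks gpg2's exit status before the `gsutil cp` of the `.sig`, and `$artifact` is unquoted in `--detach-sig $artifact`. `uploadiso` opens in this hunk and closes outside it.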
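Review bot: The `}` added after the `for pkg ... done` loop closes `uploadiso`, which leaves the code that builds `SRPM_LIST` (and presumably `RPM_LIST`, in the lines between the hunks) inside that function, so `signrpm` and `uploadrpm` only see populated lists if `uploadiso` has already run. That ordering dependency is invisible at the call site. A comment such as `# NOTE: also builds RPM_LIST/SRPM_LIST used by signrpm and uploadrpm` above the loop, or moving the list construction into its own function, would make it explicit. `uploadiso` starts in the previous hunk and `uploadrpm` ends in the next one.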
@@ -34,6 +63,18 @@ for artifact in $RPM_LIST $SRPM_LIST; do done gsutil cp $WORKSPACE/opnfv.properties gs://$GS_URL/opnfv-$OPNFV_ARTIFACT_VERSION.properties > gsutil.properties.log gsutil cp $WORKSPACE/opnfv.properties gs://$GS_URL/latest.properties > gsutil.latest.log +} + +if gpg2 --list-keys | grep "opnfv-helpdesk@rt.linuxfoundation.org"; then + echo "Signing Key avaliable" + signiso + uploadiso + signrpm + uploadrpm +else + uploadiso + uploadrpm +fi echo echo "--------------------------------------------------------" -- cgit 1.2.3-korg
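Review bot: The guard `gpg2 --list-keys | grep ...` inspects the public keyring, but signing needs the secret key, so a node that holds only the public key takes the signing branch and every `gpg2 --detach-sig` then fails while the uploads still proceed. Test for the secret key and keep the match out of the build log: `if gpg2 --list-secret-keys "opnfv-helpdesk@rt.linuxfoundation.org" >/dev/null 2>&1; then`. The `else` branch uploads unsigned artifacts without saying so; an `echo "Signing key not available, uploading unsigned artifacts"` there would let a later audit tell a deliberately skipped signature from a missing one.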