Send patches - preferably formatted by git format-patch - to patches at archlinux32 dot org.
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Runge <dvzrv@archlinux.org>2021-05-01 15:41:35 +0200
committerDavid Runge <dvzrv@archlinux.org>2021-05-01 16:22:02 +0200
commit73e3ccdb5900ca3b7259a79cbfff8b5dc61b63e2 (patch)
treef9d2b7377a19021b0876948b601e8adb2548e4d2
parente2cce07df7119274e17c6fb7039a4448265364d7 (diff)
Add ephemeral signing key to CI setup
.gitlab/ci/build-inside-vm.sh: Create an ephemeral signing key for signing the rootfs image (e.g. squashfs or erofs) when building the profiles. Implements #125
-rwxr-xr-x.gitlab/ci/build-inside-vm.sh49
1 files changed, 48 insertions, 1 deletions
diff --git a/.gitlab/ci/build-inside-vm.sh b/.gitlab/ci/build-inside-vm.sh
index ca404bb..a6ce79e 100755
--- a/.gitlab/ci/build-inside-vm.sh
+++ b/.gitlab/ci/build-inside-vm.sh
@@ -8,6 +8,8 @@ readonly orig_pwd="${PWD}"
readonly output="${orig_pwd}/output"
tmpdir=""
tmpdir="$(mktemp --dry-run --directory --tmpdir="${orig_pwd}/tmp")"
+gnupg_homedir=""
+pgp_key_id=""
cleanup() {
# clean up temporary directories
@@ -57,11 +59,56 @@ create_metrics() {
} > "${output}/${1}/job-metrics"
}
+create_temp_pgp_key() {
+ # create an ephemeral PGP key for signing the rootfs image
+ gnupg_homedir="$tmpdir/.gnupg"
+ mkdir -p "${gnupg_homedir}"
+ chmod 700 "${gnupg_homedir}"
+
+ cat << __EOF__ > "${gnupg_homedir}"/gpg.conf
+quiet
+batch
+no-tty
+no-permission-warning
+export-options no-export-attributes,export-clean
+list-options no-show-keyring
+armor
+no-emit-version
+__EOF__
+
+ gpg --homedir "${gnupg_homedir}" --gen-key <<EOF
+%echo Generating ephemeral Arch Linux release engineering key pair...
+Key-Type: default
+Key-Length: 3072
+Key-Usage: sign
+Name-Real: Arch Linux Release Engineering
+Name-Comment: Ephemeral Signing Key
+Name-Email: arch-releng@lists.archlinux.org
+Expire-Date: 0
+%no-protection
+%commit
+%echo Done
+EOF
+
+ pgp_key_id="$(
+ gpg --homedir "${gnupg_homedir}" \
+ --list-secret-keys \
+ --with-colons \
+ | awk -F':' '{if($1 ~ /sec/){ print $5 }}'
+ )"
+}
+
run_mkarchiso() {
# run mkarchiso
# $1: template name
+
+ create_temp_pgp_key
mkdir -p "${output}/${1}" "${tmpdir}/${1}"
- ./archiso/mkarchiso -o "${output}/${1}" -w "${tmpdir}/${1}" -v "configs/${1}"
+ GNUPGHOME="${gnupg_homedir}" ./archiso/mkarchiso \
+ -g "${pgp_key_id}" \
+ -o "${output}/${1}" \
+ -w "${tmpdir}/${1}" \
+ -v "configs/${1}"
create_checksums "${output}/${1}/"*.iso
create_zsync_delta "${output}/${1}/"*.iso
create_metrics "${1}"