From 73e3ccdb5900ca3b7259a79cbfff8b5dc61b63e2 Mon Sep 17 00:00:00 2001
From: David Runge
Date: Sat, 1 May 2021 15:41:35 +0200
Subject: Add ephemeral signing key to CI setup

.gitlab/ci/build-inside-vm.sh: Create an ephemeral signing key for signing the rootfs image (e.g. squashfs or erofs) when building the profiles.

Implements #125
---
 .gitlab/ci/build-inside-vm.sh | 49 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 48 insertions(+), 1 deletion(-)

diff --git a/.gitlab/ci/build-inside-vm.sh b/.gitlab/ci/build-inside-vm.sh
index ca404bb..a6ce79e 100755
--- a/.gitlab/ci/build-inside-vm.sh
+++ b/.gitlab/ci/build-inside-vm.sh
@@ -8,6 +8,8 @@ readonly orig_pwd="${PWD}"
 readonly output="${orig_pwd}/output"
 tmpdir=""
 tmpdir="$(mktemp --dry-run --directory --tmpdir="${orig_pwd}/tmp")"
+gnupg_homedir=""
+pgp_key_id=""
 cleanup() {
 # clean up temporary directories
@@ -57,11 +59,56 @@ create_metrics() {
 } > "${output}/${1}/job-metrics"
 }
+create_temp_pgp_key() {
+ # create an ephemeral PGP key for signing the rootfs image
+ gnupg_homedir="$tmpdir/.gnupg"
+ mkdir -p "${gnupg_homedir}"
+ chmod 700 "${gnupg_homedir}"
+
+ cat << __EOF__ > "${gnupg_homedir}"/gpg.conf
+quiet
+batch
+no-tty
+no-permission-warning
+export-options no-export-attributes,export-clean
+list-options no-show-keyring
+armor
+no-emit-version
+__EOF__
+
+ gpg --homedir "${gnupg_homedir}" --gen-key <
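Review bot: The two new globals `gnupg_homedir` and `pgp_key_id` are declared directly above `cleanup()`, whose body continues outside the hunk, and nothing visible stops the gpg-agent that `gpg --gen-key` starts for `gnupg_homedir`; an agent still holding the ephemeral secret key can outlive the job even after `tmpdir` is removed. If `cleanup()` only removes `tmpdir`, consider terminating the agent first, e.g. `[[ -n "${gnupg_homedir}" ]] && gpgconf --homedir "${gnupg_homedir}" --kill gpg-agent`, so the key material is gone together with the directory. A one-line comment on the declarations, `# set by create_temp_pgp_key(); gnupg_homedir lives under tmpdir`, would also explain why both are initialised to the empty string here rather than marked readonly like the variables above them.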