Script update.

edespino · edespino · commit 44123c9a7a13 · 2024-08-22T02:15:00.000-07:00
diff --git a/scripts/s3-repo-sync-and-sign.sh b/scripts/s3-repo-sync-and-sign.sh
@@ -2,27 +2,69 @@
 
 set -euo pipefail
 
-# Script Name: s3-repo-sync-and-sign.sh
-#
 # Description:
-# This script automates AWS credentials configuration, secure GPG key handling,
-# RPM repository synchronization from an S3 bucket, RPM signing, and repository metadata signing.
-# It also exports and places the GPG public key in the repository for client use.
-# Additionally, it supports a `s3-sync-only` mode to sync the S3 bucket to the local directory
-# and exit after the operation completes.
-#
-# Usage:
-# ./s3-repo-sync-and-sign.sh [-c] [-s <s3-bucket>] [-d <local-dir>] [-k <encrypted-key-file>] [-g <gpg-key-id>] [--upload-with-delete] [--s3-sync-only]
-#
-# Options:
-#   -c                   : Configure AWS credentials using 'aws configure'.
-#   -s <s3-bucket>       : Specify the S3 bucket and path to sync (required).
-#   -d <local-dir>       : Specify the local directory to sync to (default: ~/repo).
-#   -k <encrypted-key-file> : Specify the encrypted GPG private key file to import (optional).
-#   -g <gpg-key-id>      : Specify the GPG key ID or email to use for signing (required for signing operations).
-#   --upload-with-delete : Sync local changes to S3, deleting files in S3 that don't exist locally.
-#   --s3-sync-only       : Perform only the S3 sync to the local directory, inform the user, and exit.
-#   -h, --help           : Display this help and exit.
+# This script automates several tasks related to managing RPM repositories in AWS S3.
+# It handles the following operations:
+#   1. Syncing an RPM repository from an S3 bucket to a local directory.
+#   2. Signing all RPMs in the local repository with a specified GPG key.
+#   3. Updating and signing the repository metadata.
+#   4. Exporting the GPG public key and placing it in the repository for client use.
+#   5. Optionally, uploading changes back to the S3 bucket and deleting files in S3 that no longer exist locally.
+#   6. Decrypting and importing a GPG private key used for signing.
+#   7. A mode to only decrypt and import the GPG private key.
+#   8. Identifying and copying a newly built RPM to the appropriate repository.
+
+# Function to display detailed usage information
+usage() {
+  cat << EOF
+Usage: $0 [OPTIONS]
+
+This script automates several tasks related to managing RPM repositories in AWS S3.
+It can be used to sync repositories from S3, sign RPMs with a GPG key, update and sign repository metadata,
+and optionally upload changes back to S3.
+
+Options:
+  -c                            Configure AWS credentials using 'aws configure'.
+  -s <s3-bucket>                Specify the S3 bucket and path to sync (required for S3 operations).
+  -d <local-dir>                Specify the local directory to sync to (default: ~/repo).
+  -k <encrypted-key-file>       Specify the encrypted GPG private key file to import (optional).
+  -g <gpg-key-id>               Specify the GPG key ID or email to use for signing (required for signing operations).
+  --upload-with-delete          Sync local changes to S3, deleting files in S3 that no longer exist locally.
+  --s3-sync-only                Perform only the S3 sync to the local directory, inform the user, and exit.
+  --import-gpg-key-only         Decrypt and import the GPG private key, then exit. No other operations will be performed.
+  --copy-new-rpm                Copy the newly built RPM(s) to the appropriate repository directory based on architecture and version.
+  -h, --help                    Display this help message and exit.
+
+Examples:
+  # Sync an S3 repository to a local directory and sign RPMs with a GPG key
+  $0 -s s3://mybucket/repo -g mygpgkey@example.com
+
+  # Sync an S3 repository only, without signing RPMs or performing other operations
+  $0 -s s3://mybucket/repo --s3-sync-only
+
+  # Decrypt and import a GPG private key, then exit
+  $0 -k ~/path/to/encrypted-gpg-key.asc --import-gpg-key-only
+
+  # Copy newly built RPMs to the appropriate repository and sign them
+  $0 --copy-new-rpm -g mygpgkey@example.com
+
+Notes:
+  - The -s option is required for any operation that interacts with S3, such as syncing or uploading with delete.
+  - The -g option is required for any operation that involves signing RPMs or repository metadata.
+  - When using --upload-with-delete, ensure that you have the necessary permissions to delete objects in the specified S3 bucket.
+  - If you only want to perform local operations (e.g., copying RPMs, signing), you do not need to specify the -s option.
+
+EOF
+}
+
+# Parse options and arguments
+GPG_KEY_ID=""
+UPLOAD_WITH_DELETE=false
+S3_SYNC_ONLY=false
+IMPORT_GPG_KEY_ONLY=false
+COPY_NEW_RPM=false
+CONFIGURE_AWS=false
+LOCAL_DIR=~/repo
 
 # Function to check if required commands are available
 check_commands() {
@@ -35,16 +77,7 @@ check_commands() {
   done
 }
 
-# Function to display usage information
-usage() {
-  echo "Usage: $0 [-c] [-s <s3-bucket>] [-d <local-dir>] [-k <encrypted-key-file>] [-g <gpg-key-id>] [--upload-with-delete] [--s3-sync-only]"
-  exit 1
-}
-
 # Parse options
-GPG_KEY_ID=""
-UPLOAD_WITH_DELETE=false
-S3_SYNC_ONLY=false
 while [[ "$#" -gt 0 ]]; do
   case $1 in
     -c) CONFIGURE_AWS=true; shift ;;
@@ -54,45 +87,22 @@ while [[ "$#" -gt 0 ]]; do
     -g) GPG_KEY_ID="$2"; shift 2 ;;
     --upload-with-delete) UPLOAD_WITH_DELETE=true; shift ;;
     --s3-sync-only) S3_SYNC_ONLY=true; shift ;;
-    -h|--help) usage ;;
-    *) echo "Unknown option: $1"; usage ;;
+    --import-gpg-key-only) IMPORT_GPG_KEY_ONLY=true; shift ;;
+    --copy-new-rpm) COPY_NEW_RPM=true; shift ;;
+    -h|--help) usage; exit 0 ;;
+    *) echo "Unknown option: $1"; usage; exit 1 ;;
   esac
 done
 
-# Check if required commands are available
 check_commands
 
-# Ensure S3 bucket is provided
-if [ -z "${S3_BUCKET:-}" ]; then
-  echo "Error: S3 bucket (-s) is required."
-  usage
-fi
-
 # AWS credentials configuration (optional)
-if [ "${CONFIGURE_AWS:-false}" = true ]; then
+if [ "$CONFIGURE_AWS" = true ]; then
   echo "Configuring AWS credentials..."
   aws configure
 fi
 
-# Check access to the S3 bucket
-echo "Checking access to S3 bucket $S3_BUCKET..."
-if ! aws s3 ls "$S3_BUCKET" &> /dev/null; then
-  echo "Error: Unable to access S3 bucket $S3_BUCKET. Please check your AWS credentials and permissions."
-  exit 1
-fi
-
-# Sync the S3 repository to the local directory
-mkdir -p "$LOCAL_DIR"
-echo "Syncing S3 repository from $S3_BUCKET to $LOCAL_DIR..."
-aws s3 sync "$S3_BUCKET" "$LOCAL_DIR"
-
-# Check if the operation is `s3-sync-only`
-if [ "$S3_SYNC_ONLY" = true ]; then
-  echo "S3 sync operation completed successfully."
-  exit 0
-fi
-
-# Decrypt and import GPG private key if not in sync-only mode
+# Decrypt and import GPG private key if in import-only mode or not in sync-only mode
 if [ -n "${ENCRYPTED_KEY_FILE:-}" ]; then
   DECRYPTED_KEY_FILE="${ENCRYPTED_KEY_FILE%.*}"
   echo "Decrypting GPG private key..."
@@ -107,50 +117,130 @@ if [ -n "${ENCRYPTED_KEY_FILE:-}" ]; then
 
   # Securely delete the decrypted key file
   shred -u "$DECRYPTED_KEY_FILE"
+
+  # Exit if only importing GPG key
+  if [ "$IMPORT_GPG_KEY_ONLY" = true ]; then
+    echo "GPG key has been decrypted and imported successfully. Exiting."
+    exit 0
+  fi
+fi
+
+# Check access to the S3 bucket and perform sync only if needed
+if [ "$IMPORT_GPG_KEY_ONLY" = false ] && [ "$S3_SYNC_ONLY" = false ] && [ "$COPY_NEW_RPM" = false ] && [ "$UPLOAD_WITH_DELETE" = false ]; then
+  if [ -z "${S3_BUCKET:-}" ]; then
+    echo "Error: S3 bucket (-s) is required."
+    exit 1
+  fi
+
+  echo "Checking access to S3 bucket $S3_BUCKET..."
+  if ! aws s3 ls "$S3_BUCKET" &> /dev/null; then
+    echo "Error: Unable to access S3 bucket $S3_BUCKET. Please check your AWS credentials and permissions."
+    exit 1
+  fi
+
+  # Sync the S3 repository to the local directory
+  mkdir -p "$LOCAL_DIR"
+  echo "Syncing S3 repository from $S3_BUCKET to $LOCAL_DIR..."
+  aws s3 sync "$S3_BUCKET" "$LOCAL_DIR"
+
+  # Check if the operation is `s3-sync-only`
+  if [ "$S3_SYNC_ONLY" = true ]; then
+    echo "S3 sync operation completed successfully."
+    exit 0
+  fi
+fi
+
+# Copy the newly built RPM to the appropriate repository
+if [ "$COPY_NEW_RPM" = true ]; then
+  echo "Identifying the newly built RPMs..."
+
+  for ARCH in x86_64 noarch; do
+    RPM_DIR=~/rpmbuild/RPMS/$ARCH
+
+    # Check if the RPM directory exists
+    if [ ! -d "$RPM_DIR" ]; then
+      echo "Warning: Directory $RPM_DIR does not exist. Skipping $ARCH."
+      continue
+    fi
+
+    # Find all matching RPMs and copy them to the appropriate repository directory
+    NEW_RPMS=$(find "$RPM_DIR" -name "cloudberry-*.rpm" ! -name "*debuginfo*.rpm")
+    if [ -n "$NEW_RPMS" ]; then
+      for NEW_RPM in $NEW_RPMS; do
+        # Determine the repository (el8 or el9) based on the RPM filename
+        if echo "$NEW_RPM" | grep -q "\.el8\."; then
+          TARGET_REPO="$LOCAL_DIR/el8/$ARCH"
+        elif echo "$NEW_RPM" | grep -q "\.el9\."; then
+          TARGET_REPO="$LOCAL_DIR/el9/$ARCH"
+        else
+          echo "Error: Unable to determine the correct repository for $NEW_RPM. Exiting."
+          exit 1
+        fi
+
+        # Ensure the target repository directory exists
+        mkdir -p "$TARGET_REPO"
+
+        # Copy the RPM to the target repository
+        echo "Copying $NEW_RPM to $TARGET_REPO..."
+        cp "$NEW_RPM" "$TARGET_REPO/"
+        echo "Copy operation completed."
+      done
+    else
+      echo "No matching RPMs found in $RPM_DIR."
+    fi
+  done
 fi
 
 # Define the directories for `el8` and `el9` repositories
-REPO_DIRS=("$LOCAL_DIR/el8/x86_64" "$LOCAL_DIR/el9/x86_64")
+REPO_DIRS=("$LOCAL_DIR/el8/x86_64" "$LOCAL_DIR/el8/noarch" "$LOCAL_DIR/el9/x86_64" "$LOCAL_DIR/el9/noarch")
 
 # Traverse each repository directory (el8 and el9) and sign RPMs
 for REPO_DIR in "${REPO_DIRS[@]}"; do
   if [ -d "$REPO_DIR" ]; then
     echo "Processing repository at $REPO_DIR..."
 
+    # Export GPG public key for clients and place it in the root of the repository
+    TEMP_GPG_KEY=$(mktemp)
+    echo "Exporting GPG public key to temporary location..."
+    gpg --armor --export "$GPG_KEY_ID" > "$TEMP_GPG_KEY"
+
+    # Import the GPG public key to RPM database
+    echo "Importing GPG public key into RPM database..."
+    sudo rpm --import "$TEMP_GPG_KEY"
+
     # Sign each RPM in the directory
     echo "Signing RPM packages in $REPO_DIR..."
-    find "$REPO_DIR" -name "*.rpm" -exec rpm --addsign {} \;
+    find "$REPO_DIR" -name "*.rpm" -exec rpm --addsign --define "_gpg_name $GPG_KEY_ID" {} \;
 
     # Verify that RPMs were signed successfully
     echo "Verifying RPM signatures in $REPO_DIR..."
-    find "$REPO_DIR" -name "*.rpm" -exec rpm -K {} \;
+    find "$REPO_DIR" -name "*.rpm" -exec rpm -Kv {} \;
 
     # Recreate the repository metadata
     echo "Updating repository metadata in $REPO_DIR..."
     createrepo --update "$REPO_DIR"
 
-    # Sign the repository metadata
+    # Sign the repository metadata, automatically overwriting if the file already exists
     echo "Signing repository metadata in $REPO_DIR..."
-    gpg --detach-sign --armor --local-user "$GPG_KEY_ID" "$REPO_DIR/repodata/repomd.xml"
-  else
-    echo "Warning: Repository directory $REPO_DIR does not exist. Skipping..."
-  fi
-done
+    gpg --batch --yes --detach-sign --armor --local-user "$GPG_KEY_ID" "$REPO_DIR/repodata/repomd.xml"
 
-# Export GPG public key for clients and place it in the root of the repository
-echo "Exporting GPG public key..."
-gpg --armor --export "$GPG_KEY_ID" > "$LOCAL_DIR/RPM-GPG-KEY-cloudberry"
+    # Copy the public key to each repo
+    cp "$TEMP_GPG_KEY" "$REPO_DIR/RPM-GPG-KEY-cloudberry"
 
-# Optionally, place the public key in a specific directory (keys) within each repo
-for REPO_DIR in "${REPO_DIRS[@]}"; do
-  if [ -d "$REPO_DIR" ]; then
-    mkdir -p "$REPO_DIR/keys"
-    cp "$LOCAL_DIR/RPM-GPG-KEY-cloudberry" "$REPO_DIR/keys/RPM-GPG-KEY-cloudberry"
+    # Clean up temporary GPG key
+    rm -f "$TEMP_GPG_KEY"
+  else
+    echo "Warning: Repository directory $REPO_DIR does not exist. Skipping..."
   fi
 done
 
 # Upload changes to S3 with --delete option if requested
 if [ "$UPLOAD_WITH_DELETE" = true ]; then
+  if [ -z "${S3_BUCKET:-}" ]; then
+    echo "Error: S3 bucket (-s) is required for upload with delete."
+    exit 1
+  fi
+
   echo "Uploading local changes to S3 with --delete option..."
   aws s3 sync "$LOCAL_DIR" "$S3_BUCKET" --delete
   echo "S3 sync with --delete completed."
