ci: auto sign of rpm package and rpm repo metadata in CI (#140)

tzssangglass · web-flow · commit c0f129934c2f · 2021-11-21T19:26:34.000+08:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -10,7 +10,7 @@ concurrency:
 jobs:
   publish_apisix:
     name: Build and Publish RPM Package
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-18.04
     timeout-minutes: 60
 
     steps:
@@ -35,32 +35,35 @@ jobs:
 
       - name: Build apisix RPM Package
         if: ${{ startsWith(steps.tag_type.outputs.version, 'apisix/') }}
-        env: 
+        env:
           APISIX_TAG_VERSION: ${{ steps.tag_env.outputs.version}}
         run: |
           # build apisix
           make package type=rpm app=apisix openresty=apisix-base checkout=${APISIX_TAG_VERSION} version=${APISIX_TAG_VERSION} image_base=centos image_tag=7
           mv ./output/apisix-${APISIX_TAG_VERSION}-0.el7.x86_64.rpm ./
+          echo "TARGET_APP=apisix" >> "$GITHUB_ENV"
 
       - name: Build apisix-base RPM Package
         if: ${{ startsWith(steps.tag_type.outputs.version, 'apisix-base/') }}
-        env: 
+        env:
           APISIX_BASE_TAG_VERSION: ${{ steps.tag_env.outputs.version}}
         run: |
           # build apisix-base
           echo ${{ steps.tag_env.outputs.version}}
           echo ${{ steps.tag_type.outputs.version}}
           make package type=rpm app=apisix-base checkout=${APISIX_BASE_TAG_VERSION} version=${APISIX_BASE_TAG_VERSION} image_base=centos image_tag=7
           mv ./output/apisix-base-${APISIX_BASE_TAG_VERSION}-0.el7.x86_64.rpm ./
+          echo "TARGET_APP=apisix-base" >> "$GITHUB_ENV"
 
       - name: Build apisix-dashboard RPM Package
         if: ${{ startsWith(steps.tag_type.outputs.version, 'dashboard/') }}
-        env: 
+        env:
           APISIX_DASHBOARD_TAG_VERSION: ${{ steps.tag_env.outputs.version}}
         run: |
           # build apisix dashboard
           make package type=rpm app=dashboard checkout=${APISIX_DASHBOARD_TAG_VERSION} version=${APISIX_DASHBOARD_TAG_VERSION} image_base=centos image_tag=7
           mv ./output/apisix-dashboard-${APISIX_DASHBOARD_TAG_VERSION}-0.el7.x86_64.rpm ./
+          echo "TARGET_APP=apisix-dashboard" >> "$GITHUB_ENV"
 
       - name: Upload apisix Artifact
         if: ${{ startsWith(steps.tag_type.outputs.version, 'apisix/') }}
@@ -83,38 +86,48 @@ jobs:
           name: "apisix-dashboard-${{ steps.tag_env.outputs.version}}-0.el7.x86_64.rpm"
           path: "./apisix-dashboard-${{ steps.tag_env.outputs.version}}-0.el7.x86_64.rpm"
 
-      - name: Push apisix RPM Package to Aliyun OSS
-        if: ${{ startsWith(steps.tag_type.outputs.version, 'apisix/') }}
+      - name: Sign RPM Package
+        env:
+          GPG_NAME: "APISIX Publisher"
+          GPG_MAIL: "<dev@apisix.apache.org>"
+          TAG_VERSION: ${{ steps.tag_env.outputs.version }}
+          TARGET_APP: ${{ env.TARGET_APP }}
         run: |
-          echo "[Credentials]" >> /tmp/ossutilconfig
-          echo "language=EN" >> /tmp/ossutilconfig
-          echo "endpoint=oss-cn-shenzhen.aliyuncs.com" >> /tmp/ossutilconfig
-          echo "accessKeyID=${{ secrets.ACCESS_KEY_ID }}" >> /tmp/ossutilconfig
-          echo "accessKeySecret=${{ secrets.ACCESS_KEY_SECRET }}" >> /tmp/ossutilconfig
-          wget http://gosspublic.alicdn.com/ossutil/1.7.3/ossutil64
-          chmod 755 ossutil64
-          ./ossutil64 cp -f ./apisix-${{ steps.tag_env.outputs.version}}-0.el7.x86_64.rpm oss://apisix-repo/packages/centos/7/x86_64/ --config-file=/tmp/ossutilconfig
-
-      - name: Push apisix-base RPM Package to Aliyun OSS
-        if: ${{ startsWith(steps.tag_type.outputs.version, 'apisix-base/') }}
+          echo "${{ secrets.RPM_GPG_PRIV_KEY }}" >> /tmp/rpm-gpg-publish.private
+          echo "${{ secrets.RPM_GPG_PASSPHRASE }}" >> /tmp/rpm-gpg-publish.passphrase
+          ./utils/publish-rpm.sh sign_target_app_rpm
+          date_tag=$(date +%Y%m%d)
+          echo "DATE_TAG=${date_tag}" >> "$GITHUB_ENV"
+
+      - name: Backup and rebuild RPM Repository
+        env:
+          ACCESS_KEY_ID: ${{ secrets.ACCESS_KEY_ID }}
+          ACCESS_KEY_SECRET: ${{ secrets.ACCESS_KEY_SECRET }}
+          TAG_VERSION: ${{ steps.tag_env.outputs.version }}
+          TARGET_APP: ${{ env.TARGET_APP }}
+          DATE_TAG: ${{ env.DATE_TAG }}
         run: |
-          echo "[Credentials]" >> /tmp/ossutilconfig
-          echo "language=EN" >> /tmp/ossutilconfig
-          echo "endpoint=oss-cn-shenzhen.aliyuncs.com" >> /tmp/ossutilconfig
-          echo "accessKeyID=${{ secrets.ACCESS_KEY_ID }}" >> /tmp/ossutilconfig
-          echo "accessKeySecret=${{ secrets.ACCESS_KEY_SECRET }}" >> /tmp/ossutilconfig
-          wget http://gosspublic.alicdn.com/ossutil/1.7.3/ossutil64
-          chmod 755 ossutil64
-          ./ossutil64 cp -f ./apisix-base-${{ steps.tag_env.outputs.version}}-0.el7.x86_64.rpm oss://apisix-repo/packages/centos/7/x86_64/ --config-file=/tmp/ossutilconfig
-
-      - name: Push apisix-dashboard RPM Package to Aliyun OSS
-        if: ${{ startsWith(steps.tag_type.outputs.version, 'dashboard/') }}
+          ./utils/publish-rpm.sh backup_and_rebuild_repo
+
+      - name: Sign RPM Repository Metadata
+        env:
+          TAG_VERSION: ${{ steps.tag_env.outputs.version }}
+        run: |
+          ./utils/publish-rpm.sh sign_repo_metadata
+
+      - name: Upload new RPM Repository
+        run: |
+          ./utils/publish-rpm.sh upload_new_repo
+
+      - name: Check download new RPM Package
+        env:
+          TAG_VERSION: ${{ steps.tag_env.outputs.version }}
+          TARGET_APP: ${{ env.TARGET_APP }}
+        run: |
+          ./utils/publish-rpm.sh check_down_load_rpm
+
+      - name: Remove backup RPM Repository
+        env:
+          DATE_TAG: ${{ env.DATE_TAG }}
         run: |
-          echo "[Credentials]" >> /tmp/ossutilconfig
-          echo "language=EN" >> /tmp/ossutilconfig
-          echo "endpoint=oss-cn-shenzhen.aliyuncs.com" >> /tmp/ossutilconfig
-          echo "accessKeyID=${{ secrets.ACCESS_KEY_ID }}" >> /tmp/ossutilconfig
-          echo "accessKeySecret=${{ secrets.ACCESS_KEY_SECRET }}" >> /tmp/ossutilconfig
-          wget http://gosspublic.alicdn.com/ossutil/1.7.3/ossutil64
-          chmod 755 ossutil64
-          ./ossutil64 cp -f ./apisix-dashboard-${{ steps.tag_env.outputs.version}}-0.el7.x86_64.rpm oss://apisix-repo/packages/centos/7/x86_64/ --config-file=/tmp/ossutilconfig
+          ./utils/publish-rpm.sh rm_backup_repo
diff --git a/utils/publish-rpm.sh b/utils/publish-rpm.sh
@@ -0,0 +1,138 @@
+#!/usr/bin/env bash
+set -euo pipefail
+set -x
+
+
+import_gpg_key() {
+    gpg --import --pinentry-mode loopback --batch --passphrase-file \
+    /tmp/rpm-gpg-publish.passphrase /tmp/rpm-gpg-publish.private
+
+    gpg --list-keys --fingerprint | grep "${GPG_MAIL}" -B 1 \
+    | tr -d ' ' | head -1 | awk 'BEGIN { FS = "\n" } ; { print $1":6:" }' \
+    | gpg --import-ownertrust
+}
+
+
+
+rpm_checksig() {
+    rpm --import https://repos.apiseven.com/KEYS
+
+    out=$(rpm --checksig ./${TARGET_APP}-${TAG_VERSION}-0.el7.x86_64.rpm)
+    if ! echo "$out" | grep "digests signatures OK"; then
+        echo "failed: check rpm digests signatures"
+        exit 1
+    fi
+}
+
+
+init_rpmmacros() {
+    cat > ~/.rpmmacros <<EOF
+# Macros for signing RPMs.
+%_signature gpg
+%_gpg_path ${HOME}/.gnupg
+%_gpg_name ${GPG_NAME} ${GPG_MAIL}
+%_gpgbin /usr/bin/gpg
+%__gpg_sign_cmd %{__gpg} gpg --batch --verbose --no-armor --pinentry-mode loopback --passphrase-file /tmp/rpm-gpg-publish.passphrase --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
+EOF
+}
+
+
+sign_target_app_rpm() {
+    import_gpg_key
+
+    init_rpmmacros
+
+    rpmsign --addsign ./${TARGET_APP}-${TAG_VERSION}-0.el7.x86_64.rpm
+
+    rpm_checksig
+}
+
+
+download_ossutil64() {
+    echo "[Credentials]" >> /tmp/ossutilconfig
+    echo "language=EN" >> /tmp/ossutilconfig
+    echo "endpoint=oss-cn-shenzhen.aliyuncs.com" >> /tmp/ossutilconfig
+    echo "accessKeyID=${ACCESS_KEY_ID}" >> /tmp/ossutilconfig
+    echo "accessKeySecret=${ACCESS_KEY_SECRET}" >> /tmp/ossutilconfig
+    wget http://gosspublic.alicdn.com/ossutil/1.7.3/ossutil64
+    chmod 755 ossutil64
+}
+
+
+backup_and_rebuild_repo() {
+    download_ossutil64
+
+    # backup origin repo
+    ./ossutil64 cp -r oss://tzs-apisix-repo/packages/centos/7/x86_64 oss://tzs-apisix-repo/packages/backup/centos/7/x86_64_${DATE_TAG} --config-file=/tmp/ossutilconfig
+
+    # download origin repo
+    ./ossutil64 cp -r oss://apisix-repo/packages/centos/7/x86_64 ./ --config-file=/tmp/ossutilconfig
+
+    # rebuild repo
+    cp ./${TARGET_APP}-${TAG_VERSION}-0.el7.x86_64.rpm ./x86_64
+    cd ./x86_64
+
+    sudo apt-get update
+    sudo apt install createrepo -y
+    createrepo .
+    cd ../
+}
+
+
+sign_repo_metadata() {
+    rm ./x86_64/repodata/repomd.xml.asc
+    gpg --batch --pinentry-mode loopback --passphrase-file /tmp/rpm-gpg-publish.passphrase --detach-sign --armor ./x86_64/repodata/repomd.xml
+
+    out=$(gpg --verify x86_64/repodata/repomd.xml.asc 2>&1)
+    if ! echo "$out" | grep -iq 'Good signature'; then
+        echo "failed: check rpm metadata signatures"
+        exit 1
+    fi
+}
+
+
+upload_new_repo() {
+    # rm origin repo and upload new repo
+    ./ossutil64 rm -r -f oss://apisix-repo/packages/centos/7/x86_64 --config-file=/tmp/ossutilconfig
+    ./ossutil64 cp -r ./x86_64 oss://apisix-repo/packages/centos/7/x86_64 --config-file=/tmp/ossutilconfig
+}
+
+
+check_down_load_rpm() {
+    mkdir temp && cd temp
+    wget https://apisix-repo.oss-cn-shanghai.aliyuncs.com/packages/centos/7/x86_64/${TARGET_APP}-${TAG_VERSION}-0.el7.x86_64.rpm
+    if [ ! -f ${TARGET_APP}-${TAG_VERSION}-0.el7.x86_64.rpm ]; then
+        echo "failed: download new ${TARGET_APP} rpm package"
+        exit 1
+    fi
+    cd ../
+}
+
+
+rm_backup_repo() {
+    ./ossutil64 rm -r -f oss://tzs-apisix-repo/packages/backup/centos/7/x86_64_${DATE_TAG} --config-file=/tmp/ossutilconfig
+}
+
+
+case_opt=$1
+
+case ${case_opt} in
+sign_target_app_rpm)
+    sign_target_app_rpm
+    ;;
+backup_and_rebuild_repo)
+    backup_and_rebuild_repo
+    ;;
+sign_repo_metadata)
+    sign_repo_metadata
+    ;;
+upload_new_repo)
+    upload_new_repo
+    ;;
+check_down_load_rpm)
+    check_down_load_rpm
+    ;;
+rm_backup_repo)
+    rm_backup_repo
+    ;;
+esac
