TUN-6270: Import gpg keys from environment variables

sudarshan-reddy · sudarshan-reddy · commit 7ce2bb8b2f07 · 2022-05-23T14:51:26.000+01:00
We now keep the gpg key inputs configurable. This PR imports base64
encoded gpg details into the build environment and uses this information
to sign the linux builds.
diff --git a/cfsetup.yaml b/cfsetup.yaml
@@ -48,6 +48,7 @@ stretch: &stretch
       - pip3 install pynacl==1.4.0
       - pip3 install pygithub==1.55
       - pip3 install boto3==1.22.9
+      - pip3 install gnupg==2.3.1
     post-cache:
       # build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
       - ./build-packages.sh
diff --git a/release_pkgs.py b/release_pkgs.py
@@ -11,10 +11,12 @@
 import subprocess
 import os
 import argparse
+import base64
 import logging
 import shutil
 from hashlib import sha256
 
+import gnupg
 import boto3
 from botocore.client import Config
 from botocore.exceptions import ClientError
@@ -133,6 +135,20 @@ def _setup_rpm_pkg_directories(self, artifacts_path, archs=["aarch64", "x86_64",
                         old_path = os.path.join(root, file)
                         new_path = os.path.join(new_dir, file)
                         shutil.copyfile(old_path, new_path)
+    
+    """
+        imports gpg keys into the system so reprepro and createrepo can use it to sign packages.
+        it returns the GPG ID after a successful import
+    """
+    def import_gpg_keys(self, private_key, public_key):
+        gpg = gnupg.GPG()
+        private_key = base64.b64decode(private_key)
+        gpg.import_keys(private_key)
+        public_key = base64.b64decode(public_key)
+        gpg.import_keys(public_key)
+        data = gpg.list_keys(secret=True)
+        return (data[0]["fingerprint"])
+
 
 """
     Walks through a directory and uploads it's assets to R2.
@@ -231,8 +247,13 @@ def parse_args():
     )
 
     parser.add_argument(
-            "--gpg-key-id", default=os.environ.get("GPG_KEY_ID"), help="gpg key ID that's being used to sign release\
-            packages."
+            "--gpg-private-key", default=os.environ.get("LINUX_SIGNING_PRIVATE_KEY"), help="GPG private key to sign the\
+            packages"
+    )
+
+    parser.add_argument(
+            "--gpg-public-key", default=os.environ.get("LINUX_SIGNING_PUBLIC_KEY"), help="GPG public key used for\
+            signing packages"
     )
 
     parser.add_argument(
@@ -257,8 +278,10 @@ def parse_args():
         exit(1)
 
     pkg_creator = PkgCreator()
+    gpg_key_id = pkg_creator.import_gpg_keys(args.gpg_private_key, args.gpg_public_key)
+
     pkg_uploader = PkgUploader(args.account, args.bucket, args.id, args.secret)
-    create_deb_packaging(pkg_creator, pkg_uploader, args.deb_based_releases, args.gpg_key_id, args.binary, 
-            args.archs, "main", args.release_tag)
+    create_deb_packaging(pkg_creator, pkg_uploader, args.deb_based_releases, gpg_key_id, args.binary, args.archs,
+            "main", args.release_tag)
     
     create_rpm_packaging(pkg_creator, pkg_uploader, "./built_artifacts", args.release_tag, args.binary )
