@BH1SCW
Forked from jflemer-ndp/rpmgpgsign.sh
Created February 24, 2023 12:36
Wrapper for non-interactive signing of RPMs
#!/bin/bash
##############################################################################
# Wrapper for non-interactive signing of RPMs.
#
# _NOTE: This uses environment variables for sensitive information (the GPG
# passphrase), so should not be used on an untrusted or shared host._
#
# Prep
# ----
# * Make a GPG key, for example see "Create a GPG Key Pair" at:
# http://giovannitorres.me/how-to-setup-an-rpm-signing-key.html
#
# Setup
# -----
# * `yum install -y expect rpm-sign`
#
# Running
# -------
# * Strongly advised to not run this as root!
# * Set environment variables and/or container volume mount to default paths
# * Such as:
#
# env REPOS=/export/repo/demo GNUPGHOME=$HOME/.gnupg GPGKEYID=12345678 \
# GPGPASSPHRASE=demo ./rpmgpgsign.sh
#
# License
# -------
# * BSD-2-Clause
#
##############################################################################
##############################################################################
#
# Copyright 2020, NDP LLC
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
##############################################################################
# REPOS: space separated paths to search for RPMs to sign
export REPOS="${REPOS:-/repo}"
# GNUPGHOME: path to location of user GPG key
export GNUPGHOME="${GNUPGHOME:-/gpg/.gnupg}"
# GPGKEYID: which key from $GNUPGHOME to use for signing
export GPGKEYID="${GPGKEYID:-}"
# GPGPASSPHRASE: passphrase for the key $GPGKEYID
export GPGPASSPHRASE="${GPGPASSPHRASE:-}"
# Be Jenkins/CI friendly
WORKSPACE="${WORKSPACE:-$(pwd)}"
##############################################################################
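cat - > "${WORKSPACE}/sign_rpms.sh" <<'EOF'
#!/bin/expect -f
# Wait for rpmsign without a time limit; with expect's default 10 second
# timeout a slow signing run would leave $result unset at the exit below.
set timeout -1
set keyid $env(GPGKEYID)
spawn rpmsign --digest-algo=sha256 --key-id=$keyid --addsign {*}$argv
expect {
    -re "Enter pass phrase:" {
        # Answer each passphrase prompt from the environment
        send "$env(GPGPASSPHRASE)\n"
        exp_continue
    }
    eof {
        # Collect the exit status of rpmsign
        catch wait result
    }
}
exit [ lindex $result 3 ]
EOF
# SIGN RPMS
for i in ${REPOS}; do
    repomanage -n -c "$i" | xargs -r -d '\n' expect -f "${WORKSPACE}/sign_rpms.sh"
done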
# cleanup (ignore errors)
rm /var/tmp/rpm-tmp.* 2>/dev/null || true
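
The header notes above advise against running as root and rely on GNUPGHOME, GPGKEYID and REPOS being set correctly. The following is an added example, not part of the original gist, of a preflight check the wrapper could call before the signing loop; the function name `preflight` and its arguments are illustrative, and it assumes GNU coreutils `stat -c`.

```bash
#!/bin/bash
# Added example (not from the original gist): validate the signing
# environment before any RPM is touched.
#
# Usage from the wrapper, before the signing loop:
#   preflight "$(id -u)" "$GNUPGHOME" "$GPGKEYID" "$REPOS" || exit 1

# preflight UID GNUPGHOME GPGKEYID REPOS
# Prints one line per problem on stderr; exit status is the problem count.
preflight() {
    local uid="$1" home="$2" keyid="$3" repos="$4"
    local problems=0 mode r

    # The gist advises against running the signer as root.
    if [ "$uid" -eq 0 ]; then
        echo "preflight: running as root; use an unprivileged account" >&2
        problems=$((problems + 1))
    fi

    # The wrapper passes GPGKEYID straight to rpmsign --key-id.
    if [ -z "$keyid" ]; then
        echo "preflight: GPGKEYID is empty" >&2
        problems=$((problems + 1))
    fi

    # The keyring directory must exist and be closed to group and other.
    if [ ! -d "$home" ]; then
        echo "preflight: GNUPGHOME '$home' is not a directory" >&2
        problems=$((problems + 1))
    else
        mode=$(stat -c '%a' "$home")
        case "$mode" in
            *00) ;;
            *)  echo "preflight: GNUPGHOME mode $mode, expected 700" >&2
                problems=$((problems + 1)) ;;
        esac
    fi

    # REPOS is a space separated list, split the same way the wrapper does.
    for r in $repos; do
        if [ ! -d "$r" ]; then
            echo "preflight: repo path '$r' is not a directory" >&2
            problems=$((problems + 1))
        fi
    done

    return "$problems"
}
```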