
Expected results

| Command        | `rpm --version` | Result                |
|----------------|-----------------|-----------------------|
| make buster    | 4.14.2.1        | Hashes match!         |
| make fedora-27 | 4.14.2.1        | Hashes match!         |
| make fedora-37 | 4.18.0          | Hashes do not match!  |
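# Debian buster image for the rpm --addsign/--delsign reproducibility check
# (rpm 4.14.2.1 per the "Expected results" table).
FROM debian:buster
# Run `apt-get update` and `apt-get install` in ONE layer: as two separate RUN
# steps the update layer is cached and a later rebuild can install from a stale
# package index. The package lists are removed afterwards to keep the layer small.
# NOTE(review): `expect` is not referenced by the test script; confirm it is
# still needed before dropping it.
RUN apt-get update \
 && apt-get install --yes \
      expect \
      gpg \
      rpm \
      wget \
 && rm -rf /var/lib/apt/lists/*
COPY ./test ./
ENTRYPOINT ./test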
# Fedora 27 image for the rpm --addsign/--delsign reproducibility check
# (rpm 4.14.2.1 per the "Expected results" table).
FROM fedora:27
# gnupg2 supplies gpg2, which the test falls back to when `gpg` is absent;
# `which` is what the test uses to locate the gpg binary.
RUN dnf install -y gnupg2 hostname rpm-sign wget which
COPY ./test ./
ENTRYPOINT ./test
# Fedora 37 image for the rpm --addsign/--delsign reproducibility check
# (rpm 4.18.0 per the "Expected results" table; this is the case that reports
# "Hashes do not match!").
FROM fedora:37
# Unlike the fedora-27 image, gnupg2 and which are not installed explicitly
# here; the test evidently still runs, so they are presumably pulled in by
# rpm-sign or the base image — verify if the build is changed.
RUN dnf install -y hostname rpm-sign wget
COPY ./test ./
ENTRYPOINT ./test
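# Build and run one container per distribution; each runs ./test and exits
# non-zero when the signed-then-unsigned RPM no longer matches the original.
# All three targets are phony: they name Docker images, not files, so a stray
# file called e.g. `buster` in the working tree must not mark them up to date.
.PHONY: buster fedora-27 fedora-37

buster:
	docker build -f buster.Dockerfile -t sdw-846-buster .
	docker run sdw-846-buster

fedora-27:
	docker build -f fedora-27.Dockerfile -t sdw-846-f27 .
	docker run sdw-846-f27

fedora-37:
	docker build -f fedora-37.Dockerfile -t sdw-846-f37 .
	docker run sdw-846-f37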
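#!/bin/sh
# Reproducibility check for `rpm --addsign` / `rpm --delsign`.
#
# Downloads one package, strips its upstream signature, signs it with a
# freshly generated disposable key, strips that signature again, and compares
# the SHA-256 of the two unsigned files. A mismatch means the sign/unsign
# round-trip is not byte-for-byte reversible on this rpm version.
#
# Requires: gpg or gpg2, rpm with signing support (rpm-sign on Fedora),
# sha256sum, wget, hostname. Intended to run inside the throwaway containers
# built from the accompanying Dockerfiles.
# Exit status: 0 when the hashes match, 1 otherwise (after a 60 s pause so the
# artifacts can be copied out of the container for inspection).
set -eux

uid="$(whoami)@$(hostname)"
# Prefer gpg, fall back to gpg2. `command -v` is a shell builtin, so this no
# longer depends on a `which` binary being installed in the image; under
# `set -e` the script aborts here if neither is found.
gpg="$(command -v gpg || command -v gpg2)"
cd /tmp

# Generate a disposable signing key. It lives only inside this container, so
# an empty passphrase is acceptable.
"$gpg" --quick-generate-key \
  --batch \
  --passphrase "" \
  "$uid"
# Import its public half into the rpm keyring so `--checksig` can verify the
# signature we add below.
"$gpg" --export -a "$uid" > key
rpm --import key

# Set up RPM to sign with it.
cat > ~/.rpmmacros <<EOF
%_signature gpg
%__gpg ${gpg}
%_gpg_name ${uid}
EOF

# Grab one of our (freedomofpress/securedrop-workstation)'s packages.
# The download is not pinned to a known hash; that is acceptable here because
# both sides of the comparison derive from the same fetched file, but
# before.rpm must not be treated as a verified artifact.
wget -O before.rpm https://yum.securedrop.org/workstation/dom0/f32/securedrop-workstation-dom0-config-0.7.0-1.fc32.noarch.rpm

# Before: strip the upstream signature so both sides are compared unsigned.
# After --delsign, --checksig only validates digests.
rpm --delsign before.rpm
rpm --checksig before.rpm
before=$(sha256sum before.rpm | cut -d " " -f 1)

# Sign it with the disposable key:
cp before.rpm after.rpm
rpm --addsign after.rpm
rpm --checksig after.rpm
sha256sum after.rpm

# After: strip our signature again.
rpm --delsign after.rpm
rpm --checksig after.rpm
after=$(sha256sum after.rpm | cut -d " " -f 1)

# Check and report. An explicit if/else replaces the `a && b || (c)` form,
# whose else-branch would also run if the echo in the success path failed.
rpm --version
if [ "$after" = "$before" ]; then
  echo "Hashes match!"
else
  echo "Hashes do not match! Pausing for 60 sec to let you grab the files for inspection (e.g., via diffoscope):"
  echo "docker container cp \$CONTAINER_ID:/tmp/before.rpm ."
  echo "docker container cp \$CONTAINER_ID:/tmp/after.rpm ."
  sleep 60
  exit 1
fi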