Move signing packages script to docker container

Author: jacekwegr

.circleci/template.yml

@@ -707,15 +707,6 @@ jobs:
           name: Build package
           command: |
             ./tools/test.sh -p pkg -s false
-      - run:
-          name: Install packages necessary for signing
-          command: |
-            tools/circle-install-packages.sh \
-            'dpkg-sig rpm'
-      - run:
-          name: Sign package
-          command: |
-            ./tools/pkg/sign.sh
       - when:
           condition:
             matches:

tools/pkg/Dockerfile_deb

@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1
 # vi: ft=dockerfile
 ARG builder_image
 ARG target_image
@@ -7,7 +8,15 @@ FROM $builder_image AS builder
 # Install build deps
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update
-RUN apt-get install -y locales git make zlib1g-dev unixodbc-dev gcc g++ libssl-dev curl
+RUN apt-get install -y locales git make zlib1g-dev unixodbc-dev gcc g++ libssl-dev curl gpg wget gnupg
+
+# The signing script requires debsigs version 0.2 or higher, which is unavailable in
+# package repositories of Ubuntu versions earlier than 24.10 and Debian versions earlier than 13.
+# TODO: Switch to installing debsigs via apt once support for these older versions is dropped.
+RUN wget http://ftp.de.debian.org/debian/pool/main/d/debsigs/debsigs_0.2.2-1_all.deb && \
+    dpkg -i debsigs_0.2.2-1_all.deb && \
+    rm debsigs_0.2.2-1_all.deb && \
+    which debsigs
 
 ARG erlang_version
 
@@ -27,6 +36,12 @@ ARG revision
 
 RUN ./deb/build_package.sh $version $revision $erlang_version
 
+# Sign the built package with the keys provided
+RUN --mount=type=secret,id=GPG_PUBLIC_KEY,env=GPG_PUBLIC_KEY \
+    --mount=type=secret,id=GPG_PRIVATE_KEY,env=GPG_PRIVATE_KEY \
+    --mount=type=secret,id=GPG_PASS,env=GPG_PASS \
+    ./mongooseim/tools/pkg/sign.sh
+
 # Create image for sharing and validation of built package
 FROM $target_image AS target
 

tools/pkg/Dockerfile_rpm

@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1
 # vi: ft=dockerfile
 ARG builder_image
 ARG target_image
@@ -6,7 +7,7 @@ FROM $builder_image AS builder
 
 # Install the build dependencies
 RUN dnf install -y rpm-build rpmdevtools git make zlib-devel unixODBC-devel gcc gcc-c++ \
-    openssl openssl-devel chrpath glibc-locale-source systemd-rpm-macros
+    openssl openssl-devel chrpath glibc-locale-source systemd-rpm-macros rpm-sign
 
 # Fix locale setup
 # See https://github.com/CentOS/sig-cloud-instance-images/issues/71#issuecomment-266957519
@@ -31,12 +32,18 @@ ARG revision
 
 RUN ./BUILD/mongooseim/tools/pkg/scripts/rpm/build_package.sh $version $revision $erlang_version
 
+# Sign the built package with the keys provided
+RUN --mount=type=secret,id=GPG_PUBLIC_KEY,env=GPG_PUBLIC_KEY \
+    --mount=type=secret,id=GPG_PRIVATE_KEY,env=GPG_PRIVATE_KEY \
+    --mount=type=secret,id=GPG_PASS,env=GPG_PASS \
+    ./BUILD/mongooseim/tools/pkg/sign.sh
+
 # Create image for sharing and validation of built package
 FROM $target_image AS target
 
 # Copy built package from previous image and install it with required dependencies
 WORKDIR /root/
-COPY --from=builder /root/mongooseim*.rpm .
+COPY --from=builder /root/rpmbuild/mongooseim*.rpm .
 RUN dnf -y update && dnf install -y mongooseim*.rpm
 
 # Simple check if MiM works

tools/pkg/build.sh

@@ -80,6 +80,9 @@ docker build -t mongooseim-${platform}:${version}-${revision} \
     --build-arg version=${version} \
     --build-arg revision=${revision} \
     --build-arg erlang_version=${erlang_version} \
+    --secret id=GPG_PUBLIC_KEY \
+    --secret id=GPG_PRIVATE_KEY \
+    --secret id=GPG_PASS \
     -f ${dockerfile_path} \
     $context_path
 

tools/pkg/scripts/deb/build_package.sh

@@ -38,7 +38,7 @@ date=$(date -R)
 sed -i "s#@DATE@#${date}#g" mongooseim/DEBIAN/changelog
 
 chown $USER:$USER -R mongooseim
-dpkg-deb -Zxz --build mongooseim ./
+dpkg --build mongooseim ./
 
 source /etc/os-release
 os=$ID

tools/pkg/scripts/rpm/build_package.sh

@@ -21,4 +21,4 @@ os_version=$VERSION_ID
 package_os_file_name=${os}~${os_version}
 
 mv ~/rpmbuild/RPMS/${arch}/mongooseim-${version}-${revision}.${arch}.rpm \
-    ~/mongooseim_${version}_${revision}_otp_${otp_version}~${package_os_file_name}_${package_name_arch}.rpm
+    ~/rpmbuild/mongooseim_${version}_${revision}_otp_${otp_version}~${package_os_file_name}_${package_name_arch}.rpm

tools/pkg/sign.sh

@@ -3,8 +3,7 @@ set -e
 
 trap 'rm -f ~/.rpmmacros' EXIT
 
-cd tools/pkg/packages
-PACKAGE_NAME=$(ls)
+PACKAGE_NAME=$(find . -maxdepth 1 -type f \( -name "*.deb" -o -name "*.rpm" \))
 
 echo "$GPG_PRIVATE_KEY" | base64 -d | gpg --batch --pinentry-mode loopback --import
 
@@ -22,17 +21,18 @@ if [[ "$PACKAGE_NAME" == *.deb ]]; then
     gpg --import public.key
     rm -f public.key
 
-    dpkg-sig --sign builder -g "--no-tty --pinentry-mode loopback --passphrase $GPG_PASS" -k "$GPG_KEY_ID" $PACKAGE_NAME
+    debsigs --gpgopts "--no-tty --pinentry-mode loopback --passphrase $GPG_PASS" \
+            --sign=origin -k="$GPG_KEY_ID" "$PACKAGE_NAME"
     echo "DEB package signed successfully: $PACKAGE_NAME"
 
-    dpkg-sig --verify "$PACKAGE_NAME"
+    debsigs --verify "$PACKAGE_NAME"
     echo "DEB package verified successfully: $PACKAGE_NAME"
 elif [[ "$PACKAGE_NAME" == *.rpm ]]; then
     rpm --import public.key
     rm -f public.key
 
     cat > ~/.rpmmacros <<EOF
-          %__gpg $(which gpg)
+          %__gpg $(type -p gpg)
           %_gpg_path $HOME/.gnupg
           %_gpg_name $GPG_KEY_EMAIL
           %_signature gpg
@@ -51,6 +51,6 @@ EOF
 
     rm -f ~/.rpmmacros
 else
-    echo "Unknown package type: $PACKAGE_NAME"
+    echo "No packages found to sign"
     exit 1
 fi