CI: move grabpl package command to pkg/build (#55651)
* add grabpl package * update .drone.yml * resolve lint errors
@@ -0,0 +1,84 @@
|
||||
package gpg
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"log"
|
||||
"os"
|
||||
|
||||
"github.com/grafana/grafana/pkg/build/config"
|
||||
)
|
||||
|
||||
func createTempFile(sfx string) (string, error) {
|
||||
f, err := os.CreateTemp("", fmt.Sprintf("*-%s", sfx))
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if err := f.Close(); err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return f.Name(), nil
|
||||
}
|
||||
|
||||
// LoadGPGKeys loads GPG key pair and password from the environment and writes them to corresponding files.
|
||||
//
|
||||
// The passed config's GPG fields also get updated. Make sure to call RemoveGPGFiles at application exit.
|
||||
func LoadGPGKeys(cfg *config.Config) error {
|
||||
var err error
|
||||
cfg.GPGPrivateKey, err = createTempFile("priv.key")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
cfg.GPGPublicKey, err = createTempFile("pub.key")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
cfg.GPGPassPath, err = createTempFile("")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
gpgPrivKey := os.Getenv("GPG_PRIV_KEY")
|
||||
if gpgPrivKey == "" {
|
||||
return fmt.Errorf("$GPG_PRIV_KEY must be defined")
|
||||
}
|
||||
gpgPubKey := os.Getenv("GPG_PUB_KEY")
|
||||
if gpgPubKey == "" {
|
||||
return fmt.Errorf("$GPG_PUB_KEY must be defined")
|
||||
}
|
||||
gpgPass := os.Getenv("GPG_KEY_PASSWORD")
|
||||
if gpgPass == "" {
|
||||
return fmt.Errorf("$GPG_KEY_PASSWORD must be defined")
|
||||
}
|
||||
|
||||
gpgPrivKeyB, err := base64.StdEncoding.DecodeString(gpgPrivKey)
|
||||
if err != nil {
|
||||
return fmt.Errorf("couldn't decode $GPG_PRIV_KEY: %w", err)
|
||||
}
|
||||
gpgPubKeyB, err := base64.StdEncoding.DecodeString(gpgPubKey)
|
||||
if err != nil {
|
||||
return fmt.Errorf("couldn't decode $GPG_PUB_KEY: %w", err)
|
||||
}
|
||||
|
||||
if err := os.WriteFile(cfg.GPGPrivateKey, append(gpgPrivKeyB, '\n'), 0400); err != nil {
|
||||
return fmt.Errorf("failed to write GPG private key file: %w", err)
|
||||
}
|
||||
if err := os.WriteFile(cfg.GPGPublicKey, append(gpgPubKeyB, '\n'), 0400); err != nil {
|
||||
return fmt.Errorf("failed to write GPG public key file: %w", err)
|
||||
}
|
||||
if err := os.WriteFile(cfg.GPGPassPath, []byte(gpgPass+"\n"), 0400); err != nil {
|
||||
return fmt.Errorf("failed to write GPG password file: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// RemoveGPGFiles removes configured GPG files.
|
||||
func RemoveGPGFiles(cfg config.Config) {
|
||||
for _, fpath := range []string{cfg.GPGPrivateKey, cfg.GPGPublicKey, cfg.GPGPassPath} {
|
||||
if err := os.Remove(fpath); err != nil {
|
||||
log.Printf("failed to remove %q", fpath)
|
||||
}
|
||||
}
|
||||
}
|
||||
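Review bot: LoadGPGKeys creates the three temp files before it checks `$GPG_PRIV_KEY`, `$GPG_PUB_KEY` and `$GPG_KEY_PASSWORD`, and every later error return leaves whatever was already created in the system temp directory, possibly including a written private key or passphrase. Whether the caller runs RemoveGPGFiles on that error path is not visible here, so I would validate and decode the environment first and delete the created files when a later step fails, as sketched below. Separately, the `0400` passed to `os.WriteFile` has no effect, because the files already exist from `os.CreateTemp` (mode 0600) and WriteFile does not change the mode of an existing file. In RemoveGPGFiles the log call drops the error; `log.Printf("failed to remove %q: %v", fpath, err)` would keep it.

```go
func LoadGPGKeys(cfg *config.Config) (err error) {
	// … unchanged: env lookups and base64 decoding, moved ahead of any file creation …

	// Track files created here and delete them if a later step fails,
	// so key material does not outlive a failed run.
	var created []string
	defer func() {
		if err == nil {
			return
		}
		for _, p := range created {
			if rmErr := os.Remove(p); rmErr != nil {
				log.Printf("failed to remove %q: %v", p, rmErr)
			}
		}
	}()

	cfg.GPGPrivateKey, err = createTempFile("priv.key")
	if err != nil {
		return err
	}
	created = append(created, cfg.GPGPrivateKey)
	// … same pattern for pub.key and the passphrase file, then the unchanged os.WriteFile calls …
```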
@@ -0,0 +1,73 @@
|
||||
package gpg
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"log"
|
||||
"os"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
|
||||
"github.com/grafana/grafana/pkg/build/config"
|
||||
"github.com/grafana/grafana/pkg/infra/fs"
|
||||
)
|
||||
|
||||
// writeRpmMacros writes ~/.rpmmacros.
|
||||
func writeRpmMacros(homeDir, gpgPassPath string) error {
|
||||
fpath := filepath.Join(homeDir, ".rpmmacros")
|
||||
content := fmt.Sprintf(`%%_signature gpg
|
||||
%%_gpg_path %s/.gnupg
|
||||
%%_gpg_name Grafana
|
||||
%%_gpgbin /usr/bin/gpg
|
||||
%%__gpg_sign_cmd %%{__gpg} gpg --batch --yes --pinentry-mode loopback --no-armor --passphrase-file %s --no-secmem-warning -u "%%{_gpg_name}" -sbo %%{__signature_filename} %%{__plaintext_filename}
|
||||
`, homeDir, gpgPassPath)
|
||||
//nolint:gosec
|
||||
if err := os.WriteFile(fpath, []byte(content), 0600); err != nil {
|
||||
return fmt.Errorf("failed to write %q: %w", fpath, err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Import imports the GPG package signing key.
|
||||
// ~/.rpmmacros also gets written.
|
||||
func Import(cfg config.Config) error {
|
||||
exists, err := fs.Exists(cfg.GPGPrivateKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !exists {
|
||||
return fmt.Errorf("GPG private key file doesn't exist: %q", cfg.GPGPrivateKey)
|
||||
}
|
||||
|
||||
log.Printf("Importing GPG key %q...", cfg.GPGPrivateKey)
|
||||
// nolint:gosec
|
||||
cmd := exec.Command("gpg", "--batch", "--yes", "--no-tty", "--allow-secret-key-import", "--import",
|
||||
cfg.GPGPrivateKey)
|
||||
if output, err := cmd.CombinedOutput(); err != nil {
|
||||
return fmt.Errorf("failed to import private key: %s", output)
|
||||
}
|
||||
|
||||
homeDir, err := os.UserHomeDir()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := writeRpmMacros(homeDir, cfg.GPGPassPath); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
pubKeysPath := filepath.Join(homeDir, ".rpmdb", "pubkeys")
|
||||
if err := os.MkdirAll(pubKeysPath, 0700); err != nil {
|
||||
return fmt.Errorf("failed to make %s: %w", pubKeysPath, err)
|
||||
}
|
||||
gpgPub, err := os.ReadFile(cfg.GPGPublicKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
//nolint:gosec
|
||||
if err := os.WriteFile(filepath.Join(homeDir, ".rpmdb", "pubkeys", "grafana.key"), gpgPub, 0400); err != nil {
|
||||
return fmt.Errorf("failed to write pub key to ~/.rpmdb: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
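Review bot: The gpg import error path in Import discards `err` and reports only the command output, so a failure to start gpg at all (for example, binary not on PATH) yields an empty message; `return fmt.Errorf("failed to import private key: %w: %s", err, output)` keeps both. The final `os.WriteFile(..., "grafana.key", gpgPub, 0400)` will likely fail with a permission error on a second run under the same non-root home directory, since the existing file is read-only; removing it first or writing it 0600 avoids that. The doc comment should also say that Import leaves the signing key in the user's GnuPG keyring and overwrites `~/.rpmmacros` with the passphrase-file path, and that RemoveGPGFiles undoes neither. That matters if the build host is not disposable, which is not visible from this page.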