8e9aa45716
* Chore: Add go workspace (#83191) --------- Co-authored-by: ismail simsek <ismailsimsek09@gmail.com> * CI: Make pkg/build its own module, remove unused Grafana modules in go.mo… (#89243) * Make pkg/build its own module, remove unused Grafana modules in go.mod/go.sum * fix go.work format * log errors on file close errors * CI: Add release-pr workflow (#89005) * Add release-pr workflow * update CODEOWNERS * CI: Trigger release pr workflow when a release is completed (#89062) * Automation: Verify release artifacts on grafana.com (#89197) * baldm0mma/verify_release/ create verify_release_for_download function * baldm0mma/verify_release/ add name, image, env * baldm0mma/verify_release/ add initial commands * baldm0mma/verify_release/ add deps? * baldm0mma/verify_release/ update location * baldm0mma/verify_release/ add anno to lib-star * bald0mma/verify_release/ update func name to verify_grafanacom_step * baldm0mma/verify_release/ add verify shell script * baldm0mma/verify_release/ add script content, first attempt * baldm0mma/verify_release/ add node image to verify_grafanacom_step * baldm0mma/verify_release/ add gcom secret note * baldm0mma/verify_release/ add sudo to apt-get * baldm0mma/verify_release/ add anno * baldm0mma/verify_release/ add anno to secrets * baldm0mma/verify_release/ update commands to reflect node env image * baldm0mma/verify_release/ update annos * baldm0mma/verify_release/ update tag variable * baldm0mma/verify release/ add whitespace * baldm0mma/verify_releases/ update with no bash loops * baldm0mma/verify_release/ update exit logic * baldm0mma/verify_release/ remove annos * baldm0mma/verify_releasse/ resign and build yml * baldm0mma/verify_release/ remove annos * baldm0mma/verify_release/ update signature * baldm0mma/verify_release/ download curl * baldm0mma/verify_release/ remove temp key folder removal * baldm0mma/verify_release/ account for artifact download time * baldm0mma/verify_release/ add anno * baldm0mma/verify_release/ update 
location * baldm0mma/verify_release/ update script * baldm0mma/verify_release/ make drone * baldm0mma/verify_release/ update script for oss or ent * baldm0mma/verify_release/ add promotion option * baldm0mma/verify_release/ make drone * Update scripts/drone/events/release.star Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com> * Update scripts/drone/steps/lib.star Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com> * Update scripts/drone/steps/lib.star Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com> * baldm0mma/verify_release/ update drone * Update scripts/drone/events/release.star Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com> * baldm0mma/verify_release/ update drone * Update scripts/drone/steps/lib.star Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com> * baldm0mma/update drone * baldm0mma/verify_release/ update path * baldm0mma/verify_release/ make drone * baldm0mma/update drone * Apply suggestions from code review Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com> * baldm0mma/verify_release/ update for loop to account for failure * baldm0mma/verify_release/ make drone * baldm0mma/verify_release/ make format-drone * baldm0mma/verify_release/ rem unused var --------- Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com> --------- Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com> Co-authored-by: ismail simsek <ismailsimsek09@gmail.com> Co-authored-by: Jev Forsberg <46619047+baldm0mma@users.noreply.github.com>
package gpg
import (
"fmt"
"log"
"os"
"os/exec"
"path/filepath"
"github.com/grafana/grafana/pkg/build/config"
"github.com/grafana/grafana/pkg/build/fsutil"
)
// writeRpmMacros creates or truncates the .rpmmacros file inside homeDir so
// that rpm signs packages with gpg under the key name "Grafana".
//
// homeDir is used twice: as the directory that receives .rpmmacros and as the
// parent of the .gnupg directory named in %_gpg_path. gpgPassPath is placed
// in the signing command as the --passphrase-file argument, so only the path
// of the passphrase file is stored here, never the passphrase itself. Both
// values are interpolated verbatim, without quoting or escaping.
//
// The file is requested with mode 0600. Any write failure is returned wrapped
// together with the target path.
func writeRpmMacros(homeDir, gpgPassPath string) error {
	// "%%" renders as a literal "%" in the output; the two "%s" verbs receive
	// homeDir and gpgPassPath, in that order.
	const macrosTemplate = `%%_signature gpg
%%_gpg_path %s/.gnupg
%%_gpg_name Grafana
%%_gpgbin /usr/bin/gpg
%%__gpg_sign_cmd %%{__gpg} gpg --batch --yes --pinentry-mode loopback --no-armor --passphrase-file %s --no-secmem-warning -u "%%{_gpg_name}" -sbo %%{__signature_filename} %%{__plaintext_filename}
`

	macrosPath := filepath.Join(homeDir, ".rpmmacros")
	payload := []byte(fmt.Sprintf(macrosTemplate, homeDir, gpgPassPath))

	//nolint:gosec
	err := os.WriteFile(macrosPath, payload, 0600)
	if err == nil {
		return nil
	}

	return fmt.Errorf("failed to write %q: %w", macrosPath, err)
}
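// Import imports the GPG package signing key and prepares the current user's
// home directory for rpm signing.
//
// Steps, in order:
//  1. verify that cfg.GPGPrivateKey exists;
//  2. run "gpg --import" on it (no --homedir is passed, so gpg uses its
//     default keyring location);
//  3. write ~/.rpmmacros through writeRpmMacros, referencing cfg.GPGPassPath
//     as the passphrase file;
//  4. copy cfg.GPGPublicKey to ~/.rpmdb/pubkeys/grafana.key.
//
// The first failing step aborts the function and its error is returned;
// earlier steps are not undone. cfg.GPGPassPath is only written into the
// macros file; its existence is not checked here.
func Import(cfg config.Config) error {
	exists, err := fsutil.Exists(cfg.GPGPrivateKey)
	if err != nil {
		return err
	}
	if !exists {
		return fmt.Errorf("GPG private key file doesn't exist: %q", cfg.GPGPrivateKey)
	}

	// Only the path of the key is logged, not its contents.
	log.Printf("Importing GPG key %q...", cfg.GPGPrivateKey)
	// The key path is passed to gpg as one argv element and no shell is
	// involved; the value is taken from cfg as-is and is not validated here.
	// nolint:gosec
	cmd := exec.Command("gpg", "--batch", "--yes", "--no-tty", "--allow-secret-key-import", "--import",
		cfg.GPGPrivateKey)
	if output, err := cmd.CombinedOutput(); err != nil {
		// Keep the underlying error: when gpg cannot be started at all the
		// captured output is empty and err is the only diagnostic.
		return fmt.Errorf("failed to import private key: %w: %s", err, output)
	}

	homeDir, err := os.UserHomeDir()
	if err != nil {
		return err
	}

	if err := writeRpmMacros(homeDir, cfg.GPGPassPath); err != nil {
		return err
	}

	pubKeysPath := filepath.Join(homeDir, ".rpmdb", "pubkeys")
	if err := os.MkdirAll(pubKeysPath, 0700); err != nil {
		return fmt.Errorf("failed to make %s: %w", pubKeysPath, err)
	}
	gpgPub, err := os.ReadFile(cfg.GPGPublicKey)
	if err != nil {
		return fmt.Errorf("failed to read GPG public key: %w", err)
	}
	// Derive the destination from pubKeysPath so the directory created above
	// and the file written below cannot drift apart.
	pubKeyPath := filepath.Join(pubKeysPath, "grafana.key")
	// NOTE(review): the key is written read-only (0400). os.WriteFile opens the
	// target for writing, so a second run by a non-root user will probably be
	// refused on the existing file; confirm whether Import must be re-runnable.
	//nolint:gosec
	if err := os.WriteFile(pubKeyPath, gpgPub, 0400); err != nil {
		return fmt.Errorf("failed to write pub key to ~/.rpmdb: %w", err)
	}

	return nil
}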