From 22a922bf55b820e28a6b7377394ed65acc423de0 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Thu, 29 Dec 2022 17:45:05 +0100
Subject: [PATCH] Adding gitlab/sign-template.yaml and gitlab/sign-packages.yaml
---
gitlab/sign-packages.yaml | 33 ++++++++
gitlab/sign-template.yaml | 155 ++++++++++++++++++++++++++++++++++++++
2 files changed, 188 insertions(+)
create mode 100644 gitlab/sign-packages.yaml
create mode 100644 gitlab/sign-template.yaml
diff --git a/gitlab/sign-packages.yaml b/gitlab/sign-packages.yaml
new file mode 100644
index 0000000..ef8cb55
--- /dev/null
+++ b/gitlab/sign-packages.yaml
@@ -0,0 +1,33 @@
+---
+
+include:
+ - local: /gitlab/sign-template.yaml
+
+# ---------------------------
+Sign EL 7 packages:
+ extends:
+ - '.setup-sign-environment'
+ needs:
+ - 'build CentOS 7 with Python 3.6'
+ dependencies:
+ - 'build CentOS 7 with Python 3.6'
+
+# ---------------------------
+Sign EL 8 packages:
+ extends:
+ - '.setup-sign-environment'
+ needs:
+ - 'build CentOS 8 with Python 3.8'
+ dependencies:
+ - 'build CentOS 8 with Python 3.8'
+
+# ---------------------------
+Sign EL 9 packages:
+ extends:
+ - '.setup-sign-environment'
+ needs:
+ - 'build CentOS 9 with Python 3'
+ dependencies:
+ - 'build CentOS 9 with Python 3'
+
+# vim: et tabstop=2 expandtab shiftwidth=2 softtabstop=2 list
diff --git a/gitlab/sign-template.yaml b/gitlab/sign-template.yaml
new file mode 100644
index 0000000..be00ce9
--- /dev/null
+++ b/gitlab/sign-template.yaml
@@ -0,0 +1,155 @@
+---
+
+variables:
+ PKG_NAME: 'some_python_package'
+ TEST_LOCALES: 'en_US.UTF-8 de_DE.UTF-8'
+ USED_LC: 'en_US.utf8'
+ USED_YUM_REPO_GPG_PASSWD: ''
+ USED_YUM_REPO_GPG_KEY_PUB: 'nada'
+ USED_YUM_REPO_GPG_KEY_SEC: ''
+ YUM: 'dnf'
+ YUM_REPO_GPG_ID: 'C0E73F70'
+
+#---------------------------
+.setup-sign-environment:
+ stage: sign
+ rules:
+ - if: '$CI_COMMIT_TAG'
+ - if: $CI_COMMIT_BRANCH == "master"
+ - if: $CI_COMMIT_BRANCH == "main"
+ - if: $CI_COMMIT_BRANCH == "test"
+ - if: $CI_COMMIT_BRANCH =~ /test-.*/
+ - if: $CI_COMMIT_BRANCH =~ /build.*/
+ - if: $CI_COMMIT_BRANCH == "develop"
+ tags:
+ - docker
+ artifacts:
+ name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME"
+ paths:
+ - rpmdir/RPMS/*/*.rpm
+ - rpmdir/SRPMS/*.src.rpm
+ expire_in: '1 week'
+ image: dokken/centos-stream-8
+ script:
+ - |
+ echo "All locales"
+ locale -a
+ - |
+ echo -e "\e[0Ksection_start:$( date +%s ):install_locales[collapsed=true]\r\e[0KConfiguring and installing locales ..."
+ if [[ -n "${TEST_LOCALES}" ]] ; then
+ if echo "${TEST_LOCALES}" | grep -w 'en_US.UTF-8' >/dev/null ; then
+ USED_LOCALES="${TEST_LOCALES}"
+ else
+ USED_LOCALES="en_US.UTF-8 ${TEST_LOCALES}"
+ fi
+ else
+ USED_LOCALES="en_US.UTF-8"
+ fi
+ packages="glibc-all-langpacks"
+ for locale in ${TEST_LOCALES} ; do
+ my_locale=$( echo "${locale}" | cut -d. -f1 )
+ if [[ "${my_locale}" =~ ^en_GB|pt_BR|zh_CN|zh_TW$ ]] ; then
+ lang="${my_locale}"
+ else
+ lang=$( echo "${my_locale}" | cut -d_ -f1 )
+ fi
+ langpack="langpacks-${lang}"
+ if echo "${packages}" | grep -w "${langpack}" >/dev/null ; then
+ :
+ else
+ packages+=" ${langpack}"
+ fi
+ done
+ echo "Packages to install: ${packages}"
+ ${YUM} --assumeyes install ${packages}
+ echo -e "\e[0Ksection_end:$( date +%s ):install_locales\r\e[0K"
+ - |
+ echo -e "\e[0Ksection_start:$( date +%s ):all_locales[collapsed=true]\r\e[0KAll locales"
+ echo "All locales"
+ locale -a
+ echo
+ echo "locales:"
+ locale
+ echo -e "\e[0Ksection_end:$( date +%s ):all_locales\r\e[0K"
+ - |
+ echo
+ echo "Exporting LC_ALL ..."
+ export LC_ALL="${USED_LC}"
+ export LANG="${USED_LC}"
+ echo
+ echo "locales:"
+ locale
+ - |
+ echo -e "\e[0Ksection_start:$( date +%s ):yum_upgrade[collapsed=true]\r\e[0KExecuting: ${YUM} upgrade ..."
+ ${YUM} --assumeyes upgrade
+ echo -e "\e[0Ksection_end:$( date +%s ):yum_upgrade\r\e[0K"
+ - |
+ echo -e "\e[0Ksection_start:$( date +%s ):install_additional[collapsed=true]\r\e[0KExecuting: Installing additional packages ..."
+ install_packages="rpm-sign expect"
+ echo "Additonal packages to install: ${install_packages}"
+ ${YUM} --assumeyes install ${install_packages}
+ echo -e "\e[0Ksection_end:$( date +%s ):install_additional\r\e[0K"
+ - |
+ echo "Generating $HOME/.rpmmacros ..."
+ GPG_CMD="gpg --verbose --no-armor --batch --pinentry-mode loopback --no-secmem-warning"
+ GPG_CMD+=" --passphrase '${USED_YUM_REPO_GPG_PASSWD}'"
+ GPG_CMD+=" -u \"%{_gpg_name}\" -sbo %{__signature_filename} %{__plaintext_filename}"
+ echo
+ echo "%__python3 /bin/python${PYTHON_VERSION_DOT}" > "${HOME}/.rpmmacros"
+ echo "%_signature gpg" >> "${HOME}/.rpmmacros"
+ echo "%_gpg_name ${YUM_REPO_GPG_ID}" >> "${HOME}/.rpmmacros"
+ echo "%__gpg_sign_cmd %{__gpg} ${GPG_CMD}" >> "${HOME}/.rpmmacros"
+ echo "Generated $HOME/.rpmmacros:"
+ echo "--------->"
+ cat $HOME/.rpmmacros
+ echo "<---------"
+ echo
+ - |
+ echo "Tweaking /usr/lib/rpm/rpmpopt-* ..."
+ ls -l /usr/lib/rpm/rpmpopt-*
+ rpmoptfile=$( ls -1 /usr/lib/rpm/rpmpopt-* | head -n 1 )
+ rpmoptfile_base=$( basename "${rpmoptfile}" )
+ rpmoptfile_dir=$( dirname "${rpmoptfile}" )
+ rpmoptfile_bak="${rpmoptfile_dir}/.~${rpmoptfile_base}.bak"
+ cp -v -i "${rpmoptfile}" "${rpmoptfile_bak}"
+ sed -i -e 's/\(--addsign.*\) <.*/\1\x27 \\/' "${rpmoptfile}"
+ ls -l "${rpmoptfile}" "${rpmoptfile_bak}"
+ diff -u "${rpmoptfile_bak}" "${rpmoptfile}" || true
+ echo
+ - |
+ echo
+ echo "Importing public GPG key ..."
+ echo "${USED_YUM_REPO_GPG_KEY_PUB}" | gpg --import
+ gpg --list-public-keys
+ - |
+ echo
+ echo "Importing secret GPG key ..."
+ pw='******'
+ sec_key='******** Secret key ********'
+ if [[ -z "${USED_YUM_REPO_GPG_PASSWD}" ]] ; then
+ pw=''
+ fi
+ if [[ -z "${USED_YUM_REPO_GPG_KEY_SEC}" ]] ; then
+ sec_key=''
+ fi
+ echo "echo '${sec_key}' | gpg --import --batch --pinentry-mode loopback --passphrase '${pw}'"
+ echo "${USED_YUM_REPO_GPG_KEY_SEC}" | gpg --import --batch --pinentry-mode loopback --passphrase "${USED_YUM_REPO_GPG_PASSWD}"
+ gpg --list-secret-keys
+ - |
+ echo
+ echo "Signing packages ..."
+ for f in $( find rpmdir -type f -iname "*.rpm" ) ; do
+ echo " * ${f} ..."
+ echo "Checking existing signature:"
+ rpm --checksig "${f}" || true
+ rpmsign --addsign "${f}"
+ echo "Checking new signature:"
+ rpm --checksig "${f}" || true
+ echo "Show signature:"
+ rpm -q --qf '%{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p "${f}" || true
+ done
+ - |
+ echo "Results:"
+ find rpmdir/*RPMS -type f -print0 | xargs --null --no-run-if-empty ls -l -d --color=always
+
+# vim: et tabstop=2 expandtab shiftwidth=2 softtabstop=2 list
--
2.39.5
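Review bot: The signing passphrase is printed to the job log: the `.rpmmacros` step bakes `--passphrase '${USED_YUM_REPO_GPG_PASSWD}'` into `GPG_CMD`, writes it to `${HOME}/.rpmmacros`, and then dumps the whole file with `cat $HOME/.rpmmacros`, which undoes the masking the later secret-key step does with `pw='******'`. The smallest fix is to redact while showing the file, e.g. `sed -e "s/--passphrase '[^']*'/--passphrase '[redacted]'/" "${HOME}/.rpmmacros"` in place of the `cat`. Keeping the secret out of process argv as well (the `gpg --import ... --passphrase "${USED_YUM_REPO_GPG_PASSWD}"` line, and every `gpg` that `rpmsign --addsign` spawns through `%__gpg_sign_cmd`) would mean switching both to `--passphrase-file` with a `mktemp`-created file. Two smaller points in the same hunk: `USED_LOCALES` is computed in the `if`/`else` but the loop iterates `${TEST_LOCALES}`, so the `en_US.UTF-8` fallback never reaches the langpack list, and `PYTHON_VERSION_DOT` used in the `%__python3` line is not among this file's `variables:`, so it presumably comes from the including pipeline and deserves a comment saying so.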