This is an automated email from the ASF dual-hosted git repository.
rantunes pushed a commit to branch main
in repository
https://gitbox.apache.org/repos/asf/incubator-kie-kogito-pipelines.git
The following commit(s) were added to refs/heads/main by this push:
new 61910eb2 kie-issues#1387: Adjust pipelines to use the gpg key provided
by Apache to sign the artifacts (#1222)
61910eb2 is described below
commit 61910eb290a4f3fe4ac822f88898f815690d4068
Author: Rodrigo Antunes <[email protected]>
AuthorDate: Tue Jul 16 11:17:02 2024 -0300
kie-issues#1387: Adjust pipelines to use the gpg key provided by Apache to
sign the artifacts (#1222)
* Adjust pipelines to use the gpg key provided by Apache to sign the
artifacts
* Fix import gpg key function
---
.ci/jenkins/Jenkinsfile.zip.sources | 27 +++++++++-------------
.ci/jenkins/config/branch.yaml | 4 ++--
.../vars/release.groovy | 17 ++++++++++++++
3 files changed, 30 insertions(+), 18 deletions(-)
diff --git a/.ci/jenkins/Jenkinsfile.zip.sources
b/.ci/jenkins/Jenkinsfile.zip.sources
index 011835fc..617ecbce 100644
--- a/.ci/jenkins/Jenkinsfile.zip.sources
+++ b/.ci/jenkins/Jenkinsfile.zip.sources
@@ -23,17 +23,16 @@ pipeline {
archiveArtifacts artifacts: "**/${SOURCES_FILE_NAME}"
}
}
-// stage('Sign and upload the sources.zip') {
-// steps {
-// script {
-// // TODO: Uncomment (and adjust) when we have required
credentials available
-//
release.gpgImportKeyFromFileWithPassword(getReleaseGpgSignKeyCredsId(),
getReleaseGpgSignPassphraseCredsId())
-//
release.gpgSignFileDetachedSignatureWithPassword(SOURCES_FILE_NAME,
SIGNATURE_FILE_NAME, getReleaseGpgSignPassphraseCredsId())
-//
release.svnUploadFileToRepository(getReleaseSvnRepository(),
getReleaseSvnCredsId(), TARGET_VERSION, SOURCES_FILE_NAME, SIGNATURE_FILE_NAME)
-// }
-// archiveArtifacts artifacts: "**/${SIGNATURE_FILE_NAME}"
-// }
-// }
+ stage('Sign and upload the sources.zip') {
+ steps {
+ script {
+
release.gpgImportKeyFromStringWithoutPassword(getReleaseGpgSignKeyCredsId())
+
release.gpgSignFileDetachedSignatureWithoutPassword(SOURCES_FILE_NAME,
SIGNATURE_FILE_NAME)
+
release.svnUploadFileToRepository(getReleaseSvnRepository(),
getReleaseSvnCredsId(), TARGET_VERSION, SOURCES_FILE_NAME, SIGNATURE_FILE_NAME)
+ }
+ archiveArtifacts artifacts: "**/${SIGNATURE_FILE_NAME}"
+ }
+ }
}
}
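Review bot: The re-enabled stage uploads the signature to SVN without checking it first, although the shared library already provides `gpgIsValidDetachedSignature(file, signature)`. Between the sign and upload calls I would add `if (!release.gpgIsValidDetachedSignature(SOURCES_FILE_NAME, SIGNATURE_FILE_NAME)) { error('Detached signature verification failed') }`, so a broken or empty signature never reaches the release repository. The imported secret key also stays in the agent's default GnuPG keyring after the stage, because nothing here removes it. Unless the agents are single-use, consider pointing `GNUPGHOME` at a temporary directory for this stage and deleting it in a `post { always { ... } }` block. The enclosing `pipeline` block starts outside this hunk.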
@@ -42,14 +41,10 @@ String getReleaseGpgSignKeyCredsId() {
return env.RELEASE_GPG_SIGN_KEY_CREDS_ID
}
-String getReleaseGpgSignPassphraseCredsId() {
- return env.RELEASE_GPG_SIGN_PASSPHRASE_CREDS_ID
-}
-
String getReleaseSvnRepository() {
return env.RELEASE_SVN_REPOSITORY
}
String getReleaseSvnCredsId() {
return env.RELEASE_SVN_CREDS_ID
-}
\ No newline at end of file
+}
diff --git a/.ci/jenkins/config/branch.yaml b/.ci/jenkins/config/branch.yaml
index ade29493..a7a76e16 100644
--- a/.ci/jenkins/config/branch.yaml
+++ b/.ci/jenkins/config/branch.yaml
@@ -90,8 +90,8 @@ cloud:
release:
gpg:
sign:
- key-credentials-id: 'asf-release-gpg-signing-key'
- passphrase-credentials-id: 'asf-release-gpg-signing-key-passphrase'
+ key-credentials-id: 'GPG_KEY'
+ passphrase-credentials-id: ''
svn:
staging-repository: <TO-BE-DEFINED>
credentials-id: <TO-BE-DEFINED>
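Review bot: `passphrase-credentials-id: ''` is left behind as an empty value even though this commit removes `getReleaseGpgSignPassphraseCredsId()` from the Jenkinsfile. If another job still reads this setting and calls the `...WithPassword` helpers, it would presumably pass an empty credentials id to `withCredentials`. Either drop the key or annotate it, e.g. `# unused: the ASF-provided signing key has no passphrase`. Because the key is passphrase-less, its only protection is the access control on the `GPG_KEY` credential, so it is worth confirming that credential is scoped to the release jobs only.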
diff --git a/jenkins-pipeline-shared-libraries/vars/release.groovy
b/jenkins-pipeline-shared-libraries/vars/release.groovy
index 1af2d4c6..6bb9564e 100644
--- a/jenkins-pipeline-shared-libraries/vars/release.groovy
+++ b/jenkins-pipeline-shared-libraries/vars/release.groovy
@@ -13,12 +13,29 @@ def gpgImportKeyFromFileWithPassword(String
gpgKeyCredentialsId, String gpgKeyPa
}
}
+def gpgImportKeyFromStringWithoutPassword(String gpgKeyCredentialsId) {
+ withCredentials([string(credentialsId: gpgKeyCredentialsId, variable:
'SIGNING_KEY')]) {
+ // copy the key to singkey.gpg file in *plain text* so we can import it
+ sh """
+ echo "$SIGNING_KEY" > $WORKSPACE/signkey.gpg
+ # Please do not remove list keys command. When gpg is run for the
first time, it may initialize some internals.
+ gpg --list-keys
+ gpg --batch --pinentry-mode=loopback --import signkey.gpg
+ rm $WORKSPACE/signkey.gpg
+ """
+ }
+}
+
def gpgSignFileDetachedSignatureWithPassword(String file, String
signatureTarget, String gpgKeyPasswordCredentialsId) {
withCredentials([string(credentialsId: gpgKeyPasswordCredentialsId,
variable: 'SIGNING_KEY_PASSWORD')]) {
sh "gpg --batch --sign --pinentry-mode=loopback --passphrase
\"${SIGNING_KEY_PASSWORD}\" --output ${signatureTarget} --detach-sig ${file}"
}
}
+def gpgSignFileDetachedSignatureWithoutPassword(String file, String
signatureTarget) {
+ sh "gpg --batch --sign --pinentry-mode=loopback --output
${signatureTarget} --detach-sig ${file}"
+}
+
boolean gpgIsValidDetachedSignature(String file, String signature) {
return sh(returnStatus: true, script: "gpg --batch --verify ${signature}
${file}") == 0
}
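Review bot: In `gpgImportKeyFromStringWithoutPassword` the private key is interpolated by Groovy into the `sh """…"""` text, so the key material becomes part of the generated script, and a `"`, `$` or backtick in the value would be interpreted by the shell. Jenkins warns against this pattern for credentials. The key is also written unencrypted to `$WORKSPACE/signkey.gpg` with the default umask, the import reads the relative `signkey.gpg` (the same file only when the step runs in the workspace root), and with the default `-e` shell the `rm` is skipped if the import fails, leaving the key on disk. A single-quoted script that pipes the variable to `gpg --import` on stdin avoids both the interpolation and the file. The same quoting concern applies in a milder form to the unquoted `${signatureTarget}` and `${file}` in `gpgSignFileDetachedSignatureWithoutPassword`, and the comment's `singkey.gpg` is a typo.
```groovy
def gpgImportKeyFromStringWithoutPassword(String gpgKeyCredentialsId) {
    withCredentials([string(credentialsId: gpgKeyCredentialsId, variable: 'SIGNING_KEY')]) {
        // Single-quoted script: the shell (not Groovy) expands SIGNING_KEY, and the
        // key is fed to gpg on stdin so it is never written to the workspace.
        sh '''
            set +x
            # Please do not remove list keys command. When gpg is run for the first time, it may initialize some internals.
            gpg --list-keys
            printf '%s\\n' "$SIGNING_KEY" | gpg --batch --pinentry-mode=loopback --import
        '''
    }
}
```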