Adding jobs for signing built packages

author Frank Brehm <frank.brehm@pixelpark.com>

Mon, 20 Dec 2021 15:14:01 +0000 (16:14 +0100)

committer Frank Brehm <frank.brehm@pixelpark.com>

Mon, 20 Dec 2021 15:14:01 +0000 (16:14 +0100)
author Frank Brehm <frank.brehm@pixelpark.com>
Mon, 20 Dec 2021 15:14:01 +0000 (16:14 +0100)
committer Frank Brehm <frank.brehm@pixelpark.com>
Mon, 20 Dec 2021 15:14:01 +0000 (16:14 +0100)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml

index 1b227b59253e105ce2d01e974b063deca9a52567..cbb115c01717f5fe7f33e0b873ce63d58c70d821 100644 (file)
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,7 +4,9 @@ stages:
    - test
    - linter
    - build
+  - sign
    - deploy
+  - notify
  
  variables:
    DEBFULLNAME: 'Frank Brehm'
@@ -25,7 +27,6 @@ variables:
    YUM_REPO_USER: 'rpm-repo'
    YUM_REPO_DIR_HTTP: '/Linux/yum/pixelpark'
    YUM_REPO_DIR: "/srv/www/repo${YUM_REPO_DIR_HTTP}"
-  YUM_REPO_ADDSIGN_SCRIPT: '/home/rpm-repo/bin/rpm-addsign-wrapper.expect'
    YUM_REPO_GPG_KEY_PUB: 'nada'
    YUM_REPO_GPG_KEY_SEC: 'nada'
  
@@ -272,3 +273,78 @@ build CentOS 8 with Python 3.8:
      - '.pkg-build-rules'
    image: centos:8
  
+.pkg-sign-rules:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+    - if: $CI_COMMIT_BRANCH == "master"
+    - if: $CI_COMMIT_BRANCH == "main"
+    - if: $CI_COMMIT_BRANCH == "develop"
+  stage: sign
+  tags:
+    - docker
+  image: centos:7
+  before_script:
+    - |
+      echo "All locales"
+      locale -a
+    - |
+      echo "Installing locales ..."
+      for l in de_AT de_CH de_DE en_CA en_GB en_IE en_IN en_US; do
+        echo "${l}.utf8"
+        localedef --charmap UTF-8 --inputfile "${l}" "${l}.utf8"
+      done
+    - |
+      echo "All locales"
+      locale -a
+      echo
+      echo "locales:"
+      locale
+    - |
+      echo "Exporting LC_ALL ..."
+      export LC_ALL="${USED_LC}"
+      echo
+      echo "locales:"
+      locale
+    - yum makecache
+    - yum --assumeyes upgrade
+    - yum --assumeyes install rpm-sign expect
+  script:
+    - ls -lA rpmdir/RPMS/*/* rpmdir/SRPMS/*
+    - echo -e "%_signature gpg\n%_gpg_name ${YUM_REPO_GPG_ID}" >$HOME/.rpmmacros
+    - echo "$YUM_REPO_GPG_KEY_PUB" | gpg --import
+    - gpg --list-public-keys
+    - echo "$YUM_REPO_GPG_KEY_SEC" | gpg --import
+    - gpg --list-secret-keys
+    - 'for f in $( find rpmdir -type f -iname "*.rpm" ) ; do echo "Signing ${f} ..."; ./rpm-addsign-wrapper.expect "${f}" "${YUM_REPO_GPG_PASSWD}"; done'
+    - |
+      echo "Signing packages ..."
+      for f in $( find rpmdir -type f -iname "*.rpm" ) ; do
+          echo "  * ${f} ..."
+          ./rpm-addsign-wrapper.expect "${f}" "${YUM_REPO_GPG_PASSWD}"
+      done
+    - |
+      echo "Results:"
+      find rpmdir/*RPMS -type f -print0 | xargs --null --no-run-if-empty ls -l -d --color=always
+  artifacts:
+    name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME"
+    paths:
+      - rpmdir/RPMS/*/*.rpm
+      - rpmdir/SRPMS/*.src.rpm
+    expire_in: '1 week'
+
+Sign EL 7 packages:
+  extends:
+    - '.pkg-sign-rules'
+  needs:
+    - 'build CentOS 7 with Python 3.6'
+  dependencies:
+    - 'build CentOS 7 with Python 3.6'
+
+Sign EL 8 packages:
+  extends:
+    - '.pkg-sign-rules'
+  needs:
+    - 'build CentOS 8 with Python 3.8'
+  dependencies:
+    - 'build CentOS 8 with Python 3.8'
+
author	Frank Brehm <frank.brehm@pixelpark.com>
	Mon, 20 Dec 2021 15:14:01 +0000 (16:14 +0100)
committer	Frank Brehm <frank.brehm@pixelpark.com>
	Mon, 20 Dec 2021 15:14:01 +0000 (16:14 +0100)