Unverified Commit fadd6ac7 authored by Chris Lamb's avatar Chris Lamb 💬 Committed by Holger Levsen

reproducible Debian: Greate GPG key on nodes at deploy time, not "lazily".



Signed-off-by: Chris Lamb's avatarChris Lamb <lamby@debian.org>
Signed-off-by: Holger Levsen's avatarHolger Levsen <holger@layer-acht.org>
parent d7866ad7
...@@ -774,24 +774,6 @@ check_buildinfo() { ...@@ -774,24 +774,6 @@ check_buildinfo() {
} }
sign_buildinfo() { sign_buildinfo() {
# Greate GPG key if it does not already exist
if ! gpg --with-colons --fixed-list-mode --list-secret-keys | cut -d: -f1 | grep -qsFx 'sec' >/dev/null 2>&1
then
log_info "Generating GPG key"
gpg --no-tty --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: $(hostname -f)
Name-Comment: Automatically generated key for signing .buildinfo files
Expire-Date: 0
%no-ask-passphrase
%no-protection
%commit
EOF
fi
log_info "Signing $BUILDINFO as $BUILDINFO_SIGNED" log_info "Signing $BUILDINFO as $BUILDINFO_SIGNED"
gpg --output=$BUILDINFO_SIGNED --clearsign $BUILDINFO gpg --output=$BUILDINFO_SIGNED --clearsign $BUILDINFO
log_info "Signed $BUILDINFO as $BUILDINFO_SIGNED" log_info "Signed $BUILDINFO as $BUILDINFO_SIGNED"
...@@ -678,6 +678,29 @@ if [ "$HOSTNAME" = "jenkins" ] || [ "$HOSTNAME" = "jenkins-test-vm" ] ; then ...@@ -678,6 +678,29 @@ if [ "$HOSTNAME" = "jenkins" ] || [ "$HOSTNAME" = "jenkins-test-vm" ] ; then
rm -f $TMPFILE rm -f $TMPFILE
fi fi
# Greate GPG key on nodes if they do not already exist in order to sign .buildinfo files
if [ "$HOSTNAME" != "jenkins" ] || [ "$HOSTNAME" = "jenkins-test-vm" ] ; then
if gpg --with-colons --fixed-list-mode --list-secret-keys | cut -d: -f1 | grep -qsFx 'sec' >/dev/null 2>&1
then
explain "$(date) Not generating GPG key as one already exists"
else
explain "$(date) Generating GPG key"
gpg --no-tty --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: $(hostname -a)
Name-Comment: Automatically generated key for signing .buildinfo files
Expire-Date: 0
%no-ask-passphrase
%no-protection
%commit
EOF
fi
fi
# #
# almost finally… # almost finally…
# #
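Review bot: The guard `if [ "$HOSTNAME" != "jenkins" ] || [ "$HOSTNAME" = "jenkins-test-vm" ] ; then` is true on every host except jenkins itself, so the second test adds nothing — if jenkins-test-vm was meant to be excluded too, the line should read `if [ "$HOSTNAME" != "jenkins" ] && [ "$HOSTNAME" != "jenkins-test-vm" ] ; then`, and if it was meant to be included, `[ "$HOSTNAME" != "jenkins" ]` alone already says so. `Name-Real: $(hostname -a)` replaces the `hostname -f` used by the sign_buildinfo() block this commit removes; `hostname -a` prints alias names, which may be empty or several words on a node, whereas `-f` yields one stable FQDN, so the key's user ID may come out empty (which gpg rejects in batch mode) or differ from what sign_buildinfo() previously produced. The key is created with `%no-protection` and `Expire-Date: 0`, presumably the intended trade-off for unattended signing on a node; a one-line comment saying so, plus an export of the public key or at least its fingerprint to a known location at the same point, would let anyone verifying a .buildinfo signature tell which node produced it, since sign_buildinfo() now relies entirely on this deploy-time step and no longer creates a key itself. The existence check `grep -qsFx 'sec'` matches any secret key, not one for this host, and the trailing `>/dev/null 2>&1` is redundant after `grep -q`.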