Adds a package signing task #189
base: master
Conversation
'find . -name "signed-artifacts" -prune -o -path "*/{subdir}/*.tar.bz2" -print0 | xargs -0 -I file mv file signed-artifacts/{subdir}\n' # NOQA | ||
'find . -name "signed-artifacts" -prune -o -path "*/noarch/*.tar.bz2" -print0 | xargs -0 -I file mv file signed-artifacts/noarch\n' # NOQA |
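Review bot: because `xargs -I file` runs one `mv` per match, each `mv` has a single source, so if `signed-artifacts/{subdir}` (or `signed-artifacts/noarch`) does not exist yet the first tarball is silently renamed to that path and every later one overwrites it. Create the directories before these lines (`mkdir -p signed-artifacts/{subdir} signed-artifacts/noarch`) and make the intent explicit with `mv -t signed-artifacts/{subdir}` or a trailing slash on the destination, so a missing directory fails loudly instead of losing artifacts.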
Do the .conda files need to be moved into the signed-artifacts directory as well?
I added lines for any .sig files, as well. I'm still a bit lost on why the add_consolidate_task is written the way it is. It seems like it is searching the build directory for files that shouldn't exist, but I'm wondering if it's supposed to be that way to 'consolidate' any artifacts from pre-req build operations.
conda.recipe/meta.yaml
@@ -19,6 +19,7 @@ requirements: | |||
- conda | |||
- contextlib2 | |||
- networkx >=2.0 | |||
- pynacl |
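Review bot: `pynacl` is added here as an unpinned run requirement of c3i itself, while the discussion on this PR places the signing inside the build container; if the library is only used by the signing task it belongs in that task's install step, and if it does stay in the recipe it should carry a minimum version like the neighbouring `networkx >=2.0`.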
Is pynacl needed to run c3i or is it a requirement for the signing task? If it is the latter this is not needed.
Thanks! I was wondering if this was the right place to insert the dependency. I do believe we'll need to add it somewhere, though.
If I understand it correctly, the docker image is where the signing will occur. So, either we need to build a new docker image with pynacl baked in, or we pip install pynacl (or conda install pynacl) right before using it each time.
It's a lightweight library, so I don't feel too bad about installing it each time we use it, but it's admittedly not ideal.
The alternative of building a new docker image doesn't seem great, either.
'find . -name "signed-artifacts" -prune -o -path "*/noarch/*.conda" -print0 | xargs -0 -I file mv file signed-artifacts/noarch\n' # NOQA | ||
'find . -name "signed-artifacts" -prune -o -path "*/{subdir}/*.sig" -print0 | xargs -0 -I file mv file signed-artifacts/{subdir}\n' # NOQA | ||
'find . -name "signed-artifacts" -prune -o -path "*/noarch/*.sig" -print0 | xargs -0 -I file mv file signed-artifacts/noarch\n' # NOQA | ||
'pushd signed-artifacts/{subdir} && TODO_SIGN_ARTIFACTS && popd\n' # NOQA |
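Review bot: `TODO_SIGN_ARTIFACTS` is emitted into the generated script as a bare word, so as written the task will try to execute a command of that name and fail; before merge replace it with a call to a checked-in signing script, and pass the hex signing seed through an environment variable rather than a command-line argument so it never appears in `set -x` traces, `ps` output or the builder log. Note also that the `*.sig` moves on the two lines above run before this signing step, so they can only relocate pre-existing signature files, and `pushd`/`popd` assume bash rather than POSIX sh.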
Any suggestions on how to implement the TODO_SIGN_ARTIFACTS piece?
I'm planning to pass in the ED25519 signing key secret as hex. It's pretty simple (~10 lines of python) to use the nacl module to create a signing key with ascii hex secrets and write out a signature file - but I feel gross inlining python in shell this way.
I also don't want to leak the signing secret in builder output, and I'm not sure if doing it this way would do that.
This is how I'm creating sig files in Prefect.
So, you can see I need the json module and nacl. That should be it.
Adds a task to create package signatures for all built artifacts.

TODO:
- repodata.json to mimic prefect's feedstock build flow