From 04449311128aeea214d00fac22532b48403db52b Mon Sep 17 00:00:00 2001 From: Hannes Wellmann Date: Mon, 6 Jan 2025 23:03:26 +0100 Subject: [PATCH] [I/Y-Build] Simplify GPG-signing in I/Y-builds Importing the secret-key is not necessary when signing with the bouncy-castle (BC) signer. Therefore just import the key where the gpg executable is used (i.e. when signing the list of artifact checksums). --- JenkinsJobs/Builds/build.jenkinsfile | 18 ------------------ JenkinsJobs/YBuilds/P_build.groovy | 19 ------------------- cje-production/P-build/mb220_buildSdkPatch.sh | 1 + cje-production/mbscripts/mb011_loadPGPKeys.sh | 8 -------- .../mbscripts/mb220_buildSdkPatch.sh | 1 + .../eclipse/extras/produceChecksum.sh | 9 +++++++++ .../pom.xml | 2 -- 7 files changed, 11 insertions(+), 47 deletions(-) delete mode 100644 cje-production/mbscripts/mb011_loadPGPKeys.sh diff --git a/JenkinsJobs/Builds/build.jenkinsfile b/JenkinsJobs/Builds/build.jenkinsfile index 6c00fb5d72d..5321114a4bb 100644 --- a/JenkinsJobs/Builds/build.jenkinsfile +++ b/JenkinsJobs/Builds/build.jenkinsfile @@ -97,24 +97,6 @@ spec: } } } - stage('Load PGP keys'){ - environment { - KEYRING = credentials('secret-subkeys-releng.asc') - KEYRING_PASSPHRASE = credentials('secret-subkeys-releng.asc-passphrase') - } - steps { - dir("${CJE_ROOT}/mbscripts") { - sh ''' - ./mb011_loadPGPKeys.sh 2>&1 | tee $logDir/mb011_loadPGPKeys.sh.log - if [[ ${PIPESTATUS[0]} -ne 0 ]] - then - echo "Failed in Load PGP keys" - exit 1 - fi - ''' - } - } - } stage('Export environment variables stage 1'){ steps { script { diff --git a/JenkinsJobs/YBuilds/P_build.groovy b/JenkinsJobs/YBuilds/P_build.groovy index 7171dbcaad6..a3b686b0d2c 100644 --- a/JenkinsJobs/YBuilds/P_build.groovy +++ b/JenkinsJobs/YBuilds/P_build.groovy 
@@ -105,25 +105,6 @@ spec: } } } - stage('Load PGP keys'){ - environment { - KEYRING = credentials('secret-subkeys-releng.asc') - KEYRING_PASSPHRASE = credentials('secret-subkeys-releng.asc-passphrase') - } - steps { - container('jnlp') { - sh \'\'\' - cd ${WORKSPACE}/eclipse.platform.releng.aggregator/eclipse.platform.releng.aggregator/cje-production/mbscripts - ./mb011_loadPGPKeys.sh 2>&1 | tee $logDir/mb011_loadPGPKeys.sh.log - if [[ ${PIPESTATUS[0]} -ne 0 ]] - then - echo "Failed in Load PGP keys" - exit 1 - fi - \'\'\' - } - } - } stage('Export environment variables stage 1'){ steps { container('jnlp') { diff --git a/cje-production/P-build/mb220_buildSdkPatch.sh b/cje-production/P-build/mb220_buildSdkPatch.sh index 351782b4f83..dc7a70d8cda 100755 --- a/cje-production/P-build/mb220_buildSdkPatch.sh +++ b/cje-production/P-build/mb220_buildSdkPatch.sh @@ -39,6 +39,7 @@ mvn -f eclipse.platform.releng.tychoeclipsebuilder/${PATCH_OR_BRANCH_LABEL}/pom. -Dtycho.debug.artifactcomparator \ -Dtycho.localArtifacts=ignore \ -Dcbi.jarsigner.continueOnFail=true \ + -Dtycho.pgp.signer=bc -Dtycho.pgp.signer.bc.secretKeys="${KEYRING}" \ -Djgit.dirtyWorkingTree=error \ -Dmaven.repo.local=$LOCAL_REPO \ -Djava.io.tmpdir=$CJE_ROOT/$TMP_DIR \ diff --git a/cje-production/mbscripts/mb011_loadPGPKeys.sh b/cje-production/mbscripts/mb011_loadPGPKeys.sh deleted file mode 100644 index 9a0ec9588a7..00000000000 --- a/cje-production/mbscripts/mb011_loadPGPKeys.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash - -#import gpg keys -gpg --batch --import "${KEYRING}" -for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u); -do - echo -e "5\ny\n" | gpg --batch --command-fd 0 --expert --edit-key "${fpr}" trust; -done \ No newline at end of file diff --git a/cje-production/mbscripts/mb220_buildSdkPatch.sh b/cje-production/mbscripts/mb220_buildSdkPatch.sh index 9d31b4fa63d..691a3f3e185 100755 --- a/cje-production/mbscripts/mb220_buildSdkPatch.sh 
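Review bot: The added `-Dtycho.pgp.signer.bc.secretKeys="${KEYRING}"` depends on `KEYRING` being bound in the environment of the stage that runs this script, but the only binding visible in this patch (`KEYRING = credentials('secret-subkeys-releng.asc')` in the removed 'Load PGP keys' stage) is deleted here and the stage that invokes mb220 is not in the diff; if it is not bound there the BC signer receives an empty path and the failure only surfaces at signing time. The same line is added to cje-production/mbscripts/mb220_buildSdkPatch.sh in the following hunk, so the same question applies there. Since the script no longer documents where the key comes from, a comment above the new line would help the next maintainer: `# KEYRING: path to the secret-subkey file injected by the Jenkins credentials binding; required by the BC signer`. The mvn invocation this flag belongs to starts before the hunk.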
+++ b/cje-production/mbscripts/mb220_buildSdkPatch.sh @@ -36,6 +36,7 @@ mvn clean verify -DskipTests=true ${MVN_ARGS} \ -Dtycho.debug.artifactcomparator \ -Dtycho.localArtifacts=ignore \ -Dcbi.jarsigner.continueOnFail=true \ + -Dtycho.pgp.signer=bc -Dtycho.pgp.signer.bc.secretKeys="${KEYRING}" \ -Djgit.dirtyWorkingTree=error \ -Dmaven.repo.local=$LOCAL_REPO \ -Djava.io.tmpdir=$CJE_ROOT/$TMP_DIR \ diff --git a/eclipse.platform.releng.tychoeclipsebuilder/eclipse/extras/produceChecksum.sh b/eclipse.platform.releng.tychoeclipsebuilder/eclipse/extras/produceChecksum.sh index 216149d4c46..4eda39dfa37 100755 --- a/eclipse.platform.releng.tychoeclipsebuilder/eclipse/extras/produceChecksum.sh +++ b/eclipse.platform.releng.tychoeclipsebuilder/eclipse/extras/produceChecksum.sh @@ -42,6 +42,15 @@ echo "[DEBUG] Producing GPG signatures starting." set -e if [ ! -z "${KEYRING_PASSPHRASE}" ] then + #import gpg keys in fresh gpg-homedir + gpg_home="${WORKSPACE}/tools/${client}/gpg/" + mkdir -p ${gpg_home} + alias gpg='gpg --homedir "${gpg_home}"' + gpg --batch --import "${KEYRING}" + for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u); do + echo -e "5\ny\n" | gpg --batch --command-fd 0 --expert --edit-key "${fpr}" trust; + done + gpg --detach-sign --armor --output ${allCheckSumsSHA512}.asc --batch --pinentry-mode loopback --passphrase-fd 0 ${allCheckSumsSHA512} <<< "${KEYRING_PASSPHRASE}" else # We don't treat as ERROR since would be normal in a "local build". diff --git a/eclipse.platform.releng.tychoeclipsebuilder/pom.xml b/eclipse.platform.releng.tychoeclipsebuilder/pom.xml index fc700bef7f1..2edd3ff9c7d 100644 --- a/eclipse.platform.releng.tychoeclipsebuilder/pom.xml +++ b/eclipse.platform.releng.tychoeclipsebuilder/pom.xml @@ -42,8 +42,6 @@ tycho-gpg-plugin ${tycho.version} - bc - b6d3ab9bcc641282 false true skip
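Review bot: The `alias gpg='gpg --homedir "${gpg_home}"'` line has no effect, so the import, the ownertrust loop and the detach-sign below it all run against the default `~/.gnupg` instead of the "fresh gpg-homedir" the comment announces: bash does not expand aliases in non-interactive scripts unless `expand_aliases` is set, and even then an alias defined inside an `if` body is not applied to the remaining lines of that already-parsed compound command. Exporting `GNUPGHOME` achieves what the alias intended and also covers the `gpg --detach-sign` call that is not otherwise touched. `mkdir -p ${gpg_home}` is unquoted (`WORKSPACE` and `client` come from outside the hunk) and the directory is created with default permissions, which gpg reports as unsafe for a homedir. Note also that the secret subkeys are now imported into a directory under `${WORKSPACE}` and nothing in the hunk removes them once the signature is produced; removing `${gpg_home}` after the detach-sign (or placing it under `mktemp -d` with a cleanup trap) would keep the key material from outliving the step. The enclosing `if [ ! -z "${KEYRING_PASSPHRASE}" ]` block continues past the hunk.
```shell
  #import gpg keys in fresh gpg-homedir
  gpg_home="${WORKSPACE}/tools/${client}/gpg/"
  mkdir -p -- "${gpg_home}"
  chmod 700 -- "${gpg_home}"
  # aliases are not expanded in a non-interactive script; GNUPGHOME redirects
  # every gpg call below (import, trust, detach-sign) to the fresh homedir
  export GNUPGHOME="${gpg_home}"
  gpg --batch --import "${KEYRING}"
  # … unchanged: ownertrust loop and gpg --detach-sign …
```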