Add GPG Signing For Packages Fixes (#420) (#438)
sethAmazon authored Apr 13, 2022
1 parent eada43b commit 5eeb589
Showing 3 changed files with 59 additions and 1 deletion.
55 changes: 55 additions & 0 deletions .github/workflows/integrationTest.yml
Expand Up @@ -10,6 +10,9 @@ env:
KEY_NAME: ${{ secrets.KEY_NAME }}
VPC_SECURITY_GROUPS_IDS: ${{ secrets.VPC_SECURITY_GROUPS_IDS }}
IAM_ROLE: ${{ secrets.IAM_ROLE }}
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
PASSPHRASE: ${{ secrets.PASSPHRASE }}
GPG_KEY_NAME: ${{ secrets.GPG_KEY_NAME }}

on:
push:
Expand Down Expand Up @@ -70,6 +73,15 @@ jobs:
if: steps.cached_binaries.outputs.cache-hit != 'true'
run: make build package-rpm package-deb package-win package-darwin

- uses: olafurpg/setup-gpg@v3

- name: Sign packages
if: steps.cached_binaries.outputs.cache-hit != 'true'
run: |
export GPG_TTY=$(tty)
echo "${GPG_PRIVATE_KEY}" | gpg --batch --import -
for f in $(find build/bin/); do if [ ! -d $f ]; then echo "Signing file $f" && echo "${PASSPHRASE}" | gpg --detach-sign --passphrase-fd 0 --batch --default-key "${GPG_KEY_NAME}" $f ; fi ; done
- name: Upload to s3
if: steps.cached_binaries.outputs.cache-hit != 'true'
run: aws s3 cp build/bin s3://${S3_INTEGRATION_BUCKET}/integration-test/binary/${{ github.sha }} --recursive
Expand Down Expand Up @@ -214,6 +226,49 @@ jobs:
cd buildMSI
.\create_msi.ps1 ${{ github.sha }} ${{ secrets.S3_INTEGRATION_BUCKET }}
#GH actions set up gpg only works on ubuntu as of this commit date
GPGSignMacAndWindowsPackage:
name: 'SignMacAndWindowsPackage'
runs-on: ubuntu-latest
needs: [BuildMSI, MakeMacPkg]
steps:
- uses: actions/checkout@v2
- uses: olafurpg/setup-gpg@v3

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.TERRAFORM_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.TERRAFORM_AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-2

- name: Cache sig
id: cached_sig
uses: actions/cache@v2
with:
key: "cached_sig_${{ github.sha }}"
path: go.mod

- name: Download from s3
if: steps.cached_sig.outputs.cache-hit != 'true'
run: |
mkdir packages
aws s3 cp s3://${S3_INTEGRATION_BUCKET}/integration-test/packaging/${{ github.sha }}/amazon-cloudwatch-agent.msi ./packages/amazon-cloudwatch-agent.msi
aws s3 cp s3://${S3_INTEGRATION_BUCKET}/integration-test/packaging/${{ github.sha }}/amazon-cloudwatch-agent.pkg ./packages/amazon-cloudwatch-agent.pkg
- name: Sign packages
if: steps.cached_sig.outputs.cache-hit != 'true'
run: |
export GPG_TTY=$(tty)
echo "${GPG_PRIVATE_KEY}" | gpg --batch --import -
for f in $(find packages/); do if [ ! -d $f ]; then echo "Signing file $f" && echo "${PASSPHRASE}" | gpg --detach-sign --passphrase-fd 0 --batch --default-key "${GPG_KEY_NAME}" $f ; fi ; done
- name: Upload to s3
if: steps.cached_sig.outputs.cache-hit != 'true'
run: |
aws s3 cp packages/amazon-cloudwatch-agent.msi.sig s3://${S3_INTEGRATION_BUCKET}/integration-test/packaging/${{ github.sha }}/amazon-cloudwatch-agent.msi.sig
aws s3 cp packages/amazon-cloudwatch-agent.pkg.sig s3://${S3_INTEGRATION_BUCKET}/integration-test/packaging/${{ github.sha }}/amazon-cloudwatch-agent.pkg.sig
StartLocalStack:
name: 'StartLocalStack'
runs-on: ubuntu-latest
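Review bot: The GPG private key and its passphrase are added as workflow-level `env:` (the three lines after `IAM_ROLE`), which exposes them to every step of every job in this workflow — including third-party actions such as `olafurpg/setup-gpg@v3` and `aws-actions/configure-aws-credentials@v1` — rather than only to the two `Sign packages` steps that need them. Drop them from the top-level `env:` and give each `Sign packages` step its own `env:` block with `GPG_PRIVATE_KEY`, `PASSPHRASE` and `GPG_KEY_NAME`, so the signing material is scoped to the commands that use it. Relatedly, `GPGSignMacAndWindowsPackage` signs whatever `amazon-cloudwatch-agent.msi`/`.pkg` it pulls from the integration bucket without checking that it is the artifact `BuildMSI`/`MakeMacPkg` produced, so anyone with write access to that S3 prefix between upload and signing obtains a validly signed package; having the build jobs publish a SHA-256 alongside the artifact and verifying it before `gpg --detach-sign` closes that window. Finally, `for f in $(find build/bin/)` word-splits paths and `$f` is unquoted, so `find build/bin -type f -exec ... {} \;` (or a `-print0 | xargs -0` pipeline) is safer, and the setup-gpg action is pinned to a mutable tag rather than a commit SHA, which is a supply-chain exposure for a step that handles the release signing key.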
2 changes: 1 addition & 1 deletion integration/pkg/tools/create_pkg.sh
Expand Up @@ -26,7 +26,7 @@ mkdir artifact
sudo pkgbuild --root /tmp/AmazonCWAgentPackage/ --install-location "/" --scripts /tmp/AmazonAgentScripts --identifier com.amazon.cloudwatch.agent --version=$AGENT_VERSION artifact/amazon-cloudwatch-agent.pkg
aws s3 cp ./artifact/amazon-cloudwatch-agent.pkg "s3://$1/integration-test/packaging/$2/amazon-cloudwatch-agent.pkg"

#TODO uncomment when signing is implemented
#TODO uncomment for mac specific signing gpg is supported
## create a package.tar.gz for the uploding it to signing bucket
#tar -cvzf artifact.gz -C artifact .
#tar -cvzf package.tar.gz manifest.yaml artifact.gz
3 changes: 3 additions & 0 deletions integration/terraform/ec2/linux/README.md
Expand Up @@ -141,4 +141,7 @@ This process generates a new ami we can then use for testing
KEY_NAME: ${Key pair name for ec2}
VPC_SECURITY_GROUPS_IDS: ${Security group within your vpc the value should look like ["sg-013585129c1f92bf0"]}
IAM_ROLE: ${Role the ec2 instance should assume}
GPG_PRIVATE_KEY: ${Your gpg private key}
PASSPHRASE: ${Passpharse for your gpg key}
GPG_KEY_NAME: ${Name of your gpg key}
```
