From 5eeb5896438c8d198a9d713ff7e4ed81581d37e2 Mon Sep 17 00:00:00 2001
From: Seth L <81644108+sethAmazon@users.noreply.github.com>
Date: Wed, 13 Apr 2022 11:30:52 -0400
Subject: [PATCH] Add GPG Signing For Packages Fixes (#420) (#438)

---
 .github/workflows/integrationTest.yml | 55 +++++++++++++++++++++++
 integration/pkg/tools/create_pkg.sh | 2 +-
 integration/terraform/ec2/linux/README.md | 3 ++
 3 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/integrationTest.yml b/.github/workflows/integrationTest.yml
index 38cab67da1..55c01468f9 100644
--- a/.github/workflows/integrationTest.yml
+++ b/.github/workflows/integrationTest.yml
@@ -10,6 +10,9 @@ env:
 KEY_NAME: ${{ secrets.KEY_NAME }}
 VPC_SECURITY_GROUPS_IDS: ${{ secrets.VPC_SECURITY_GROUPS_IDS }}
 IAM_ROLE: ${{ secrets.IAM_ROLE }}
+ GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+ PASSPHRASE: ${{ secrets.PASSPHRASE }}
+ GPG_KEY_NAME: ${{ secrets.GPG_KEY_NAME }}
 
 on:
 push:
@@ -70,6 +73,15 @@ jobs:
 if: steps.cached_binaries.outputs.cache-hit != 'true'
 run: make build package-rpm package-deb package-win package-darwin
 
+ - uses: olafurpg/setup-gpg@v3
+
+ - name: Sign packages
+ if: steps.cached_binaries.outputs.cache-hit != 'true'
+ run: |
+ export GPG_TTY=$(tty)
+ echo "${GPG_PRIVATE_KEY}" | gpg --batch --import -
+ for f in $(find build/bin/); do if [ ! -d $f ]; then echo "Signing file $f" && echo "${PASSPHRASE}" | gpg --detach-sign --passphrase-fd 0 --batch --default-key "${GPG_KEY_NAME}" $f ; fi ; done
+
 - name: Upload to s3
 if: steps.cached_binaries.outputs.cache-hit != 'true'
 run: aws s3 cp build/bin s3://${S3_INTEGRATION_BUCKET}/integration-test/binary/${{ github.sha }} --recursive
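Review bot: The three new workflow-level `env:` entries expose the GPG private key, its passphrase and the key name to every step of every job in this workflow, including the third-party actions (`olafurpg/setup-gpg@v3`, `aws-actions/configure-aws-credentials@v1`, `actions/cache@v2`) and steps that never sign anything. Only the two `Sign packages` steps read these variables, so they belong in a step-level `env:` on those steps — `env:` / `GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}` / `PASSPHRASE: ${{ secrets.PASSPHRASE }}` / `GPG_KEY_NAME: ${{ secrets.GPG_KEY_NAME }}` — with the three lines removed from the top-level block. That keeps the signing material out of the environment of a compromised or loosely pinned action and out of any step that dumps its environment for debugging. The `env:` block itself starts above this hunk.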
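Review bot: In the new `Sign packages` step, `--passphrase-fd 0` together with `--batch` is, on GnuPG 2.1 and later, only honoured when `--pinentry-mode loopback` is also given; whether `olafurpg/setup-gpg@v3` configures the agent for loopback is not visible here, so without that flag the step may stall on a pinentry prompt or fail under `--batch` instead of reading the piped passphrase. The step also never checks its own output: a `gpg --verify "$f.sig" "$f"` after each signature would fail the job if the wrong key or a stale keyring was used, before the `.sig` files are uploaded alongside the binaries. The unquoted `$f` in `[ ! -d $f ]` and the `for f in $(find …)` loop word-split on whitespace in paths; `find … -type f` piped into `while read -r` avoids both. The same three points apply to the `Sign packages` step of the `GPGSignMacAndWindowsPackage` job in the next hunk, and since this step now holds a private signing key, the third-party `olafurpg/setup-gpg@v3` should be pinned to a full commit SHA rather than a movable tag. The enclosing job starts above this hunk.
```yaml
      - name: Sign packages
        if: steps.cached_binaries.outputs.cache-hit != 'true'
        run: |
          export GPG_TTY=$(tty)
          echo "${GPG_PRIVATE_KEY}" | gpg --batch --import -
          # -type f replaces the [ ! -d ] test; read -r keeps paths with spaces intact
          find build/bin/ -type f | while read -r f; do
            echo "Signing file $f"
            echo "${PASSPHRASE}" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 --default-key "${GPG_KEY_NAME}" --detach-sign "$f"
            # fail the job here rather than upload a signature made with the wrong key
            gpg --verify "$f.sig" "$f"
          done
```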
@@ -214,6 +226,49 @@ jobs:
 cd buildMSI
 .\create_msi.ps1 ${{ github.sha }} ${{ secrets.S3_INTEGRATION_BUCKET }}
 
+ #GH actions set up gpg only works on ubuntu as of this commit date
+ GPGSignMacAndWindowsPackage:
+ name: 'SignMacAndWindowsPackage'
+ runs-on: ubuntu-latest
+ needs: [BuildMSI, MakeMacPkg]
+ steps:
+ - uses: actions/checkout@v2
+ - uses: olafurpg/setup-gpg@v3
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.TERRAFORM_AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.TERRAFORM_AWS_SECRET_ACCESS_KEY }}
+ aws-region: us-west-2
+
+ - name: Cache sig
+ id: cached_sig
+ uses: actions/cache@v2
+ with:
+ key: "cached_sig_${{ github.sha }}"
+ path: go.mod
+
+ - name: Download from s3
+ if: steps.cached_sig.outputs.cache-hit != 'true'
+ run: |
+ mkdir packages
+ aws s3 cp s3://${S3_INTEGRATION_BUCKET}/integration-test/packaging/${{ github.sha }}/amazon-cloudwatch-agent.msi ./packages/amazon-cloudwatch-agent.msi
+ aws s3 cp s3://${S3_INTEGRATION_BUCKET}/integration-test/packaging/${{ github.sha }}/amazon-cloudwatch-agent.pkg ./packages/amazon-cloudwatch-agent.pkg
+
+ - name: Sign packages
+ if: steps.cached_sig.outputs.cache-hit != 'true'
+ run: |
+ export GPG_TTY=$(tty)
+ echo "${GPG_PRIVATE_KEY}" | gpg --batch --import -
+ for f in $(find packages/); do if [ ! -d $f ]; then echo "Signing file $f" && echo "${PASSPHRASE}" | gpg --detach-sign --passphrase-fd 0 --batch --default-key "${GPG_KEY_NAME}" $f ; fi ; done
+
+ - name: Upload to s3
+ if: steps.cached_sig.outputs.cache-hit != 'true'
+ run: |
+ aws s3 cp packages/amazon-cloudwatch-agent.msi.sig s3://${S3_INTEGRATION_BUCKET}/integration-test/packaging/${{ github.sha }}/amazon-cloudwatch-agent.msi.sig
+ aws s3 cp packages/amazon-cloudwatch-agent.pkg.sig s3://${S3_INTEGRATION_BUCKET}/integration-test/packaging/${{ github.sha }}/amazon-cloudwatch-agent.pkg.sig
+
 StartLocalStack:
 name: 'StartLocalStack'
 runs-on: ubuntu-latest
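Review bot: The `Sign packages` step of `GPGSignMacAndWindowsPackage` signs whatever `Download from s3` fetched from `integration-test/packaging/${{ github.sha }}/`, with no check that those objects are the ones `BuildMSI` and `MakeMacPkg` produced, so anything able to write to that bucket prefix can obtain a valid detached signature for an arbitrary file. Having the producing jobs expose a SHA-256 of each package (as a job output or an uploaded artifact) and verifying it here before the `gpg --detach-sign` loop — `sha256sum -c packages.sha256` against a file populated from those values — closes that gap cheaply. The `Cache sig` step uses `go.mod` keyed on `cached_sig_${{ github.sha }}` purely as a done-marker; a comment such as `# go.mod is only a sentinel: a cache hit means this SHA was already signed` would save the next reader from looking for a real dependency on that file. The `--pinentry-mode loopback`, signature-verification and quoting points raised on the first `Sign packages` step apply to this copy too, and the two identical shell bodies would be easier to keep in sync as one script under `integration/pkg/tools/`.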
diff --git a/integration/pkg/tools/create_pkg.sh b/integration/pkg/tools/create_pkg.sh
index 18de457f7b..4dee1a28f6 100644
--- a/integration/pkg/tools/create_pkg.sh
+++ b/integration/pkg/tools/create_pkg.sh
@@ -26,7 +26,7 @@ mkdir artifact
 sudo pkgbuild --root /tmp/AmazonCWAgentPackage/ --install-location "/" --scripts /tmp/AmazonAgentScripts --identifier com.amazon.cloudwatch.agent --version=$AGENT_VERSION artifact/amazon-cloudwatch-agent.pkg
 aws s3 cp ./artifact/amazon-cloudwatch-agent.pkg "s3://$1/integration-test/packaging/$2/amazon-cloudwatch-agent.pkg"
 
-#TODO uncomment when signing is implemented
+#TODO uncomment for mac specific signing gpg is supported
 ## create a package.tar.gz for the uploding it to signing bucket
 #tar -cvzf artifact.gz -C artifact .
 #tar -cvzf package.tar.gz manifest.yaml artifact.gz
diff --git a/integration/terraform/ec2/linux/README.md b/integration/terraform/ec2/linux/README.md
index 91a4f6dee6..935d01062c 100644
--- a/integration/terraform/ec2/linux/README.md
+++ b/integration/terraform/ec2/linux/README.md
@@ -141,4 +141,7 @@ This process generates a new ami we can then use for testing
 KEY_NAME: ${Key pair name for ec2}
 VPC_SECURITY_GROUPS_IDS: ${Security group within your vpc the value should look like ["sg-013585129c1f92bf0"]}
 IAM_ROLE: ${Role the ec2 instance should assume}
+ GPG_PRIVATE_KEY: ${Your gpg private key}
+ PASSPHRASE: ${Passpharse for your gpg key}
+ GPG_KEY_NAME: ${Name of your gpg key}
 ```
\ No newline at end of file