From 4e324e74e33a53269806e4b6a51a6ec40bef0e14 Mon Sep 17 00:00:00 2001
From: Walt
Date: Thu, 6 Jan 2022 17:10:38 -0800
Subject: [PATCH] Sign rpm repo metadata (#9027)

This helps support zypper on Suse, and improves our general RPM distribution security posture. The threat model is someone compromises AWS, but not our signing keys. In this case, they could update repo metatdata to point to an unsigned package. With metadata signed, this is no longer possible -- both the index and the package are verified. For more info on this change, see this very helpful blog post: https://blog.packagecloud.io/eng/2014/11/24/howto-gpg-sign-verify-rpm-packages-yum-repositories/
---
 .drone.yml | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/.drone.yml b/.drone.yml
index 7a572fba4d3c5..2846b74cff892 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -5016,6 +5016,31 @@ steps:
 - yum -y install createrepo
 - createrepo --cachedir /rpmrepo/teleport/cache --update /rpmrepo/teleport
 
+ # This step requires centos:8 to get gpg 2.2+
+ # centos:7's gpg 2.0 doesn't understand the format of GPG_RPM_SIGNING_ARCHIVE
+ - name: Sign RPM repo metadata
+ image: centos:8
+ volumes:
+ - name: rpmrepo
+ path: /rpmrepo
+ # for in-memory tmpfs for key material
+ - name: tmpfs
+ path: /tmpfs
+ environment:
+ GNUPGHOME: /tmpfs/gnupg
+ GPG_RPM_SIGNING_ARCHIVE:
+ from_secret: GPG_RPM_SIGNING_ARCHIVE
+ commands:
+ - |
+ # extract signing key
+ mkdir -m0700 $GNUPGHOME
+ echo "$GPG_RPM_SIGNING_ARCHIVE" | base64 -d | tar -xzf - -C $GNUPGHOME
+ chown -R root:root $GNUPGHOME
+ # Sign rpm repo metadata (yum clients will automatically look for and verify repodata/repomd.xml.asc)
+ - gpg --detach-sign --armor /rpmrepo/teleport/repodata/repomd.xml
+ - cat /rpmrepo/teleport/repodata/repomd.xml.asc
+ - rm -rf $GNUPGHOME
+
 - name: Sync RPM repo changes to S3
 image: amazon/aws-cli
 environment:
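Review bot: The `gpg --detach-sign --armor /rpmrepo/teleport/repodata/repomd.xml` command runs without `--batch`/`--yes`, so on a later run against the same `/rpmrepo` volume (createrepo's `--update` above suggests it persists between runs) gpg will find the existing `repomd.xml.asc` and try to ask whether to overwrite it, which cannot be answered in a Drone step; change it to `- gpg --batch --yes --detach-sign --armor /rpmrepo/teleport/repodata/repomd.xml`. For the same reason a passphrase-protected key in the archive would make gpg attempt a pinentry prompt and fail, so the comment above the command should state that the key is expected to be passphrase-less (or how the passphrase is supplied). The `rm -rf $GNUPGHOME` cleanup only runs if every preceding command succeeds, so a failed signing leaves the extracted private key on `/tmpfs` until the pipeline ends; whether that volume is a Drone temp volume is defined outside this hunk, so if it is not, a cleanup that runs regardless of outcome is worth adding. In the block-scalar command, `set -o pipefail` as the first line would make a failed `base64 -d` abort the step instead of handing tar truncated input and continuing. The enclosing `steps:` list begins outside the hunk.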
@@ -5141,6 +5166,6 @@ volumes:
 name: drone-s3-debrepo-pvc
 ---
 kind: signature
-hmac: 5024d8ffe4db0d734fcb1f1a2a22d3ae2078d270dbaac7900eca0db2d1448655
+hmac: 1473746cd33150de6ce4e6be53478ad6961414d1e34987d9eff4b3e17bcfe5a2
 
 ...