authorSravan Kumar Lakkimsetti2020-10-27 08:12:44 +0000
committerSravan Kumar Lakkimsetti2020-10-27 08:17:21 +0000
commit6589aab4b5b473ec2f2883ff0673bfb006a05ead (patch)
treef556783497b3f0698b39db28b4e61a18444e98a5
parentd78d0fc4e62a5a9413f3b634a0e90ea7be3c8d5c (diff)
Bug 560258 - Gpg sign checksums on new infra build
-rw-r--r--JenkinsJobs/Builds/I-build.groovy9
-rw-r--r--JenkinsJobs/Builds/Y-build.groovy8
-rwxr-xr-xcje-production/mbscripts/mb300_gatherEclipseParts.sh7
-rwxr-xr-xcje-production/mbscripts/mb310_gatherEquinoxParts.sh7
-rwxr-xr-xeclipse.platform.releng.tychoeclipsebuilder/eclipse/extras/produceChecksum.sh16
5 files changed, 36 insertions, 11 deletions
diff --git a/JenkinsJobs/Builds/I-build.groovy b/JenkinsJobs/Builds/I-build.groovy
index db12be85a..c88d2e659 100644
--- a/JenkinsJobs/Builds/I-build.groovy
+++ b/JenkinsJobs/Builds/I-build.groovy
@@ -196,7 +196,6 @@ spec:
exit 1
fi
cd ${WORKSPACE}
- scp genie.releng@projects-storage.eclipse.org:/opt/public/hipp/homes/genie.releng/*.passphrase .
'''
}
}
@@ -300,6 +299,10 @@ spec:
}
}
stage('Gather Eclipse Parts'){
+ environment {
+ KEYRING = credentials('secret-subkeys-releng.asc')
+ KEYRING_PASSPHRASE = credentials('secret-subkeys-releng.acs-passphrase')
+ }
steps {
container('jnlp') {
withEnv(["JAVA_HOME=${ tool 'openjdk-jdk11-latest' }"]) {
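Review bot: The `environment` block added to 'Gather Eclipse Parts' binds `KEYRING` and `KEYRING_PASSPHRASE` for the whole stage, so the passphrase sits in the environment of every process the stage starts, not only the gpg calls that need it. Wrapping just the step that runs the gather script in `withCredentials([file(credentialsId: 'secret-subkeys-releng.asc', variable: 'KEYRING'), string(credentialsId: 'secret-subkeys-releng.acs-passphrase', variable: 'KEYRING_PASSPHRASE')]) { ... }` would narrow that, assuming the two credentials are stored as a secret file and a secret text. The id `secret-subkeys-releng.acs-passphrase` is spelled `.acs` where the keyring id has `.asc`; confirm it matches the id stored in Jenkins. The same block is repeated in 'Gather Equinox Parts' and in both stages of Y-build.groovy. The stage body continues outside the hunk.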
@@ -319,6 +322,10 @@ spec:
}
}
stage('Gather Equinox Parts'){
+ environment {
+ KEYRING = credentials('secret-subkeys-releng.asc')
+ KEYRING_PASSPHRASE = credentials('secret-subkeys-releng.acs-passphrase')
+ }
steps {
container('jnlp') {
withEnv(["JAVA_HOME=${ tool 'openjdk-jdk11-latest' }"]) {
diff --git a/JenkinsJobs/Builds/Y-build.groovy b/JenkinsJobs/Builds/Y-build.groovy
index b1caec949..ace6f5e50 100644
--- a/JenkinsJobs/Builds/Y-build.groovy
+++ b/JenkinsJobs/Builds/Y-build.groovy
@@ -314,6 +314,10 @@ spec:
}
}
stage('Gather Eclipse Parts'){
+ environment {
+ KEYRING = credentials('secret-subkeys-releng.asc')
+ KEYRING_PASSPHRASE = credentials('secret-subkeys-releng.acs-passphrase')
+ }
steps {
container('jnlp') {
withEnv(["JAVA_HOME=${ tool 'openjdk-jdk11-latest' }"]) {
@@ -333,6 +337,10 @@ spec:
}
}
stage('Gather Equinox Parts'){
+ environment {
+ KEYRING = credentials('secret-subkeys-releng.asc')
+ KEYRING_PASSPHRASE = credentials('secret-subkeys-releng.acs-passphrase')
+ }
steps {
container('jnlp') {
withEnv(["JAVA_HOME=${ tool 'openjdk-jdk11-latest' }"]) {
diff --git a/cje-production/mbscripts/mb300_gatherEclipseParts.sh b/cje-production/mbscripts/mb300_gatherEclipseParts.sh
index 7711d52e8..a98e0c6ac 100755
--- a/cje-production/mbscripts/mb300_gatherEclipseParts.sh
+++ b/cje-production/mbscripts/mb300_gatherEclipseParts.sh
@@ -224,6 +224,13 @@ $JavaCMD -jar $LAUNCHER_JAR \
verifyCompile
popd
+#import gpg keys
+gpg --batch --import "${KEYRING}"
+for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u);
+do
+ echo -e "5\ny\n" | gpg --batch --command-fd 0 --expert --edit-key "${fpr}" trust;
+done
+
# publish Eclipse
pushd $CJE_ROOT
ANT_SCRIPT=$ECLIPSE_BUILDER_DIR/eclipse/helper.xml
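Review bot: The trust loop takes its fingerprints from `gpg --list-keys`, which lists every public key in the agent's keyring, so any key already present there is also set to ultimate trust (`5`), not only the ones imported from `${KEYRING}`. Reading the fingerprints from the imported file keeps the loop scoped: `for fpr in $(gpg --batch --with-colons --import-options show-only --import "${KEYRING}" | awk -F: '$1 == "fpr" {print $10}' | sort -u);` (this needs a GnuPG release that supports `show-only`). The import's exit status is not checked in the hunk either, so an unset or unreadable `KEYRING` would surface only later at signing time, if at all; `gpg --batch --import "${KEYRING}" || exit 1` would stop the build there, unless the script already runs under `set -e` outside the hunk. The identical lines added to mb310_gatherEquinoxParts.sh have the same two issues.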
diff --git a/cje-production/mbscripts/mb310_gatherEquinoxParts.sh b/cje-production/mbscripts/mb310_gatherEquinoxParts.sh
index 9604a786c..f395b725d 100755
--- a/cje-production/mbscripts/mb310_gatherEquinoxParts.sh
+++ b/cje-production/mbscripts/mb310_gatherEquinoxParts.sh
@@ -51,6 +51,13 @@ if [ -d $REPO_DIR ]; then
popd
fi
+#import gpg keys
+gpg --batch --import "${KEYRING}"
+for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u);
+do
+ echo -e "5\ny\n" | gpg --batch --command-fd 0 --expert --edit-key "${fpr}" trust;
+done
+
# publish Equinox
pushd $CJE_ROOT
mkdir -p $ECLIPSE_BUILDER_DIR/equinox/$TMP_DIR
diff --git a/eclipse.platform.releng.tychoeclipsebuilder/eclipse/extras/produceChecksum.sh b/eclipse.platform.releng.tychoeclipsebuilder/eclipse/extras/produceChecksum.sh
index 4aeed03d1..d0a76f31e 100755
--- a/eclipse.platform.releng.tychoeclipsebuilder/eclipse/extras/produceChecksum.sh
+++ b/eclipse.platform.releng.tychoeclipsebuilder/eclipse/extras/produceChecksum.sh
@@ -109,18 +109,14 @@ done
echo "[DEBUG] Producing GPG signatures starting."
# We make double use of the "client". One to simplify signing script. Second to identify times in timefile.
# remember, this "WORKSPACE" is for genie.releng for production builds.
-key_passphrase_file=${key_passphrase_file:-${WORKSPACE}/${client}-dev.passphrase}
-if [[ -r $key_passphrase_file ]]
+if [ ! -z "${KEYRING_PASSPHRASE}" ]
then
- signer=${signer:-${client}-dev@eclipse.org}
- signature_file512=${allCheckSumsSHA512}.asc
- fileToSign512=${allCheckSumsSHA512}
-
- cat ${key_passphrase_file} | gpg --local-user ${signer} --sign --armor --output ${signature_file512} --batch --yes --passphrase-fd 0 --detach-sig ${fileToSign512}
+ signature_file512=${allCheckSumsSHA512}.asc
+ gpg --detach-sign --armor --output ${signature_file512} --batch --yes --passphrase-fd 0 ${allCheckSumsSHA512} <<< "${KEYRING_PASSPHRASE}"
else
- # We don't treat as ERROR since would be normal in a "local build".
- # But, would be an ERROR in production build so could be improved.
- echo -e "\n\t[WARNING] The key_passphrase_file did not exist or was not readable.\n"
+ # We don't treat as ERROR since would be normal in a "local build".
+ # But, would be an ERROR in production build so could be improved.
+ echo -e "\n\t[WARNING] The key_passphrase_file did not exist or was not readable.\n"
fi
# if SCRIPT_PATH not defined, we can not call elapsed time
if [[ -n "${SCRIPT_PATH}" ]]
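Review bot: The new gpg call no longer passes `--local-user`, so the checksums are signed with whatever default secret key the keyring holds, and its exit status is not checked, so a failed or wrongly keyed signature goes unnoticed in the visible lines. Naming the key and quoting the paths would pin this down: `gpg --local-user "<SIGNING_KEY_FINGERPRINT>" --pinentry-mode loopback --detach-sign --armor --output "${signature_file512}" --batch --yes --passphrase-fd 0 "${allCheckSumsSHA512}" <<< "${KEYRING_PASSPHRASE}" || exit 1`. The `--pinentry-mode loopback` part matters only if the build image ships GnuPG 2.1 or later, where `--passphrase-fd` is honoured only in loopback mode; confirm the version. The warning in the else branch still refers to `key_passphrase_file`, which this change removes; `echo -e "\n\t[WARNING] KEYRING_PASSPHRASE is not set; checksums were not signed.\n"` matches the new condition. The `if [[ -n "${SCRIPT_PATH}" ]]` block that follows continues outside the hunk.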
