From e39d2b5d8bd03681a42f17315594b3f30f8253e9 Mon Sep 17 00:00:00 2001 From: MyroTk Date: Tue, 6 May 2025 10:42:11 -0400 Subject: [PATCH 1/4] add gpg pubkey upload for verification --- tests/ci/sign_release.py | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/tests/ci/sign_release.py b/tests/ci/sign_release.py index 8a5827097c8b..7b0c2d3d6989 100644 --- a/tests/ci/sign_release.py +++ b/tests/ci/sign_release.py @@ -8,6 +8,7 @@ from build_download_helper import download_builds_filter import hashlib from pathlib import Path +import subprocess GPG_BINARY_SIGNING_KEY = os.getenv("GPG_BINARY_SIGNING_KEY") GPG_BINARY_SIGNING_PASSPHRASE = os.getenv("GPG_BINARY_SIGNING_PASSPHRASE") @@ -33,19 +34,22 @@ def hash_file(file_path): return hash_file_path def sign_file(file_path): - priv_key_file_path = 'priv.key' - with open(priv_key_file_path, 'x') as f: - f.write(GPG_BINARY_SIGNING_KEY) - out_file_path = f'{file_path}.gpg' - - os.system(f'echo {GPG_BINARY_SIGNING_PASSPHRASE} | gpg --batch --import {priv_key_file_path}') os.system(f'gpg -o {out_file_path} --pinentry-mode=loopback --batch --yes --passphrase {GPG_BINARY_SIGNING_PASSPHRASE} --sign {file_path}') print(f"Signed {file_path}") - os.remove(priv_key_file_path) - return out_file_path +def extract_public_key(): + # Import private key directly from environment variable + import_cmd = f'echo {GPG_BINARY_SIGNING_PASSPHRASE} | gpg --batch --import' + subprocess.run(import_cmd, shell=True, input=GPG_BINARY_SIGNING_KEY.encode()) + + # Export public key + pub_key_file_path = 'pub.key' + os.system(f'gpg --export --armor > {pub_key_file_path}') + print(f"Extracted public key to {pub_key_file_path}") + return pub_key_file_path + def main(): reports_path = Path(REPORT_PATH) 
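Review bot: In `extract_public_key`, `subprocess.run(import_cmd, shell=True, input=GPG_BINARY_SIGNING_KEY.encode())` hands the key to the shell's stdin, but inside `echo … | gpg --batch --import` gpg's stdin is echo's output, so gpg is fed the passphrase text and the key is never imported (a later patch in this series reverts to a key file rather than fixing the pipe). The passphrase also appears on a command line both here and in the `--passphrase {GPG_BINARY_SIGNING_PASSPHRASE}` option that remains in `sign_file`, where it is expanded unquoted by the shell and readable by any other process on the runner via `ps` or `/proc/*/cmdline`; pass it over a descriptor instead, e.g. `'--passphrase-fd', '0'` with `input=GPG_BINARY_SIGNING_PASSPHRASE.encode()` in a list-form `subprocess.run` (the `import subprocess` added in this patch makes that available). Finally `gpg --export --armor` with no selector dumps every public key in the runner's keyring, not just the signing key, so `pub.key` should be exported by the fingerprint of the key just imported. The comment `# Import private key directly from environment variable` should only stay once the key really is read from `GPG_BINARY_SIGNING_KEY` over stdin.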
@@ -65,6 +69,13 @@ def main(): # downloads `package_release` artifacts generated download_builds_filter(CHECK_NAME, reports_path, Path(TEMP_PATH)) + # Extract and upload public key first + pub_key_file_path = extract_public_key() + s3_pubkey_path = s3_path_prefix / "public.gpg" + s3_helper.upload_build_file_to_s3(Path(pub_key_file_path), str(s3_pubkey_path)) + print(f'Uploaded public key to {s3_pubkey_path}') + os.remove(pub_key_file_path) + for f in os.listdir(TEMP_PATH): full_path = os.path.join(TEMP_PATH, f) if os.path.isdir(full_path): From 53e9bbf2164dc15f3c4f51d4ecb7c2c6db24c34b Mon Sep 17 00:00:00 2001 From: MyroTk <44327070+MyroTk@users.noreply.github.com> Date: Wed, 7 May 2025 12:24:42 -0400 Subject: [PATCH 2/4] Update sign_release.py --- tests/ci/sign_release.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/ci/sign_release.py b/tests/ci/sign_release.py index 7b0c2d3d6989..333152c2b5bd 100644 --- a/tests/ci/sign_release.py +++ b/tests/ci/sign_release.py @@ -34,9 +34,17 @@ def hash_file(file_path): return hash_file_path def sign_file(file_path): + priv_key_file_path = 'priv.key' + with open(priv_key_file_path, 'x') as f: + f.write(GPG_BINARY_SIGNING_KEY) + out_file_path = f'{file_path}.gpg' + + os.system(f'echo {GPG_BINARY_SIGNING_PASSPHRASE} | gpg --batch --import {priv_key_file_path}') os.system(f'gpg -o {out_file_path} --pinentry-mode=loopback --batch --yes --passphrase {GPG_BINARY_SIGNING_PASSPHRASE} --sign {file_path}') print(f"Signed {file_path}") + os.remove(priv_key_file_path) + return out_file_path def extract_public_key(): From 29f7a63e4a4bf1bd0fb9e779e4ac7a9e6ddad8e5 Mon Sep 17 00:00:00 2001 From: MyroTk <44327070+MyroTk@users.noreply.github.com> Date: Tue, 13 May 2025 19:26:34 -0400 Subject: [PATCH 3/4] Update sign_release.py --- tests/ci/sign_release.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/ci/sign_release.py b/tests/ci/sign_release.py index 333152c2b5bd..d84f4a8003c6 100644 
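Review bot: The key published by `s3_helper.upload_build_file_to_s3(Path(pub_key_file_path), str(s3_pubkey_path))` lands under the same `s3_path_prefix` as the artifacts it is meant to verify, so anyone able to replace a signed build in that bucket can replace `public.gpg` with their own key and verification proves nothing; the fingerprint has to be pinned somewhere the bucket cannot influence (release docs, the project website, or an existing published key). At minimum print the fingerprint in the CI log next to the upload and say so in a comment above it: `# public.gpg is a convenience copy; verifiers must check its fingerprint against the one published out of band.` Separately, `extract_public_key()` imports the secret key into the runner's default GNUPGHOME, where it outlives this script; point `os.environ['GNUPGHOME']` at a `tempfile.mkdtemp()` directory at the top of `main()` and remove it in a `finally` so the key does not persist across jobs on a shared runner. `main()` begins and ends outside this hunk.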
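Review bot: `open(priv_key_file_path, 'x')` writes the private key into the working directory with the process umask (typically world-readable 0644) and `os.remove(priv_key_file_path)` runs only on the success path, so any gpg failure leaves `priv.key` on disk and, because mode `'x'` refuses to overwrite, every later `sign_file` call in the loop fails with FileExistsError; the final patch in this series makes `extract_public_key` write the same file name and inherits the same hazard. The passphrase is also interpolated unquoted into two shell command lines (`echo … |` and `--passphrase …`) where it is readable by other processes on the runner, and on GnuPG 2.1+ `--import` of a passphrase-protected key does not consume a passphrase from stdin in this form, so the `echo` only leaks it — confirm against the gpg version on the runner image. Import the key once from stdin before the loop (no file, nothing on argv) and sign with `--passphrase-fd 0` via list-form `subprocess.run`, which the first patch's `import subprocess` already provides. Note too that `--sign` wraps the binary in a signed container; consumers who expect the plain artifact plus a signature usually want `--detach-sign` (`.sig`/`.asc`) — check what the verification docs promise.
```python
def import_signing_key():
    """Import the armored secret key from GPG_BINARY_SIGNING_KEY over stdin.

    Call once from main() before the signing loop; nothing is written to
    disk or placed on a command line.
    """
    subprocess.run(['gpg', '--batch', '--import'],
                   input=GPG_BINARY_SIGNING_KEY.encode(), check=True)


def sign_file(file_path):
    """Sign file_path with the imported key, writing `<file_path>.gpg`.

    The passphrase is passed over fd 0 so it never appears in argv.
    """
    out_file_path = f'{file_path}.gpg'
    subprocess.run(
        ['gpg', '-o', out_file_path, '--pinentry-mode=loopback', '--batch', '--yes',
         '--passphrase-fd', '0', '--sign', file_path],
        input=GPG_BINARY_SIGNING_PASSPHRASE.encode(),
        check=True,
    )
    print(f"Signed {file_path}")
    return out_file_path
```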
--- a/tests/ci/sign_release.py +++ b/tests/ci/sign_release.py @@ -84,6 +84,11 @@ def main(): print(f'Uploaded public key to {s3_pubkey_path}') os.remove(pub_key_file_path) + # Copy public key to TEMP_PATH for artifact upload + artifact_pubkey_path = os.path.join(TEMP_PATH, 'public.gpg') + os.rename(pub_key_file_path, artifact_pubkey_path) + print(f'Copied public key to {artifact_pubkey_path} for artifact upload') + for f in os.listdir(TEMP_PATH): full_path = os.path.join(TEMP_PATH, f) if os.path.isdir(full_path): From bb6fea4fefb7ef1c8f5fd5a7a97ee89b1e289570 Mon Sep 17 00:00:00 2001 From: MyroTk <44327070+MyroTk@users.noreply.github.com> Date: Mon, 2 Jun 2025 14:58:26 -0400 Subject: [PATCH 4/4] Update sign_release.py --- tests/ci/sign_release.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/tests/ci/sign_release.py b/tests/ci/sign_release.py index d84f4a8003c6..c2033fe18a65 100644 --- a/tests/ci/sign_release.py +++ b/tests/ci/sign_release.py @@ -48,14 +48,17 @@ def sign_file(file_path): return out_file_path def extract_public_key(): - # Import private key directly from environment variable - import_cmd = f'echo {GPG_BINARY_SIGNING_PASSPHRASE} | gpg --batch --import' - subprocess.run(import_cmd, shell=True, input=GPG_BINARY_SIGNING_KEY.encode()) + priv_key_file_path = 'priv.key' + with open(priv_key_file_path, 'x') as f: + f.write(GPG_BINARY_SIGNING_KEY) + + os.system(f'echo {GPG_BINARY_SIGNING_PASSPHRASE} | gpg --batch --import {priv_key_file_path}') # Export public key pub_key_file_path = 'pub.key' - os.system(f'gpg --export --armor > {pub_key_file_path}') + os.system(f'gpg --output {pub_key_file_path} --export {priv_key_file_path}') print(f"Extracted public key to {pub_key_file_path}") + os.remove(priv_key_file_path) return pub_key_file_path def main(): 
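Review bot: The comment `# Copy public key to TEMP_PATH for artifact upload` and the `Copied public key …` message describe a copy, but `os.rename(pub_key_file_path, artifact_pubkey_path)` moves the file, and `os.rename` raises OSError (EXDEV) when TEMP_PATH lies on a different filesystem from the working directory where `pub.key` was written. Exporting straight into the artifact directory avoids both the move and the misleading wording: set `pub_key_file_path = os.path.join(TEMP_PATH, 'public.gpg')` in `extract_public_key`, upload from there, and drop the rename. Note also that the `os.remove(pub_key_file_path)` on the context line just above this insertion deletes the file before the rename runs; the last patch in this series removes that line. `main()` starts and ends outside this hunk.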
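Review bot: `gpg --output pub.key --export priv.key` passes a file path where `--export` expects a key selector (key ID, fingerprint or user ID), so the selector almost certainly matches nothing, gpg reports "nothing exported", and `pub.key` is empty or missing for the S3 upload that follows; the earlier `--export --armor` with no selector had the opposite problem of dumping the whole keyring. Export by the fingerprint of the key just imported, and since `--armor` was dropped in this hunk either restore it or document that `public.gpg` is now binary. The `priv.key` handling repeats the problems already present in `sign_file`: written world-readable under the default umask, removed only on success (and `'x'` mode then collides with the copy `sign_file` writes), and the passphrase placed on a shell command line where `--import` does not consume it (GnuPG 2.1+ imports a protected key without the passphrase — confirm on the runner image). Reading the key from stdin and selecting the export by fingerprint removes the file and the guesswork, and printing the fingerprint gives the CI log a trust anchor independent of the bucket:
```python
def extract_public_key():
    """Import the signing key and export its public half to pub.key.

    The armored secret key is fed to gpg over stdin, so it never touches
    disk or a command line; the export is selected by the primary key
    fingerprint, which is printed so the CI log records it.
    """
    subprocess.run(['gpg', '--batch', '--import'],
                   input=GPG_BINARY_SIGNING_KEY.encode(), check=True)

    # --with-colons: the 'fpr' record after the first 'sec' record is the
    # primary key fingerprint (field 10); later 'fpr' records are subkeys.
    # Assumes a single secret key in (ideally a throwaway) GNUPGHOME.
    listing = subprocess.run(
        ['gpg', '--batch', '--with-colons', '--list-secret-keys'],
        capture_output=True, text=True, check=True,
    ).stdout
    fingerprint = None
    seen_primary = False
    for line in listing.splitlines():
        fields = line.split(':')
        if fields[0] == 'sec':
            seen_primary = True
        elif fields[0] == 'fpr' and seen_primary:
            fingerprint = fields[9]
            break
    if not fingerprint:
        raise RuntimeError('no secret signing key found in GNUPGHOME after import')
    print(f'Signing key fingerprint: {fingerprint}')

    pub_key_file_path = 'pub.key'
    subprocess.run(['gpg', '--batch', '--yes', '--armor',
                    '--output', pub_key_file_path, '--export', fingerprint],
                   check=True)
    print(f"Extracted public key to {pub_key_file_path}")
    return pub_key_file_path
```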
@@ -82,7 +85,6 @@ def main(): s3_pubkey_path = s3_path_prefix / "public.gpg" s3_helper.upload_build_file_to_s3(Path(pub_key_file_path), str(s3_pubkey_path)) print(f'Uploaded public key to {s3_pubkey_path}') - os.remove(pub_key_file_path) # Copy public key to TEMP_PATH for artifact upload artifact_pubkey_path = os.path.join(TEMP_PATH, 'public.gpg')