Action #1949
Feature #1932: Add package build and check functionality to ctools
Sign packages
Status: | Closed | Start date: | 03/13/2017 | |
---|---|---|---|---|
Priority: | Normal | Due date: | 03/23/2017 | |
Assigned To: | Brau-Nogué Sylvie | % Done: | 100% | |
Category: | - | |||
Target version: | - | |||
Tags: | PACKAGING | |||
Duration: | 11 |
Description
Try GPG, same signature whatever the system
TODO :- generate GPG on a Linux machine,
- then copy to a MacOS platform
- finally sign a dmg package with this signature
- same sequence from MacOS to Linux
Recurrence
No recurrence.
Related issues
History
#1 Updated by Brau-Nogué Sylvie almost 8 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 20
Method¶
Use Case 1: generate GPG key, and rpm on the same platform | |
generate GPG key | |
Case 1 * product an unsigned rpm package * sign rpm package with local key |
Case 2 * product a signed rpm package |
Use Case 2: the same GPG key for all platforms | |
generate key on the Remote Key Server | |
import the GPG key | |
Case 1 * product an unsigned rpm package * sign rpm package with local key (imported) |
Case 2 * product a signed rpm package |
Use Case 3: a single GPG Key Server | |
generate a GPG key on the signature server | |
on each local platform | → product an unsigned rpm package |
copy the package on the signature server | |
on the signature server | → sign the rpm packages and deploy |
#2 Updated by Brau-Nogué Sylvie almost 8 years ago
- Tags set to PACKAGING
Case 1: local only¶
gpg --export -a "turlututu (encore un test)" > RPM-GPG-KEY-example-2-signing-key
rpm -qi gpg-pubkey-0d76ea78-58c85a6a
Sign a rpm package¶
rpm --addsign -v ctools-1.2.0.dev1-1.el7.centos.x86_64.rpm
Integrate signature in pkgbuild-centos.sh¶
PROBLEM : the script stops by waiting for the pass phrase
or “How to provide password to a command that prompts for one in bash?”
use expect¶
sudo yum install expect
Declare the passphrase in an environment variable when logging in¶
- file .bashrc
GPG_PASSPHRASE="xxxxxx this my pass phase xxxxxxx" export GPG_PASSPHRASE
- Another possibility to create a specific file in .gnupg directory
at login script, extract pass phrase from this file
<<<<< see this page, or this article >>>>>
then signature, 2 options¶
case 1 : in Makefile
rpm-sign: (\ echo set timeout -1;\ echo spawn rpmsign --addsign target/rpmbuild/RPMS/*/*.rpm;\ echo expect -exact \"Enter pass phrase:\";\ echo send -- \"$(GPG_PASSPHRASE)\\r\";\ echo expect eof;\ ) | expect
case 2 : in pkgbuild-centos.sh
# ==================================================== # # Sign package with pass phrase set during login (\ echo set timeout -1;\ echo spawn rpmsign --addsign $PKGDIR/*/*.rpm;\ echo expect -re \"pass\";\ echo send -- \"$GPG_PASSPHRASE\\r\";\ echo expect eof;\ ) | expect
#3 Updated by Brau-Nogué Sylvie almost 8 years ago
- % Done changed from 20 to 100
Finally, the best choice is Use Case 3: a single GPG Key Server
- generate a GPG key on the signature server
- on each local platform → product an unsigned rpm package
- transfert the package on the signature server
- on the signature server → sign the rpm packages and deploy
Many reasons, the most important of which is to guarantee the signature of the package with the latest GPG signature
#4 Updated by Knödlseder Jürgen almost 8 years ago
On Mac OS X 10.11 I created a “S/MIME” certificat with the keychain tool. I was then able to sign the package on my Mac as follows:
$ productsign --sign 'ctools-2' ctools-1.2.0.pkg /Users/jurgen/ctools-1.2.0-signed.pkg productsign: signing product with identity "ctools-2" from keychain /Users/jurgen/Library/Keychains/login.keychain productsign: Wrote signed product archive to /Users/jurgen/ctools-1.2.0-signed.pkg
Note that I did not manage to sign the package with a “Code Signing” Certificat.
I tried the same on the Mac OS X 10.7 VM which is the machine where the OS X package is built. However on that platform the signing did not work:
$ productsign --sign 'ctools' ctools-1.3.0.dev1.pkg ctools-1.3.0.dev1-signed.pkg productsign: signing product with identity "ctools" from keychain /Users/jenkins/Library/Keychains/login.keychain Error signing data. productsign: error: Failed to sign the product.
Unfortunately there is no more information available explaining what happened.
#5 Updated by Knödlseder Jürgen almost 8 years ago
No access to the ctools private key was granted. This can be changed in the Keychain Access application by double clicking on the ctools private key. Once this is done it worked:
$ productsign --sign 'ctools' ctools-1.3.0.dev1.pkg ctools-1.3.0.dev1-signed.pkg productsign: signing product with identity "ctools" from keychain /Users/jenkins/Library/Keychains/login.keychain productsign: Wrote signed product archive to ctools-1.3.0.dev1-signed.pkg
#6 Updated by Knödlseder Jürgen almost 8 years ago
I added the signature to the Mac OS X product build step:
# Build product productbuild --distribution $DISTFILE \ --version $VERSION \ --resources $SRCDIR/$CTOOLS \ --package-path $PKGDIR \ --sign 'ctools' \ $PRODDIR/$CTOOLS.pkg
This gave
... pkgbuild: Inferring bundle components from contents of /usr/local/gamma pkgbuild: Writing new component property list to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/pkg/ctools-1.3.0.dev1-components.plist pkgbuild: Reading components from /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/pkg/ctools-1.3.0.dev1-components.plist pkgbuild: Wrote package to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/pkg/ctools-1.3.0.dev1.pkg productbuild: Wrote synthesized distribution to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/prod/ctools-1.3.0.dev1.dist productbuild: Signing product with identity "ctools" from keychain /Users/jenkins/Library/Keychains/login.keychain productbuild: Wrote product to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/prod/ctools-1.3.0.dev1.pkg ......................................................................... created: /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/ctools-1.3.0.dev1-macosx10.7.dmg
Looks like it worked.
#7 Updated by Knödlseder Jürgen almost 8 years ago
For some reason, implementing the signature in the continuous release did not work:
pkgbuild: Inferring bundle components from contents of /usr/local/gamma pkgbuild: Writing new component property list to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/pkg/ctools-1.3.0.dev1-components.plist pkgbuild: Reading components from /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/pkg/ctools-1.3.0.dev1-components.plist pkgbuild: Wrote package to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/pkg/ctools-1.3.0.dev1.pkg productbuild: Wrote synthesized distribution to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/prod/ctools-1.3.0.dev1.dist Error signing data. productbuild: error: Could not sign product at "/Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/prod/ctools-1.3.0.dev1.pkg". productbuild: Signing product with identity "ctools" from keychain /Users/jenkins/Library/Keychains/login.keychain
#8 Updated by Knödlseder Jürgen almost 8 years ago
The reason was that Jenkins does not automatically unlock the local keychain. Adding
security unlock-keychain -p password login.keychain
solved the issue. However, since we don’t want to type the password visibly, another solution was moving the ctools certificate to the System.keychain.
#9 Updated by Knödlseder Jürgen almost 8 years ago
Seems to work now:
productbuild: Wrote synthesized distribution to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/prod/ctools-1.3.0.dev1.dist productbuild: Signing product with identity "ctools" from keychain /Library/Keychains/System.keychain productbuild: Wrote product to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/prod/ctools-1.3.0.dev1.pkg created: /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/ctools-1.3.0.dev1-macosx10.7.dmg
#10 Updated by Knödlseder Jürgen over 7 years ago
- Target version changed from 1.3.0 to 1.4.0
#11 Updated by Knödlseder Jürgen over 7 years ago
- Target version changed from 1.4.0 to 1.5.0
#12 Updated by Knödlseder Jürgen almost 7 years ago
- Target version deleted (
1.5.0)
#13 Updated by Brau-Nogué Sylvie over 6 years ago
- Status changed from In Progress to Closed
#14 Updated by Knödlseder Jürgen about 4 years ago
- Related to Bug #3448: Installation of ctools-1.7.2 Mac OS X binary disk image failed on mac OS Catalina added