Action #1949

Feature #1932: Add package build and check functionality to ctools

Sign packages

Added by Brau-Nogué Sylvie about 7 years ago. Updated almost 6 years ago.

Status: Closed
Start date: 03/13/2017
Priority: Normal
Due date: 03/23/2017
Assigned To: Brau-Nogué Sylvie
% Done: 100%
Category: -
Target version: -
Tags: PACKAGING
Duration: 11

Description

Try GPG, same signature whatever the system

TODO:
  • generate GPG on a Linux machine,
  • then copy to a MacOS platform
  • finally sign a dmg package with this signature
  • same sequence from MacOS to Linux

Recurrence

No recurrence.


Related issues

Related to ctools - Bug #3448: Installation of ctools-1.7.2 Mac OS X binary disk image f... Closed 11/13/2020

History

#1 Updated by Brau-Nogué Sylvie about 7 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 20

Method

Use Case 1: generate the GPG key and the rpm on the same platform
  • generate the GPG key
  • Case 1
    * produce an unsigned rpm package
    * sign the rpm package with the local key
  • Case 2
    * produce a signed rpm package

Use Case 2: the same GPG key for all platforms
  • generate the key on the Remote Key Server
  • import the GPG key
  • Case 1
    * produce an unsigned rpm package
    * sign the rpm package with the local (imported) key
  • Case 2
    * produce a signed rpm package

Use Case 3: a single GPG Key Server
  • generate a GPG key on the signature server
  • on each local platform → produce an unsigned rpm package
  • copy the package to the signature server
  • on the signature server → sign the rpm packages and deploy

#2 Updated by Brau-Nogué Sylvie about 7 years ago

  • Tags set to PACKAGING

Case 1: local only

Sign a rpm package

Integrate signature in pkgbuild-centos.sh

PROBLEM: the script stops, waiting for the pass phrase
or “How to provide a password to a command that prompts for one in bash?”

use expect
sudo yum install expect
Declare the passphrase in an environment variable when logging in
  1. file .bashrc
    GPG_PASSPHRASE="xxxxxx this my pass phase xxxxxxx" 
    export GPG_PASSPHRASE
    
  2. Another possibility: create a specific file in the .gnupg directory

in the login script, extract the pass phrase from this file

<<<<< see this page, or this article >>>>>

then the signature, 2 options

case 1 : in Makefile

rpm-sign:
    (\
      echo set timeout -1;\
      echo spawn rpmsign --addsign target/rpmbuild/RPMS/*/*.rpm;\
      echo expect -exact \"Enter pass phrase:\";\
      echo send -- \"$(GPG_PASSPHRASE)\\r\";\
      echo expect eof;\
    ) | expect

case 2 : in pkgbuild-centos.sh
# ==================================================== #
# Sign package with pass phrase set during login
(\
    echo set timeout -1;\
    echo spawn rpmsign --addsign $PKGDIR/*/*.rpm;\
    echo expect -re \"pass\";\
    echo send -- \"$GPG_PASSPHRASE\\r\";\
    echo expect eof;\
) | expect
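
Added example, not code from the ctools project or from the comment above: a POSIX shell variant of the same expect approach that reads the pass phrase from a file that must be mode 0600 (the default path under .gnupg is an assumption), lets expect pick it up from its own environment instead of echoing it into the script text, and propagates the exit status of rpmsign so a failed signing does not pass silently in a build job.

```shell
#!/bin/sh
# Added example (not from the ctools project). Same expect technique as the
# snippet above, hardened: pass phrase file must be 0600, expect reads the
# pass phrase via $env(...) rather than having it substituted into the script,
# and the exit status of rpmsign is returned to the caller.

# Refuse a pass phrase file that anyone but the owner can read.
check_passphrase_file() {
  f="$1"
  [ -f "$f" ] || { echo "no pass phrase file: $f" >&2; return 1; }
  perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$perms" in
    600|400) return 0 ;;
    *) echo "refusing $f: mode $perms, expected 0600" >&2; return 1 ;;
  esac
}

# Emit the expect script for the RPMs under $1/*/*.rpm. The glob is expanded
# here (Tcl does not glob), but the pass phrase is NOT substituted: the literal
# text $env(GPG_PASSPHRASE) reaches expect, so a pass phrase containing ", $ or [
# cannot break the Tcl quoting. rpmsign's exit status becomes expect's.
gen_expect_script() {
  set -- "$1"/*/*.rpm
  [ -e "$1" ] || { echo "no rpm packages found" >&2; return 1; }
  cat <<EOF
set timeout -1
spawn rpmsign --addsign $*
expect -re "pass"
send -- "\$env(GPG_PASSPHRASE)\r"
expect eof
exit [lindex [wait] 3]
EOF
}

# Sign every RPM under a package directory (default pass phrase path assumed).
sign_rpms() {
  pkgdir="$1"
  passfile="${2:-$HOME/.gnupg/rpm-sign-passphrase}"
  check_passphrase_file "$passfile" || return 1
  GPG_PASSPHRASE=$(cat "$passfile") || return 1
  export GPG_PASSPHRASE
  gen_expect_script "$pkgdir" | expect
  status=$?
  unset GPG_PASSPHRASE
  return $status
}

# Usage: sign-rpms.sh <pkgdir> [pass-phrase-file]
if [ $# -ge 1 ]; then sign_rpms "$@"; fi
```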

#3 Updated by Brau-Nogué Sylvie about 7 years ago

  • % Done changed from 20 to 100

Finally, the best choice is Use Case 3: a single GPG Key Server

  1. generate a GPG key on the signature server
  2. on each local platform → produce an unsigned rpm package
  3. transfer the package to the signature server
  4. on the signature server → sign the rpm packages and deploy

There are many reasons, the most important of which is to guarantee that the package is signed with the latest GPG signature.

#4 Updated by Knödlseder Jürgen about 7 years ago

On Mac OS X 10.11 I created an “S/MIME” certificate with the keychain tool. I was then able to sign the package on my Mac as follows:

$ productsign --sign 'ctools-2' ctools-1.2.0.pkg /Users/jurgen/ctools-1.2.0-signed.pkg
productsign: signing product with identity "ctools-2" from keychain /Users/jurgen/Library/Keychains/login.keychain
productsign: Wrote signed product archive to /Users/jurgen/ctools-1.2.0-signed.pkg

Note that I did not manage to sign the package with a “Code Signing” certificate.

I tried the same on the Mac OS X 10.7 VM, which is the machine where the OS X package is built. However, on that platform the signing did not work:

$ productsign --sign 'ctools' ctools-1.3.0.dev1.pkg ctools-1.3.0.dev1-signed.pkg
productsign: signing product with identity "ctools" from keychain /Users/jenkins/Library/Keychains/login.keychain
Error signing data.
productsign: error: Failed to sign the product.

Unfortunately there is no more information available explaining what happened.

#5 Updated by Knödlseder Jürgen about 7 years ago

No access to the ctools private key was granted. This can be changed in the Keychain Access application by double clicking on the ctools private key. Once this is done it worked:

$ productsign --sign 'ctools' ctools-1.3.0.dev1.pkg ctools-1.3.0.dev1-signed.pkg
productsign: signing product with identity "ctools" from keychain /Users/jenkins/Library/Keychains/login.keychain
productsign: Wrote signed product archive to ctools-1.3.0.dev1-signed.pkg

#6 Updated by Knödlseder Jürgen about 7 years ago

I added the signature to the Mac OS X product build step:

# Build product
productbuild --distribution $DISTFILE \
             --version $VERSION \
             --resources $SRCDIR/$CTOOLS \
             --package-path $PKGDIR \
             --sign 'ctools' \
             $PRODDIR/$CTOOLS.pkg

This gave
...
pkgbuild: Inferring bundle components from contents of /usr/local/gamma
pkgbuild: Writing new component property list to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/pkg/ctools-1.3.0.dev1-components.plist
pkgbuild: Reading components from /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/pkg/ctools-1.3.0.dev1-components.plist
pkgbuild: Wrote package to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/pkg/ctools-1.3.0.dev1.pkg
productbuild: Wrote synthesized distribution to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/prod/ctools-1.3.0.dev1.dist
productbuild: Signing product with identity "ctools" from keychain /Users/jenkins/Library/Keychains/login.keychain
productbuild: Wrote product to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/prod/ctools-1.3.0.dev1.pkg
.........................................................................
created: /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/ctools-1.3.0.dev1-macosx10.7.dmg

Looks like it worked.

#7 Updated by Knödlseder Jürgen about 7 years ago

For some reason, implementing the signature in the continuous release did not work:

pkgbuild: Inferring bundle components from contents of /usr/local/gamma
pkgbuild: Writing new component property list to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/pkg/ctools-1.3.0.dev1-components.plist
pkgbuild: Reading components from /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/pkg/ctools-1.3.0.dev1-components.plist
pkgbuild: Wrote package to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/pkg/ctools-1.3.0.dev1.pkg
productbuild: Wrote synthesized distribution to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/prod/ctools-1.3.0.dev1.dist
Error signing data.
productbuild: error: Could not sign product at "/Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/prod/ctools-1.3.0.dev1.pkg".
productbuild: Signing product with identity "ctools" from keychain /Users/jenkins/Library/Keychains/login.keychain

#8 Updated by Knödlseder Jürgen about 7 years ago

The reason was that Jenkins does not automatically unlock the local keychain. Adding

security unlock-keychain -p password login.keychain

solved the issue. However, since we don’t want to type the password visibly, another solution was moving the ctools certificate to the System.keychain.

#9 Updated by Knödlseder Jürgen about 7 years ago

Seems to work now:

productbuild: Wrote synthesized distribution to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/prod/ctools-1.3.0.dev1.dist
productbuild: Signing product with identity "ctools" from keychain /Library/Keychains/System.keychain
productbuild: Wrote product to /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/prod/ctools-1.3.0.dev1.pkg
created: /Users/jenkins/jenkins/workspace/ctools-cr-osx/pkg_build/ctools-1.3.0.dev1-macosx10.7.dmg

#10 Updated by Knödlseder Jürgen almost 7 years ago

  • Target version changed from 1.3.0 to 1.4.0

#11 Updated by Knödlseder Jürgen over 6 years ago

  • Target version changed from 1.4.0 to 1.5.0

#12 Updated by Knödlseder Jürgen about 6 years ago

  • Target version deleted (1.5.0)

#13 Updated by Brau-Nogué Sylvie almost 6 years ago

  • Status changed from In Progress to Closed

#14 Updated by Knödlseder Jürgen over 3 years ago

  • Related to Bug #3448: Installation of ctools-1.7.2 Mac OS X binary disk image failed on mac OS Catalina added
