AssembleManifest_rpm_Jenkinsfile.run() AssembleManifest_rpm_Jenkinsfile.pipeline(groovy.lang.Closure) AssembleManifest_rpm_Jenkinsfile.echo(Executing on agent [label:none]) AssembleManifest_rpm_Jenkinsfile.stage(assembleManifest rpm, groovy.lang.Closure) AssembleManifest_rpm_Jenkinsfile.script(groovy.lang.Closure) AssembleManifest_rpm_Jenkinsfile.assembleManifest({buildManifest=tests/data/opensearch-build-1.3.0-rpm.yml}) assembleManifest.legacySCM(groovy.lang.Closure) assembleManifest.library({identifier=jenkins@main, retriever=null}) assembleManifest.readYaml({file=tests/data/opensearch-build-1.3.0-rpm.yml}) BuildManifest.asBoolean() BuildManifest.getArtifactRootUrlWithoutDistribution(https://ci.opensearch.org/dbc, vars-build, 123) assembleManifest.sh(./assemble.sh "tests/data/opensearch-build-1.3.0-rpm.yml" --base-url https://ci.opensearch.org/dbc/vars-build/1.3.0/123/linux/x64) assembleManifest.signArtifacts({artifactPath=rpm/dist/opensearch, sigtype=.rpm, platform=linux}) signArtifacts.string({credentialsId=jenkins-rpm-signing-account-number, variable=RPM_SIGNING_ACCOUNT_NUMBER}) signArtifacts.string({credentialsId=jenkins-rpm-signing-passphrase-secrets-arn, variable=RPM_SIGNING_PASSPHRASE_SECRETS_ARN}) signArtifacts.string({credentialsId=jenkins-rpm-signing-secret-key-secrets-arn, variable=RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN}) signArtifacts.string({credentialsId=jenkins-rpm-signing-key-id, variable=RPM_SIGNING_KEY_ID}) signArtifacts.withCredentials([RPM_SIGNING_ACCOUNT_NUMBER, RPM_SIGNING_PASSPHRASE_SECRETS_ARN, RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN, RPM_SIGNING_KEY_ID], groovy.lang.Closure) signArtifacts.echo(RPM Add Sign) signArtifacts.withAWS({role=jenkins-prod-rpm-signing-assume-role, roleAccount=RPM_SIGNING_ACCOUNT_NUMBER, duration=900, roleSessionName=jenkins-signing-session}, groovy.lang.Closure) signArtifacts.sh(#!/bin/bash set -e set +x ARTIFACT_PATH="rpm/dist/opensearch" echo "------------------------------------------------------------------------" echo "Check Utility Versions" gpg_version_requirement="2.2.0" rpm_version_requirement="4.13.0" # https://bugzilla.redhat.com/show_bug.cgi?id=227632 gpg_version_check=`gpg --version | head -n 1 | grep -oE '[0-9.]+'` gpg_version_check_final=`echo $gpg_version_check $gpg_version_requirement | tr ' ' ' ' | sort -V | head -n 1` rpm_version_check=`rpm --version | head -n 1 | grep -oE '[0-9.]+'` rpm_version_check_final=`echo $rpm_version_check $rpm_version_requirement | tr ' ' ' ' | sort -V | head -n 1` echo -e "gpg_version_requirement gpg_version_check" echo -e "$gpg_version_requirement $gpg_version_check" echo -e "rpm_version_requirement rpm_version_check" echo -e "$rpm_version_requirement $rpm_version_check" if [[ $gpg_version_requirement = $gpg_version_check_final ]] && [[ $rpm_version_requirement = $rpm_version_check_final ]]; then echo "Utility version is equal or greater than set limit, continue." else echo "Utility version is lower than set limit, exit 1" exit 1 fi export GPG_TTY=`tty` echo "------------------------------------------------------------------------" echo "Setup RPM Macros" cp -v scripts/pkg/sign_templates/rpmmacros ~/.rpmmacros sed -i "s/##key_name##/OpenSearch project/g;s/##passphrase_name##/passphrase/g" ~/.rpmmacros echo "------------------------------------------------------------------------" echo "Import OpenSearch keys" aws secretsmanager get-secret-value --region us-west-2 --secret-id "RPM_SIGNING_PASSPHRASE_SECRETS_ARN" | jq -r .SecretBinary | base64 --decode > passphrase aws secretsmanager get-secret-value --region us-west-2 --secret-id "RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase - echo "------------------------------------------------------------------------" echo "Start Signing Rpm" if file $ARTIFACT_PATH | grep -q directory; then echo "Sign directory" for rpm_file in `ls $ARTIFACT_PATH`; do if file $ARTIFACT_PATH/$rpm_file | grep -q RPM; then rpm --addsign $ARTIFACT_PATH/$rpm_file rpm -qip $ARTIFACT_PATH/$rpm_file | grep Signature fi done elif file $ARTIFACT_PATH | grep -q RPM; then echo "Sign single rpm" rpm --addsign $ARTIFACT_PATH rpm -qip $ARTIFACT_PATH | grep Signature else echo "This is neither a directory nor a RPM pkg, exit 1" exit 1 fi echo "------------------------------------------------------------------------" echo "Clean up gpg" gpg --batch --yes --delete-secret-keys RPM_SIGNING_KEY_ID gpg --batch --yes --delete-keys RPM_SIGNING_KEY_ID rm -v passphrase ) assembleManifest.buildYumRepo({baseUrl=https://ci.opensearch.org/dbc/vars-build/1.3.0/123/linux/x64, buildManifest=tests/data/opensearch-build-1.3.0-rpm.yml}) buildYumRepo.legacySCM(groovy.lang.Closure) buildYumRepo.library({identifier=jenkins@main, retriever=null}) buildYumRepo.readYaml({file=tests/data/opensearch-build-1.3.0-rpm.yml}) BuildManifest.asBoolean() buildYumRepo.echo(Create yum repo metadata and repo file tests/data/opensearch-build-1.3.0-rpm.yml) buildYumRepo.sh(createrepo "rpm/dist/opensearch") buildYumRepo.writeFile({file=rpm/dist/opensearch/opensearch-1.3.0.staging.repo, text=[opensearch-1.3.0-123-staging] name=OpenSearch 1.3.0 123 Staging baseurl=https://ci.opensearch.org/dbc/vars-build/1.3.0/123/linux/x64/rpm/dist/opensearch/ enabled=1 gpgcheck=0 autorefresh=1 type=rpm-md})