SignArtifacts_Jenkinsfile.run() SignArtifacts_Jenkinsfile.pipeline(groovy.lang.Closure) SignArtifacts_Jenkinsfile.echo(Executing on agent [label:none]) SignArtifacts_Jenkinsfile.stage(sign, groovy.lang.Closure) SignArtifacts_Jenkinsfile.script(groovy.lang.Closure) SignArtifacts_Jenkinsfile.signArtifacts({artifactPath=/tmp/workspace/artifacts, sigtype=.sig, platform=linux}) signArtifacts.fileExists(/tmp/workspace/sign.sh) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE}) signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID}) signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET}) signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET}) signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure) signArtifacts.sh( #!/bin/bash set +x export ROLE=SIGNER_CLIENT_ROLE export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET /tmp/workspace/sign.sh /tmp/workspace/artifacts --sigtype .sig --platform linux ) SignArtifacts_Jenkinsfile.signArtifacts({artifactPath=/tmp/workspace/artifacts, sigtype=.rpm, platform=linux, overwrite=false}) signArtifacts.string({credentialsId=jenkins-rpm-signing-account-number, variable=RPM_SIGNING_ACCOUNT_NUMBER}) signArtifacts.string({credentialsId=jenkins-rpm-signing-passphrase-secrets-arn, variable=RPM_SIGNING_PASSPHRASE_SECRETS_ARN}) signArtifacts.string({credentialsId=jenkins-rpm-signing-secret-key-secrets-arn, variable=RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN}) signArtifacts.string({credentialsId=jenkins-rpm-signing-key-id, variable=RPM_SIGNING_KEY_ID}) signArtifacts.withCredentials([RPM_SIGNING_ACCOUNT_NUMBER, RPM_SIGNING_PASSPHRASE_SECRETS_ARN, RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN, RPM_SIGNING_KEY_ID], groovy.lang.Closure) signArtifacts.echo(RPM Add Sign) signArtifacts.withAWS({role=jenkins-prod-rpm-signing-assume-role, roleAccount=RPM_SIGNING_ACCOUNT_NUMBER, duration=900, roleSessionName=jenkins-signing-session}, groovy.lang.Closure) signArtifacts.sh(#!/bin/bash set -e set +x ARTIFACT_PATH="/tmp/workspace/artifacts" echo "------------------------------------------------------------------------" echo "Check Utility Versions" gpg_version_requirement="2.2.0" rpm_version_requirement="4.13.0" # https://bugzilla.redhat.com/show_bug.cgi?id=227632 gpg_version_check=`gpg --version | head -n 1 | grep -oE '[0-9.]+'` gpg_version_check_final=`echo $gpg_version_check $gpg_version_requirement | tr ' ' ' ' | sort -V | head -n 1` rpm_version_check=`rpm --version | head -n 1 | grep -oE '[0-9.]+'` rpm_version_check_final=`echo $rpm_version_check $rpm_version_requirement | tr ' ' ' ' | sort -V | head -n 1` echo -e "gpg_version_requirement gpg_version_check" echo -e "$gpg_version_requirement $gpg_version_check" echo -e "rpm_version_requirement rpm_version_check" echo -e "$rpm_version_requirement $rpm_version_check" if [[ $gpg_version_requirement = $gpg_version_check_final ]] && [[ $rpm_version_requirement = $rpm_version_check_final ]]; then echo "Utility version is equal or greater than set limit, continue." else echo "Utility version is lower than set limit, exit 1" exit 1 fi export GPG_TTY=`tty` echo "------------------------------------------------------------------------" echo "Setup RPM Macros" cp -v scripts/pkg/sign_templates/rpmmacros ~/.rpmmacros sed -i "s/##key_name##/OpenSearch project/g;s/##passphrase_name##/passphrase/g" ~/.rpmmacros echo "------------------------------------------------------------------------" echo "Import OpenSearch keys" aws secretsmanager get-secret-value --region us-west-2 --secret-id "RPM_SIGNING_PASSPHRASE_SECRETS_ARN" | jq -r .SecretBinary | base64 --decode > passphrase aws secretsmanager get-secret-value --region us-west-2 --secret-id "RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase - echo "------------------------------------------------------------------------" echo "Start Signing Rpm" if file $ARTIFACT_PATH | grep -q directory; then echo "Sign directory" for rpm_file in `ls $ARTIFACT_PATH`; do if file $ARTIFACT_PATH/$rpm_file | grep -q RPM; then rpm --addsign $ARTIFACT_PATH/$rpm_file rpm -qip $ARTIFACT_PATH/$rpm_file | grep Signature fi done elif file $ARTIFACT_PATH | grep -q RPM; then echo "Sign single rpm" rpm --addsign $ARTIFACT_PATH rpm -qip $ARTIFACT_PATH | grep Signature else echo "This is neither a directory nor a RPM pkg, exit 1" exit 1 fi echo "------------------------------------------------------------------------" echo "Clean up gpg" gpg --batch --yes --delete-secret-keys RPM_SIGNING_KEY_ID gpg --batch --yes --delete-keys RPM_SIGNING_KEY_ID rm -v passphrase ) SignArtifacts_Jenkinsfile.signArtifacts({artifactPath=/tmp/workspace/file.yml, platform=linux, type=maven}) signArtifacts.fileExists(/tmp/workspace/sign.sh) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE}) signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID}) signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET}) signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET}) signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure) signArtifacts.sh( #!/bin/bash set +x export ROLE=SIGNER_CLIENT_ROLE export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET /tmp/workspace/sign.sh /tmp/workspace/file.yml --platform linux --type maven ) SignArtifacts_Jenkinsfile.signArtifacts({artifactPath=/tmp/workspace/the_msi.msi, platform=windows, overwrite=true}) signArtifacts.fileExists(/tmp/workspace/sign.sh) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) signArtifacts.string({credentialsId=jenkins-signer-windows-role, variable=SIGNER_WINDOWS_ROLE}) signArtifacts.string({credentialsId=jenkins-signer-windows-external-id, variable=SIGNER_WINDOWS_EXTERNAL_ID}) signArtifacts.string({credentialsId=jenkins-signer-windows-unsigned-bucket, variable=SIGNER_WINDOWS_UNSIGNED_BUCKET}) signArtifacts.string({credentialsId=jenkins-signer-windows-signed-bucket, variable=SIGNER_WINDOWS_SIGNED_BUCKET}) signArtifacts.string({credentialsId=jenkins-signer-windows-profile-identifier, variable=SIGNER_WINDOWS_PROFILE_IDENTIFIER}) signArtifacts.string({credentialsId=jenkins-signer-windows-platform-identifier, variable=SIGNER_WINDOWS_PLATFORM_IDENTIFIER}) signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_WINDOWS_ROLE, SIGNER_WINDOWS_EXTERNAL_ID, SIGNER_WINDOWS_UNSIGNED_BUCKET, SIGNER_WINDOWS_SIGNED_BUCKET, SIGNER_WINDOWS_PROFILE_IDENTIFIER, SIGNER_WINDOWS_PLATFORM_IDENTIFIER], groovy.lang.Closure) signArtifacts.sh( #!/bin/bash set +x export ROLE=SIGNER_WINDOWS_ROLE export EXTERNAL_ID=SIGNER_WINDOWS_EXTERNAL_ID export UNSIGNED_BUCKET=SIGNER_WINDOWS_UNSIGNED_BUCKET export SIGNED_BUCKET=SIGNER_WINDOWS_SIGNED_BUCKET export PROFILE_IDENTIFIER=SIGNER_WINDOWS_PROFILE_IDENTIFIER export PLATFORM_IDENTIFIER=SIGNER_WINDOWS_PLATFORM_IDENTIFIER /tmp/workspace/sign.sh /tmp/workspace/the_msi.msi --platform windows --overwrite ) SignArtifacts_Jenkinsfile.signArtifacts({artifactPath=/tmp/workspace/the_pkg.pkg, platform=mac, overwrite=true}) signArtifacts.fileExists(/tmp/workspace/sign.sh) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) signArtifacts.string({credentialsId=jenkins-signer-mac-role, variable=SIGNER_MAC_ROLE}) signArtifacts.string({credentialsId=jenkins-signer-mac-external-id, variable=SIGNER_MAC_EXTERNAL_ID}) signArtifacts.string({credentialsId=jenkins-signer-mac-unsigned-bucket, variable=SIGNER_MAC_UNSIGNED_BUCKET}) signArtifacts.string({credentialsId=jenkins-signer-mac-signed-bucket, variable=SIGNER_MAC_SIGNED_BUCKET}) signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_MAC_ROLE, SIGNER_MAC_EXTERNAL_ID, SIGNER_MAC_UNSIGNED_BUCKET, SIGNER_MAC_SIGNED_BUCKET], groovy.lang.Closure) signArtifacts.sh( #!/bin/bash set +x export ROLE=SIGNER_MAC_ROLE export EXTERNAL_ID=SIGNER_MAC_EXTERNAL_ID export UNSIGNED_BUCKET=SIGNER_MAC_UNSIGNED_BUCKET export SIGNED_BUCKET=SIGNER_MAC_SIGNED_BUCKET /tmp/workspace/sign.sh /tmp/workspace/the_pkg.pkg --platform mac --overwrite )