
WIP: Sign packages (with Rake task added)

Jason Plum requested to merge sign-packages-rake into master

This is intended to rebase and replace !922 (closed).

Stemming from https://gitlab.com/gitlab-org/omnibus-gitlab/issues/2537, we decided that it would be cleaner and faster to implement full package signing than creating, transferring, and posting hashes of packages to a server outside of PackageCloud.

Problem

  • Packages need to be signed.
  • Omnibus supports signing .rpm files
  • Omnibus does not support signing .deb files.

Path forward

RPM

For RPM files, the answer is simple. Enable it in Omnibus, and make necessary infrastructure and information available to dev in order to sign the packages. @marin had conveniently already done the work, but PackageCloud didn't support it at the time. Pull the changes from @marin's !922 (closed), rebase onto master, and try again.

DEB

For DEB files, we're on the short end of the stick. Currently, support is not present in Omnibus itself. A community member had done a significant source of the work, but had not submitted an MR as it was reliant on debsigs and they had a drawback in that they did not have a clean way to pass the signing key's passphrase to the called program. As a result of the issues, the omnibus community decided that revisiting the efforts with a mind to replace the debsigs calls with pure Ruby implementation was in order. Nothing progressed from that point.

For the time being, I have implemented a Rake task (repository:sign) that will take the packages and sign them prior to the upload to AWS. This is done by injecting a step in the Makefile prior to the sync step that uploads them to S3.

Thankfully, the .deb format is relatively simple in how it adds the signatures of the package, and we can use a simple series of calls to ar mixed with the GPGME Gem in order to sign.

Future

The work done by the Rake tasks should not be in the Rake task.

  • We should get this logic moved into Omnibus, and allow the greater community to also have this capability.
  • The added fact is that it will also reduce the complexity of our codebase here, which is always wanted.

cc @briann
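The ar handling the description refers to, as an added example that is not part of this MR or of omnibus-gitlab: a pure-Ruby ar reader/writer that appends a debsigs-style `_gpgorigin` member carrying a detached signature, plus the matching verification path. Assumptions: the signed payload is the concatenation of the debian-binary, control.tar.* and data.tar.* members in archive order (that is how debsigs "origin" signatures are built; confirm against debsig-verify before relying on it); the signing backend is a stand-in OpenSSL RSA key so the example runs offline, where the Rake task would call GPGME; the `GPGME::Crypto#detach_sign` form shown in a comment is an assumed spelling of that gem's API; `sample_deb` is a constructed package whose tarball members are placeholder bytes.

```ruby
# Added example (not omnibus-gitlab code): debsigs-style `_gpgorigin` signing of a .deb
# using a pure-Ruby ar reader/writer. The signing backend is pluggable; the Rake task in
# the MR uses GPGME, this example uses an OpenSSL RSA stand-in so it runs offline.
require 'openssl'

AR_MAGIC = "!<arch>\n".b
AR_HEADER_LEN = 60

# An ar member: name plus raw bytes. Other header fields are regenerated on write.
Member = Struct.new(:name, :data)

# Parse a (.deb) ar archive into its members, in order.
def parse_ar(bytes)
  raise ArgumentError, 'not an ar archive' unless bytes.byteslice(0, 8) == AR_MAGIC
  members = []
  off = 8
  while off + AR_HEADER_LEN <= bytes.bytesize
    hdr = bytes.byteslice(off, AR_HEADER_LEN)
    raise ArgumentError, "bad member header at #{off}" unless hdr.byteslice(58, 2) == "`\n".b
    name = hdr.byteslice(0, 16).rstrip.sub(%r{/\z}, '')   # GNU ar may append '/'
    size = Integer(hdr.byteslice(48, 10).strip, 10)
    data = bytes.byteslice(off + AR_HEADER_LEN, size)
    raise ArgumentError, "truncated member #{name}" if data.nil? || data.bytesize != size
    members << Member.new(name, data)
    off += AR_HEADER_LEN + size + (size.odd? ? 1 : 0)   # members are padded to even offsets
  end
  members
end

# Serialise one member: 60-byte header (name, mtime, uid, gid, mode, size, magic) + data + pad.
def ar_member_bytes(name, data, mtime: 0)
  hdr = format("%-16s%-12d%-6d%-6d%-8s%-10d`\n", name, mtime, 0, 0, '100644', data.bytesize).b
  hdr + data.b + (data.bytesize.odd? ? "\n".b : ''.b)
end

def build_ar(members)
  AR_MAGIC + members.map { |m| ar_member_bytes(m.name, m.data) }.join
end

# debsigs "origin" signatures cover the concatenated contents of debian-binary,
# control.tar.* and data.tar.*, in archive order (assumption; check against debsig-verify).
def origin_payload(members)
  wanted = members.select { |m| m.name == 'debian-binary' || m.name.start_with?('control.tar', 'data.tar') }
  raise ArgumentError, 'not a .deb: expected debian-binary, control.tar.*, data.tar.*' unless wanted.size == 3
  wanted.map(&:data).join
end

# Append a `_gpgorigin` member holding the detached signature produced by `signer`,
# a callable taking the payload bytes and returning signature bytes. With GPGME (as the
# Rake task does) that callable would look roughly like this (assumed API, key_id and
# passphrase are hypothetical):
#   ->(payload) { GPGME::Crypto.new.detach_sign(payload, signer: key_id, password: passphrase).to_s }
def sign_deb(deb_bytes, signer)
  members = parse_ar(deb_bytes)
  raise ArgumentError, 'package already carries _gpgorigin' if members.any? { |m| m.name == '_gpgorigin' }
  signature = signer.call(origin_payload(members))
  build_ar(members + [Member.new('_gpgorigin', signature)])
end

# Re-derive the payload from the archive and check the stored signature against it.
# verifier: callable (payload, signature) -> true/false. Returns false when unsigned.
def verify_deb(deb_bytes, verifier)
  members = parse_ar(deb_bytes)
  sig = members.find { |m| m.name == '_gpgorigin' }
  return false unless sig
  verifier.call(origin_payload(members), sig.data)
end

# Stand-in key material so the example runs offline; the real task signs with a GPG key.
STANDIN_KEY  = OpenSSL::PKey::RSA.new(2048)
RSA_SIGNER   = ->(payload) { STANDIN_KEY.sign('SHA256', payload) }
RSA_VERIFIER = ->(payload, sig) { STANDIN_KEY.verify('SHA256', sig, payload) }

# Constructed minimal package: a real .deb carries gzip/xz tarballs here, placeholders suffice
# for exercising the ar layer (the odd-length control member exercises padding).
def sample_deb
  build_ar([
    Member.new('debian-binary', "2.0\n"),
    Member.new('control.tar.gz', 'control-placeholder'),
    Member.new('data.tar.gz', 'data-placeholder')
  ])
end

if __FILE__ == $PROGRAM_NAME
  signed = sign_deb(sample_deb, RSA_SIGNER)
  puts parse_ar(signed).map(&:name).inspect
  puts "verified: #{verify_deb(signed, RSA_VERIFIER)}"
end
```

The verification side recomputes the payload from the archive rather than trusting anything stored in the signature member, so a package whose data.tar.* was swapped after signing fails even though `_gpgorigin` is still present; the signer callable is the only place the signing key or passphrase is touched, which is where the passphrase-handling problem the description mentions would be solved with GPGME rather than by shelling out to debsigs.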
