WIP: Sign packages (with Rake task added)
This is intended to rebase and replace !922 (closed).
Stemming from https://gitlab.com/gitlab-org/omnibus-gitlab/issues/2537, we decided that it would be cleaner and faster to implement full package signing than creating, transfering, and posting hashes of packages to a server outside of PackageCloud.
Problem
- Packages need to be signed.
- Omnibus supports signing `.rpm` files.
- Omnibus does not support signing `.deb` files.
Path forward
RPM
For RPM files, the answer is simple: enable it in Omnibus, and make the necessary infrastructure and information available to dev in order to sign the packages. @marin had conveniently already done the work, but PackageCloud didn't support it at the time. Pull the changes from @marin's !922 (closed), rebase onto `master`, and try again.
DEB
For DEB files, we're on the short end of the stick. Currently, support is not present in Omnibus itself. A community member had done a significant portion of the work, but had not submitted an MR because it relied on `debsigs`, which had the drawback that there was no clean way to pass the signing key's passphrase to the called program. As a result of these issues, the Omnibus community decided that the effort should be revisited with a view to replacing the `debsigs` calls with a pure Ruby implementation. Nothing progressed from that point.
For the time being, I have implemented a Rake task (`repository:sign`) that will take the packages and sign them prior to the upload to AWS. This is done by injecting a step in the `Makefile` prior to the `sync` step that uploads them to S3.
Thankfully, the `.deb` format is relatively simple in how it adds the signatures of the package, and we can use a simple series of calls to `ar` mixed with the `GPGME` Gem in order to sign.
Future
The work done by the Rake task should not live in the Rake task.
- We should get this logic moved into Omnibus, and allow the greater community to also have this capability.
- The added benefit is that it will also reduce the complexity of our codebase here, which is always welcome.
cc @briann