Sign `tini` and `tini-static` binaries

The GPG signing subkey and passphrase are respectively provided through a Travis encrypted file and a Travis encrypted environment variable. Signing is only done if there is a signing key present when the build is complete (so as to not fail when e.g. building a PR that doesn't have encrypted files available).
2016-01-26 21:35:24 -05:00 · 2016-01-26 21:35:24 -05:00 · 44b5675f0e
parent 428d960140
commit 44b5675f0e
7 changed files with 46 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,3 @@
 dist
+sign.key
+.env
--- a/.travis.yml
+++ b/.travis.yml
@ -23,6 +23,15 @@ addons:
    - python-pip
    - python-virtualenv
    - hardening-includes
+    - gnupg
+
+env:
+  global:
+    - SIGN_BINARIES=1
+    - secure: "RKF9Z9gLxp6k/xITqn7ma1E9HfpYcDXuJFf4862WeH9EMnK9lDq+TWnGsQfkIlqh8h9goe7U+BvRiTibj9MiD5u7eluLo3dlwsLxPpYtyswYeLeC1wKKdT5LPGAXbRKomvBalRYMI+dDnGIM4w96mHgGGvx2zZXGkiAQhm6fJ3k="
+
+before_install:
+  - openssl aes-256-cbc -K $encrypted_2893fd5649e7_key -iv $encrypted_2893fd5649e7_iv -in sign.key.enc -out sign.key -d || echo "Encrypted signing key unavailable"

 script: ./ci/run_build.sh

@ -34,7 +43,9 @@ deploy:
    secure: Yk90ANpSPv1iJy8QDXCPwfaSmEr/WIJ3bzhQ6X8JvZjfrwTosbh0HrUzQyeac3nyvNwj7YJRssolOFc21IBKPpCFTZqYxSkuLPU6ysG4HGHgN6YJhOMm4mG4KKJ6741q3DJendhZpalBhCEi+NcZK/PCSD97Vl4OqRjBUged0fs=
  file:
    - "./dist/tini"
+    - "./dist/tini.asc"
    - "./dist/tini-static"
+    - "./dist/tini-static.asc"
    - "./dist/tini_0.8.4.deb"
    - "./dist/tini_0.8.4.rpm"
  on:
--- a/2
+++ b/2
@ -1,7 +1,7 @@
 FROM ubuntu:precise

 RUN apt-get update \
- && apt-get install --no-install-recommends --yes build-essential git gdb valgrind cmake rpm python-dev libcap-dev python-pip python-virtualenv hardening-includes \
+ && apt-get install --no-install-recommends --yes build-essential git gdb valgrind cmake rpm python-dev libcap-dev python-pip python-virtualenv hardening-includes gnupg \
 && rm -rf /var/lib/apt/lists/*

 # Pre-install those here for faster local builds.
--- a/ci/run_build.sh
+++ b/ci/run_build.sh
@ -11,6 +11,9 @@ set -o nounset
 : ${DIST_DIR:="${SOURCE_DIR}/dist"}
 : ${BUILD_DIR:="/tmp/build"}

+# GPG Configuration
+: ${GPG_PASSPHRASE:=""}
+

 # Make those paths absolute, and export them for the Python tests to consume.
 export SOURCE_DIR="$(readlink -f "${SOURCE_DIR}")"
@ -44,7 +47,6 @@ pushd "${BUILD_DIR}"
 make clean
 make
 make package
-
 popd

 # Smoke tests (actual tests need Docker to run; they don't run within the CI environment)
@ -104,3 +106,20 @@ pip install psutil python-prctl bitmap

 # Run tests
 python "${SOURCE_DIR}/test/run_inner_tests.py"
+
+# If a signing key is made available, then use it to sign the binaries
+if [[ -f "${SOURCE_DIR}/sign.key" ]]; then
+  echo "Signing binaries"
+  GPG_SIGN_HOMEDIR="${BUILD_DIR}/gpg-sign"
+  GPG_VERIFY_HOMEDIR="${BUILD_DIR}/gpg-verify"
+  mkdir "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}"
+  chmod 700 "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}"
+
+  gpg --homedir "${GPG_SIGN_HOMEDIR}" --import "${SOURCE_DIR}/sign.key"
+  gpg --homedir "${GPG_VERIFY_HOMEDIR}" --keyserver ha.pool.sks-keyservers.net --recv-keys 0527A9B7
+
+  for tini in "${DIST_DIR}/tini" "${DIST_DIR}/tini-static"; do
+    echo "${GPG_PASSPHRASE}" | gpg --homedir "${GPG_SIGN_HOMEDIR}" --passphrase-fd 0 --armor --detach-sign "${tini}"
+    gpg --homedir "${GPG_VERIFY_HOMEDIR}" --verify "${tini}.asc"
+  done
+fi
--- a/ddist.sh
+++ b/ddist.sh
@ -22,4 +22,5 @@ docker run -it --rm \
  -e BUILD_DIR=/tmp/tini-build \
  -e SOURCE_DIR="${SRC}" \
  -e FORCE_SUBREAPER="${FORCE_SUBREAPER}" \
+  -e GPG_PASSPHRASE="${GPG_PASSPHRASE}" \
  "${IMG}" "${SRC}/ci/run_build.sh"
--- a/sign.key.enc
+++ b/sign.key.enc
--- a/tpl/travis.yml.tpl
+++ b/tpl/travis.yml.tpl
@ -23,6 +23,15 @@ addons:
    - python-pip
    - python-virtualenv
    - hardening-includes
+    - gnupg
+
+env:
+  global:
+    - SIGN_BINARIES=1
+    - secure: "RKF9Z9gLxp6k/xITqn7ma1E9HfpYcDXuJFf4862WeH9EMnK9lDq+TWnGsQfkIlqh8h9goe7U+BvRiTibj9MiD5u7eluLo3dlwsLxPpYtyswYeLeC1wKKdT5LPGAXbRKomvBalRYMI+dDnGIM4w96mHgGGvx2zZXGkiAQhm6fJ3k="
+
+before_install:
+  - openssl aes-256-cbc -K $encrypted_2893fd5649e7_key -iv $encrypted_2893fd5649e7_iv -in sign.key.enc -out sign.key -d || echo "Encrypted signing key unavailable"

 script: ./ci/run_build.sh

@ -34,7 +43,9 @@ deploy:
    secure: Yk90ANpSPv1iJy8QDXCPwfaSmEr/WIJ3bzhQ6X8JvZjfrwTosbh0HrUzQyeac3nyvNwj7YJRssolOFc21IBKPpCFTZqYxSkuLPU6ysG4HGHgN6YJhOMm4mG4KKJ6741q3DJendhZpalBhCEi+NcZK/PCSD97Vl4OqRjBUged0fs=
  file:
    - "./dist/tini"
+    - "./dist/tini.asc"
    - "./dist/tini-static"
+    - "./dist/tini-static.asc"
    - "./dist/tini_@tini_VERSION_MAJOR@.@tini_VERSION_MINOR@.@tini_VERSION_PATCH@.deb"
    - "./dist/tini_@tini_VERSION_MAJOR@.@tini_VERSION_MINOR@.@tini_VERSION_PATCH@.rpm"
  on: