Add ability to use a different GPG key identifier

Signed-off-by: Mike Dougherty <mike.dougherty@docker.com>
2022-11-09 12:21:53 -05:00 · 2015-08-25 12:27:25 -07:00 · 2015-08-25 12:27:25 -07:00 · 7ca017eb62
commit 7ca017eb62
parent b46c15e772
4 changed files with 21 additions and 17 deletions
--- a/hack/make/release-deb
+++ b/hack/make/release-deb
@ -15,6 +15,7 @@ set -e
 # ... and so on and so forth for the builds created by hack/make/build-deb

 : ${DOCKER_RELEASE_DIR:=$DEST}
+: ${GPG_KEYID:=releasedocker}
 APTDIR=$DOCKER_RELEASE_DIR/apt/repo

 # setup the apt repo (if it does not exist)
@ -63,7 +64,7 @@ for dir in contrib/builder/deb/*/; do
 	# dpkg-sign before reprepro
 	if [ ! -z "$GPG_PASSPHRASE" ]; then
 		dpkg-sig -g "--passphrase $GPG_PASSPHRASE" \
-			-k releasedocker --sign builder "${DEBFILE[@]}"
+			-k "$GPG_KEYID" --sign builder "${DEBFILE[@]}"
 	fi

 	reprepro -v $options \
--- a/hack/make/release-rpm
+++ b/hack/make/release-rpm
@ -16,6 +16,7 @@ set -e

 : ${DOCKER_RELEASE_DIR:=$DEST}
 YUMDIR=$DOCKER_RELEASE_DIR/yum/repo
+: ${GPG_KEYID:=releasedocker}

 # manage the repos for each distribution separately
 distros=( fedora centos oraclelinux )
@ -53,15 +54,15 @@ for distro in "${distros[@]}"; do
 		# sign the rpms before adding to repo
 		if [ ! -z $GPG_PASSPHRASE ]; then
 			# export our key to rpm import
-			gpg --armor --export releasedocker > /tmp/gpg
+			gpg --armor --export "$GPG_KEYID" > /tmp/gpg
 			rpm --import /tmp/gpg

 			# sign the rpms
 			echo "yes" | setsid rpm \
-				--define '_gpg_name releasedocker' \
-				--define '_signature gpg' \
-				--define '__gpg_check_password_cmd /bin/true' \
-				--define '__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --passphrase '$GPG_PASSPHRASE' --no-secmem-warning -u "%{_gpg_name}" --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}' \
+				--define "_gpg_name $GPG_KEYID" \
+				--define "_signature gpg" \
+				--define "__gpg_check_password_cmd /bin/true" \
+				--define "__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --passphrase '$GPG_PASSPHRASE' --no-secmem-warning -u '%{_gpg_name}' --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}" \
 				--resign "${RPMFILE[@]}"
 		fi

--- a/hack/make/sign-repos
+++ b/hack/make/sign-repos
@ -4,6 +4,7 @@
 # with a designated GPG key.

 : ${DOCKER_RELEASE_DIR:=$DEST}
+: ${GPG_KEYID:=releasedocker}
 APTDIR=$DOCKER_RELEASE_DIR/apt/repo
 YUMDIR=$DOCKER_RELEASE_DIR/yum/repo

@ -21,12 +22,12 @@ sign_packages(){
 	# sign apt repo metadata
 	if [ -d $APTDIR ]; then
 		# create file with public key
-		gpg --armor --export releasedocker > "$DOCKER_RELEASE_DIR/apt/gpg"
+		gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/apt/gpg"

 		# sign the repo metadata
 		for F in $(find $APTDIR -name Release); do
 			if test "$F" -nt "$F.gpg" ; then
-				gpg -u releasedocker --passphrase "$GPG_PASSPHRASE" \
+				gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
 					--armor --sign --detach-sign \
 					--batch --yes \
 					--output "$F.gpg" "$F"
@ -37,12 +38,12 @@ sign_packages(){
 	# sign yum repo metadata
 	if [ -d $YUMDIR ]; then
 		# create file with public key
-		gpg --armor --export releasedocker > "$DOCKER_RELEASE_DIR/yum/gpg"
+		gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/yum/gpg"

 		# sign the repo metadata
 		for F in $(find $YUMDIR -name repomd.xml); do
 			if test "$F" -nt "$F.asc" ; then
-				gpg -u releasedocker --passphrase "$GPG_PASSPHRASE" \
+				gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
 					--armor --sign --detach-sign \
 					--batch --yes \
 					--output "$F.asc" "$F"
--- a/hack/release.sh
+++ b/hack/release.sh
@ -22,8 +22,9 @@ To run, I need:
  environment variables AWS_S3_BUCKET and AWS_S3_BUCKET_PATH (default: '');
 - to be provided with AWS credentials for this S3 bucket, in environment
  variables AWS_ACCESS_KEY and AWS_SECRET_KEY;
- the passphrase to unlock the GPG key which will sign the deb packages
-  (passed as environment variable GPG_PASSPHRASE);
+- the passphrase to unlock the GPG key specified by the optional environment
+  variable GPG_KEYID (default: releasedocker) which will sign the deb
+  packages (passed as environment variable GPG_PASSPHRASE);
 - a generous amount of good will and nice manners.
 The canonical way to run me is to run the image produced by the Dockerfile: e.g.:"

@ -265,7 +266,7 @@ release_ubuntu() {
 	local debfiles=( "bundles/$VERSION/ubuntu/"*.deb )

 	# Sign our packages
-	dpkg-sig -g "--passphrase $GPG_PASSPHRASE" -k releasedocker --sign builder "${debfiles[@]}"
+	dpkg-sig -g "--passphrase $GPG_PASSPHRASE" -k "$GPG_KEYID" --sign builder "${debfiles[@]}"

 	# Setup the APT repo
 	APTDIR=bundles/$VERSION/ubuntu/apt
@ -282,14 +283,14 @@ EOF

 	# Sign
 	for F in $(find $APTDIR -name Release); do
-		gpg -u releasedocker --passphrase "$GPG_PASSPHRASE" \
+		gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
 			--armor --sign --detach-sign \
 			--output "$F.gpg" "$F"
 	done

 	# Upload keys
 	s3cmd sync "$HOME/.gnupg/" "s3://$BUCKET/ubuntu/.gnupg/"
-	gpg --armor --export releasedocker > "bundles/$VERSION/ubuntu/gpg"
+	gpg --armor --export "$GPG_KEYID" > "bundles/$VERSION/ubuntu/gpg"
 	s3cmd --acl-public put "bundles/$VERSION/ubuntu/gpg" "s3://$BUCKET/gpg"

 	local gpgFingerprint=36A1D7869245C8950F966E92D8576A8BA88D21E9
@ -365,14 +366,14 @@ setup_gpg() {
 	# Make sure that we have our keys
 	mkdir -p "$HOME/.gnupg/"
 	s3cmd sync "s3://$BUCKET/ubuntu/.gnupg/" "$HOME/.gnupg/" || true
-	gpg --list-keys releasedocker >/dev/null || {
+	gpg --list-keys "$GPG_KEYID" >/dev/null || {
 		gpg --gen-key --batch <<EOF
 Key-Type: RSA
 Key-Length: 4096
 Passphrase: $GPG_PASSPHRASE
 Name-Real: Docker Release Tool
 Name-Email: docker@docker.com
-Name-Comment: releasedocker
+Name-Comment: $GPG_KEYID
 Expire-Date: 0
 %commit
 EOF