From 9c06420b1876a58d2cd6ea38e5c5139ca42061fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Petazzoni?=
Date: Wed, 14 Aug 2013 17:02:55 -0700
Subject: [PATCH] Implement apt-secure repository signing.

---
 Dockerfile | 2 +-
 make.sh | 3 +++
 release.sh | 51 ++++++++++++++++++++++++++++++++++++++++++++++-----
 3 files changed, 50 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 218a187c39..1dcadc45f4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,7 +17,7 @@ run cd /tmp && echo 'package main' > t.go && go test -a -i -v
 # Ubuntu stuff
 run apt-get install -y -q ruby1.9.3 rubygems
 run gem install fpm
run apt-get install -y -q reprepro
+run apt-get install -y -q reprepro dpkg-sig
 # Install s3cmd 1.0.1 (earlier versions don't support env variables in the config)
 run apt-get install -y -q python-pip
 run pip install s3cmd
diff --git a/make.sh b/make.sh
index 572170ed36..78ea004d00 100755
--- a/make.sh
+++ b/make.sh
@@ -106,7 +106,9 @@ EOF
 --description "$PACKAGE_DESCRIPTION" \
 --maintainer "$PACKAGE_MAINTAINER" \
 --conflicts lxc-docker-virtual-package \
+ --provides lxc-docker \
 --provides lxc-docker-virtual-package \
+ --replaces lxc-docker \
 --replaces lxc-docker-virtual-package \
 --url "$PACKAGE_URL" \
 --vendor "$PACKAGE_VENDOR" \
@@ -147,6 +149,7 @@ AWS_ACCESS_KEY, and AWS_SECRET_KEY environment variables:
 docker run -e AWS_S3_BUCKET=get-staging.docker.io \\
 AWS_ACCESS_KEY=AKI1234... \\
 AWS_SECRET_KEY=sEs3mE... \\
+ GPG_PASSPHRASE=sesame... \\
 image_id_or_name
 ###############################################################################
 EOF
diff --git a/release.sh b/release.sh
index dacde5d3fe..f4047cc172 100755
--- a/release.sh
+++ b/release.sh
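Review bot: The new `--provides lxc-docker` / `--replaces lxc-docker` pair in the make.sh fpm hunk has no matching `--conflicts lxc-docker`, unlike the lxc-docker-virtual-package entries right next to it which carry all three; with Replaces but no Conflicts, dpkg only lets this package overwrite the other package's files while leaving it installed, so the takeover of the name is incomplete. If lxc-docker is a real package that this build supersedes, add `--conflicts lxc-docker \` beside the existing `--conflicts lxc-docker-virtual-package \`. The fpm invocation starts before this hunk, so the package's own `--name` is not visible; if that name is itself lxc-docker, the added lines are redundant rather than harmful and the conflicts entry should be left out.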
@@ -22,12 +22,15 @@ To run, I need: AWS_S3_BUCKET; - to be provided with AWS credentials for this S3 bucket, in environment variables AWS_ACCESS_KEY and AWS_SECRET_KEY; +- the passphrase to unlock the GPG key which will sign the deb packages + (passed as environment variable GPG_PASSPHRASE); - a generous amount of good will and nice manners. The canonical way to run me is to run the image produced by the Dockerfile: e.g.:" docker run -e AWS_S3_BUCKET=get-staging.docker.io \\ AWS_ACCESS_KEY=AKI1234... \\ - AWS_SECRET_KEY=sEs3mE... \\ + AWS_SECRET_KEY=sEs4mE... \\ + GPG_PASSPHRASE=m0resEs4mE... \\ f0058411 EOF exit 1 @@ -36,6 +39,7 @@ EOF [ "$AWS_S3_BUCKET" ] || usage [ "$AWS_ACCESS_KEY" ] || usage [ "$AWS_SECRET_KEY" ] || usage +[ "$GPG_PASSPHRASE" ] || usage [ -d /go/src/github.com/dotcloud/docker/ ] || usage cd /go/src/github.com/dotcloud/docker/ @@ -69,6 +73,26 @@ s3_url() { # 1. A full APT repository is published at $BUCKET/ubuntu/ # 2. Instructions for using the APT repository are uploaded at $BUCKET/ubuntu/info release_ubuntu() { + # Make sure that we have our keys + mkdir -p /.gnupg/ + s3cmd sync s3://$BUCKET/ubuntu/.gnupg/ /.gnupg/ || true + gpg --list-keys releasedocker >/dev/null || { + gpg --gen-key --batch < bundles/$VERSION/ubuntu/gpg + s3cmd --acl-public put bundles/$VERSION/ubuntu/gpg s3://$BUCKET/gpg + + # Upload repo + s3cmd --acl-public sync $APTDIR/ s3://$BUCKET/ubuntu/ cat < /etc/apt/sources.list.d/docker.list +# Then import the repository key +curl $(s3_url $BUCKET)/gpg | apt-key add - +# Install docker +apt-get update ; apt-get install lxc-docker EOF echo "APT repository uploaded. Instructions available at $(s3_url $BUCKET)/ubuntu/info" }
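Review bot: In release_ubuntu, `s3cmd sync s3://$BUCKET/ubuntu/.gnupg/ /.gnupg/ || true` makes a failed keyring download indistinguishable from a first run, so the following `gpg --list-keys releasedocker >/dev/null || { gpg --gen-key ...` mints a brand-new signing key and the later `s3cmd --acl-public put bundles/$VERSION/ubuntu/gpg s3://$BUCKET/gpg` publishes it over the existing one, silently invalidating the key every user imported via the info instructions. Fail closed instead, `s3cmd sync s3://$BUCKET/ubuntu/.gnupg/ /.gnupg/ || { echo "cannot fetch signing keyring"; exit 1; }`, and gate key generation on an explicit opt-in rather than on a list-keys miss, so that a transient S3 error can never trigger a key rotation. The keyring prefix also lives under `ubuntu/`, the same tree that `s3cmd --acl-public sync $APTDIR/ s3://$BUCKET/ubuntu/` publishes; keeping the private keyring outside the publicly served prefix, or at least confirming that the sync never touches the `.gnupg/` objects or their ACL, would be safer. The hunk as shown appears to have lost its heredoc bodies (the `gpg --gen-key --batch <` and `cat <` fragments), so the key parameters and the step that writes the keyring back to S3 are not visible here.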