| ... | ... |
@@ -17,7 +17,7 @@ run cd /tmp && echo 'package main' > t.go && go test -a -i -v |
| 17 | 17 |
# Ubuntu stuff |
| 18 | 18 |
run apt-get install -y -q ruby1.9.3 rubygems |
| 19 | 19 |
run gem install fpm |
| 20 |
-run apt-get install -y -q reprepro |
|
| 20 |
+run apt-get install -y -q reprepro dpkg-sig |
|
| 21 | 21 |
# Install s3cmd 1.0.1 (earlier versions don't support env variables in the config) |
| 22 | 22 |
run apt-get install -y -q python-pip |
| 23 | 23 |
run pip install s3cmd |
| ... | ... |
@@ -106,7 +106,9 @@ EOF |
| 106 | 106 |
--description "$PACKAGE_DESCRIPTION" \ |
| 107 | 107 |
--maintainer "$PACKAGE_MAINTAINER" \ |
| 108 | 108 |
--conflicts lxc-docker-virtual-package \ |
| 109 |
+ --provides lxc-docker \ |
|
| 109 | 110 |
--provides lxc-docker-virtual-package \ |
| 111 |
+ --replaces lxc-docker \ |
|
| 110 | 112 |
--replaces lxc-docker-virtual-package \ |
| 111 | 113 |
--url "$PACKAGE_URL" \ |
| 112 | 114 |
--vendor "$PACKAGE_VENDOR" \ |
| ... | ... |
@@ -147,6 +149,7 @@ AWS_ACCESS_KEY, and AWS_SECRET_KEY environment variables: |
| 147 | 147 |
docker run -e AWS_S3_BUCKET=get-staging.docker.io \\ |
| 148 | 148 |
AWS_ACCESS_KEY=AKI1234... \\ |
| 149 | 149 |
AWS_SECRET_KEY=sEs3mE... \\ |
| 150 |
+ GPG_PASSPHRASE=sesame... \\ |
|
| 150 | 151 |
image_id_or_name |
| 151 | 152 |
############################################################################### |
| 152 | 153 |
EOF |
| ... | ... |
@@ -22,12 +22,15 @@ To run, I need: |
| 22 | 22 |
AWS_S3_BUCKET; |
| 23 | 23 |
- to be provided with AWS credentials for this S3 bucket, in environment |
| 24 | 24 |
variables AWS_ACCESS_KEY and AWS_SECRET_KEY; |
| 25 |
+- the passphrase to unlock the GPG key which will sign the deb packages |
|
| 26 |
+ (passed as environment variable GPG_PASSPHRASE); |
|
| 25 | 27 |
- a generous amount of good will and nice manners. |
| 26 | 28 |
The canonical way to run me is to run the image produced by the Dockerfile: e.g.:" |
| 27 | 29 |
|
| 28 | 30 |
docker run -e AWS_S3_BUCKET=get-staging.docker.io \\ |
| 29 | 31 |
AWS_ACCESS_KEY=AKI1234... \\ |
| 30 |
- AWS_SECRET_KEY=sEs3mE... \\ |
|
| 32 |
+ AWS_SECRET_KEY=sEs4mE... \\ |
|
| 33 |
+ GPG_PASSPHRASE=m0resEs4mE... \\ |
|
| 31 | 34 |
f0058411 |
| 32 | 35 |
EOF |
| 33 | 36 |
exit 1 |
| ... | ... |
@@ -36,6 +39,7 @@ EOF |
| 36 | 36 |
[ "$AWS_S3_BUCKET" ] || usage |
| 37 | 37 |
[ "$AWS_ACCESS_KEY" ] || usage |
| 38 | 38 |
[ "$AWS_SECRET_KEY" ] || usage |
| 39 |
+[ "$GPG_PASSPHRASE" ] || usage |
|
| 39 | 40 |
[ -d /go/src/github.com/dotcloud/docker/ ] || usage |
| 40 | 41 |
cd /go/src/github.com/dotcloud/docker/ |
| 41 | 42 |
|
| ... | ... |
@@ -69,6 +73,26 @@ s3_url() {
|
| 69 | 69 |
# 1. A full APT repository is published at $BUCKET/ubuntu/ |
| 70 | 70 |
# 2. Instructions for using the APT repository are uploaded at $BUCKET/ubuntu/info |
| 71 | 71 |
release_ubuntu() {
|
| 72 |
+ # Make sure that we have our keys |
|
| 73 |
+ mkdir -p /.gnupg/ |
|
| 74 |
+ s3cmd sync s3://$BUCKET/ubuntu/.gnupg/ /.gnupg/ || true |
|
| 75 |
+ gpg --list-keys releasedocker >/dev/null || {
|
|
| 76 |
+ gpg --gen-key --batch <<EOF |
|
| 77 |
+Key-Type: RSA |
|
| 78 |
+Key-Length: 2048 |
|
| 79 |
+Passphrase: $GPG_PASSPHRASE |
|
| 80 |
+Name-Real: Docker Release Tool |
|
| 81 |
+Name-Email: docker@dotcloud.com |
|
| 82 |
+Name-Comment: releasedocker |
|
| 83 |
+Expire-Date: 0 |
|
| 84 |
+%commit |
|
| 85 |
+EOF |
|
| 86 |
+ } |
|
| 87 |
+ |
|
| 88 |
+ # Sign our packages |
|
| 89 |
+ dpkg-sig -g "--passphrase $GPG_PASSPHRASE" -k releasedocker \ |
|
| 90 |
+ --sign builder bundles/$VERSION/ubuntu/*.deb |
|
| 91 |
+ |
|
| 72 | 92 |
# Setup the APT repo |
| 73 | 93 |
APTDIR=bundles/$VERSION/ubuntu/apt |
| 74 | 94 |
mkdir -p $APTDIR/conf $APTDIR/db |
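Review bot: The signing passphrase ends up in argv in `dpkg-sig -g "--passphrase $GPG_PASSPHRASE"`, and again in the `gpg -u releasedocker --passphrase $GPG_PASSPHRASE` loop of the later hunk, so anything that can read the process list sees it while signing runs. The unquoted expansion in that loop also breaks on a passphrase containing whitespace. Writing the passphrase to a mode-0600 temporary file and passing `--passphrase-file "$PASSFILE"` in both places would keep it out of the command line. Separately, `s3cmd sync s3://$BUCKET/ubuntu/.gnupg/ /.gnupg/ || true` makes a failed download look like a first run: the `gpg --list-keys releasedocker` test then fails, a new key is generated, and the later upload publishes it, which presumably leaves existing users holding a key that no longer verifies the repository. Consider aborting on a sync error and generating a key only when the prefix is known to be empty; `release_ubuntu` continues outside this hunk.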
| ... | ... |
@@ -83,11 +107,28 @@ EOF |
| 83 | 83 |
DEBFILE=bundles/$VERSION/ubuntu/lxc-docker*.deb |
| 84 | 84 |
reprepro -b $APTDIR includedeb docker $DEBFILE |
| 85 | 85 |
|
| 86 |
- # Upload |
|
| 87 |
- s3cmd --acl-public --verbose --follow-symlinks sync bundles/$VERSION/ubuntu/apt/ s3://$BUCKET/ubuntu/ |
|
| 86 |
+ # Sign |
|
| 87 |
+ for F in $(find $APTDIR -name Release) |
|
| 88 |
+ do |
|
| 89 |
+ gpg -u releasedocker --passphrase $GPG_PASSPHRASE \ |
|
| 90 |
+ --armor --sign --detach-sign \ |
|
| 91 |
+ --output $F.gpg $F |
|
| 92 |
+ done |
|
| 93 |
+ |
|
| 94 |
+ # Upload keys |
|
| 95 |
+ s3cmd sync /.gnupg/ s3://$BUCKET/ubuntu/.gnupg/ |
|
| 96 |
+ gpg --armor --export releasedocker > bundles/$VERSION/ubuntu/gpg |
|
| 97 |
+ s3cmd --acl-public put bundles/$VERSION/ubuntu/gpg s3://$BUCKET/gpg |
|
| 98 |
+ |
|
| 99 |
+ # Upload repo |
|
| 100 |
+ s3cmd --acl-public sync $APTDIR/ s3://$BUCKET/ubuntu/ |
|
| 88 | 101 |
cat <<EOF | write_to_s3 s3://$BUCKET/ubuntu/info |
| 89 |
-# Add the following to /etc/apt/sources.list |
|
| 90 |
-deb $(s3_url $BUCKET)/ubuntu docker main |
|
| 102 |
+# Add the repository to your APT sources |
|
| 103 |
+echo deb $(s3_url $BUCKET)/ubuntu docker main > /etc/apt/sources.list.d/docker.list |
|
| 104 |
+# Then import the repository key |
|
| 105 |
+curl $(s3_url $BUCKET)/gpg | apt-key add - |
|
| 106 |
+# Install docker |
|
| 107 |
+apt-get update ; apt-get install lxc-docker |
|
| 91 | 108 |
EOF |
| 92 | 109 |
echo "APT repository uploaded. Instructions available at $(s3_url $BUCKET)/ubuntu/info" |
| 93 | 110 |
} |
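Review bot: `s3cmd sync /.gnupg/ s3://$BUCKET/ubuntu/.gnupg/` stores the private keyring under the same `ubuntu/` prefix that `s3cmd --acl-public sync $APTDIR/ s3://$BUCKET/ubuntu/` publishes a few lines later. That upload carries no `--acl-public`, but the secret key's confidentiality then rests entirely on the ACLs and policy of a bucket meant for anonymous reads; a separate private bucket or prefix, e.g. `s3://$KEY_BUCKET/gnupg/` (placeholder name), would remove that coupling. The generated instructions also tell users to run `curl $(s3_url $BUCKET)/gpg | apt-key add -`. `s3_url` is defined outside this hunk, but if it returns an `http://` URL the key is imported over an unauthenticated channel and the repository signature gives little protection against a network attacker. Publishing the key fingerprint in the info text and serving the key over HTTPS would close that gap.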