[pontos-release] [sign] Headless signing.

.github/workflows/release-pontos.yml

@@ -10,6 +10,9 @@ jobs:
       GITHUB_USER: ${{ secrets.GREENBONE_BOT }}
       GITHUB_MAIL: ${{ secrets.GREENBONE_BOT_MAIL }}
       GITHUB_TOKEN: ${{ secrets.GREENBONE_BOT_TOKEN }}
+      GPG_KEY: ${{ secrets.GPG_KEY }}
+      GPG_FINGERPRINT: ${{ secrets.FINGERPRINT }}
+      GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
     name: Build and release with pontos
     # If the label 'make release' is set. If PR is closed because of an merge
     if: contains( github.event.pull_request.labels.*.name, 'make release') && github.event.pull_request.merged == true
@@ -32,6 +35,16 @@ jobs:
     - name: Prepare release with pontos
       run: |
         poetry run pontos-release prepare --calendar
+        echo "VERSION=$(poetry run pontos-version show)" >> $GITHUB_ENV
     - name: Release with pontos
       run: |
         poetry run pontos-release release
+    - name: Sign assets with pontos
+      run: |
+        echo "Signing assets for ${{env.VERSION}}"
+        echo -e "${{ env.GPG_PASSPHRASE }}" >> tmp.file
+        gpg --import tmp.file && rm tmp.file
+        poetry run pontos-release sign \
+          --signing-key ${{ env.GPG_FINGERPRINT }} \
+          --passphrase ${{ env.GPG_PASSPHRASE }} \
+          --release-version ${{ env.VERSION }}

CHANGELOG.md

@@ -7,6 +7,8 @@ and this project adheres to [Calendar Versioning](https://calver.org).
 
 ## [Unreleased]
 ### Added
+* `pontos-release`: You can use `sign` now headless (without passphrase prompt) by passing it per arugment. [#148](https://github.com/greenbone/pontos/pull/148)
+
 ### Changed
 ### Deprecated
 ### Removed

pontos/release/helper.py

@@ -30,7 +30,7 @@
 import requests
 
 from pontos import version
-from pontos.terminal import error, warning, info, ok, out, out_flush
+from pontos.terminal import error, warning, info, ok, out, overwrite
 from pontos.terminal.terminal import Signs
 from pontos.version.helper import VersionError
 from pontos.version import (
@@ -191,7 +191,7 @@ def download(
                 dl += len(content)
                 download_file.write(content)
                 done = int(50 * dl / total_length)
-                out_flush(f"[{'=' * done}{' ' * (50-done)}]")
+                overwrite(f"[{'=' * done}{' ' * (50-done)}]")
     else:
         with file_path.open(mode='wb') as download_file:
             spinner = ['-', '\\', '|', '/']
@@ -201,9 +201,8 @@ def download(
                 if i == 4:
                     i = 0
                 download_file.write(content)
-                out_flush(f"[{spinner[i]}]")
-    out_flush(f"[{Signs.OK}]{' ' * 50}")
-    out('')
+                overwrite(f"[{spinner[i]}]")
+    overwrite(f"[{Signs.OK}]{' ' * 50}", new_line=True)
 
     return file_path
 

pontos/release/release.py

@@ -162,6 +162,15 @@ def initialize_default_parser() -> argparse.ArgumentParser:
         default='greenbone',
         help='user/team name in github',
     )
+
+    sign_parser.add_argument(
+        '--passphrase',
+        default='greenbone',
+        help=(
+            'Use gpg in a headless mode e.g. for '
+            'the CI and use this passphrase for signing.'
+        ),
+    )
     return parser
 
 
@@ -448,10 +457,17 @@ def sign(
     for file_path in file_paths:
         info(f"Signing {file_path}")
 
-        shell_cmd_runner(
-            f"gpg --default-key {signing_key} --yes --detach-sign --armor "
-            f"{file_path}"
-        )
+        if args.passphrase:
+            shell_cmd_runner(
+                f"gpg --pinentry-mode loopback --default-key {signing_key}"
+                f" --yes --detach-sign --passphrase {args.passphrase}"
+                f" --armor {file_path}"
+            )
+        else:
+            shell_cmd_runner(
+                f"gpg --default-key {signing_key} --yes --detach-sign --armor "
+                f"{file_path}"
+            )
 
     return upload_assets(
         username,
@@ -499,7 +515,8 @@ def main(
             ):
                 return sys.exit(1) if leave else False
         except subprocess.CalledProcessError as e:
-            error(f'Could not run command "{e.cmd}". Error was:\n\n{e.stderr}')
+            error(f'Could not run command "{e.cmd}".')
+            out(f'Error was: {e.stderr}')
             sys.exit(1)
 
     return sys.exit(0) if leave else True

pontos/terminal/__init__.py

@@ -58,8 +58,8 @@ def out(message: str):
     __term.print(message)
 
 
-def out_flush(message: str):
-    __term.print_without_newline(message)
+def overwrite(message: str, new_line: bool = False):
+    __term.print_overwrite(message, new_line=new_line)
 
 
 def _set_terminal(term: Terminal):

pontos/terminal/terminal.py

@@ -61,10 +61,10 @@ def _print_status(
         style: Callable,
         *,
         new_line: bool = True,
-        flush: bool = False,
+        overwrite: bool = False,
     ) -> None:
         first_line = ''
-        if not new_line:
+        if overwrite:
             first_line = '\r'
         output = ''
         width = self.get_width()
@@ -84,7 +84,7 @@ def _print_status(
         if new_line:
             print(style(output))
         else:
-            print(style(output), end='', flush=flush)
+            print(style(output), end='', flush=True)
 
     @contextmanager
     def indent(self, indentation: int = 4) -> Generator:
@@ -105,12 +105,17 @@ def print(self, *messages: str, style: Callable = cf.reset) -> None:
         message = ''.join(messages)
         self._print_status(message, Signs.NONE, cf.white, style)
 
-    def print_without_newline(
-        self, *messages: str, style: Callable = cf.reset
+    def print_overwrite(
+        self, *messages: str, style: Callable = cf.reset, new_line: bool = False
     ) -> None:
         message = ''.join(messages)
         self._print_status(
-            message, Signs.NONE, cf.white, style, new_line=False, flush=True
+            message,
+            Signs.NONE,
+            cf.white,
+            style,
+            new_line=new_line,
+            overwrite=True,
         )
 
     def ok(self, message: str, style: Callable = cf.reset) -> None: