From 56653bf08c87fad66396d3b01bdcf9c1b01567b3 Mon Sep 17 00:00:00 2001
From: Vincent Demeester
Date: Fri, 28 Feb 2020 11:25:45 +0100
Subject: [PATCH] =?UTF-8?q?Add=20support=20for=20yubikey=20in=20debbuild?= =?UTF-8?q?=20=F0=9F=A6=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the release captain passes `YUBIKEY` environment variable with the `/dev/…` as value, it will add the correct flag to let the container being able to see and use it.
Example: `YUBIKEY=/dev/hidraw11 ./run.sh`
Signed-off-by: Vincent Demeester
---
 tekton/debbuild/container/Dockerfile | 28 ++++++++++++-----------
 tekton/debbuild/container/buildpackage.sh | 2 ++
 tekton/debbuild/run.sh | 26 ++++++++++++++-------
 3 files changed, 35 insertions(+), 21 deletions(-)
diff --git a/tekton/debbuild/container/Dockerfile b/tekton/debbuild/container/Dockerfile
index 2e8ad86cd..fd79d7e3b 100644
--- a/tekton/debbuild/container/Dockerfile
+++ b/tekton/debbuild/container/Dockerfile
@@ -5,19 +5,21 @@ RUN set -ex \
 && sed -i -- 's/# deb-src/deb-src/g' /etc/apt/sources.list \
 && apt-get update \
 && apt-get install -y --no-install-recommends \
- build-essential \
- dput \
- cdbs \
- git \
- curl \
- equivs \
- vim \
- libdistro-info-perl \
- golang-any \
- devscripts \
- debhelper \
- dh-golang \
- fakeroot \
+ build-essential \
+ dput \
+ cdbs \
+ git \
+ curl \
+ equivs \
+ vim \
+ libdistro-info-perl \
+ golang-any \
+ devscripts \
+ debhelper \
+ dh-golang \
+ fakeroot \
+ pcscd \
+ scdaemon \
 && apt-get clean \
 && rm -rf /tmp/* /var/tmp/*
diff --git a/tekton/debbuild/container/buildpackage.sh b/tekton/debbuild/container/buildpackage.sh
index c5cab2a94..536dbd2a2 100755
--- a/tekton/debbuild/container/buildpackage.sh
+++ b/tekton/debbuild/container/buildpackage.sh
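Review bot: The new `pcscd \` and `scdaemon \` entries sit under `apt-get install -y --no-install-recommends`, which presumably leaves out the CCID reader driver (as far as I recall `libccid` is only recommended, not required, by pcscd on Debian/Ubuntu), so pcscd would start in the container but see no reader; if `gpg --card-status` in the built image reports no reader, add `libccid \` next to `pcscd \`. Thirteen of the fifteen added lines only re-indent packages that were already installed, which buries the two functional additions; the same whitespace-only churn recurs in both run.sh hunks (the GPG_KEY guard and the `docker run` argument list) and would read better as a separate formatting commit.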
@@ -38,7 +38,9 @@ cd cli-${version}
 dch -M -v ${version}-${RELEASE} -D $(sed -n '/DISTRIB_CODENAME/ { s/.*=//;p;;}' /etc/lsb-release) "new update"
+pcscd
 gpgconf --kill gpg-agent && gpg-agent --pinentry-program /usr/bin/pinentry-curses --verbose --daemon
+gpg --card-status || true
 debuild -S --force-sign -k${GPG_KEY}
 cd ..
diff --git a/tekton/debbuild/run.sh b/tekton/debbuild/run.sh
index 39553c241..24af26544 100755
--- a/tekton/debbuild/run.sh
+++ b/tekton/debbuild/run.sh
@@ -7,12 +7,21 @@ set -eux
 # and have your gpg setup in your profile
 PPATARGET=tektoncd/cli
 GPG_KEY=${GPG_KEY}
+YUBIKEY=${YUBIKEY:-}
+ADDITIONAL_ARGS=${ADDITIONAL_ARGS:-}
 [[ -n ${GPG_KEY} ]] || {
- echo "You need to setup your GPG_KEY"
- exit 1
+ echo "You need to setup your GPG_KEY"
+ exit 1
 }
+[[ -n ${YUBIKEY} ]] && {
+ ADDITIONAL_ARGS="${ADDITIONAL_ARGS} -v /dev/bus/usb:/dev/bus/usb \
+ -v /sys/bus/usb:/sys/bus/usb \
+ -v /sys/devices:/sys/devices \
+ -v ${YUBIKEY}:${YUBIKEY} \
+ --privileged"
+ }
 gpg --list-secret-keys >/dev/null || { echo "You need to have a secret GPG key"; exit 1 ;}
@@ -22,9 +31,10 @@ docker build -t ubuntu-build-deb .
 cd ..
 fpath=$(readlink -f control)
 docker run --rm \
- -v ~/.gnupg:/root/.gnupg \
- -v ${fpath}:/debian --name ubuntu-build-deb \
- --env PPATARGET=${PPATARGET} \
- --env GPG_KEY=${GPG_KEY} \
- -it ubuntu-build-deb \
- /run.sh
+ -v ~/.gnupg:/root/.gnupg \
+ $ADDITIONAL_ARGS \
+ -v ${fpath}:/debian --name ubuntu-build-deb \
+ --env PPATARGET=${PPATARGET} \
+ --env GPG_KEY=${GPG_KEY} \
+ -it ubuntu-build-deb \
+ /run.sh
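Review bot: `gpg --card-status || true` swallows exactly the failure this change is meant to handle: when the YubiKey was passed to the container but scdaemon cannot reach it, the script carries on and only fails later at `debuild -S --force-sign -k${GPG_KEY}` with a much less specific signing error. The container has no way to tell whether a card is expected, since run.sh forwards only PPATARGET and GPG_KEY; forwarding `--env YUBIKEY=${YUBIKEY}` from run.sh would allow `if [[ -n ${YUBIKEY:-} ]]; then gpg --card-status; fi` here so a missing card fails fast with gpg's own diagnostic. `pcscd` on the line above is likewise started unconditionally and its exit status is never checked (whether this script runs under `set -e` is not visible in the hunk); `pcscd || { echo "pcscd failed to start" >&2; exit 1; }` would surface a broken smart-card setup at the point it occurs. Running pcscd next to scdaemon's built-in CCID driver is also a common source of "no reader" errors, so if the card is not detected, `disable-ccid` in the container's scdaemon.conf is worth trying before reaching for more host privileges.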
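Review bot: The YUBIKEY block grants far more than access to one token: `--privileged` combined with bind mounts of `/sys/devices`, `/sys/bus/usb` and `/dev/bus/usb` gives the build container, which runs debuild over fetched sources, unrestricted access to every host device and capability. Docker's `--device` flag passes device nodes through without that, so `-v ${YUBIKEY}:${YUBIKEY}` plus `--privileged` can become `--device "${YUBIKEY}"`; note that the OpenPGP applet is reached through the token's CCID (smart-card) USB interface under `/dev/bus/usb`, not the hidraw node the commit message gives as an example, so `--device /dev/bus/usb` (docker accepts a directory here, to be confirmed) is probably the part that actually matters. Building the options as a whitespace-separated string that is later word-split at `$ADDITIONAL_ARGS` in the `docker run` hunk below also breaks on any path containing spaces; a bash array expanded there as `"${extra_args[@]}"` avoids that, and the caller-supplied ADDITIONAL_ARGS string can be split once with `read -ra`. Expanding an empty array under `set -u` needs bash 4.4 or later, which is worth checking on the release captain's machine.
```shell
YUBIKEY=${YUBIKEY:-}
ADDITIONAL_ARGS=${ADDITIONAL_ARGS:-}
# … unchanged: GPG_KEY guard …
# Split any caller-supplied extra options once; everything else is appended as array elements.
read -ra extra_args <<<"${ADDITIONAL_ARGS}"
if [[ -n ${YUBIKEY} ]]; then
  # Pass only the device nodes through, in place of --privileged and the /sys bind mounts.
  extra_args+=(--device /dev/bus/usb --device "${YUBIKEY}")
fi
```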