Docs: update package signing to `scripts/gitlab-debsigs.sh`
Move the `gitlab-debsigs.sh` content into this repository and update the documentation to point to it. The documentation points to the `master` branch on purpose, so that customers always use the latest `debsigs` configuration, which may change in the future and is kept outside a versioned copy of GitLab itself.
This commit is contained in:
parent
7ef510a7bf
commit
5f7d8b4ae3
|
@ -106,12 +106,12 @@ Primary key fingerprint: DBEF 8977 4DDB 9EB3 7D9F C3A0 3CFC F9BA F27E AB47
|
|||
|
||||
#### Configuring debsigs
|
||||
|
||||
Configuring a policy and keyring for `debsigs` can be complicated, so GitLab provides [gitlab-debsigs][debsigs] as a scripted method of configuration.
|
||||
Configuring a policy and keyring for `debsigs` can be complicated, so GitLab provides `gitlab-debsigs.sh` as a scripted method of configuration.
|
||||
|
||||
To use this script, you will need to download the public key and the script.
|
||||
```
|
||||
curl -JLO https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg
|
||||
curl -JLO https://gitlab.com/gitlab-org/gitlab-debsigs/raw/master/gitlab-debsigs.sh
|
||||
curl -JLO https://gitlab.com/gitlab-org/omnibus-gitlab/raw/master/scripts/gitlab-debsigs.sh
|
||||
chmod +x gitlab-debsigs.sh
|
||||
sudo ./gitlab-debsigs.sh gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg
|
||||
```
|
||||
|
@ -125,4 +125,3 @@ To make use of `debsig-verify`, perform the steps in [Configuring debsigs](#conf
|
|||
|
||||
|
||||
[install]: https://about.gitlab.com/installation/
|
||||
[debsigs]: https://gitlab.com/gitlab-org/gitlab-debsigs
|
||||
|
|
|
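--- /dev/null
+++ b/scripts/gitlab-debsigs.sh
@@ -0,0 +1,88 @@
+#!/bin/bash
+# gitlab-debsigs: Scripted configuration of `debsigs` for GitLab packages
+# Usage: gitlab-debsigs KEYFILE
+# This script will configure the policy and keyring for GitLab packages to be
+# checked by the `debsig-verify` program.
+
+KEYRINGS=/usr/share/debsig/keyrings
+POLICIES=/etc/debsig/policies
+PROTOCOL=https
+KEYFILE=$1
+
+# checkInputs
+# Verify the input (`$1`) is provided, a file, and understood by GnuPG
+function checkInputs() {
+if [ -z "$KEYFILE" -o ! -f $KEYFILE ]; then
+echo "Please provide the key file as the argument to this script."
+exit 1
+else
+echo "Supplied key file: $KEYFILE"
+fi
+
+echo "Checking key file validity with GnuPG ..."
+gpg --no-options --no-default-keyring --batch \
+--no-secmem-warning --no-permission-warning \
+$KEYFILE 2>/dev/null 1>/dev/null
+gpg=$?
+if [ $gpg -ne 0 ]; then
+echo "Provided key does not appear valid according to GnuPG. Please confirm '$KEYFILE' is correct."
+exit 1
+fi
+}
+
+# fetchProgramInfo
+# Detect `debsig-verify` version and configured directories. Handle quirks of DTD
+function fetchProgramInfo() {
+# detect version of debsig-verify, as any version > 0.15 uses HTTPS in the DTD
+version=`debsig-verify --version 2>&1 | grep 'Debsig Program' | cut -d '-' -f 2`
+versionMajor=`echo $version | cut -d '.' -f 1`
+versionMinor=`echo $version | cut -d '.' -f 2`
+echo "debsig-verify - version: $versionMajor,$versionMinor"
+if [ $versionMajor -eq 0 -a $versionMinor -lt 15 ]; then
+PROTOCOL=http
+fi
+echo "debsig-verify - DTD Protocol: $PROTOCOL"
+
+# check the configuration values for paths
+policies=`debsig-verify --version 2>&1 | grep 'Policies Directory' | cut -d '-' -f 2`
+POLICIES=`echo $policies`
+echo "debsig-verify - Polcies: $POLICIES"
+
+keyrings=`debsig-verify --version 2>&1 | grep 'Keyrings Directory' | cut -d '-' -f 2`
+KEYRINGS=`echo $keyrings`
+echo "debsig-verify - Keyrings: $KEYRINGS"
+}
+
+checkInputs
+fetchProgramInfo
+
+# find the key id
+KEYID=$(gpg --no-options --no-permission-warning --no-default-keyring --list-packets $KEYFILE | grep -A2 'user ID packet' | grep signature)
+KEYID=${KEYID/*keyid /}
+echo "Found KeyID: $KEYID"
+
+# import the key into the keyring
+mkdir -p "$KEYRINGS/$KEYID"
+gpg --no-default-keyring --batch --no-permission-warning --no-options \
+--keyring "$KEYRINGS/$KEYID/gitlab.gpg" \
+--import $KEYFILE
+
+# create the policies based on the key id
+mkdir -p "$POLICIES/$KEYID"
+cat <<EOB > "$POLICIES/$KEYID/gitlab.pol"
+<?xml version="1.0"?>
+<!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
+<Policy xmlns="$PROTOCOL://www.debian.org/debsig/1.0/">
+
+<Origin Name="GitLab, Inc." id="$KEYID" Description="GitLab"/>
+
+<Selection>
+<Required Type="origin" File="gitlab.gpg" id="$KEYID"/>
+</Selection>
+
+<Verification MinOptional="0">
+<Required Type="origin" File="gitlab.gpg" id="$KEYID"/>
+</Verification>
+
+</Policy>
+EOB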
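Review bot: `KEYID` is never validated after `KEYID=${KEYID/*keyid /}`, so when the `grep -A2 'user ID packet' | grep signature` pipeline matches nothing the script still runs the two `mkdir -p` calls and writes a policy whose `id` attribute is empty, which debsig-verify presumably can never match; add `[ -n "$KEYID" ] || { echo "Could not determine key ID from '$KEYFILE'" >&2; exit 1; }` before the first `mkdir -p`. The same lack of a check applies in `fetchProgramInfo`, where the `POLICIES=` and `KEYRINGS=` assignments built from `echo $policies` and `echo $keyrings` unconditionally replace the defaults declared at the top of the file, so a missing or differently-worded `debsig-verify --version` leaves both empty and the key directory and policy are then created directly under `/`; `POLICIES=${policies:-$POLICIES}` and `KEYRINGS=${keyrings:-$KEYRINGS}` would keep the defaults instead. There is no `set -e` and the result of the `gpg ... --import $KEYFILE` call is not checked either, so a failed import still produces a policy that references a keyring file that was never written; appending `|| exit 1` to the `--import $KEYFILE` line closes that gap. Quoting `$KEYFILE` in the `[ ! -f $KEYFILE ]` test, the `--list-packets $KEYFILE` call and the `--import $KEYFILE` line would additionally make paths containing spaces work.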