From 44b5675f0ec4395f47e55103d3440278e8bad33c Mon Sep 17 00:00:00 2001 From: Thomas Orozco Date: Tue, 26 Jan 2016 21:35:24 -0500 Subject: [PATCH] Sign `tini` and `tini-static` binaries The GPG signing subkey and passphrase are respectively provided through a Travis encrypted file and a Travis encrypted environment variable. Signing is only done if there is a signing key present when the build is complete (so as to not fail when e.g. building a PR that doesn't have encrypted files available). --- .gitignore | 2 ++ .travis.yml | 11 +++++++++++ Dockerfile | 2 +- ci/run_build.sh | 21 ++++++++++++++++++++- ddist.sh | 1 + sign.key.enc | Bin 0 -> 4096 bytes tpl/travis.yml.tpl | 11 +++++++++++ 7 files changed, 46 insertions(+), 2 deletions(-) create mode 100644 sign.key.enc diff --git a/.gitignore b/.gitignore index 1521c8b..fe84e5d 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ dist +sign.key +.env diff --git a/.travis.yml b/.travis.yml index 27157df..42977c6 100644 --- a/.travis.yml +++ b/.travis.yml @@ -23,6 +23,15 @@ addons: - python-pip - python-virtualenv - hardening-includes + - gnupg + +env: + global: + - SIGN_BINARIES=1 + - secure: "RKF9Z9gLxp6k/xITqn7ma1E9HfpYcDXuJFf4862WeH9EMnK9lDq+TWnGsQfkIlqh8h9goe7U+BvRiTibj9MiD5u7eluLo3dlwsLxPpYtyswYeLeC1wKKdT5LPGAXbRKomvBalRYMI+dDnGIM4w96mHgGGvx2zZXGkiAQhm6fJ3k=" + +before_install: + - openssl aes-256-cbc -K $encrypted_2893fd5649e7_key -iv $encrypted_2893fd5649e7_iv -in sign.key.enc -out sign.key -d || echo "Encrypted signing key unavailable" script: ./ci/run_build.sh @@ -34,7 +43,9 @@ deploy: secure: Yk90ANpSPv1iJy8QDXCPwfaSmEr/WIJ3bzhQ6X8JvZjfrwTosbh0HrUzQyeac3nyvNwj7YJRssolOFc21IBKPpCFTZqYxSkuLPU6ysG4HGHgN6YJhOMm4mG4KKJ6741q3DJendhZpalBhCEi+NcZK/PCSD97Vl4OqRjBUged0fs= file: - "./dist/tini" + - "./dist/tini.asc" - "./dist/tini-static" + - "./dist/tini-static.asc" - "./dist/tini_0.8.4.deb" - "./dist/tini_0.8.4.rpm" on: diff --git a/Dockerfile b/Dockerfile index a93ca89..e92ce24 100644 --- a/Dockerfile 
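Review bot: `SIGN_BINARIES=1` is added to the global env in the first .travis.yml hunk, but nothing in this patch reads it — ci/run_build.sh decides whether to sign solely on `-f "${SOURCE_DIR}/sign.key"`. Either drop the variable or have the build script honour it, e.g. `if [[ "${SIGN_BINARIES:-0}" == 1 && -f "${SOURCE_DIR}/sign.key" ]]; then`, so a run can disable signing without deleting the key. tpl/travis.yml.tpl appears in the diffstat but is not visible here, so the variable may be consumed there. The `before_install` line would also benefit from a comment stating that the `|| echo` is deliberate: decryption is expected to fail on fork pull requests, where Travis does not expose encrypted variables, and the build must still proceed unsigned.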
+++ b/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:precise RUN apt-get update \ - && apt-get install --no-install-recommends --yes build-essential git gdb valgrind cmake rpm python-dev libcap-dev python-pip python-virtualenv hardening-includes \ + && apt-get install --no-install-recommends --yes build-essential git gdb valgrind cmake rpm python-dev libcap-dev python-pip python-virtualenv hardening-includes gnupg \ && rm -rf /var/lib/apt/lists/* # Pre-install those here for faster local builds. diff --git a/ci/run_build.sh b/ci/run_build.sh index 2145aa9..44a4982 100755 --- a/ci/run_build.sh +++ b/ci/run_build.sh @@ -11,6 +11,9 @@ set -o nounset : ${DIST_DIR:="${SOURCE_DIR}/dist"} : ${BUILD_DIR:="/tmp/build"} +# GPG Configuration +: ${GPG_PASSPHRASE:=""} + # Make those paths absolute, and export them for the Python tests to consume. export SOURCE_DIR="$(readlink -f "${SOURCE_DIR}")" @@ -44,7 +47,6 @@ pushd "${BUILD_DIR}" make clean make make package - popd # Smoke tests (actual tests need Docker to run; they don't run within the CI environment) @@ -104,3 +106,20 @@ pip install psutil python-prctl bitmap # Run tests python "${SOURCE_DIR}/test/run_inner_tests.py" + +# If a signing key is made available, then use it to sign the binaries +if [[ -f "${SOURCE_DIR}/sign.key" ]]; then + echo "Signing binaries" + GPG_SIGN_HOMEDIR="${BUILD_DIR}/gpg-sign" + GPG_VERIFY_HOMEDIR="${BUILD_DIR}/gpg-verify" + mkdir "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}" + chmod 700 "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}" + + gpg --homedir "${GPG_SIGN_HOMEDIR}" --import "${SOURCE_DIR}/sign.key" + gpg --homedir "${GPG_VERIFY_HOMEDIR}" --keyserver ha.pool.sks-keyservers.net --recv-keys 0527A9B7 + + for tini in "${DIST_DIR}/tini" "${DIST_DIR}/tini-static"; do + echo "${GPG_PASSPHRASE}" | gpg --homedir "${GPG_SIGN_HOMEDIR}" --passphrase-fd 0 --armor --detach-sign "${tini}" + gpg --homedir "${GPG_VERIFY_HOMEDIR}" --verify "${tini}.asc" + done +fi 
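Review bot: The verification keyring in the third ci/run_build.sh hunk is populated with `--recv-keys 0527A9B7`, a 32-bit short key ID; short IDs are cheap to collide, so a keyserver could return a different key and `gpg --verify` would then only confirm that the `.asc` matches whatever key was fetched. Pin the full 40-hex fingerprint of the signing key (placeholder, take it from the project's published key) and prefer an hkps keyserver, `gpg --homedir "${GPG_VERIFY_HOMEDIR}" --keyserver hkps://<KEYSERVER> --recv-keys <FULL_FINGERPRINT>`, or better, commit the public key and import it from the tree so verification does not depend on the network. The private key imported from `${SOURCE_DIR}/sign.key` remains on disk, together with `${GPG_SIGN_HOMEDIR}`, for the rest of the job; add `rm -rf -- "${SOURCE_DIR}/sign.key" "${GPG_SIGN_HOMEDIR}"` after the loop so the deploy step and any artefact collection never see them. `echo "${GPG_PASSPHRASE}" | gpg …` would also print the passphrase if command tracing is ever enabled; use `printf '%s\n' "${GPG_PASSPHRASE}"` to avoid echo's option parsing and keep `set -x` off around this block. Only `set -o nounset` is visible in the first hunk's header, so whether a failed `--detach-sign` aborts the job or just leaves `--verify` to fail cannot be told from here.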
diff --git a/ddist.sh b/ddist.sh
index f2b6fb7..80dee92 100755
--- a/ddist.sh
+++ b/ddist.sh
@@ -22,4 +22,5 @@ docker run -it --rm \
 -e BUILD_DIR=/tmp/tini-build \
 -e SOURCE_DIR="${SRC}" \
 -e FORCE_SUBREAPER="${FORCE_SUBREAPER}" \
+ -e GPG_PASSPHRASE="${GPG_PASSPHRASE}" \
 "${IMG}" "${SRC}/ci/run_build.sh"
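Review bot: `-e GPG_PASSPHRASE="${GPG_PASSPHRASE}"` puts the passphrase into the docker CLI's argument list, where any local user can read it from the process table while the container starts; `-e GPG_PASSPHRASE` alone makes docker copy the value from the caller's environment without exposing it on the command line. If ddist.sh runs with nounset, as ci/run_build.sh does, an unset GPG_PASSPHRASE would also abort the script before `docker run` executes, so either default it, `-e GPG_PASSPHRASE="${GPG_PASSPHRASE:-}"`, or use the bare `-e` form, which passes nothing when the variable is unset. The `docker run` command this line belongs to starts above the hunk.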
diff --git a/sign.key.enc b/sign.key.enc new file mode 100644 index 0000000000000000000000000000000000000000..9803d8f8195f911722ad309f732b19d1b9eea2df GIT binary patch literal 4096 zcmV+b5dZJlD2hGjMk&Xorfc(a0lSl`aO;|vYhaYknpB`jllB3adJ7VJsf^(*@it79 z`O$NA4x&gZab9r9$RRqs!9kT$k=J^ zWy}A-Fp$O~8{URwO2;48n!Dk+^H{5)@QwuG9lMrj0K*p_tVAO`U0A0d(iQIcG<0*) z(dDLQNv=}!PD5Ra%O`3^#i(8%NSBPuWu-!Rn%!L(s-&%xHMsmY8Yg@$IBLnps|--% z){bfbZDFEn$&(T)576AoKqhLz9A!Fsc*g!nGGZt@hXJ?s{WA(P{ET?>F{oTs!mq~- z%UQ`x$|TT)ybHeR1wLRj{Nk~R)n|iM z2E@MofDApToP)StFoKndnMnJujY6O+lc@1?Y;>?*&Rgmcd-Tk7;-HL~+yS>cYW>V| z=u{#9j~CX+JZ_gUcsiJzrL`mB0V+Yg-que%p{Kc{i*ZcfMGrqou{ik%ycdJwp7Yyp z5mCW!7~h1|$=`1sefPz}a2|yc(Ll(TWc{(8S<)V4(NVLtOsptdP~n?$>rkOeJJ!)>k-{=a_xS z8TS_)BrPfa&M#-^Y-i}!qsX5HtcQW$?7JXFW_17){oYJzTpk1Gwlj=Ok_qmfQ*L%n z&u8{|-?H=p3=flsLbjXOMnAan>{WtD z?+9j=6s#K*Okn%Wd-AVbmW-e|pb27if^pqwQBrtrOPlYoX$>mUyDi-}F-I}W-rGXF zeu2&fUW)4lxG~RO%3*^Gbgb_l#*M`=w+oaej(E=>NDY5F;o>m*q#smX24X6S2`wPh zqYj=sYJ~S7!^ybDHW!W#5mQy?K!{2hJy@=PUj)b zunJTFi=sVd6GGy*<8dcS;|GyxYIm2il*1j)q2Sy%=nhbkeHQHP7F|RGcN1|DMEm@F z<7lH1YZkvp9OB4(m`8IOkR%SH1_aI-2cAVYlsKoL7w2+^UOOq95|bB7)T_Z_-P~vu z(Jcqxm?M#UczdnxVdPmfWij)|QluI=omZ`@nM-%57}N6I4u~*=gG?>L-~zFyH}DuG^i25PDgQJfZDofH^2vU(m?A} zLXNTy(P&ErmDTsVbL3~je$c_@-}wc3zi>P(F7EEW$Q8_PaDtS=1xnQ4mqhL}MDHcn z<96bI00lcl*@gya90u~A>ST8{hmy#_eBvtV;`3)2Zi&!8G9Cdy^pY#zcV_NJ?vB!? zP|=GnMx~wv)z8x7Qmm@~V+{P59&4W=XAh3fBLV)fP^cq_@YoreseTRH?c#Wpb(tqc)xa0q#dgd4$vx*s!_`G46e|tc zi}K9a7)A}`K-_q(fztXDt~4^nbUTN$MwE3lNxhMC|21#C&q{*PX$Mg61|`y#y!(&u zBQJcT-4tW3WF_{qgK8X)M-2Rk<2$gLPV-V|zjD}x@m*V8OLl<*E6_ur*|tyI;vrz! 
zF!K2hmo5!6|-7_zoNVp-zQhSGt_bW7; zZUV~y{2K@r*m`B5pWH0AhqO4z0P^^@%}9^qi)x_WC7;_k^~oI-YIcI=&Gr7*>Rzsk+>@9 zW%ZlfoAMe1Q3gUcah$dV@uTV0eCdz3^f9|IqEm8F>O|RV+m^U?m;}XB?kT#V)B$}n zoBE)!w3>P0YH~Ek^kUB;9eRH3qM>L+iriSOa7H$wng+Co_1&k`tNug1_2>0hxjn~o zjpf<3mvCZ!mO8S!E@xWdq=F5vt>HyAG|EqGC(ejJ&VplhlOUG2<3~ge+Vh*N*1o$% zV#aaGqg8YuDXn3>QN?JMh&c|=kdD(B?Q>xUVVU&8K(Wy+8}okK-j%JB2~da^{R+AO zb_g5s4_^Gb;o%q-%a>zPPKt{}N*tBKQt>__pC++TOC#MXgu>8?=-^u0-1IJ*MJ=Mg z5MrH0+%!=-W0g^kSN_Mqa1>M7-pqs>mV{tEq)p1^*rP7al+B!XK{RW}DXe;(*xXi?d(EKW(&w zsRL{GEQ=Q&2dSO;-Y$mNaIg50av8%FU{C7!;IuAZ`ULdw>lvpXGJ!U{T%B?Cx#*kE z8)@1udYR=8oUM}cg8aVx`F3+16z#VgH4cPwhe(oJt?WHR@58pJI!aC$M4%^lnq5q@ zAnw-1nyuR|lWp_zc!0pGCD5@-wvbmv0X856#ftowfS@bi2Y60nO~Y^Ru~SCE=J*`7+urcZ}N200<8>_VbAlY-eVZtG$m< z#yIW)IK-+h6$PEWd`6qfZ4-ge{vj|&-{K*o(yrkiF;JS|a2o->i=-;HkT_?MO8pP6 zRI5(cwd|qEC)#9N_0X=1n29d=WWK}tahBo@x$|~1Cb(~#fzAC)6S?litr;ce8+iEH@oSFpHVBlm9@Jd}vQKW1OVoU?W%SCEl3 zn+yIc{d&&L@|Zovm<1&O2~cg7uYMaRjv_{{RR@GL5(fKw?cR zrqb576YL}vE`6b=Zk{t2sm|f$#oys~PPk5&qDX!U*hw%4Hm-rIdha2<+B_#w5N_YM>%7c|K|IYxRj?bdhhOv4J^2g?({-MB#+TZdOh8=|x zjK1Z`lmuzP-W`;o?{Wc1Fn!7vDOFBFfhp-qJR#vwAs*~@ScOt?SEn;AWY-0a=^;D< zm;-kl(jBxlh&#Tx`p$WQGbt6A{DtH86fD}=bkeZaXrVb2HFVOw#5l+$U2+xMB5cMr zPImqZP2a8i^*eG~*Xdv!cD3pYYygnaNeVwa&$hH$yK}CjTke4A%e!gj-F3IpmN$-+ z$Gr6C{<<12>J4kJ?;!R3x$>3ywN+>6z;`gLA~jMC4Z(YR+~C4d^y2S$>13-@>V)-1 zFS4nXRtLr;FZ?si@7P8Uts4q9sH_#Xobfz#35sj*E9*gg-qd!Z zmvhbH|KwM@a}Zr!k;RO{37zgwz*zNq zF%gW+KscUBsjzH9N-Nbt+b^vq&(4C8{`u{^<5XG5Vd@-is=Zr463Gj+{WbT$PEA6^ zK?A{2pNO7}d$&XHMQkOae;!TIgQxSJM#VSYjrXCf=G1;%J!cJFvR;=j1%~>(^qEZPa~nkK<3dT19-|5k40n;YKu? z&f5YTK2Wn|*){b*KNbd6tdXvI*?OS)w;<8voUTYK=mTr&v{5vBrwqF^VPWKIH!qS= z)HR<#ac2JGYtt3;Yj&1Hl%=c1GUk@c#Dll3a641ngOkExQ|+M zzt~#J(;HvGziVb0US@(+Q`}?FAp&g1({T?k=NTgH6SPTKE=#