Initial commit

This commit is contained in:
Davide Depau 2020-04-25 03:17:21 +02:00
commit 3000374b7a
No known key found for this signature in database
GPG key ID: F7F589B2907FBD24
5 changed files with 109 additions and 0 deletions

47
.drone.yml Normal file

@ -0,0 +1,47 @@
---
kind: pipeline
type: docker
name: alarm-aarch64
platform:
os: linux
arch: arm64
steps:
- name: build-image
image: plugins/docker
environment:
TZ: Europe/Rome
settings:
dockerfile: Dockerfile.aarch64
purge: true
username: depau
password:
from_secret: docker_password
repo: depau/drone-detach-sign
tags:
- aarch64
---
kind: pipeline
type: docker
name: archlinux-x86_64
platform:
os: linux
arch: amd64
steps:
- name: build-image
image: plugins/docker
environment:
TZ: Europe/Rome
settings:
dockerfile: Dockerfile.x86_64
purge: true
username: depau
password:
from_secret: docker_password
repo: depau/drone-detach-sign
tags:
- x86_64
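Review bot: Both `image: plugins/docker` lines carry no tag, so each run of this pipeline pulls whatever the plugin's default tag resolves to at that moment, and the plugin is the component that receives `docker_password` and pushes `depau/drone-detach-sign`. Pin it to a specific tag or digest, e.g. `image: plugins/docker:<pinned-tag>` (placeholder), so a change in the plugin image cannot silently alter what is built and pushed. The two pipelines are otherwise identical apart from `arch`, `dockerfile` and the tag, which is fine but worth a one-line comment at the top of the file saying that they must be kept in sync.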

7
Dockerfile.aarch64 Normal file

@ -0,0 +1,7 @@
FROM depau/archlinux-daily:aarch64
RUN pacman -Syu --noconfirm expect grep awk
COPY ./gpg.expect /usr/bin/gpg.expect
COPY ./entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
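Review bot: `RUN pacman -Syu --noconfirm expect grep awk` leaves the downloaded packages in `/var/cache/pacman/pkg` inside the layer, and the `-u` performs a full system upgrade at build time, so two builds of this file can yield different images; the identical line in Dockerfile.x86_64 has the same issue. Clean up in the same layer, e.g. `RUN pacman -Syu --noconfirm expect grep awk && pacman -Scc --noconfirm`, and consider relying on the dated base tag rather than `-u` for freshness. The entrypoint also needs `gpg`, `gpg-agent`, `pinentry-tty`, `find` and `tr`, none of which are installed here; presumably the `depau/archlinux-daily` base provides them, and a comment stating that assumption (or listing `gnupg`/`pinentry` explicitly) would make the dependency visible. No `USER` is set, so `entrypoint.sh` and the gpg-agent it starts run as root in the container; if the Drone workspace permissions allow it, a dedicated non-root user would limit what a malformed input file or key can do.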

7
Dockerfile.x86_64 Normal file

@ -0,0 +1,7 @@
FROM depau/archlinux-daily:x86_64
RUN pacman -Syu --noconfirm expect grep awk
COPY ./gpg.expect /usr/bin/gpg.expect
COPY ./entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

39
entrypoint.sh Executable file

@ -0,0 +1,39 @@
#!/bin/bash
set -e
# Setup agent to read password from TTY (so we can use Expect)
gpg-agent --daemon --pinentry-program /usr/bin/pinentry-tty
# Import GPG key (passphrase set with $PLUGIN_GPG_PASSPHRASE)
echo "Importing GPG secret key"
tmpkey="$(mktemp /tmp/privkey-XXXXXXX)"
echo "$PLUGIN_GPG_SECRET_KEY" > "$tmpkey"
gpg.expect --import "$tmpkey" > /tmp/gpg.out || ret=$?
rm "$tmpkey"
if (( ! ret )); then
echo "Failed to import secret key."
echo "gpg output:"
cat /tmp/gpg.out >&2
exit 1
fi
# Retrieve key ID
keyid="$(cat /tmp/gpg.out | grep 'secret key imported' | awk '{ print $3 }' | tr -d ':')"
# Detach-sign all files
cd "$PLUGIN_SIGN_DIR"
find -mindepth 1 -maxdepth 1 -type f | while read -r filename; do
gpg.expect --detach-sign --use-agent "${keyid}" --no-armor "$filename" > /tmp/gpg.out || ret=$?
if (( ! ret )); then
printf "Created signature file %s." "${filename##*/}.sig"
else
printf "Failed to sign file %s." "${filename##*/}"
echo "gpg output:"
cat /tmp/gpg.out >&2
exit 1
fi
done
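Review bot: The status checks `if (( ! ret )); then` after the import and again inside the signing loop are inverted: `ret` is only assigned on the `||` branch when `gpg.expect` fails, so on success it is unset, `(( ! ret ))` evaluates true, and the script prints "Failed to import secret key." and exits 1, while a real failure is treated as success. Initialise and test the status directly, `ret=0; gpg.expect --import "$tmpkey" > /tmp/gpg.out || ret=$?` followed by `if (( ret )); then`, and use the same `ret=0` / `if (( ret ))` pair for the `--detach-sign` call in the loop. Separately, in `gpg.expect --detach-sign --use-agent "${keyid}" --no-armor "$filename"` the key id appears to be passed as a positional argument, which gpg would take as another file to sign; `--local-user "$keyid"` is presumably what was intended — confirm against the gpg invocation you expect. Note also that `keyid` is derived from `/tmp/gpg.out` with `awk '{ print $3 }'`, so a key file containing more than one secret key yields a newline-joined value; a comment documenting that the import is expected to contain exactly one key would help.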

9
gpg.expect Executable file

@ -0,0 +1,9 @@
#!/usr/bin/expect -f
spawn gpg {*}$argv
expect -timeout 10 "Passphrase:"
send_user "*** passphrase sent ***"
send $::env(PLUGIN_GPG_PASSPHRASE)
send "\r"
expec -timeout -1 eof
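Review bot: `expec -timeout -1 eof` on the last line is a typo for `expect`; in a non-interactive Tcl script an unknown command name raises an error, so the script aborts right after sending the passphrase instead of waiting for gpg to finish. Even with the typo fixed, the script exits with expect's own status rather than gpg's, so the `|| ret=$?` checks in entrypoint.sh cannot observe a gpg failure; after the eof, propagate it with `lassign [wait] pid spawnid os_error value` and `exit $value`. The `expect -timeout 10 "Passphrase:"` line falls through on timeout and still sends the passphrase blindly; adding a `timeout { exit 1 }` branch turns a missing or differently worded pinentry prompt into a visible failure rather than a silent one.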