From fdc2b77025c42e04759cb307239a3c639d9ab68d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Palet?=
Date: Thu, 29 Aug 2024 15:29:34 +0100
Subject: [PATCH 1/3] Publish pre-releases to APT during GPG key rotation (#465)
---
 .github/workflows/release.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 0344e3995..cabd272c6 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -69,7 +69,6 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }}
 GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
 - name: Publish packages to APT repo
- if: contains(github.ref_name, '-') == false
 env:
 GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
From da287857574beb9114ce24ccdef0852c1a4e6c62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Palet?=
Date: Thu, 29 Aug 2024 16:41:11 +0100
Subject: [PATCH 2/3] Revert "Adjust APT release script during GPG key rotation (#464)" (#466)
This reverts commit 2a98589920f7898c8d2f12e667f6c1c15a94ebbf.
---
 scripts/new-public-key.gpg | 14 --------------
 scripts/publish-apt-packages.sh | 3 ---
 2 files changed, 17 deletions(-)
 delete mode 100644 scripts/new-public-key.gpg
diff --git a/scripts/new-public-key.gpg b/scripts/new-public-key.gpg
deleted file mode 100644
index da8ce8fb9..000000000
--- a/scripts/new-public-key.gpg
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mDMEZs7fYxYJKwYBBAHaRw8BAQdAyoFCfBmwdPB3c7pVsQw+lYSuJzXZO3VkQlZs
-mFteW5q0NVNUQUNLSVQgR1BHIFNJR05FUiA8c3RhY2tpdC1ncGctc2lnbmVyQHN0
-YWNraXQuY2xvdWQ+iJkEExYKAEEWIQS4bpVrR+qLfEWw7biJ8pBDfqyyqwUCZs7f
-YwIbAwUJAO1OAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRCJ8pBDfqyy
-q9RbAPsF3c+JkyXkOpHlIRzy0dfFwNO0H75ev95TuAhZlk6+5wEAl/WOogYvlUbD
-x8Uko7PbY1cN3S1N8ZAruOabxSvjPAG4OARmzt9jEgorBgEEAZdVAQUBAQdAI62z
-jCQW8MI6f9SFsaMHDOkhLTcQ5dGfngybmHTWgy4DAQgHiH4EGBYKACYWIQS4bpVr
-R+qLfEWw7biJ8pBDfqyyqwUCZs7fYwIbDAUJAO1OAAAKCRCJ8pBDfqyyqwBxAP96
-6oW1eQLAeTkZTshfQOHU1JTEe5kNPqKg4j2QrnCyYwD/SI0yqHeHYSV+LQ1XYngY
-dGSb94FNr07033VwWlokFg4=
-=f80Z
------END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file
diff --git a/scripts/publish-apt-packages.sh b/scripts/publish-apt-packages.sh
index 3447b84b7..6f71243de 100755
--- a/scripts/publish-apt-packages.sh
+++ b/scripts/publish-apt-packages.sh
@@ -50,9 +50,6 @@ aptly snapshot create new-snapshot from repo new-repo
 printf "\n>>> Merging snapshots \n"
 aptly snapshot pull -no-remove -architectures="amd64,i386,arm64" current-snapshot new-snapshot updated-snapshot ${DISTRIBUTION}
-# Import new public key (temporary)
-gpg --no-default-keyring --keyring=${CUSTOM_KEYRING_FILE} --import new-public-key.gpg
-
 # Publish the new snapshot to the remote repo
 printf "\n>>> Publishing updated snapshot \n"
 aptly publish snapshot -keyring="${CUSTOM_KEYRING_FILE}" -gpg-key="${GPG_PRIVATE_KEY_FINGERPRINT}" -passphrase "${GPG_PASSPHRASE}" -config "${APTLY_CONFIG_FILE_PATH}" updated-snapshot "s3:${APT_BUCKET_NAME}:${APT_REPO_FOLDER}"
From d3948186140f2439627780d4574e6da37e4b6ce4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Palet?=
Date: Thu, 29 Aug 2024 17:23:37 +0100
Subject: [PATCH 3/3] Update URL of APT packages and key bucket (#467)
---
 scripts/publish-apt-packages.sh | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/scripts/publish-apt-packages.sh b/scripts/publish-apt-packages.sh
index 6f71243de..f6ec84174 100755
--- a/scripts/publish-apt-packages.sh
+++ b/scripts/publish-apt-packages.sh
@@ -6,11 +6,10 @@ set -eo pipefail
 ROOT_DIR=$(git rev-parse --show-toplevel)
-OBJECT_STORAGE_ENDPOINT="https://object.storage.eu01.onstackit.cloud"
+PACKAGES_BUCKET_URL="https://packages.stackit.cloud"
+PUBLIC_KEY_FILE_PATH="keys/key.gpg"
+APT_REPO_PATH="apt/cli"
 APT_BUCKET_NAME="distribution"
-APT_REPO_FOLDER="apt/cli"
-PUBLIC_KEY_BUCKET_NAME="stackit-public-key"
-PUBLIC_KEY_FILE="key.gpg"
 CUSTOM_KEYRING_FILE="aptly-keyring.gpg"
 DISTRIBUTION="stackit"
 APTLY_CONFIG_FILE_PATH="./.aptly.conf"
@@ -22,9 +21,9 @@ echo -n >~/.gnupg/common.conf
 # Create a local mirror of the current state of the remote APT repository
 printf ">>> Creating mirror \n"
-curl ${OBJECT_STORAGE_ENDPOINT}/${PUBLIC_KEY_BUCKET_NAME}/${PUBLIC_KEY_FILE} >public.asc
+curl ${PACKAGES_BUCKET_URL}/${PUBLIC_KEY_FILE_PATH} >public.asc
 gpg --no-default-keyring --keyring=${CUSTOM_KEYRING_FILE} --import public.asc
-aptly mirror create -config "${APTLY_CONFIG_FILE_PATH}" -keyring="${CUSTOM_KEYRING_FILE}" current "${OBJECT_STORAGE_ENDPOINT}/${APT_BUCKET_NAME}/${APT_REPO_FOLDER}" ${DISTRIBUTION}
+aptly mirror create -config "${APTLY_CONFIG_FILE_PATH}" -keyring="${CUSTOM_KEYRING_FILE}" current "${PACKAGES_BUCKET_URL}/${APT_REPO_PATH}" ${DISTRIBUTION}
 # Update the mirror to the latest state
 printf "\n>>> Updating mirror \n"
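Review bot: The variable block no longer shows that the read path and the write path name the same repository. The mirror is now read from `${PACKAGES_BUCKET_URL}/${APT_REPO_PATH}`, while the publish step still writes to `s3:${APT_BUCKET_NAME}:${APT_REPO_PATH}`, whereas the old code built both from `APT_BUCKET_NAME`. If the two ever diverge, the script would merge against one repository and overwrite another. I would add a comment above `APT_BUCKET_NAME`, for example `# Bucket served at PACKAGES_BUCKET_URL; the publish target must be the repo the mirror is read from`, assuming that is the intended relation, which the diff does not show.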
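Review bot: The public key that `aptly mirror create` trusts is downloaded by the new `curl` line from `${PACKAGES_BUCKET_URL}`, the same host the repository is then mirrored from, and nothing checks which key ends up in `${CUSTOM_KEYRING_FILE}`. With key and packages served from one origin, the signature check on the mirror only proves the two are consistent with each other. As far as the rest of the script is visible here, the mirrored content is later merged and re-signed with the release key. Compare the imported key's fingerprint with a value pinned in the repository or the workflow and abort on mismatch before the mirror is created. The download should also fail on HTTP errors and quote its expansion, `curl --fail --silent --show-error "${PACKAGES_BUCKET_URL}/${PUBLIC_KEY_FILE_PATH}" >public.asc`, so an error page is not handed to `gpg --import`.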
@@ -52,4 +51,4 @@ aptly snapshot pull -no-remove -architectures="amd64,i386,arm64" current-snapsho
 # Publish the new snapshot to the remote repo
 printf "\n>>> Publishing updated snapshot \n"
-aptly publish snapshot -keyring="${CUSTOM_KEYRING_FILE}" -gpg-key="${GPG_PRIVATE_KEY_FINGERPRINT}" -passphrase "${GPG_PASSPHRASE}" -config "${APTLY_CONFIG_FILE_PATH}" updated-snapshot "s3:${APT_BUCKET_NAME}:${APT_REPO_FOLDER}"
+aptly publish snapshot -keyring="${CUSTOM_KEYRING_FILE}" -gpg-key="${GPG_PRIVATE_KEY_FINGERPRINT}" -passphrase "${GPG_PASSPHRASE}" -config "${APTLY_CONFIG_FILE_PATH}" updated-snapshot "s3:${APT_BUCKET_NAME}:${APT_REPO_PATH}"
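Review bot: The rewritten `aptly publish snapshot` line still passes the signing-key passphrase as a command-line argument, `-passphrase "${GPG_PASSPHRASE}"`. That makes it readable in the runner's process list while aptly runs, and in any `set -x` trace of the script. aptly also accepts `-passphrase-file`, so the secret can be written to a file created with `mktemp` under `umask 077`, passed as `-passphrase-file "${passphrase_file}"`, and removed in an `EXIT` trap. The argument predates this commit, which only renames the repo path variable on this line.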