fix(release): sign repomd.xml (#1820)

sysdig-CLA-1.0-signed-off-by: Luca Guerra <[email protected]>
draios · Dec 16, 2021 · 8b53079 · 8b53079
1 parent 21e3f41
commit 8b53079
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/.github/workflows/release-final.yaml b/.github/workflows/release-final.yaml
@@ -45,6 +45,7 @@ jobs:
       PACKAGES_DIR: packages
       S3_BUCKET: download.draios.com
       RELEASE: ${{ github.event.release.name }}
+      KEY_ID: EC51E8C4
 
     # These permissions are needed to interact with GitHub's OIDC Token endpoint.
     permissions:
@@ -87,6 +88,11 @@ jobs:
           role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
           aws-region: us-east-1
 
+      - name: Import private key
+        env:
+          PRIVATE_KEY: ${{ secrets.SYSDIG_REPO_SIGNING_KEY }}
+        run: printenv PRIVATE_KEY | gpg --import -
+
       - name: Release RPMs
         env:
           SCRIPTS_DIR: sysdig/scripts/release

diff --git a/scripts/release/release_rpm.sh b/scripts/release/release_rpm.sh
@@ -18,6 +18,9 @@ aws s3 sync s3://$S3_BUCKET/$REPOSITORY_NAME/rpm/$RPM_BASEARCH/ $REPOSITORY_DIR/
 cp $PACKAGES_DIR/*rpm $REPOSITORY_DIR/rpm/$RPM_BASEARCH
 createrepo $REPOSITORY_DIR/rpm/$RPM_BASEARCH
 
+# create repomd.xml.asc
+gpg --local-user $KEY_ID --batch --no-tty --yes --detach-sign --armor $REPOSITORY_DIR/rpm/$RPM_BASEARCH/repodata/repomd.xml
+
 cp $SCRIPTS_DIR/draios.repo $REPOSITORY_DIR/rpm
 sed -i s/_REPOSITORY_/$REPOSITORY_NAME/g $REPOSITORY_DIR/rpm/draios.repo