Ship gbp-buildpackage keyring in /usr/share/keyrings instead of inline

This replaces the mess that forces us to split keyrings into a bunch of separate files, and should avoid import issues in sbuild as well.

Ship gbp-buildpackage keyring in /usr/share/keyrings instead of inline
This replaces the mess that forces us to split keyrings into a bunch of separate files, and should avoid import issues in sbuild as well.
909c6762 · Nicolas Dandrimont · 50f9e430 · 909c6762 · 909c6762 · 50f9e430
Commit 909c6762 authored 4 years ago by Nicolas Dandrimont
--- a/jobs/debian/update-scripts.yaml
+++ b/jobs/debian/update-scripts.yaml
@@ -16,3 +16,4 @@
    builders:
      - shell: chmod go+rX -R scripts/debian/
      - shell: rsync -az --delete scripts/debian/ /usr/share/jenkins/debian-scripts/
+      - shell: rsync -az --delete keyrings/ /usr/share/keyrings/extra-repositories/
--- a/jobs/templates/debian/gbp-buildpackage.groovy.j2
+++ b/jobs/templates/debian/gbp-buildpackage.groovy.j2
@@ -73,40 +73,6 @@ pipeline {
        }
      }
    }
-    stage('Write extra keys') {
-      when {
-        beforeAgent true
-        expression { changelog_distribution != 'UNRELEASED' }
-      }
-      steps {
-        dir('keys') {
-          writeFile(
-            file: 'ceph.asc',
-            text: '''{%- include 'keys/ceph.asc' -%}'''
-          )
-          // wget https://www.postgresql.org/media/keys/ACCC4CF8.asc
-          writeFile(
-            file: 'postgres.asc',
-            text: '''{%- include 'keys/postgres.asc' -%}'''
-          )
-          // wget https://artifacts.elastic.co/GPG-KEY-elasticsearch
-          writeFile(
-            file: 'elasticsearch.asc',
-            text: '''{%- include 'keys/elasticsearch.asc' -%}'''
-          )
-          // wget https://www.apache.org/dist/cassandra/KEYS
-          // splitted in 4 files as there is a limit of 65k for a string...
-          // (also, only runtime complains, not tox)
-          writeFile(
-            file: 'cassandra.asc',
-            text: '''{%- include 'keys/cassandra.1.asc' -%}''' +
-                  '''{%- include 'keys/cassandra.2.asc' -%}''' +
-                  '''{%- include 'keys/cassandra.3.asc' -%}''' +
-                  '''{%- include 'keys/cassandra.4.asc' -%}'''
-          )
-        }
-      }
-    }
    stage('Build package') {
      when {
        beforeAgent true
@@ -162,22 +128,22 @@ pipeline {
              else
                ceph_distribution = base_distribution
              extra_repositories.add("deb https://download.ceph.com/debian-luminous/ ${ceph_distribution} main")
-              extra_repository_keys.add('../keys/ceph.asc')
+              extra_repository_keys.add('ceph.asc')
            }

            if ('pgdg' in wanted_extra_repositories && !(base_distribution in ['unstable', 'experimental'])) {
              extra_repositories.add("deb http://apt.postgresql.org/pub/repos/apt/ ${base_distribution}-pgdg main")
-              extra_repository_keys.add('../keys/postgres.asc')
+              extra_repository_keys.add('postgres.asc')
            }

            if ('elasticsearch' in wanted_extra_repositories) {
              extra_repositories.add("deb https://artifacts.elastic.co/packages/7.x/apt stable main")
-              extra_repository_keys.add('../keys/elasticsearch.asc')
+              extra_repository_keys.add('elasticsearch.asc')
            }

            if ('cassandra' in wanted_extra_repositories) {
              extra_repositories.add("deb http://www.apache.org/dist/cassandra/debian 40x main")
-              extra_repository_keys.add('../keys/cassandra.asc')
+              extra_repository_keys.add('cassandra.asc')
            }

            if (params.BUILD_DEP_RESOLVER) {
@@ -215,7 +181,7 @@ pipeline {
            }

            extra_repository_keys.each { key ->
-              gbp_buildpackage.add("--extra-repository-key='${key}'")
+              gbp_buildpackage.add("--extra-repository-key=/usr/share/keyrings/extra-repositories/${key}")
            }

            def gbp_buildpackage_cmd = gbp_buildpackage.join(' ')

--- a/jobs/templates/debian/keys/cassandra.1.asc
+++ b/jobs/templates/debian/keys/cassandra.1.asc
--- a/jobs/templates/debian/keys/cassandra.2.asc
+++ b/jobs/templates/debian/keys/cassandra.2.asc
--- a/jobs/templates/debian/keys/cassandra.3.asc
+++ b/jobs/templates/debian/keys/cassandra.3.asc
--- a/jobs/templates/debian/keys/cassandra.4.asc
+++ b/jobs/templates/debian/keys/cassandra.4.asc
--- a/keyrings/README.md
+++ b/keyrings/README.md
+These keyrings are installed in /usr/share/keyrings/extra-repositories, and used
+by the gbp-buildpackage jobs.
+
+To generate an asc file that sbuild understands from an upstream keyring:
+
+  rm -r temp.kbx
+  gpg --no-default-keyring --keyring temp.kbx --import < upstream_keyring.asc
+  gpg --no-default-keyring --keyring temp.kbx --export > new_keyring.asc
+
--- a/keyrings/cassandra.asc
+++ b/keyrings/cassandra.asc
--- a/jobs/templates/debian/keys/ceph.asc
+++ b/jobs/templates/debian/keys/ceph.asc
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1

 mQINBFX4hgkBEADLqn6O+UFp+ZuwccNldwvh5PzEwKUPlXKPLjQfXlQRig1flpCH
 E0HJ5wgGlCtYd3Ol9f9+qU24kDNzfbs5bud58BeE7zFaZ4s0JMOMuVm7p8JhsvkU

--- a/jobs/templates/debian/keys/elasticsearch.asc
+++ b/jobs/templates/debian/keys/elasticsearch.asc
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2.0.14 (GNU/Linux)

 mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD
 A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9

--- a/jobs/templates/debian/keys/postgres.asc
+++ b/jobs/templates/debian/keys/postgres.asc