From b8e61a4a327a93edae21cb55fee0e0d83bf90130 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Mon, 20 Dec 2021 16:14:01 +0100
Subject: [PATCH] Adding jobs for signing built packages
---
 .gitlab-ci.yml | 78 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 77 insertions(+), 1 deletion(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 1b227b5..cbb115c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,7 +4,9 @@ stages:
 - test
 - linter
 - build
+ - sign
 - deploy
+ - notify
 variables:
 DEBFULLNAME: 'Frank Brehm'
@@ -25,7 +27,6 @@ variables:
 YUM_REPO_USER: 'rpm-repo'
 YUM_REPO_DIR_HTTP: '/Linux/yum/pixelpark'
 YUM_REPO_DIR: "/srv/www/repo${YUM_REPO_DIR_HTTP}"
- YUM_REPO_ADDSIGN_SCRIPT: '/home/rpm-repo/bin/rpm-addsign-wrapper.expect'
 YUM_REPO_GPG_KEY_PUB: 'nada'
 YUM_REPO_GPG_KEY_SEC: 'nada'
@@ -272,3 +273,78 @@ build CentOS 8 with Python 3.8:
 - '.pkg-build-rules'
 image: centos:8
+.pkg-sign-rules:
+ rules:
+ - if: '$CI_COMMIT_TAG'
+ - if: $CI_COMMIT_BRANCH == "master"
+ - if: $CI_COMMIT_BRANCH == "main"
+ - if: $CI_COMMIT_BRANCH == "develop"
+ stage: sign
+ tags:
+ - docker
+ image: centos:7
+ before_script:
+ - |
+ echo "All locales"
+ locale -a
+ - |
+ echo "Installing locales ..."
+ for l in de_AT de_CH de_DE en_CA en_GB en_IE en_IN en_US; do
+ echo "${l}.utf8"
+ localedef --charmap UTF-8 --inputfile "${l}" "${l}.utf8"
+ done
+ - |
+ echo "All locales"
+ locale -a
+ echo
+ echo "locales:"
+ locale
+ - |
+ echo "Exporting LC_ALL ..."
+ export LC_ALL="${USED_LC}"
+ echo
+ echo "locales:"
+ locale
+ - yum makecache
+ - yum --assumeyes upgrade
+ - yum --assumeyes install rpm-sign expect
+ script:
+ - ls -lA rpmdir/RPMS/*/* rpmdir/SRPMS/*
+ - echo -e "%_signature gpg\n%_gpg_name ${YUM_REPO_GPG_ID}" >$HOME/.rpmmacros
+ - echo "$YUM_REPO_GPG_KEY_PUB" | gpg --import
+ - gpg --list-public-keys
+ - echo "$YUM_REPO_GPG_KEY_SEC" | gpg --import
+ - gpg --list-secret-keys
+ - 'for f in $( find rpmdir -type f -iname "*.rpm" ) ; do echo "Signing ${f} ..."; ./rpm-addsign-wrapper.expect "${f}" "${YUM_REPO_GPG_PASSWD}"; done'
+ - |
+ echo "Signing packages ..."
+ for f in $( find rpmdir -type f -iname "*.rpm" ) ; do
+ echo " * ${f} ..."
+ ./rpm-addsign-wrapper.expect "${f}" "${YUM_REPO_GPG_PASSWD}"
+ done
+ - |
+ echo "Results:"
+ find rpmdir/*RPMS -type f -print0 | xargs --null --no-run-if-empty ls -l -d --color=always
+ artifacts:
+ name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME"
+ paths:
+ - rpmdir/RPMS/*/*.rpm
+ - rpmdir/SRPMS/*.src.rpm
+ expire_in: '1 week'
+
+Sign EL 7 packages:
+ extends:
+ - '.pkg-sign-rules'
+ needs:
+ - 'build CentOS 7 with Python 3.6'
+ dependencies:
+ - 'build CentOS 7 with Python 3.6'
+
+Sign EL 8 packages:
+ extends:
+ - '.pkg-sign-rules'
+ needs:
+ - 'build CentOS 8 with Python 3.8'
+ dependencies:
+ - 'build CentOS 8 with Python 3.8'
+
-- 2.39.5
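Review bot: In the `script:` section of `.pkg-sign-rules` the key passphrase is passed to `./rpm-addsign-wrapper.expect` as a command-line argument (`"${YUM_REPO_GPG_PASSWD}"`), so it sits in the process argument list and shows up expanded in the job log whenever shell tracing such as `CI_DEBUG_TRACE` is enabled; an expect script can read it itself through `$env(YUM_REPO_GPG_PASSWD)`, which would reduce the call to `./rpm-addsign-wrapper.expect "${f}"`. The signing loop is also present twice, once as the quoted one-liner and again in the `- |` block right after it, so every package goes through the wrapper two times and one of the two should be removed. Nothing verifies the outcome before the RPMs are stored as artifacts; the wrapper is not part of this patch, but expect scripts commonly exit 0 even when the prompt exchange failed, so a `rpm --checksig "${f}"` after signing (with the public key imported into the rpm keyring) would turn a silent miss into a failed job. The secret key is imported inside a container pulled from the mutable `centos:7` tag after an unpinned `yum --assumeyes upgrade`, and the rules include `develop`; pinning the image by digest and confirming that `YUM_REPO_GPG_KEY_SEC` and `YUM_REPO_GPG_PASSWD` are protected CI/CD variables (masked where the value format allows) would narrow what can reach the key.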