upgrade gpg and deb
heronhaye committed Oct 12, 2023
1 parent 3e5c025 commit a154ede
Showing 4 changed files with 8 additions and 27 deletions.
11 changes: 1 addition & 10 deletions packaging/linux/Dockerfile
@@ -1,12 +1,6 @@
FROM debian:buster
LABEL maintainer="Keybase <admin@keybase.io>"


# RUN sed -i -e 's/deb.debian.org/archive.debian.org/g' \
# -e 's|security.debian.org|archive.debian.org/|g' \
# -e '/stretch-updates/d' /etc/apt/sources.list
# RUN sed -i -e 's/deb.debian.org/archive.debian.org/g' /etc/apt/sources.list.d/backports.list

# Install dependencies from the standard repos.
# - Debian build requires 'fakeroot' and 'reprepro' (and 'dpkg-deb', but
# that's installed by default).
Expand All @@ -19,7 +13,7 @@ LABEL maintainer="Keybase <admin@keybase.io>"
# - unzip because electron6 packager requires it
RUN apt-get update
RUN apt-get install -y fakeroot reprepro rpm createrepo git wget \
build-essential curl python python-pip gnupg1 unzip rsync
build-essential curl python python-pip gnupg2 unzip rsync

# Install s3cmd. See this issue for why we need a version newer than what's in
# the Debian repos: https://github.com/s3tools/s3cmd/issues/437
Expand All @@ -44,6 +38,3 @@ RUN echo "$GOLANG_DOWNLOAD_SHA256 /root/go.tar.gz" | sha256sum --check --status
RUN tar -C /usr/local -xzf /root/go.tar.gz
RUN rm /root/go.tar.gz
ENV PATH "$PATH:/usr/local/go/bin"

# Newer Debian gnupg1 provide `gpg1` only
RUN ln -sf /usr/bin/gpg1 /usr/bin/gpg
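Review bot: The edited package list in hunk `@@ -19,7 +13,7 @@` invalidates only the `apt-get install` layer, while the preceding `RUN apt-get update` stays in its own cached layer, so a rebuild after this change can run the install against a stale package index and fail or pick an outdated package. The usual fix is one layer for both steps: `RUN apt-get update && apt-get install -y --no-install-recommends fakeroot reprepro rpm createrepo git wget \` followed by the existing second line and `&& rm -rf /var/lib/apt/lists/*`. On buster `gnupg2` is, as far as I recall, a transitional package that pulls in `gnupg`, so naming `gnupg` directly would state the real dependency; worth confirming with `apt-cache show gnupg2` inside the image. Dropping the `gpg1` symlink in the last hunk is consistent with the switch.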
3 changes: 2 additions & 1 deletion packaging/linux/docker_build.sh
@@ -1,4 +1,5 @@
#! /usr/bin/env bash

# This script is the starting point for Linux packaging builds. Here's what the
# build does:
# 1) create the "keybase_packaging_v*" docker image, if it doesn't exist
Expand Down Expand Up @@ -57,7 +58,7 @@ gpg_tempfile="$gpg_tempdir/code_signing_key"
gpg --export-secret-key --armor "$code_signing_fingerprint" > "$gpg_tempfile"

# Make sure the Docker image is built.
image=keybase_packaging_v47
image=keybase_packaging_v48
if [ -z "$(sudo docker images -q "$image")" ] ; then
echo "Docker image '$image' not yet built. Building..."
sudo docker build -t "$image" "$clientdir/packaging/linux"
2 changes: 1 addition & 1 deletion packaging/linux/inside_docker_main.sh
Expand Up @@ -31,7 +31,7 @@ code_signing_fingerprint="$(/CLIENT/packaging/linux/fingerprint.sh)"
# Specifically use GnuPG v1 for the import, because modern versions need the
# decryption password here, for some stupid reason, totally duplicative of the
# password they'll need again below when we load the key into the agent.
gpg1 --import < /GPG/code_signing_key
gpg --import < /GPG/code_signing_key
true > /GPG/code_signing_key # truncate it, just in case
# Use very long lifetimes for the key in memory, so that we don't forget it in
# the middle of a nightly loop.
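Review bot: The three comment lines directly above the changed `gpg --import` line still say "Specifically use GnuPG v1 for the import" and explain why, which now contradicts the code; they are in the hunk's context and should be rewritten in the same commit so the next reader is not told the opposite of what runs. Suggested replacement: `# Import with the system gpg (GnuPG 2 once the image moves to gnupg2). A passphrase-protected key may now be requested via gpg-agent/pinentry at import time as well as when the key is loaded into the agent below — confirm the nightly loop still runs unattended.` If the import is meant to be non-interactive, adding `--batch` to this call is worth testing in the container. The script body starts and ends outside the hunk.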
19 changes: 4 additions & 15 deletions packaging/linux/rpm/layout_repo.sh
Expand Up @@ -66,25 +66,17 @@ for arch in x86_64 ; do
# hashes in a text file at the root of the Debian repo, RPM puts a separate
# signature in each package file. Command copied from:
# https://ask.fedoraproject.org/en/question/56107/can-gpg-agent-be-used-when-signing-rpm-packages/
#
# The `setsid` and `/dev/null` bits are both required to suppress the no-op
# password prompt that appears despite the agent configs.
echo "Signing '$rpmcopy'..."
echo "Signing '$rpmcopy'...1.. $(which gpg) $(which gpg1)"
# setsid -w rpm \
rpm \
--define "_gpg_name $code_signing_fingerprint" \
--define '_signature gpg' \
--define '_gpgbin /usr/bin/gpg1' \
--define '_gpgbin /usr/bin/gpg' \
--define '__gpg_check_password_cmd /bin/true' \
--define '__gpg_sign_cmd %{__gpg} /usr/bin/gpg1 --batch --no-verbose --no-armor --use-agent --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}' \
--define '__gpg_sign_cmd %{__gpg} gpg --batch --no-verbose --no-armor --use-agent --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}' \
--addsign "$rpmcopy"
# --addsign "$rpmcopy" < /dev/null

echo "Signing '$rpmcopy'...2"
# Add a standalone signature file, for user convenience. Other packaging
# steps will pick this up and copy it around.
/usr/bin/gpg --detach-sign --armor --use-agent --local-user "$code_signing_fingerprint" \
gpg --detach-sign --armor --use-agent --local-user "$code_signing_fingerprint" \
-o "$rpmcopy.sig" "$rpmcopy"

# Update the latest pointer. Even though the RPM repo is split by
Expand All @@ -93,15 +85,12 @@ for arch in x86_64 ; do
ln -sf "repo/$arch/$rpmname" "$repo_root/$binary_name-latest-$arch.rpm"
ln -sf "repo/$arch/$rpmname.sig" "$repo_root/$binary_name-latest-$arch.rpm.sig"

echo "Signing '$rpmcopy'...3"
# Run createrepo to update the database files.
"$CREATEREPO" "$repo_root/repo/$arch"

/usr/bin/gpg --detach-sign --armor --use-agent --local-user "$code_signing_fingerprint" \
gpg --detach-sign --armor --use-agent --local-user "$code_signing_fingerprint" \
-o "$repo_root/repo/$arch/repodata/repomd.xml.asc" "$repo_root/repo/$arch/repodata/repomd.xml"

echo "Signing '$rpmcopy'...4"
# Add updateinfo.xml changelog to the repo
"$MODIFYREPO" "$here/updateinfo.xml" "$repo_root/repo/$arch/repodata"
echo "Signing '$rpmcopy'...5"
done
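Review bot: The new signing commands resolve the signer inconsistently: `_gpgbin` is pinned to `/usr/bin/gpg`, while the `__gpg_sign_cmd` define and the two `--detach-sign` calls now use a bare `gpg` found via `$PATH` (they previously used `/usr/bin/gpg`). For a release-signing step the binary should be resolved once and used everywhere, e.g. `gpg_bin=$(command -v gpg) || exit 1` before the loop, then `"$gpg_bin" --detach-sign ...` in both places and `--define "_gpgbin $gpg_bin"`, so which tool signs the artifacts does not depend on the caller's environment. With GnuPG 2.x `--use-agent` is accepted only for backward compatibility (the agent is always used), so it can be dropped from all three commands now that the gpg1 path is gone. The enclosing `for arch` loop begins before the first hunk.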
