clean up signing script and install debsigs in Debian based Linux

docker/jenkins/Dockerfile.debian9-x86_64

@@ -15,6 +15,7 @@ RUN apt-get install -y \
     libboost-all-dev \
     bzip2 \
     cmake \
+    debsigs \
     dpkg-sig \
     expect \
     fakeroot \

docker/jenkins/Dockerfile.precise-amd64

@@ -23,6 +23,7 @@ RUN apt-get update \
     apparmor-utils \
     build-essential \
     cmake \
+    debsigs \
     dpkg-sig \
     expect \
     fakeroot \

docker/jenkins/Dockerfile.xenial-amd64

@@ -16,6 +16,7 @@ RUN apt-get update \
     apparmor-utils \
     build-essential \
     cmake \
+    debsigs \
     dpkg-sig \
     expect \
     fakeroot \

docker/jenkins/sign-release.sh

@@ -1,4 +1,21 @@
 #!/usr/bin/env bash
+#
+# RStudio Release Signing (sign-release.sh)
+#
+# This script signs an RStudio release using GnuPG and a private RStudio
+# release signing key. The command-line parameters are as follows:
+#
+# 1. The release binary. This can be an RPM, which will be signed with rpmsign,
+#    or a DEB, which will be signed with dpkg-sig.
+#
+# 2. The encrypted private release signing key. This should be an ASCII armored
+#    GnuPG private key, via e.g. gpg --export-secret-keys. 
+# 
+# 3. A file containing the passphrase for the release signing key.
+#
+# The script will not modify the GnuPG keyring of the calling user; it imports
+# the signing key into a private, temporary keyring, uses it to sign the
+# release, and then destroys the keyring.
 
 if [[ "$#" -lt 2 ]]; then
     echo "Usage: sign-release.sh [installer-file] [key-file] [passphrase-file]"
@@ -11,15 +28,15 @@ KEYFILE=$2
 PASSFILE=$3
 
 # to avoid cluttering the user's keyring with the signing key, we use a
-# temporary secret keyring
+# temporary keyring directory
 TMP_KEYRING_DIR=$(mktemp -d)
 TMP_SEC_KEYRING="$TMP_KEYRING_DIR/secring.gpg"
 TMP_PUB_KEYRING="$TMP_KEYRING_DIR/pubring.gpg"
 
 # make sure to clean up the temporary keyring when finished
 function cleanup {
-    if [ -f "$TMP_SEC_KEYRING_DIR" ]; then 
-        rm -rf $TMP_SEC_KEYRING_DIR
+    if [ -d "$TMP_KEYRING_DIR" ]; then 
+        rm -rf $TMP_KEYRING_DIR
     fi
 }
 trap cleanup EXIT
@@ -40,17 +57,33 @@ FILENAME=$(basename "$INSTALLER")
 EXT=${FILENAME##*.}
 
 if [ "$EXT" == "deb" ]; then
-    echo "Signing with debsigs..."
-    /usr/bin/expect << EOD
-spawn bash -c "debsigs -v --sign=origin --default-key=$KEY_ID --secret-keyring=$TMP_SEC_KEYRING $INSTALLER"
-expect "Enter passphrase:"
-send "$PASSPHRASE\r"
-expect eof
-EOD
+    # ------------------------------------------------------------------------
+    # Debian packages (.deb)
+    # ------------------------------------------------------------------------
+
+    # Signing with debsigs is currently disabled because it doesn't provide a
+    # way to pass the *public* keyring to GPG. Even when passing the correct *secret*
+    # keyring, GPG doesn't sign:
+    # 
+    # secret key without public key - skipped
+    # gpg: no default secret key: secret key not available
+    #
+    # This seems to be a problem primarily with older GPG installations.
+
+    # echo "Signing with debsigs..."
+    # /usr/bin/expect << EOD
+    # spawn bash -c "debsigs -v --sign=origin --default-key=$KEY_ID --secret-keyring=$TMP_SEC_KEYRING $INSTALLER"
+    # expect "Enter passphrase:"
+    # send "$PASSPHRASE\r"
+    # expect eof
+    # EOD
 
     echo "Signing with dpkg-sig..."
-    dpkg-sig -k $KEY_ID --verbose --sign builder $INSTALLER --gpg-options="--no-default-keyring --secret-keyring=$TMP_SEC_KEYRING --passphrase-file $PASSFILE"
+    dpkg-sig -k $KEY_ID --verbose --sign builder $INSTALLER --gpg-options="--no-default-keyring --keyring=$TMP_PUB_KEYRING --secret-keyring=$TMP_SEC_KEYRING --no-use-agent --passphrase-file $PASSFILE"
 elif [ "$EXT" == "rpm" ]; then
+    # ------------------------------------------------------------------------
+    # Redhat packages (.rpm)
+    # ------------------------------------------------------------------------
     echo "Signing with rpmsign..."
 
     # set up the rpm macros file to point to our temporary key
@@ -78,6 +111,7 @@ EOD
         mv $RPM_MACROS.bak $RPM_MACROS
     fi
 else
+    # not a deb or rpm; we don't know how to sign this
     echo "Unknown installer extension $EXT."
 fi