Jason Plum authored
See:
- https://gitlab.com/gitlab-org/omnibus/merge_requests/7
- https://github.com/chef/omnibus/issues/402

Add Debian package signing, via methodology described in `debsigs` documentation https://gitlab.com/debsigs/debsigs

Addition of a `sign_deb_file` function to `Packager::DEB`, after `create_deb_file`.

The essential concepts of what is required to sign a `.deb` with a `type: origin` signature are delineated per the link to `debsigs` above. There is no current functionality built into `dpkg` scripting akin to `rpm --addsign`. Since the `.deb` file format is simple, we extract the contents of the archive (`ar x`), sign the concatenated (specifically ordered) contents, and then append the created signature to the archive (`ar rc debfile _gpgorigin`). These steps could have been accomplished in pure Ruby with the addition of several modules (GPGME, libarchive) except for two concerns: age & maintenance, `fakeroot` requirements.

Tests have been added to attempt to cover the behavior correctly.

- `gpg`: This is already an existing requirement of `Packager::RPM` due to the use of `rpmsign`
- `ar`: Most systems that attempt to build Debian packages will have the `ar` command, and it has been confirmed that MacOS also has this utility.
- `fakeroot`: This is in line with `ar`, however it should be noted that not all systems had this program, and as such it has been added to the Omnibus cookbook.

Adding `ar` and `fakeroot` to the required tools compiled by Omnibus for ensuring this presence was done by @kwilczynski in #217

There is *no need* to add `debsigs`/`debsig-verify` as a requirement, as we are implementing the logic in Ruby and `Shellout`.

Care was taken to ensure compatibility with distribution provided binary versions of `gpg2` or `gpg` for LTS versions of distributions supported by GitLab. This list can be seen at https://gitlab.com/gitlab-org/omnibus/merge_requests/7#note_35053215 . The code is written to prefer `gpg2` if present.

GitLab experienced issues in regards to `gpg --import`, and eventually settled on `gpg --batch --no-tty --allow-secret-key-import --import` as a part of our CI job. So long as the key is present for the GPG calls (via `--homedir #{ENV['HOME']}/.gnupg`) this should not be an issue for any non-automated use. Note that this behavior is the same with RPM signing behaviors. As the GPG key import process is not a part of Omnibus itself, this should be of little concern to the code changes in this MR.

Relates to https://gitlab.com/gitlab-org/omnibus-gitlab/issues/2537
Relates to https://github.com/chef-cookbooks/omnibus/pull/217
Closes https://github.com/chef/omnibus/issues/402

Submitted with the approval of GitLab, and with great thanks for the project!

Signed-off-by: Jason Plum <jplum@gitlab.com>
a02a2c95
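The `ar x` / sign / `ar rc` sequence the commit message describes, worked through end to end as an added example. This is not the omnibus project's `sign_deb_file` (which shells out to `ar`, `fakeroot` and `gpg` from Ruby); it is a stand-alone Python walk-through of the same `.deb` plumbing: parse the `ar` container, concatenate the members in archive order (`debian-binary`, `control.tar.*`, `data.tar.*`) while excluding any existing `_gpg*` member, produce a detached signature over that concatenation, and append it as the `_gpgorigin` member. Assumptions: the three-member archive in `toy_deb()` is constructed, not a real package; `gpg_signer` assumes `gpg2` or `gpg` is on `PATH` with the signing key already imported (key import is out of scope, as the commit notes), and it passes `--armor` on the assumption that the verifying policy expects debsigs-style armored output; `digest_signer` is a SHA-256 stand-in used only to exercise the archive handling without a keyring and is not a signature.

```python
"""Sign a .deb with a debsigs-style `type: origin` signature member.

Added example, not omnibus project code. Mirrors the steps the commit
describes: split the ar archive, concatenate members in archive order,
produce a detached signature, append it as `_gpgorigin`.
"""
import hashlib
import shutil
import subprocess
from typing import Callable, List, Optional, Tuple

AR_MAGIC = b"!<arch>\n"
SIG_MEMBER = "_gpgorigin"
Member = Tuple[str, bytes]


def _header(name: str, size: int, mtime: int = 0, mode: int = 0o100644) -> bytes:
    """Build one 60-byte common ar member header (fields are space padded)."""
    if len(name) > 16:
        raise ValueError(f"member name too long for ar header: {name!r}")
    hdr = (name.ljust(16) + str(mtime).ljust(12) + "0".ljust(6) + "0".ljust(6)
           + f"{mode:o}".ljust(8) + str(size).ljust(10) + "`\n").encode("ascii")
    assert len(hdr) == 60
    return hdr


def build_ar(members: List[Member]) -> bytes:
    """Serialise members into an ar archive, padding each to an even offset."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += _header(name, len(data))
        out += data
        if len(data) % 2:
            out += b"\n"  # ar pads odd-sized members with a newline
    return bytes(out)


def parse_ar(blob: bytes) -> List[Member]:
    """Parse an ar archive into (name, data) pairs, preserving archive order."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError(f"corrupt ar header at offset {pos}")
        # GNU ar writes "name/", dpkg-deb writes "name"; accept both.
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58])
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError(f"truncated member {name!r}")
        members.append((name, data))
        pos += 60 + size + (size % 2)
    return members


def signing_payload(members: List[Member]) -> bytes:
    """Concatenate members in archive order, excluding any `_gpg*` signature."""
    return b"".join(data for name, data in members if not name.startswith("_gpg"))


def sign_deb(blob: bytes, signer: Callable[[bytes], bytes]) -> bytes:
    """Return the archive with a fresh `_gpgorigin` member (a prior one is replaced)."""
    members = parse_ar(blob)
    signature = signer(signing_payload(members))
    kept = [m for m in members if m[0] != SIG_MEMBER]
    return build_ar(kept + [(SIG_MEMBER, signature)])


def split_signed(blob: bytes) -> Tuple[bytes, bytes]:
    """Return (payload, signature) so `gpg --verify sig payload` can check it."""
    members = parse_ar(blob)
    sigs = [d for n, d in members if n == SIG_MEMBER]
    if len(sigs) != 1:
        raise ValueError("expected exactly one _gpgorigin member")
    return signing_payload(members), sigs[0]


def gpg_signer(key_id: str, homedir: Optional[str] = None) -> Callable[[bytes], bytes]:
    """Detached-signature signer via the system gpg, preferring gpg2 like the commit.

    Assumes the private key for `key_id` is already in the keyring; `--armor`
    is an assumption about what the verifying policy expects."""
    gpg = shutil.which("gpg2") or shutil.which("gpg") or "gpg"

    def sign(payload: bytes) -> bytes:
        cmd = [gpg, "--batch", "--no-tty", "--armor", "--detach-sign",
               "--local-user", key_id, "--output", "-"]
        if homedir:
            cmd[1:1] = ["--homedir", homedir]
        return subprocess.run(cmd, input=payload, check=True, capture_output=True).stdout
    return sign


def digest_signer(payload: bytes) -> bytes:
    """Stand-in for offline tests only: a SHA-256 digest is NOT a signature."""
    return hashlib.sha256(payload).digest()


def toy_deb() -> bytes:
    """Constructed three-member archive in the real .deb member order."""
    return build_ar([("debian-binary", b"2.0\n"),
                     ("control.tar.gz", b"\x1f\x8bcontrol"),
                     ("data.tar.xz", b"\xfd7zXZdata!")])


if __name__ == "__main__":
    signed = sign_deb(toy_deb(), digest_signer)
    print([n for n, _ in parse_ar(signed)])
    print(split_signed(signed)[1].hex())
```

The member order matters: the signature covers the bytes exactly as they sit in the archive, so a verifier that reconstructs the payload in a different order, or that accidentally includes an earlier `_gpgorigin`, will reject a valid package. `sign_deb` therefore strips any previous signature member before both computing the payload and appending the new one, which also keeps re-signing idempotent rather than stacking members.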