forked from aws/amazon-ecs-agent
-
Notifications
You must be signed in to change notification settings - Fork 0
/
signing.yml
158 lines (148 loc) · 8.35 KB
/
signing.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
version: 0.2
# About this buildspec
# It derives the region from AWS_REGION which the AWS CLI is automatically programmed
# to do so we don't set a region specifically.
# $PASSPHRASE gets pulled from secretsmanager because codebuild can pull secrets from secretsmanager
# as an integration point. This does require the codebuild role to have proper permissions.
# $PRIVATE_KEY_ARN is pulled from the environment as well. This is something that will probably
# be specified by the CloudFormation template that this becomes a part of.
# $ECS_AGENT_AMD_TAR and $ECS_AGENT_ARM_TAR get fed into this codebuild by codepipeline
env:
exported-variables:
- CODEBUILD_BUILD_ID
phases:
pre_build:
on-failure: ABORT
commands:
# create functions for signing files and deleting the whole keyring
# NOTE: you have to source /tmp/functions.sh before every command that requires the
# functions defined here because each command is run in isolation so it doesn't
# carry over the command environment from command to command
- |
cat <<- 'EOF' > /tmp/functions.sh
function sign_file() {
local file_to_sign="$1"
echo "Signing $file_to_sign"
gpg --detach-sign --batch --passphrase $PASSPHRASE --armor --output "$file_to_sign.asc" $file_to_sign
echo "Signed $file_to_sign"
}
function delete_all_secret_keys() {
for i in $(gpg --with-colons --fingerprint | grep "^fpr" | cut -d: -f10); do
gpg --batch --delete-secret-keys "$i"
done
}
EOF
build:
on-failure: ABORT
commands:
# Generate file names for signing from agent version and git short sha
- ECS_AGENT_AMD_TAR="ecs-agent-v${AGENT_VERSION}.tar"
- ECS_AGENT_AMD_LATEST_TAR="ecs-agent-latest.tar"
- ECS_AGENT_AMD_GITSHORTSHA_TAR="ecs-agent-${GIT_COMMIT_SHORT_SHA}.tar"
- ECS_AGENT_AMD_RPM="amazon-ecs-init-${INIT_VERSION}.x86_64.rpm"
- ECS_AGENT_UBUNTU_AMD_DEB="amazon-ecs-init-${INIT_VERSION}.amd64.deb"
- ECS_AGENT_ARM_TAR="ecs-agent-arm64-v${AGENT_VERSION}.tar"
- ECS_AGENT_ARM_LATEST_TAR="ecs-agent-arm64-latest.tar"
- ECS_AGENT_ARM_GITSHORTSHA_TAR="ecs-agent-arm64-${GIT_COMMIT_SHORT_SHA}.tar"
- ECS_AGENT_ARM_RPM="amazon-ecs-init-${INIT_VERSION}.aarch64.rpm"
- ECS_AGENT_UBUNTU_ARM_DEB="amazon-ecs-init-${INIT_VERSION}.arm64.deb"
# EBS csi driver image tar files
- CSI_DRIVER_AMD_TAR="ebs-csi-driver-v${AGENT_VERSION}.tar"
- CSI_DRIVER_AMD_LATEST_TAR="ebs-csi-driver-latest.tar"
- CSI_DRIVER_AMD_GITSHORTSHA_TAR="ebs-csi-driver-${GIT_COMMIT_SHORT_SHA}.tar"
- CSI_DRIVER_ARM_TAR="ebs-csi-driver-arm64-v${AGENT_VERSION}.tar"
- CSI_DRIVER_ARM_LATEST_TAR="ebs-csi-driver-arm64-latest.tar"
- CSI_DRIVER_ARM_GITSHORTSHA_TAR="ebs-csi-driver-arm64-${GIT_COMMIT_SHORT_SHA}.tar"
- ECS_ANYWHERE_SCRIPT="ecs-anywhere-install-${INIT_VERSION}.sh"
- ECS_ANYWHERE_LATEST_SCRIPT="ecs-anywhere-install-latest.sh"
# Get the private key from secrets manager, jq parse it, turn it into raw output, pipe to file
- aws secretsmanager get-secret-value --secret-id $PRIVATE_KEY_ARN | jq -r '.SecretString' > private.gpg
# import the key into the keychain, the private key comes with the public key built in
- gpg --allow-secret-key-import --import private.gpg
# remove the private key file because we don't want it to be packaged with the artifacts
- rm private.gpg
# Sign the amd tar and rpm (this is a secondary source so we have to do some copying)
- cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$ECS_AGENT_AMD_TAR" $ECS_AGENT_AMD_TAR
- source /tmp/functions.sh && sign_file $ECS_AGENT_AMD_TAR
- cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$ECS_AGENT_AMD_LATEST_TAR" $ECS_AGENT_AMD_LATEST_TAR
- source /tmp/functions.sh && sign_file $ECS_AGENT_AMD_LATEST_TAR
- cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$ECS_AGENT_AMD_GITSHORTSHA_TAR" $ECS_AGENT_AMD_GITSHORTSHA_TAR
- source /tmp/functions.sh && sign_file $ECS_AGENT_AMD_GITSHORTSHA_TAR
- cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$ECS_AGENT_AMD_RPM" $ECS_AGENT_AMD_RPM
- source /tmp/functions.sh && sign_file $ECS_AGENT_AMD_RPM
# Sign the amd csi driver tar (this is a secondary source so we have to do some copying)
- cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$CSI_DRIVER_AMD_TAR" $CSI_DRIVER_AMD_TAR
- source /tmp/functions.sh && sign_file $CSI_DRIVER_AMD_TAR
- cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$CSI_DRIVER_AMD_LATEST_TAR" $CSI_DRIVER_AMD_LATEST_TAR
- source /tmp/functions.sh && sign_file $CSI_DRIVER_AMD_LATEST_TAR
- cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$CSI_DRIVER_AMD_GITSHORTSHA_TAR" $CSI_DRIVER_AMD_GITSHORTSHA_TAR
- source /tmp/functions.sh && sign_file $CSI_DRIVER_AMD_GITSHORTSHA_TAR
# Sign ECS Anywhere Script
- cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/scripts/ecs-anywhere-install.sh" $ECS_ANYWHERE_SCRIPT
- source /tmp/functions.sh && sign_file $ECS_ANYWHERE_SCRIPT
- cp $ECS_ANYWHERE_SCRIPT $ECS_ANYWHERE_LATEST_SCRIPT
- source /tmp/functions.sh && sign_file $ECS_ANYWHERE_LATEST_SCRIPT
# Sign the arm tar and rpm (this is a secondary source so we have to do some copying)
- cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$ECS_AGENT_ARM_TAR" $ECS_AGENT_ARM_TAR
- source /tmp/functions.sh && sign_file $ECS_AGENT_ARM_TAR
- cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$ECS_AGENT_ARM_LATEST_TAR" $ECS_AGENT_ARM_LATEST_TAR
- source /tmp/functions.sh && sign_file $ECS_AGENT_ARM_LATEST_TAR
- cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$ECS_AGENT_ARM_GITSHORTSHA_TAR" $ECS_AGENT_ARM_GITSHORTSHA_TAR
- source /tmp/functions.sh && sign_file $ECS_AGENT_ARM_GITSHORTSHA_TAR
- cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$ECS_AGENT_ARM_RPM" $ECS_AGENT_ARM_RPM
- source /tmp/functions.sh && sign_file $ECS_AGENT_ARM_RPM
# Sign the arm csi driver tar (this is a secondary source so we have to do some copying)
- cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$CSI_DRIVER_ARM_TAR" $CSI_DRIVER_ARM_TAR
- source /tmp/functions.sh && sign_file $CSI_DRIVER_ARM_TAR
- cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$CSI_DRIVER_ARM_LATEST_TAR" $CSI_DRIVER_ARM_LATEST_TAR
- source /tmp/functions.sh && sign_file $CSI_DRIVER_ARM_LATEST_TAR
- cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$CSI_DRIVER_ARM_GITSHORTSHA_TAR" $CSI_DRIVER_ARM_GITSHORTSHA_TAR
- source /tmp/functions.sh && sign_file $CSI_DRIVER_ARM_GITSHORTSHA_TAR
# Sign the amd deb (this is a secondary source so we have to do some copying)
- cp "$CODEBUILD_SRC_DIR_UbuntuAmdBuildArtifact/$ECS_AGENT_UBUNTU_AMD_DEB" $ECS_AGENT_UBUNTU_AMD_DEB
- source /tmp/functions.sh && sign_file $ECS_AGENT_UBUNTU_AMD_DEB
# Sign the arm deb (this is a secondary source so we have to do some copying)
- cp "$CODEBUILD_SRC_DIR_UbuntuArmBuildArtifact/$ECS_AGENT_UBUNTU_ARM_DEB" $ECS_AGENT_UBUNTU_ARM_DEB
- source /tmp/functions.sh && sign_file $ECS_AGENT_UBUNTU_ARM_DEB
# Clean up the key just in case
- source /tmp/functions.sh && delete_all_secret_keys
# validate that the keychain is empty
- gpg --list-secret-keys --verbose
artifacts:
files:
- $ECS_AGENT_AMD_TAR
- '$ECS_AGENT_AMD_TAR.asc'
- $ECS_AGENT_AMD_LATEST_TAR
- '$ECS_AGENT_AMD_LATEST_TAR.asc'
- $ECS_AGENT_AMD_GITSHORTSHA_TAR
- '$ECS_AGENT_AMD_GITSHORTSHA_TAR.asc'
- $ECS_AGENT_AMD_RPM
- '$ECS_AGENT_AMD_RPM.asc'
- $ECS_AGENT_ARM_TAR
- '$ECS_AGENT_ARM_TAR.asc'
- $ECS_AGENT_ARM_LATEST_TAR
- '$ECS_AGENT_ARM_LATEST_TAR.asc'
- $ECS_AGENT_ARM_GITSHORTSHA_TAR
- '$ECS_AGENT_ARM_GITSHORTSHA_TAR.asc'
- $ECS_AGENT_ARM_RPM
- '$ECS_AGENT_ARM_RPM.asc'
- $ECS_AGENT_UBUNTU_AMD_DEB
- '$ECS_AGENT_UBUNTU_AMD_DEB.asc'
- $ECS_AGENT_UBUNTU_ARM_DEB
- '$ECS_AGENT_UBUNTU_ARM_DEB.asc'
- $ECS_ANYWHERE_SCRIPT
- '$ECS_ANYWHERE_SCRIPT.asc'
- $ECS_ANYWHERE_LATEST_SCRIPT
- '$ECS_ANYWHERE_LATEST_SCRIPT.asc'
- $CSI_DRIVER_AMD_TAR
- '$CSI_DRIVER_AMD_TAR.asc'
- $CSI_DRIVER_AMD_LATEST_TAR
- '$CSI_DRIVER_AMD_LATEST_TAR.asc'
- $CSI_DRIVER_AMD_GITSHORTSHA_TAR
- '$CSI_DRIVER_AMD_GITSHORTSHA_TAR.asc'
- $CSI_DRIVER_ARM_TAR
- '$CSI_DRIVER_ARM_TAR.asc'
- $CSI_DRIVER_ARM_LATEST_TAR
- '$CSI_DRIVER_ARM_LATEST_TAR.asc'
- $CSI_DRIVER_ARM_GITSHORTSHA_TAR
- '$CSI_DRIVER_ARM_GITSHORTSHA_TAR.asc'