buildspecs/signing.yml

version: 0.2

# About this buildspec
# It derives the region from AWS_REGION which the AWS CLI is automatically programmed
# to do so we don't set a region specifically.
# $PASSPHRASE gets pulled from secretsmanager because codebuild can pull secrets from secretsmanager
# as an integration point. This does require the codebuild role to have proper permissions.
# $PRIVATE_KEY_ARN is pulled from the environment as well. This is something that will probably
# be specified by the CloudFormation template that this becomes a part of.
# $ECS_AGENT_AMD_TAR and $ECS_AGENT_ARM_TAR get fed into this codebuild by codepipeline

env:
  exported-variables:
    - CODEBUILD_BUILD_ID

phases:
  pre_build:
    on-failure: ABORT
    commands:
      # create functions for signing files and deleting the whole keyring
      # NOTE: you have to source /tmp/functions.sh before every command that requires the
      # functions defined here because each command is run in isolation so it doesn't
      # carry over the command environment from command to command
      - |
        cat <<- 'EOF' > /tmp/functions.sh
        function sign_file() {
          local file_to_sign="$1"

          echo "Signing $file_to_sign"
          gpg --detach-sign --batch --passphrase $PASSPHRASE --armor --output "$file_to_sign.asc" $file_to_sign
          echo "Signed $file_to_sign"
        }

        function delete_all_secret_keys() {
          for i in $(gpg --with-colons --fingerprint | grep "^fpr" | cut -d: -f10); do
            gpg --batch --delete-secret-keys "$i"
          done
        }
        EOF

  build:
    on-failure: ABORT
    commands:
      # Generate file names for signing from agent version and git short sha
      - ECS_AGENT_AMD_TAR="ecs-agent-v${AGENT_VERSION}.tar"
      - ECS_AGENT_AMD_LATEST_TAR="ecs-agent-latest.tar"
      - ECS_AGENT_AMD_GITSHORTSHA_TAR="ecs-agent-${GIT_COMMIT_SHORT_SHA}.tar"
      - ECS_AGENT_AMD_RPM="amazon-ecs-init-${INIT_VERSION}.x86_64.rpm"
      - ECS_AGENT_UBUNTU_AMD_DEB="amazon-ecs-init-${INIT_VERSION}.amd64.deb"

      - ECS_AGENT_ARM_TAR="ecs-agent-arm64-v${AGENT_VERSION}.tar"
      - ECS_AGENT_ARM_LATEST_TAR="ecs-agent-arm64-latest.tar"
      - ECS_AGENT_ARM_GITSHORTSHA_TAR="ecs-agent-arm64-${GIT_COMMIT_SHORT_SHA}.tar"
      - ECS_AGENT_ARM_RPM="amazon-ecs-init-${INIT_VERSION}.aarch64.rpm"
      - ECS_AGENT_UBUNTU_ARM_DEB="amazon-ecs-init-${INIT_VERSION}.arm64.deb"

      # EBS csi driver image tar files
      - CSI_DRIVER_AMD_TAR="ebs-csi-driver-v${AGENT_VERSION}.tar"
      - CSI_DRIVER_AMD_LATEST_TAR="ebs-csi-driver-latest.tar"
      - CSI_DRIVER_AMD_GITSHORTSHA_TAR="ebs-csi-driver-${GIT_COMMIT_SHORT_SHA}.tar"
      - CSI_DRIVER_ARM_TAR="ebs-csi-driver-arm64-v${AGENT_VERSION}.tar"
      - CSI_DRIVER_ARM_LATEST_TAR="ebs-csi-driver-arm64-latest.tar"
      - CSI_DRIVER_ARM_GITSHORTSHA_TAR="ebs-csi-driver-arm64-${GIT_COMMIT_SHORT_SHA}.tar"

      - ECS_ANYWHERE_SCRIPT="ecs-anywhere-install-${INIT_VERSION}.sh"
      - ECS_ANYWHERE_LATEST_SCRIPT="ecs-anywhere-install-latest.sh"
      # Get the private key from secrets manager, jq parse it, turn it into raw output, pipe to file
      - aws secretsmanager get-secret-value --secret-id $PRIVATE_KEY_ARN | jq -r '.SecretString' > private.gpg
      # import the key into the keychain, the private key comes with the public key built in
      - gpg --allow-secret-key-import --import private.gpg
      # remove the private key file because we don't want it to be packaged with the artifacts
      - rm private.gpg
      # Sign the amd tar and rpm (this is a secondary source so we have to do some copying)
      - cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$ECS_AGENT_AMD_TAR" $ECS_AGENT_AMD_TAR
      - source /tmp/functions.sh && sign_file $ECS_AGENT_AMD_TAR
      - cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$ECS_AGENT_AMD_LATEST_TAR" $ECS_AGENT_AMD_LATEST_TAR
      - source /tmp/functions.sh && sign_file $ECS_AGENT_AMD_LATEST_TAR
      - cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$ECS_AGENT_AMD_GITSHORTSHA_TAR" $ECS_AGENT_AMD_GITSHORTSHA_TAR
      - source /tmp/functions.sh && sign_file $ECS_AGENT_AMD_GITSHORTSHA_TAR
      - cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$ECS_AGENT_AMD_RPM" $ECS_AGENT_AMD_RPM
      - source /tmp/functions.sh && sign_file $ECS_AGENT_AMD_RPM
      # Sign the amd csi driver tar (this is a secondary source so we have to do some copying)
      - cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$CSI_DRIVER_AMD_TAR" $CSI_DRIVER_AMD_TAR
      - source /tmp/functions.sh && sign_file $CSI_DRIVER_AMD_TAR
      - cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$CSI_DRIVER_AMD_LATEST_TAR" $CSI_DRIVER_AMD_LATEST_TAR
      - source /tmp/functions.sh && sign_file $CSI_DRIVER_AMD_LATEST_TAR
      - cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$CSI_DRIVER_AMD_GITSHORTSHA_TAR" $CSI_DRIVER_AMD_GITSHORTSHA_TAR
      - source /tmp/functions.sh && sign_file $CSI_DRIVER_AMD_GITSHORTSHA_TAR
      # Sign ECS Anywhere Script
      - cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/scripts/ecs-anywhere-install.sh" $ECS_ANYWHERE_SCRIPT
      - source /tmp/functions.sh && sign_file $ECS_ANYWHERE_SCRIPT
      - cp $ECS_ANYWHERE_SCRIPT $ECS_ANYWHERE_LATEST_SCRIPT
      - source /tmp/functions.sh && sign_file $ECS_ANYWHERE_LATEST_SCRIPT
      # Sign the arm tar and rpm (this is a secondary source so we have to do some copying)
      - cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$ECS_AGENT_ARM_TAR" $ECS_AGENT_ARM_TAR
      - source /tmp/functions.sh && sign_file $ECS_AGENT_ARM_TAR
      - cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$ECS_AGENT_ARM_LATEST_TAR" $ECS_AGENT_ARM_LATEST_TAR
      - source /tmp/functions.sh && sign_file $ECS_AGENT_ARM_LATEST_TAR
      - cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$ECS_AGENT_ARM_GITSHORTSHA_TAR" $ECS_AGENT_ARM_GITSHORTSHA_TAR
      - source /tmp/functions.sh && sign_file $ECS_AGENT_ARM_GITSHORTSHA_TAR
      - cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$ECS_AGENT_ARM_RPM" $ECS_AGENT_ARM_RPM
      - source /tmp/functions.sh && sign_file $ECS_AGENT_ARM_RPM
      # Sign the arm csi driver tar (this is a secondary source so we have to do some copying)
      - cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$CSI_DRIVER_ARM_TAR" $CSI_DRIVER_ARM_TAR
      - source /tmp/functions.sh && sign_file $CSI_DRIVER_ARM_TAR
      - cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$CSI_DRIVER_ARM_LATEST_TAR" $CSI_DRIVER_ARM_LATEST_TAR
      - source /tmp/functions.sh && sign_file $CSI_DRIVER_ARM_LATEST_TAR
      - cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$CSI_DRIVER_ARM_GITSHORTSHA_TAR" $CSI_DRIVER_ARM_GITSHORTSHA_TAR
      - source /tmp/functions.sh && sign_file $CSI_DRIVER_ARM_GITSHORTSHA_TAR
      # Sign the amd deb (this is a secondary source so we have to do some copying)
      - cp "$CODEBUILD_SRC_DIR_UbuntuAmdBuildArtifact/$ECS_AGENT_UBUNTU_AMD_DEB" $ECS_AGENT_UBUNTU_AMD_DEB
      - source /tmp/functions.sh && sign_file $ECS_AGENT_UBUNTU_AMD_DEB
      # Sign the arm deb (this is a secondary source so we have to do some copying)
      - cp "$CODEBUILD_SRC_DIR_UbuntuArmBuildArtifact/$ECS_AGENT_UBUNTU_ARM_DEB" $ECS_AGENT_UBUNTU_ARM_DEB
      - source /tmp/functions.sh && sign_file $ECS_AGENT_UBUNTU_ARM_DEB
      # Clean up the key just in case
      - source /tmp/functions.sh && delete_all_secret_keys
      # validate that the keychain is empty
      - gpg --list-secret-keys --verbose

artifacts:
  files:
    - $ECS_AGENT_AMD_TAR
    - '$ECS_AGENT_AMD_TAR.asc'
    - $ECS_AGENT_AMD_LATEST_TAR
    - '$ECS_AGENT_AMD_LATEST_TAR.asc'
    - $ECS_AGENT_AMD_GITSHORTSHA_TAR
    - '$ECS_AGENT_AMD_GITSHORTSHA_TAR.asc'
    - $ECS_AGENT_AMD_RPM
    - '$ECS_AGENT_AMD_RPM.asc'
    - $ECS_AGENT_ARM_TAR
    - '$ECS_AGENT_ARM_TAR.asc'
    - $ECS_AGENT_ARM_LATEST_TAR
    - '$ECS_AGENT_ARM_LATEST_TAR.asc'
    - $ECS_AGENT_ARM_GITSHORTSHA_TAR
    - '$ECS_AGENT_ARM_GITSHORTSHA_TAR.asc'
    - $ECS_AGENT_ARM_RPM
    - '$ECS_AGENT_ARM_RPM.asc'
    - $ECS_AGENT_UBUNTU_AMD_DEB
    - '$ECS_AGENT_UBUNTU_AMD_DEB.asc'
    - $ECS_AGENT_UBUNTU_ARM_DEB
    - '$ECS_AGENT_UBUNTU_ARM_DEB.asc'
    - $ECS_ANYWHERE_SCRIPT
    - '$ECS_ANYWHERE_SCRIPT.asc'
    - $ECS_ANYWHERE_LATEST_SCRIPT
    - '$ECS_ANYWHERE_LATEST_SCRIPT.asc'
    - $CSI_DRIVER_AMD_TAR
    - '$CSI_DRIVER_AMD_TAR.asc'
    - $CSI_DRIVER_AMD_LATEST_TAR
    - '$CSI_DRIVER_AMD_LATEST_TAR.asc'
    - $CSI_DRIVER_AMD_GITSHORTSHA_TAR
    - '$CSI_DRIVER_AMD_GITSHORTSHA_TAR.asc'
    - $CSI_DRIVER_ARM_TAR
    - '$CSI_DRIVER_ARM_TAR.asc'
    - $CSI_DRIVER_ARM_LATEST_TAR
    - '$CSI_DRIVER_ARM_LATEST_TAR.asc'
    - $CSI_DRIVER_ARM_GITSHORTSHA_TAR
    - '$CSI_DRIVER_ARM_GITSHORTSHA_TAR.asc'