[neon/ubuntu-core/Neon/core22] /: Update to new key series and converge everything on the correct keys to use

Ben Cooksley null at kde.org
Thu Aug 8 11:45:42 BST 2024


Git commit 40140b79d4968ffbe32b0c2b5db5b56be653b04f by Ben Cooksley.
Committed on 08/08/2024 at 10:44.
Pushed by bcooksley into branch 'Neon/core22'.

Update to new key series and converge everything on the correct keys to use

M  +2    -2    Makefile
M  +1    -1    README.md
M  +15   -1    debian/neon-core-image-dangerous.yml
M  +15   -1    debian/neon-core-image-signed.yml
M  +9    -9    debian/neon-core-models.yml

https://invent.kde.org/neon/ubuntu-core/-/commit/40140b79d4968ffbe32b0c2b5db5b56be653b04f

diff --git a/Makefile b/Makefile
index 3c5837a..9e12cd7 100644
--- a/Makefile
+++ b/Makefile
@@ -12,12 +12,12 @@ kde-neon-core-dangerous-amd64.snap-list: kde-neon-core-amd64.json
 
 kde-neon-core-signed-amd64.model: kde-neon-core-amd64.json
 	./finalize-json.sh signed kde-neon-core-amd64.json model-in.json
-	snap sign -k kde-neon-core-image-key model-in.json > $@
+	snap sign -k kde-snapcraft-key model-in.json > $@
 	rm model-in.json
 
 kde-neon-core-dangerous-amd64.model: kde-neon-core-amd64.json
 	./finalize-json.sh dangerous kde-neon-core-amd64.json model-in.json
-	snap sign -k kde-neon-core-image-key model-in.json > $@
+	snap sign -k kde-snapcraft-key model-in.json > $@
 	rm model-in.json
 
 %.img: %.model %.snap-list
diff --git a/README.md b/README.md
index 4ea3fe9..4561611 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ This also requires having registered keys, as described in the first two steps o
 
 https://ubuntu.com/core/docs/sign-model-assertion
 
-The Makefile assumes your key to be created with the name `kde-neon-core-image-key`. Also, no build can occur if you're not authenticated in your Ubuntu One account with `snapcraft`. To sanity check this, running `snapcraft whoami` will tell you under which account you are authenticated.
+The Makefile assumes your key to be created with the name `kde-snapcraft-key`. Also, no build can occur if you're not authenticated in your Ubuntu One account with `snapcraft`. To sanity check this, running `snapcraft whoami` will tell you under which account you are authenticated.
 
 #### Generating models with the CI
 
diff --git a/debian/neon-core-image-dangerous.yml b/debian/neon-core-image-dangerous.yml
index fd46cb9..94182fe 100644
--- a/debian/neon-core-image-dangerous.yml
+++ b/debian/neon-core-image-dangerous.yml
@@ -16,6 +16,19 @@ neon-core-image-dangerous:
     - job: 'neon-core-models'
       artifacts: true
   script:
+    # Prepare the Snap specific GnuPG workspace
+    - rm -rf $HOME/.snap/gnupg/
+    - mkdir -p -m 0700 $HOME/.snap/gnupg/
+    - mkdir -p -m 0700 $HOME/.snap/gnupg/private-keys-v1.d/
+    # export it as a env var so the import commands below work on it...
+    - export GNUPGHOME=$HOME/.snap/gnupg/
+    # feed snap's gpg the required key
+    - echo $SNAP_GPG_PRIVATE_KEY | base64 --decode | gpg --batch --import
+    # make sure the key is trusted
+    - gpg --import-ownertrust <(echo "$SNAP_GPG_OWNER_TRUST")
+    # test the keys
+    - gpg --list-keys
+
     # remove the task log file from the model signing that was artifacted...
     - rm -f task.log
     # get the missing plasma-desktop-session snap from the latest build...
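Review bot: The secret key is expanded unquoted on the import line, `- echo $SNAP_GPG_PRIVATE_KEY | base64 --decode | gpg --batch --import`, so if the CI variable holds wrapped base64 the newlines become spaces through word splitting and `base64 --decode` rejects the input; quoting it, `- echo "$SNAP_GPG_PRIVATE_KEY" | base64 --decode | gpg --batch --import`, keeps the value intact, and the same quoting applies to `$HOME` in the `rm -rf` and `mkdir` lines above it. The `# test the keys` step, `gpg --list-keys`, lists only public keys and, as far as I can tell, exits zero on an empty keyring, so a failed secret-key import is not caught here; something like `- gpg --list-secret-keys --with-colons | grep -q '^sec'` would fail the job when the signing key is missing. The same block is added verbatim to debian/neon-core-image-signed.yml and debian/neon-core-models.yml in this commit and the same points apply there. The `script:` list continues past the end of the hunk.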
@@ -28,8 +41,9 @@ neon-core-image-dangerous:
     - echo building kde-neon-core in dangerous mode ...
     - make dangerous 2>&1 | tee task.log
   after_script:
-    # cleanup local state, including the GPG workspace and the Snapcraft authentication credentials
+    # Cleanup local state
     - git clean -dfx .
+    - rm -rf ~/.snap/gnupg/
   artifacts:
     name: Signed image
     when: always
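Review bot: The added `- rm -rf ~/.snap/gnupg/` removes the key files but leaves the gpg-agent that `gpg --batch --import` started for that homedir running; since `after_script` runs in a fresh shell where the `GNUPGHOME` export from `script` is presumably no longer in effect, stopping it needs the homedir given explicitly, e.g. `- GNUPGHOME=$HOME/.snap/gnupg/ gpgconf --kill gpg-agent` placed before the `rm -rf`. The rewritten comment `# Cleanup local state` also drops the one detail a reader needs, that this step is what disposes of the imported private key, since `git clean -dfx .` does not reach `$HOME`; `# Cleanup local state, including the GnuPG workspace that holds the imported signing key` keeps that visible. The same after_script change appears in debian/neon-core-image-signed.yml and debian/neon-core-models.yml.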
diff --git a/debian/neon-core-image-signed.yml b/debian/neon-core-image-signed.yml
index ade1fc7..f124634 100644
--- a/debian/neon-core-image-signed.yml
+++ b/debian/neon-core-image-signed.yml
@@ -16,6 +16,19 @@ neon-core-image-signed:
     - job: 'neon-core-models'
       artifacts: true
   script:
+    # Prepare the Snap specific GnuPG workspace
+    - rm -rf $HOME/.snap/gnupg/
+    - mkdir -p -m 0700 $HOME/.snap/gnupg/
+    - mkdir -p -m 0700 $HOME/.snap/gnupg/private-keys-v1.d/
+    # export it as a env var so the import commands below work on it...
+    - export GNUPGHOME=$HOME/.snap/gnupg/
+    # feed snap's gpg the required key
+    - echo $SNAP_GPG_PRIVATE_KEY | base64 --decode | gpg --batch --import
+    # make sure the key is trusted
+    - gpg --import-ownertrust <(echo "$SNAP_GPG_OWNER_TRUST")
+    # test the keys
+    - gpg --list-keys
+
     # remove the task log file from the model signing that was artifacted...
     - rm -f task.log
     # get the missing plasma-desktop-session snap from the latest build...
@@ -28,8 +41,9 @@ neon-core-image-signed:
     - echo building kde-neon-core in signed mode ...
     - make signed 2>&1 | tee task.log
   after_script:
-    # cleanup local state, including the GPG workspace and the Snapcraft authentication credentials
+    # Cleanup local state
     - git clean -dfx .
+    - rm -rf ~/.snap/gnupg/
   artifacts:
     name: Signed image
     when: always
diff --git a/debian/neon-core-models.yml b/debian/neon-core-models.yml
index 19dbac7..e8b7a3b 100644
--- a/debian/neon-core-models.yml
+++ b/debian/neon-core-models.yml
@@ -13,20 +13,19 @@ neon-core-models:
     - Snap
   interruptible: true
   script:
-    # make sure there is a snap specific GPG workspace so gpg doesn't freak out
-    - mkdir -p -m 0700 $CI_PROJECT_DIR/.snap/gnupg/
-    - mkdir -p -m 0700 $CI_PROJECT_DIR/.snap/gnupg/private-keys-v1.d/
-    # export it as a env var for convenience
-    - export GNUPGHOME=$CI_PROJECT_DIR/.snap/gnupg/
+    # Prepare the Snap specific GnuPG workspace
+    - rm -rf $HOME/.snap/gnupg/
+    - mkdir -p -m 0700 $HOME/.snap/gnupg/
+    - mkdir -p -m 0700 $HOME/.snap/gnupg/private-keys-v1.d/
+    # export it as a env var so the import commands below work on it...
+    - export GNUPGHOME=$HOME/.snap/gnupg/
     # feed snap's gpg the required key
-    - echo $PRIVATE_KEY | base64 --decode | gpg --batch --import
+    - echo $SNAP_GPG_PRIVATE_KEY | base64 --decode | gpg --batch --import
     # make sure the key is trusted
-    - gpg --import-ownertrust <(echo "$OWNER_TRUST")
+    - gpg --import-ownertrust <(echo "$SNAP_GPG_OWNER_TRUST")
     # test the keys
     - gpg --list-keys
 
-    # copy in the required exported login creds so that snapcraft whoami works
-    - echo $KDE_NEON_CORE_IMAGE_KEY > kde-neon-core-image-key
     # test the login
     - snapcraft whoami
 
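Review bot: With the `echo $KDE_NEON_CORE_IMAGE_KEY > kde-neon-core-image-key` line gone, nothing left in this hunk establishes the Snapcraft login that `# test the login` / `- snapcraft whoami` checks, so the credential source is now invisible to a reader of the job; presumably it is a CI variable that snapcraft reads directly, and a comment naming it would help, e.g. `# snapcraft reads its store credentials from <CI variable, fill in>`. Moving the GnuPG workspace from `$CI_PROJECT_DIR` to `$HOME` also takes it out of the reach of `git clean -dfx .`, which the after_script hunk of this file compensates for with an explicit `rm -rf`, so the two changes should stay together. The `script:` list continues past the end of the hunk.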
@@ -42,6 +41,7 @@ neon-core-models:
   after_script:
     # cleanup local state, including the GPG workspace and the Snapcraft authentication credentials
     - git clean -dfx .
+    - rm -rf ~/.snap/gnupg/
   artifacts:
     name: Signed models
     when: always
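Review bot: The unchanged comment `# cleanup local state, including the GPG workspace and the Snapcraft authentication credentials` is now only half true: the first hunk of this file removed the `kde-neon-core-image-key` credential file that `git clean -dfx .` used to sweep up, and the GPG workspace now lives under `~/.snap/gnupg/`, which the added `rm -rf` handles rather than `git clean`. Rewording it to `# cleanup local state: the checkout via git clean, and the GnuPG workspace holding the imported key via rm` keeps the comment matching what the two lines do. If CI still materialises snapcraft credentials somewhere on disk, that location is not visible here and would need its own cleanup line.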

