[neon/ubuntu-core/Neon/ci_build_iso] debian: add the necessary gpg infra stuff

Carlos De Maine null at kde.org
Mon Aug 12 13:08:38 BST 2024


Git commit 4f2161b8decbc7d73fef5dd676127ecf20aa787b by Carlos De Maine.
Committed on 12/08/2024 at 12:08.
Pushed by carlosdem into branch 'Neon/ci_build_iso'.

add the necessary gpg infra stuff

M  +17   -0    debian/neon-core-image-dangerous-iso.yml
M  +27   -0    debian/neon-core-image-signed-iso.yml

https://invent.kde.org/neon/ubuntu-core/-/commit/4f2161b8decbc7d73fef5dd676127ecf20aa787b

diff --git a/debian/neon-core-image-dangerous-iso.yml b/debian/neon-core-image-dangerous-iso.yml
index fa47168..4bdba83 100644
--- a/debian/neon-core-image-dangerous-iso.yml
+++ b/debian/neon-core-image-dangerous-iso.yml
@@ -17,6 +17,23 @@ neon_core_image_dangerous:
     - Snap
   interruptible: true
   script:
+  script:
+    # Prepare the Snap specific GnuPG workspace
+    - rm -rf $HOME/.snap/gnupg/
+    - mkdir -p -m 0700 $HOME/.snap/gnupg/
+    - mkdir -p -m 0700 $HOME/.snap/gnupg/private-keys-v1.d/
+    # export it as a env var so the import commands below work on it...
+    - export GNUPGHOME=$HOME/.snap/gnupg/
+    # feed snap's gpg the required key
+    - echo $SNAP_GPG_PRIVATE_KEY | base64 --decode | gpg --batch --import
+    # make sure the key is trusted
+    - gpg --import-ownertrust <(echo "$SNAP_GPG_OWNER_TRUST")
+    # test the keys
+    - gpg --list-keys
+
+    # remove the task log file from the model signing that was artifacted...
+    - rm -f task.log
+
     # get the missing plasma-desktop-session snap from the latest build...
     - mkdir workspace/ && cd workspace/
     - wget -O Snap_artifacts.zip "https://invent.kde.org/api/v4/projects/neon%2fsnap-packaging%2fplasma-desktop-session/jobs/artifacts/master/download?job=snap_snapcraft_lxd"
diff --git a/debian/neon-core-image-signed-iso.yml b/debian/neon-core-image-signed-iso.yml
index 5dfabf5..b5a8ace 100644
--- a/debian/neon-core-image-signed-iso.yml
+++ b/debian/neon-core-image-signed-iso.yml
@@ -17,6 +17,33 @@ neon_core_image_dangerous:
     - Snap
   interruptible: true
   script:
+  script:
+    # Prepare the Snap specific GnuPG workspace
+    - rm -rf $HOME/.snap/gnupg/
+    - mkdir -p -m 0700 $HOME/.snap/gnupg/
+    - mkdir -p -m 0700 $HOME/.snap/gnupg/private-keys-v1.d/
+    # export it as a env var so the import commands below work on it...
+    - export GNUPGHOME=$HOME/.snap/gnupg/
+    # feed snap's gpg the required key
+    - echo $SNAP_GPG_PRIVATE_KEY | base64 --decode | gpg --batch --import
+    # make sure the key is trusted
+    - gpg --import-ownertrust <(echo "$SNAP_GPG_OWNER_TRUST")
+    # test the keys
+    - gpg --list-keys
+
+    # remove the task log file from the model signing that was artifacted...
+    - rm -f task.log
+    # get the missing plasma-desktop-session snap from the latest build...
+    - mkdir workspace/ && cd workspace/
+    - wget -O Snap_artifacts.zip "https://invent.kde.org/api/v4/projects/neon%2fsnap-packaging%2fplasma-desktop-session/jobs/artifacts/master/download?job=snap_snapcraft_lxd"
+    - unzip -e Snap_artifacts.zip
+    - mv .kde-ci-packages/plasma-desktop-session*.snap $CI_PROJECT_DIR/local-snaps/plasma-desktop-session.snap
+    - cd $CI_PROJECT_DIR
+    # build the image with the project's tooling
+    - echo building kde-neon-core in dangerous mode ...
+    - make dangerous 2>&1 | tee task.log
+
+
     # get the missing plasma-desktop-session snap from the latest build...
     - mkdir workspace/ && cd workspace/
     - wget -O Snap_artifacts.zip "https://invent.kde.org/api/v4/projects/neon%2fsnap-packaging%2fplasma-desktop-session/jobs/artifacts/master/download?job=snap_snapcraft_lxd"


More information about the Neon-commits mailing list