Allow signing of artifacts with key provided by GPG agent

In our case the GPG agent serves 0x1D53D1877742E911 key stored on
Nitrokey3 USB dongle. GPG key is bind mounted from the host.

References: https://lists.openwrt.org/pipermail/openwrt-devel/2023-May/041044.html
Signed-off-by: Petr Štetiar <[email protected]>

docker/buildmaster/Dockerfile

@@ -95,6 +95,12 @@ RUN \
     chown buildbot:buildbot /master && \
     chmod 0755 /entry.sh /start.sh
 
+RUN \
+	mkdir -p /home/buildbot && \
+	chmod u=rwx,go= /home/buildbot && \
+	chown --recursive buildbot:buildbot /home/buildbot && \
+	gosu buildbot sh -c "gpg --homedir /home/buildbot/.gnupg --recv-keys 0x1D53D1877742E911"
+
 VOLUME [ "/master" ]
 ENTRYPOINT [ "/entry.sh" ]
 CMD [ "start" ]

docker/buildmaster/files/entry.sh

@@ -1,10 +1,15 @@
 #!/usr/bin/env bash
 
-for dir in /master /config /certs; do
+for dir in /master /config /certs /home/buildbot; do
   [ -d "$dir" ] || continue 
 
   chown --recursive buildbot:buildbot "$dir"
   chmod 0700 "$dir"
 done
 
+if [ -S "/home/buildbot/.gnupg/S.gpg-agent" ]; then
+	chown buildbot:buildbot /home/buildbot/.gnupg/S.gpg-agent
+	chmod 0600 /home/buildbot/.gnupg/S.gpg-agent
+fi
+
 /usr/sbin/gosu buildbot /start.sh "$@"

scripts/signall.sh

@@ -53,6 +53,7 @@ esac
 
 if [ -z "$branch" ]; then
 GPGKEY="$(iniget "${CONFIG_INI:-config.ini}" gpg key)"
+GPGKEYID="$(iniget "${CONFIG_INI:-config.ini}" gpg keyid)"
 GPGPASS="$(iniget "${CONFIG_INI:-config.ini}" gpg passphrase)"
 GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" gpg comment)"
 
@@ -62,6 +63,7 @@ USIGNCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" usign comment)"
 APKSIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" apk key)"
 else
 GPGKEY="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_key")"
+GPGKEYID="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_keyid")"
 GPGPASS="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_passphrase")"
 GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_comment")"
 
@@ -99,7 +101,7 @@ if [ -n "$APKSIGNKEY" ]; then
 	done
 fi
 
-if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then
+if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK" && [ -z "$GPGKEYID" ]; then
 	umask 077
 	echo "$GPGPASS" > "$tmpdir/gpg.pass"
 	echo "$GPGKEY" | gpg --batch --homedir "$tmpdir/gpg" \
@@ -117,6 +119,17 @@ if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then
 			-o "{}.asc" "{}" \; || finish 4
 fi
 
+if [ -n "$GPGKEYID" ]; then
+	find "$tmpdir/tar/" -type f -not -name "*.asc" -and -not -name "*.sig" -print0 | while IFS= read -r -d '' file; do
+		if ! gpg --no-version --batch --detach-sign --armor \
+			--local-user "${GPGKEYID}" \
+			${GPGCOMMENT:+--comment="$GPGCOMMENT"} \
+			--homedir /home/buildbot/.gnupg "${file}.asc" "$file"; then
+			finish 4
+		fi
+	done
+fi
+
 if [ -n "$USIGNKEY" ]; then
 	USIGNID="$(echo "$USIGNKEY" | base64 -d -i | dd bs=1 skip=32 count=8 2>/dev/null | od -v -t x1 | sed -rne 's/^0+ //p' | tr -d ' ')"