packer-cn/scripts/codesign_example.sh

150 lines
4.9 KiB
Bash
Executable File

#! /usr/bin/env bash
set -euo pipefail
# first makes some assertions about the environment and set some shared
# variables before starting the script.
if ! command -v jq > /dev/null 2>&1; then
echo "This script requires jq to work properly."
exit 1
fi
PRODUCT_NAME="${PRODUCT_NAME:-""}"
if [ -z "$PRODUCT_NAME" ]; then
echo "Missing required product name: ${PRODUCT_NAME}"
exit 1
fi
TARGET_ZIP="${TARGET_ZIP:-""}"
if [ -z "$TARGET_ZIP" ]; then
echo "Missing required target path"
exit 1
fi
# Artifactory configuration
ARTIFACTORY_ENDPOINT="${ARTIFACTORY_ENDPOINT:-"https://artifactory.hashicorp.engineering/artifactory"}"
ARTIFACTORY_INPUT_REPO="${ARTIFACTORY_INPUT_REPO:-"hc-signing-input"}"
ARTIFACTORY_OUTPUT_REPO="${ARTIFACTORY_OUTPUT_REPO:-"hc-signing-output"}"
ARTIFACTORY_TOKEN="${ARTIFACTORY_TOKEN:-""}"
ARTIFACTORY_USER="${ARTIFACTORY_USER:-""}"
if [[ -z "$ARTIFACTORY_TOKEN" || -z "$ARTIFACTORY_USER" ]]; then
echo "Missing required Artifactory credentials"
exit 1
fi
# Create the sign/notarize ID "SN_ID"
if command -v uuidgen > /dev/null 2>&1; then
uuid="$(uuidgen)"
elif [ -f /proc/sys/kernel/random/uuid ]; then
uuid="$(cat /proc/sys/kernel/random/uuid)"
else
echo "This script needs some way to generate a uuid."
exit 1
fi
SN_ID="$uuid"
# CircleCI configuration
CIRCLE_ENDPOINT="${CIRCLE_ENDPOINT:-"https://circleci.com/api/v2"}"
CIRCLE_PROJECT="${CIRCLE_PROJECT:-"project/github/hashicorp/circle-codesign"}"
CIRCLE_TOKEN="${CIRCLE_TOKEN:-""}"
if [ -z "$CIRCLE_TOKEN" ]; then
echo "Missing required CircleCI credentials"
exit 1
fi
# Next, upload an unsigned zip file to the Artifactory at
# https://artifactory.hashicorp.engineering/artifactory/hc-signing-input/{PRODUCT}/{ID}.zip
echo "Uploading unsigned zip to ${ARTIFACTORY_ENDPOINT}/${ARTIFACTORY_INPUT_REPO}/${PRODUCT_NAME}/${SN_ID}.zip"
curl --show-error --silent --fail \
--user "${ARTIFACTORY_USER}:${ARTIFACTORY_TOKEN}" \
--request PUT \
"${ARTIFACTORY_ENDPOINT}/${ARTIFACTORY_INPUT_REPO}/${PRODUCT_NAME}/${SN_ID}.zip" \
--upload-file "$TARGET_ZIP" > /dev/null
# Next, start the CircleCI Pipeline, then wait for a Workflow
# to start.
echo "Executing CircleCI job"
res="$(curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \
--request POST \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--data "{ \"branch\": \"master\" ,\"parameters\": { \"PRODUCT\": \"${PRODUCT_NAME}\", \"PKG_NAME\": \"${SN_ID}.zip\" } }" \
"${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline")"
pipeline_id="$(echo "$res" | jq -r '.id')"
echo "CircleCI Pipeline $pipeline_id started"
echo -n "Retrieving CircleCI Workflow ID"
# 24 * 5 seconds = 2 minutes
counter=12
workflow_id=""
# wait until a Workflow ID is found
until [ "$workflow_id" != "" ]; do
echo -n "."
workflow_id=$(curl --silent --fail --user "${CIRCLE_TOKEN}:" \
--request GET \
--header 'Accept: application/json' \
"${CIRCLE_ENDPOINT}/pipeline/${pipeline_id}/workflow" \
| jq -r '.items[].id'
)
if [ "$counter" -eq "0" ]; then
echo "Tried too many times, but Pipeline ${pipeline_id} still has no Workflows"
exit 1
fi
counter=$((counter - 1))
sleep 5
done
echo ""
echo "CircleCI Workflow $workflow_id started"
# Next, wait for the Workflow to reach a terminal state, then fails if it isn't
# "success"
echo -n "Waiting for CircleCI Workflow ID: ${workflow_id}"
# 360 * 5 seconds = 30 minutes
counter=360
finished="not_run"
# wait for one of the terminal states: ["success", "failed", "error", "canceled"]
until [[ "$finished" == "success" || "$finished" == "failed" || "$finished" == "error" || "$finished" == "canceled" ]]; do
echo -n "."
finished=$(curl --silent --fail --user "${CIRCLE_TOKEN}:" \
--header 'Accept: application/json' \
"${CIRCLE_ENDPOINT}/workflow/${workflow_id}" \
| jq -r '.status'
)
if [ "$counter" -eq "0" ]; then
echo "Tried too many times, but workflow is still in state ${finished}"
exit 1
fi
counter=$((counter - 1))
sleep 5
done
echo ""
if [ "$finished" != "success" ]; then
echo "Workflow ID ${workflow_id} ${finished}"
exit 1
fi
# Next, download the signed zip from Artifactory at
# https://artifactory.hashicorp.engineering/artifactory/hc-signing-output/{PRODUCT}/{ID}.zip
echo "Retrieving signed zip from ${ARTIFACTORY_ENDPOINT}/${ARTIFACTORY_OUTPUT_REPO}/${PRODUCT_NAME}/${SN_ID}.zip"
curl --show-error --silent --fail --user "${ARTIFACTORY_USER}:${ARTIFACTORY_TOKEN}" \
--request GET \
"${ARTIFACTORY_ENDPOINT}/${ARTIFACTORY_OUTPUT_REPO}/${PRODUCT_NAME}/${SN_ID}.zip" \
--output "signed_${SN_ID}.zip"
signed_checksum=$(
curl --silent --show-error --fail --user "${ARTIFACTORY_USER}:${ARTIFACTORY_TOKEN}" \
--head \
"${ARTIFACTORY_ENDPOINT}/${ARTIFACTORY_OUTPUT_REPO}/${PRODUCT_NAME}/${SN_ID}.zip" \
| grep -i "x-checksum-sha256" | awk 'gsub("[\r\n]", "", $2) {print $2;}'
)
echo "${signed_checksum} signed_${SN_ID}.zip" | gsha256sum -c
mv "signed_${SN_ID}.zip" "$TARGET_ZIP"