Sign the RPM package before moving it #850

marckhouzam · 2025-01-29T21:10:37Z

What this PR does / why we need it

Because the hack/rpm/build_package.sh script can get called more than once to build first a tanzu-cli package an then a tanzu-cli-centos9 package, we ended up on the second call with a ${PKG_DIR}/ directory containing multiple packages.

Then, when signing everything in that directory using a *, we ended up only signing the first package that was passed as an argument to the signer. This caused the tanzu-cli-centos9 package not to get signed because it comes alphabetically after tanzu-cli when the * is expanded.

To solve this and still benefit from using the * which allows to avoid explicitly dealing with the -unstable and/or -centos suffixes we sign the package before we move it to the common ${PKG_DIR}/ directory.

Which issue(s) this PR fixes

Fixes # N/A

Describe testing done for PR

Before this PR:

# Build the needed CLI with a final release version
$ make build-cli-linux-amd64 BUILD_VERSION=v1.6.0
[...]

# Build the `tanzu-cli` package and use `echo` as a signer 
# This step works so we don't need the output
$ make rpm-package-only BUILD_VERSION=v1.6.0 RPM_SIGNER=echo
[...]

# Build the `tanzu-cli-centos9` package and use `echo` as a signer and notice
# that the WRONG package is passed first as an argument
$ make rpm-package-only BUILD_VERSION=v1.6.0 RPM_SIGNER=echo RPM_PACKAGE_NAME=tanzu-cli-centos9
[...]
+ [[ ! -z echo ]]
+ echo /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/tanzu-cli-1.6.0-1.x86_64.rpm /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/tanzu-cli-centos9-1.6.0-1.x86_64.rpm
/Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/tanzu-cli-1.6.0-1.x86_64.rpm /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/tanzu-cli-centos9-1.6.0-1.x86_64.rpm
[...]
+ [[ ! -z echo ]]
/Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/tanzu-cli-1.6.0-1.aarch64.rpm /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/tanzu-cli-centos9-1.6.0-1.aarch64.rpm
+ echo /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/tanzu-cli-1.6.0-1.aarch64.rpm /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/tanzu-cli-centos9-1.6.0-1.aarch64.rpm

I ran the same test but using a pre-release version 1.6.0-rc.0 to show that this one worked by simple luck because alphabetical ordering:

# Build the needed CLI with a final release version
$ make build-cli-linux-amd64 BUILD_VERSION=v1.6.0-rc.0
[...]

# Build the `tanzu-cli-unstable` package and use `echo` as a signer 
# This step works so we don't need the output
$ make rpm-package-only BUILD_VERSION=v1.6.0-rc.0 RPM_SIGNER=echo
[...]

# Build the `tanzu-cli-centos9-unstable` package and use `echo` as a signer and notice
# that the wrong number of arguments are passed to the signer
# BUT that by alphabetical luck, the first argument is the correct package
$ make rpm-package-only BUILD_VERSION=v1.6.0-rc.0 RPM_SIGNER=echo RPM_PACKAGE_NAME=tanzu-cli-centos9
[...]
+ [[ ! -z echo ]]
+ echo /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/tanzu-cli-centos9-unstable-1.6.0-0.1_rc.0.x86_64.rpm /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/tanzu-cli-unstable-1.6.0-0.1_rc.0.x86_64.rpm
/Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/tanzu-cli-centos9-unstable-1.6.0-0.1_rc.0.x86_64.rpm /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/tanzu-cli-unstable-1.6.0-0.1_rc.0.x86_64.rpm
[...]
+ [[ ! -z echo ]]
+ echo /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/tanzu-cli-centos9-unstable-1.6.0-0.1_rc.0.aarch64.rpm /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/tanzu-cli-unstable-1.6.0-0.1_rc.0.aarch64.rpm
/Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/tanzu-cli-centos9-unstable-1.6.0-0.1_rc.0.aarch64.rpm /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/tanzu-cli-unstable-1.6.0-0.1_rc.0.aarch64.rpm

With this PR:

# Build the needed CLI with a final release version
$ make build-cli-linux-amd64 BUILD_VERSION=v1.6.0
[...]

# Build the `tanzu-cli` package and use `echo` as a signer and notice
# that the correct package is passed as an argument
$ make rpm-package-only BUILD_VERSION=v1.6.0 RPM_SIGNER=echo
[...]
+ [[ ! -z echo ]]
+ echo /root/rpmbuild/RPMS/x86_64/tanzu-cli-1.6.0-1.x86_64.rpm
+ mv /root/rpmbuild/RPMS/x86_64/tanzu-cli-1.6.0-1.x86_64.rpm /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/
/root/rpmbuild/RPMS/x86_64/tanzu-cli-1.6.0-1.x86_64.rpm
[...]
+ [[ ! -z echo ]]
+ echo /root/rpmbuild/RPMS/aarch64/tanzu-cli-1.6.0-1.aarch64.rpm
/root/rpmbuild/RPMS/aarch64/tanzu-cli-1.6.0-1.aarch64.rpm
+ mv /root/rpmbuild/RPMS/aarch64/tanzu-cli-1.6.0-1.aarch64.rpm /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/

# Build the `tanzu-cli-centos9` package and use `echo` as a signer and notice
# that the correct package is passed as an argument
$ make rpm-package-only BUILD_VERSION=v1.6.0 RPM_SIGNER=echo RPM_PACKAGE_NAME=tanzu-cli-centos9
[...]
+ [[ ! -z echo ]]
+ echo /root/rpmbuild/RPMS/x86_64/tanzu-cli-centos9-1.6.0-1.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/tanzu-cli-centos9-1.6.0-1.x86_64.rpm
+ mv /root/rpmbuild/RPMS/x86_64/tanzu-cli-centos9-1.6.0-1.x86_64.rpm /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/
[...]
+ [[ ! -z echo ]]
/root/rpmbuild/RPMS/aarch64/tanzu-cli-centos9-1.6.0-1.aarch64.rpm
+ echo /root/rpmbuild/RPMS/aarch64/tanzu-cli-centos9-1.6.0-1.aarch64.rpm
+ mv /root/rpmbuild/RPMS/aarch64/tanzu-cli-centos9-1.6.0-1.aarch64.rpm /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/

I ran the same test but using a pre-release version 1.6.0-rc.0:

# Build the needed CLI with a final release version
$ make build-cli-linux-amd64 BUILD_VERSION=v1.6.0-rc.0
[...]

# Build the `tanzu-cli-unstable` package and use `echo` as a signer and notice
# that the correct package is passed as an argument
$ make rpm-package-only BUILD_VERSION=v1.6.0-rc.0 RPM_SIGNER=echo
[...]
+ [[ ! -z echo ]]
+ echo /root/rpmbuild/RPMS/x86_64/tanzu-cli-unstable-1.6.0-0.1_rc.0.x86_64.rpm
+ mv /root/rpmbuild/RPMS/x86_64/tanzu-cli-unstable-1.6.0-0.1_rc.0.x86_64.rpm /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/
/root/rpmbuild/RPMS/x86_64/tanzu-cli-unstable-1.6.0-0.1_rc.0.x86_64.rpm
[...]
+ [[ ! -z echo ]]
+ echo /root/rpmbuild/RPMS/aarch64/tanzu-cli-unstable-1.6.0-0.1_rc.0.aarch64.rpm
/root/rpmbuild/RPMS/aarch64/tanzu-cli-unstable-1.6.0-0.1_rc.0.aarch64.rpm
+ mv /root/rpmbuild/RPMS/aarch64/tanzu-cli-unstable-1.6.0-0.1_rc.0.aarch64.rpm /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/

# Build the `tanzu-cli-centos9-unstable` package and use `echo` as a signer and notice
# that the correct package is passed as an argument
$ make rpm-package-only BUILD_VERSION=v1.6.0-rc.0 RPM_SIGNER=echo RPM_PACKAGE_NAME=tanzu-cli-centos9
[...]
+ [[ ! -z echo ]]
+ echo /root/rpmbuild/RPMS/x86_64/tanzu-cli-centos9-unstable-1.6.0-0.1_rc.0.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/tanzu-cli-centos9-unstable-1.6.0-0.1_rc.0.x86_64.rpm
+ mv /root/rpmbuild/RPMS/x86_64/tanzu-cli-centos9-unstable-1.6.0-0.1_rc.0.x86_64.rpm /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/
[...]
+ [[ ! -z echo ]]
+ echo /root/rpmbuild/RPMS/aarch64/tanzu-cli-centos9-unstable-1.6.0-0.1_rc.0.aarch64.rpm
/root/rpmbuild/RPMS/aarch64/tanzu-cli-centos9-unstable-1.6.0-0.1_rc.0.aarch64.rpm
+ mv /root/rpmbuild/RPMS/aarch64/tanzu-cli-centos9-unstable-1.6.0-0.1_rc.0.aarch64.rpm /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/

# Confirm that both packages for both archs are in the common location to build the repo
ls hack/rpm/_output/rpm/tanzu-cli/
tanzu-cli-centos9-unstable-1.6.0-0.1_rc.0.aarch64.rpm tanzu-cli-unstable-1.6.0-0.1_rc.0.aarch64.rpm
tanzu-cli-centos9-unstable-1.6.0-0.1_rc.0.x86_64.rpm  tanzu-cli-unstable-1.6.0-0.1_rc.0.x86_64.rpm

# Finally build the repo to see that it works
make rpm-package-repo RPM_SIGNER=echo
[...]
+ [[ ! -z echo ]]
+ echo /Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/repodata/repomd.xml
/Users/kmarc/git/tanzu-cli/hack/rpm/_output/rpm/tanzu-cli/repodata/repomd.xml

Release note

Fix the special RPM signing for Centos9.

Additional information

Special notes for your reviewer

Because the hack/rpm/build_package.sh script can get called more than once to build first a `tanzu-cli` package and then a `tanzu-cli-centos9` package, we ended up on the second call with a `${PKG_DIR}/` directory containing multiple packages. Then, when signing everything in that directory using a `*`, we ended up only signing the first package that was passed as an argument to the signer. This caused the `tanzu-cli-centos9` package not to get signed because it comes alphabetically after `tanzu-cli` when the `*` is expanded. To solve this and still benefit from using the `*` which allows to avoid explicitly dealing with the `-unstable` and/or `-centos` suffixes we sign the package before we move it to the common `${PKG_DIR}/` directory. Signed-off-by: Marc Khouzam <[email protected]>

anujc25

LGTM. Thanks for the quick investigation and fixing this issue. 👏

marckhouzam requested a review from a team as a code owner January 29, 2025 21:10

anujc25 approved these changes Jan 29, 2025

View reviewed changes

marckhouzam merged commit b4a8578 into vmware-tanzu:main Jan 29, 2025
7 checks passed

marckhouzam deleted the marck/fixRPMSigning branch January 29, 2025 22:24

marckhouzam added this to the v1.5.4 milestone Jan 29, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sign the RPM package before moving it #850

Sign the RPM package before moving it #850

marckhouzam commented Jan 29, 2025 •

edited

Loading

anujc25 left a comment

Sign the RPM package before moving it #850

Sign the RPM package before moving it #850

Conversation

marckhouzam commented Jan 29, 2025 • edited Loading

What this PR does / why we need it

Which issue(s) this PR fixes

Describe testing done for PR

Release note

Additional information

Special notes for your reviewer

anujc25 left a comment

Choose a reason for hiding this comment

marckhouzam commented Jan 29, 2025 •

edited

Loading