osmith has uploaded this change for review.

jobs/reminder-extend-obs-key: new job

Add a script that downloads the current OBS pubkey, checks its
expiration date and fails if it is in less than a year. The idea is to
extend it for two years every year (so users have enough time to update
their osmocom-keyring package).

Change-Id: I934282efbe1fe3bd86813ad53df38ef79575bf8d
---
A jobs/reminder-extend-obs-key.yml
A scripts/reminder-extend-obs-key.sh
2 files changed, 84 insertions(+), 0 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-ci refs/changes/31/40431/1
diff --git a/jobs/reminder-extend-obs-key.yml b/jobs/reminder-extend-obs-key.yml
new file mode 100644
index 0000000..d2728dc
--- /dev/null
+++ b/jobs/reminder-extend-obs-key.yml
@@ -0,0 +1,39 @@
+---
+- job:
+ name: 'reminder-extend-obs-key'
+ project-type: freestyle
+ concurrent: false
+ defaults: global
+ description: |
+ Reminder for extending the OBS key (OS#6567)
+ properties:
+ - build-discarder:
+ days-to-keep: 30
+ num-to-keep: 30
+ parameters:
+ - string:
+ name: BRANCH_OSMO_CI
+ description: |
+ osmo-ci.git branch with scripts/tarballs/publish-tarballs-for-tags.sh
+ default: 'master'
+ - string:
+ name: EMAIL_NOTIFICATIONS
+ description: For failed build notifications, set to empty to disable
+ default: 'jenkins-notifications@lists.osmocom.org'
+ builders:
+ - shell: |
+ PUBLISH=1 scripts/reminder-extend-obs-key.sh
+ scm:
+ - git:
+ branches:
+ - '$BRANCH_OSMO_CI'
+ url: https://gerrit.osmocom.org/osmo-ci
+ git-config-name: 'Jenkins Builder'
+ git-config-email: 'jenkins@osmocom.org'
+ wipe-workspace: true
+ triggers:
+ - timed: "@daily"
+ publishers:
+ - email:
+ notify-every-unstable-build: true
+ recipients: '$EMAIL_NOTIFICATIONS'
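
Review bot: The BRANCH_OSMO_CI description still names scripts/tarballs/publish-tarballs-for-tags.sh, which looks copied from another job; it should name scripts/reminder-extend-obs-key.sh. The shell builder also sets PUBLISH=1, but the script added in this change never reads PUBLISH, so the variable can be dropped. Since the job reports an expiring key by exiting 1, confirm that the email publisher with notify-every-unstable-build also mails on plain failed builds, otherwise the reminder never reaches the list.
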
diff --git a/scripts/reminder-extend-obs-key.sh b/scripts/reminder-extend-obs-key.sh
new file mode 100755
index 0000000..2eeebb0
--- /dev/null
+++ b/scripts/reminder-extend-obs-key.sh
@@ -0,0 +1,45 @@
+#!/bin/sh -ex
+mkdir -p _temp
+cd _temp
+
+if ! [ -e public_key ]; then
+ wget -q https://obs.osmocom.org/projects/osmocom/public_key
+fi
+
+gpg --show-keys public_key
+
+EXPIRATION_DATE="$(gpg --show-keys public_key | grep -o 'expires: [0-9-]*' | cut -d ' ' -f2)"
+EXPIRATION_DATE_S="$(date -d "$EXPIRATION_DATE" +%s)"
+ONE_YEAR_FROM_NOW="$(date -d "+356 days" +%Y-%m-%d)"
+ONE_YEAR_FROM_NOW_S="$(date -d "$ONE_YEAR_FROM_NOW" +%s)"
+
+set +x
+
+if [ "$(echo "$EXPIRATION_DATE" | wc -l)" != 1 ] || [ "$EXPIRATION_DATE_S" -lt "$(date -d "2026-01-01" +%s)" ]; then
+ echo "Failed to get valid expiration date"
+ exit 1
+fi
+
+if [ "$ONE_YEAR_FROM_NOW_S" -lt "$(date -d "2026-01-01" +%s)" ]; then
+ echo "Failed to get date one year from now"
+ exit 1
+fi
+
+echo
+echo "Checking if expiration date ($EXPIRATION_DATE) is in less than a year from now ($ONE_YEAR_FROM_NOW)..."
+
+if [ "$ONE_YEAR_FROM_NOW_S" -gt "$EXPIRATION_DATE_S" ]; then
+ echo
+ echo "============================================================="
+ echo "The OBS signing key must be extended!"
+ echo
+ echo "Instructions:"
+ echo "https://osmocom.org/projects/osmocom-servers/wiki/OBS_server_setup#Extending-singing-key"
+ echo
+ echo "The key becomes valid for 2 years, we extend it after 1 year."
+ echo "============================================================="
+ echo
+ exit 1
+else
+ echo "=> OK"
+fi
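
Review bot: "+356 days" in the ONE_YEAR_FROM_NOW assignment looks like a transposed 365, so the job would start failing nine days later than the "less than a year" the commit message describes. The sanity checks also run only after both date -d calls under -e: if grep matches more than one "expires:" line (for example a subkey with its own expiry), date -d would likely abort the script before the wc -l check can print "Failed to get valid expiration date", and if it matches nothing, GNU date parses the empty string as today, which only the hard-coded 2026-01-01 bound catches, and only until that date passes. Suggest validating EXPIRATION_DATE (non-empty, exactly one line, date format) immediately after it is assigned, replacing the fixed 2026-01-01 with a comparison against the current time, and parsing gpg --with-colons output instead of grepping the human-readable listing. Minor: the wiki anchor in the instructions URL reads "Extending-singing-key"; worth checking that it matches the actual heading.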

Gerrit-MessageType: newchange
Gerrit-Project: osmo-ci
Gerrit-Branch: master
Gerrit-Change-Id: I934282efbe1fe3bd86813ad53df38ef79575bf8d
Gerrit-Change-Number: 40431
Gerrit-PatchSet: 1
Gerrit-Owner: osmith <osmith@sysmocom.de>