osmith has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-ci/+/40431?usp=email )
Change subject: jobs/reminder-extend-obs-key: new job ......................................................................
jobs/reminder-extend-obs-key: new job
Add a script that downloads the current OBS pubkey, checks its expiration date and fails if it is in less than a year. The idea is to extend it for two years every year (so users have enough time to update their osmocom-keyring package).
Change-Id: I934282efbe1fe3bd86813ad53df38ef79575bf8d --- A jobs/reminder-extend-obs-key.yml A scripts/reminder-extend-obs-key.sh 2 files changed, 84 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-ci refs/changes/31/40431/1
diff --git a/jobs/reminder-extend-obs-key.yml b/jobs/reminder-extend-obs-key.yml new file mode 100644 index 0000000..d2728dc --- /dev/null +++ b/jobs/reminder-extend-obs-key.yml @@ -0,0 +1,39 @@ +--- +- job: + name: 'reminder-extend-obs-key' + project-type: freestyle + concurrent: false + defaults: global + description: | + Reminder for extending the OBS key (OS#6567) + properties: + - build-discarder: + days-to-keep: 30 + num-to-keep: 30 + parameters: + - string: + name: BRANCH_OSMO_CI + description: | + osmo-ci.git branch with scripts/tarballs/publish-tarballs-for-tags.sh + default: 'master' + - string: + name: EMAIL_NOTIFICATIONS + description: For failed build notifications, set to empty to disable + default: 'jenkins-notifications@lists.osmocom.org' + builders: + - shell: | + PUBLISH=1 scripts/reminder-extend-obs-key.sh + scm: + - git: + branches: + - '$BRANCH_OSMO_CI' + url: https://gerrit.osmocom.org/osmo-ci + git-config-name: 'Jenkins Builder' + git-config-email: 'jenkins@osmocom.org' + wipe-workspace: true + triggers: + - timed: "@daily" + publishers: + - email: + notify-every-unstable-build: true + recipients: '$EMAIL_NOTIFICATIONS' diff --git a/scripts/reminder-extend-obs-key.sh b/scripts/reminder-extend-obs-key.sh new file mode 100755 index 0000000..2eeebb0 --- /dev/null +++ b/scripts/reminder-extend-obs-key.sh @@ -0,0 +1,45 @@ +#!/bin/sh -ex +mkdir -p _temp +cd _temp + +if ! [ -e public_key ]; then + wget -q https://obs.osmocom.org/projects/osmocom/public_key +fi + +gpg --show-keys public_key + +EXPIRATION_DATE="$(gpg --show-keys public_key | grep -o 'expires: [0-9-]*' | cut -d ' ' -f2)" +EXPIRATION_DATE_S="$(date -d "$EXPIRATION_DATE" +%s)" +ONE_YEAR_FROM_NOW="$(date -d "+356 days" +%Y-%m-%d)" +ONE_YEAR_FROM_NOW_S="$(date -d "$ONE_YEAR_FROM_NOW" +%s)" + +set +x + +if [ "$(echo "$EXPIRATION_DATE" | wc -l)" != 1 ] || [ "$EXPIRATION_DATE_S" -lt "$(date -d "2026-01-01" +%s)" ]; then + echo "Failed to get valid expiration date" + exit 1 +fi + +if [ "$ONE_YEAR_FROM_NOW_S" -lt "$(date -d "2026-01-01" +%s)" ]; then + echo "Failed to get date one year from now" + exit 1 +fi + +echo +echo "Checking if expiration date ($EXPIRATION_DATE) is in less than a year from now ($ONE_YEAR_FROM_NOW)..." + +if [ "$ONE_YEAR_FROM_NOW_S" -gt "$EXPIRATION_DATE_S" ]; then + echo + echo "=============================================================" + echo "The OBS signing key must be extended!" + echo + echo "Instructions:" + echo "https://osmocom.org/projects/osmocom-servers/wiki/OBS_server_setup#Extending..." + echo + echo "The key becomes valid for 2 years, we extend it after 1 year." + echo "=============================================================" + echo + exit 1 +else + echo "=> OK" +fi
-
osmith