Merge pull request #10193 from brave/presign_rpm

Add option to presign rpm before upload_to_rpm_repo script

Author: bsclifton

tools/upload_to_rpm_repo

@@ -1,8 +1,9 @@
-#!/bin/sh
+#!/bin/bash
 set -exu
 
 BUCKET=${1:-brave-rpm-nightly}
-GPG_KEY=${2:-4A1B4360}
+GPG_KEY_ID=${2:-4A1B4360}
+GPG_KEY_SHORT_ID=${GPG_KEY_ID:(-8)}
 KEY_NAME=keys.asc
 KEY_FILE=/tmp/${KEY_NAME}
 TMP_REPO=/tmp/rpm_repo
@@ -14,7 +15,14 @@ echo "%_signature gpg
 
 rm -rf $TMP_REPO
 mkdir -pv $TMP_REPO/x86_64
-env GPG_PASS=$PASSPHRASE ./tools/auto_rpm_sign
+if !rpm --checksig dist/*.rpm | grep pgp; then
+  env GPG_PASS=$PASSPHRASE ./tools/auto_rpm_sign
+  rpm --checksig dist/*.rpm | grep pgp
+fi
+# Ensure the rpm has the correct signature before continuing
+# NOTE: rpm displays the short key id, all lower case
+rpm -v -K dist/*.rpm | grep "key ID ${GPG_KEY_SHORT_ID,,}: OK"
+
 cp dist/*.rpm $TMP_REPO/x86_64/
 
 for arch in $TMP_REPO/x86_64 ; do
@@ -24,8 +32,7 @@ for arch in $TMP_REPO/x86_64 ; do
 	createrepo -v --update --deltas $arch/
 done
 
-gpg --export --armor ${GPG_KEY} > ${KEY_FILE}
+gpg --export --armor ${GPG_KEY_ID} > ${KEY_FILE}
 aws s3 cp ${KEY_FILE} s3://${BUCKET}/keys.asc
 aws s3api put-object-acl --acl public-read --bucket ${BUCKET} --key ${KEY_NAME}
 aws s3 sync --acl public-read $TMP_REPO/ s3://$BUCKET/
-rpm --checksig ./dist/*.rpm