build: verifies the rpm packages signatures.

Closes #12370
2025-02-25 18:55:37 -06:00 · 2018-08-14 10:45:32 +02:00 · 2018-08-14 10:45:32 +02:00 · aefcb06ff8
commit aefcb06ff8
parent 332e59d314
2 changed files with 22 additions and 0 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -147,6 +147,11 @@ jobs:
      - run:
          name: sign packages
          command: './scripts/build/sign_packages.sh'
+      - run:
+          name: verify signed packages
+          command: |
+            curl https://grafanarel.s3.amazonaws.com/RPM-GPG-KEY-grafana > ~/.rpmdb/pubkeys/grafana.key
+            ./scripts/build/verify_signed_packages.sh dist/*.rpm
      - run:
          name: sha-sum packages
          command: 'go run build.go sha-dist'
--- a/scripts/build/verify_signed_packages.sh
+++ b/scripts/build/verify_signed_packages.sh
@ -0,0 +1,17 @@
+#!/bin/bash
+_files=$*
+
+ALL_SIGNED=0
+
+for file in $_files; do
+  rpm -K "$file" | grep "pgp.*OK" -q
+  if [[ $? != 0 ]]; then
+    ALL_SIGNED=1
+    echo $file NOT SIGNED
+  else
+    echo $file OK
+  fi
+done
+
+
+exit $ALL_SIGNED