authorJohn Lee <john.lee@algorand.com>2024-02-13 12:35:28 -0500
committerGitHub <noreply@github.com>2024-02-13 12:35:28 -0500
commitcaec33dfe083327994572d77b66a8a0c6d40bc2c (patch)
tree7313177cd785528c9ba887f7439fc5c9033fccfe
parente1db9e12612cd0640b9e069e83ac32363c549085 (diff)
CICD: fix package signing issues (#5934)
-rw-r--r--package-deploy.yaml1
-rwxr-xr-xscripts/release/mule/common/ensure_centos8_image.sh17
-rwxr-xr-xscripts/release/mule/deploy/deb/deploy.sh25
-rwxr-xr-xscripts/release/mule/deploy/docker/docker.sh6
-rwxr-xr-xscripts/release/mule/deploy/releases_page/generate_releases_page.sh9
-rwxr-xr-xscripts/release/mule/deploy/rpm/deploy.sh42
-rwxr-xr-xscripts/release/mule/sign/sign.sh24
-rw-r--r--test/muleCI/mule.yaml35
8 files changed, 64 insertions, 95 deletions
diff --git a/package-deploy.yaml b/package-deploy.yaml
index 8daf262ac..9b67a2fe6 100644
--- a/package-deploy.yaml
+++ b/package-deploy.yaml
@@ -56,7 +56,6 @@ agents:
- NETWORK=$NETWORK
- NO_DEPLOY=$NO_DEPLOY
- PACKAGES_DIR=$PACKAGES_DIR
- - S3_SOURCE=$S3_SOURCE
- STAGING=$STAGING
- VERSION=$VERSION
volumes:
diff --git a/scripts/release/mule/common/ensure_centos8_image.sh b/scripts/release/mule/common/ensure_centos8_image.sh
new file mode 100755
index 000000000..1ebd3475f
--- /dev/null
+++ b/scripts/release/mule/common/ensure_centos8_image.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+# Ensure the centos8 docker image is built and available
+
+DOCKER_IMAGE="algorand/go-algorand-ci-linux-centos8:amd64-$(sha1sum scripts/configure_dev-deps.sh | cut -f1 -d' ')"
+MATCH=${DOCKER_IMAGE/:*/}
+
+echo "Checking for RPM image"
+if docker images $DOCKER_IMAGE | grep -qs $MATCH > /dev/null 2>&1; then
+ echo "Image exists"
+else
+ echo "RPM image doesn't exist, building"
+ docker build --platform=linux/amd64 --build-arg ARCH=amd64 \
+ --build-arg GOLANG_VERSION=$(./scripts/get_golang_version.sh) -t $DOCKER_IMAGE -f docker/build/cicd.centos8.Dockerfile .
+fi
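Review bot: The existence test on the `if docker images $DOCKER_IMAGE | grep -qs $MATCH` line keys only on a tag derived from the SHA-1 of scripts/configure_dev-deps.sh, so an edit to docker/build/cicd.centos8.Dockerfile or a new value from get_golang_version.sh silently reuses the old local image for the RPM steps. If the tag has to match the name mule builds (not visible in this hunk), a comment such as `# tag mirrors mule's image naming; rebuild by hand after Dockerfile or Go version changes` would make that explicit. The expansions are also unquoted and `> /dev/null 2>&1` is redundant after `grep -qs`; `if docker image inspect "$DOCKER_IMAGE" > /dev/null 2>&1; then` does the same check without the pipe.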
diff --git a/scripts/release/mule/deploy/deb/deploy.sh b/scripts/release/mule/deploy/deb/deploy.sh
index c9c4b4b6c..2584b8412 100755
--- a/scripts/release/mule/deploy/deb/deploy.sh
+++ b/scripts/release/mule/deploy/deb/deploy.sh
@@ -2,28 +2,13 @@
set -ex
-if [ -z "$NETWORK" ]
-then
- echo "[$0] Network is a required parameter."
- exit 1
-fi
-
-if [ -z "$STAGING" ]
-then
- echo "[$0] Staging is a required parameter."
- exit 1
-fi
-
-CHANNEL=$("./scripts/release/mule/common/get_channel.sh" "$NETWORK")
+CHANNEL=${CHANNEL:-$("./scripts/release/mule/common/get_channel.sh" "$NETWORK")}
VERSION=${VERSION:-$(./scripts/compute_build_number.sh -f)}
+PACKAGES_DIR=${PACKAGES_DIR:-~/packages}
+SNAPSHOT=${SNAPSHOT:-"${CHANNEL}-${VERSION}"}
-if [ -z "$SNAPSHOT" ]
-then
- SNAPSHOT="$CHANNEL-$VERSION"
-fi
-
-PACKAGES_DIR=/root/packages
-mkdir -p /root/packages
+mkdir -p $PACKAGES_DIR
+rm -f $PACKAGES_DIR/*.deb
aptly mirror update stable
aptly mirror update beta
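Review bot: With the required-parameter checks removed, nothing stops the script when both CHANNEL and NETWORK are unset: the `CHANNEL=${CHANNEL:-$(... get_channel.sh "$NETWORK")}` line then calls the helper with an empty argument, and what it returns in that case is not visible here. The same pattern is introduced in generate_releases_page.sh, rpm/deploy.sh and sign/sign.sh. A single guard before the assignment would keep the fail-fast behaviour, e.g. `[ -n "${CHANNEL:-$NETWORK}" ] || { echo "[$0] CHANNEL or NETWORK is required."; exit 1; }`. PACKAGES_DIR now comes from the environment, so the new lines should quote it: `mkdir -p "$PACKAGES_DIR"` and `rm -f "$PACKAGES_DIR"/*.deb`. The script continues past the end of this hunk.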
diff --git a/scripts/release/mule/deploy/docker/docker.sh b/scripts/release/mule/deploy/docker/docker.sh
index ee0c55fe0..093922fd3 100755
--- a/scripts/release/mule/deploy/docker/docker.sh
+++ b/scripts/release/mule/deploy/docker/docker.sh
@@ -13,9 +13,9 @@ if [ -z "$NETWORK" ] || [ -z "$VERSION" ]; then
exit 1
fi
-if [[ ! "$NETWORK" =~ ^mainnet$|^testnet$|^betanet$|^alphanet$ ]]
+if [[ ! "$NETWORK" =~ ^mainnet$|^testnet$|^betanet$ ]]
then
- echo "[$0] Network values must be either \`mainnet\`, \`testnet\`, \`betanet\`, or \`alphanet\`."
+ echo "[$0] Network values must be either \`mainnet\`, \`testnet\`, or \`betanet\`."
exit 1
fi
@@ -28,7 +28,7 @@ then
# Build and push testnet.
./build_releases.sh --tagname "$VERSION" --network testnet --cached
-elif [ "$NETWORK" = betanet ] || [ "$NETWORK" = alphanet ]
+elif [ "$NETWORK" = betanet ]
then
./build_releases.sh --tagname "$VERSION" --network "$NETWORK"
fi
diff --git a/scripts/release/mule/deploy/releases_page/generate_releases_page.sh b/scripts/release/mule/deploy/releases_page/generate_releases_page.sh
index 5b6a488ce..75df10d52 100755
--- a/scripts/release/mule/deploy/releases_page/generate_releases_page.sh
+++ b/scripts/release/mule/deploy/releases_page/generate_releases_page.sh
@@ -8,13 +8,8 @@
set -ex
-if [ -z "$NETWORK" ] || [ -z "$VERSION" ]
-then
- echo "[$0] Network and version are required parameters."
- exit 1
-fi
-
-CHANNEL=$(./scripts/release/mule/common/get_channel.sh "$NETWORK")
+CHANNEL=${CHANNEL:-$(./scripts/release/mule/common/get_channel.sh "$NETWORK")}
+VERSION=${VERSION:-$(./scripts/compute_build_number.sh -f)}
cd scripts/release/mule/deploy/releases_page
diff --git a/scripts/release/mule/deploy/rpm/deploy.sh b/scripts/release/mule/deploy/rpm/deploy.sh
index f660f1d01..b96cccd6c 100755
--- a/scripts/release/mule/deploy/rpm/deploy.sh
+++ b/scripts/release/mule/deploy/rpm/deploy.sh
@@ -7,28 +7,25 @@ echo
date "+build_release begin DEPLOY rpm stage %Y%m%d_%H%M%S"
echo
-if [ -z "$NETWORK" ]; then
- echo "[$0] NETWORK is missing."
- exit 1
-fi
-
-CHANNEL=$(./scripts/release/mule/common/get_channel.sh "$NETWORK")
+CHANNEL=${CHANNEL:-$(./scripts/release/mule/common/get_channel.sh "$NETWORK")}
VERSION=${VERSION:-$(./scripts/compute_build_number.sh -f)}
NO_DEPLOY=${NO_DEPLOY:-false}
-OS_TYPE=$(./scripts/release/mule/common/ostype.sh)
-PACKAGES_DIR=${PACKAGES_DIR:-"./tmp/node_pkgs/$OS_TYPE/$ARCH_TYPE"}
-STAGING=${STAGING:-"algorand-staging/releases"}
+PACKAGES_DIR=${PACKAGES_DIR:-"tmp"}
if [ -n "$S3_SOURCE" ]
then
PREFIX="$S3_SOURCE/$CHANNEL/$VERSION"
if [ "$CHANNEL" == "beta" ]
then
- aws s3 cp "s3://$PREFIX/algorand-beta-$VERSION-1.x86_64.rpm" /root
- aws s3 cp "s3://$PREFIX/algorand-devtools-beta-$VERSION-1.x86_64.rpm" /root
+ aws s3 cp "s3://$PREFIX/algorand-beta-$VERSION-1.x86_64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-devtools-beta-$VERSION-1.x86_64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-beta-$VERSION-1.aarch64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-devtools-beta-$VERSION-1.aarch64.rpm" $PACKAGES_DIR
else
- aws s3 cp "s3://$PREFIX/algorand-$VERSION-1.x86_64.rpm" /root
- aws s3 cp "s3://$PREFIX/algorand-devtools-$VERSION-1.x86_64.rpm" /root
+ aws s3 cp "s3://$PREFIX/algorand-$VERSION-1.x86_64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-devtools-$VERSION-1.x86_64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-$VERSION-1.aarch64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-devtools-$VERSION-1.aarch64.rpm" $PACKAGES_DIR
fi
else
cp "$PACKAGES_DIR"/*"$VERSION"*.rpm /root
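Review bot: In the S3 branch the eight `aws s3 cp ... $PACKAGES_DIR` lines pass an unquoted destination with no trailing slash, and nothing visible creates that directory. If `tmp` (the new default) does not yet exist, the AWS CLI treats the destination as a file name and each download overwrites the previous one. Creating the directory first and writing `"$PACKAGES_DIR/"` as the destination avoids that. The packages also used to land in /root, where the later `mv -f *"$VERSION"*.rpm rpmrepo` appears to run. Unless the lines between this hunk and the next copy them there, the S3 branch no longer feeds that step, whereas the `else` branch still copies into /root.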
@@ -56,11 +53,7 @@ cat << EOF > .rpmmacros
EOF
mkdir rpmrepo
-for rpm in $(ls *"$VERSION"*.rpm)
-do
- rpmsign --addsign "$rpm"
- cp -p "$rpm" rpmrepo
-done
+mv -f *"$VERSION"*.rpm rpmrepo
createrepo --database rpmrepo
rm -f rpmrepo/repodata/repomd.xml.asc
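Review bot: After this change the deploy stage publishes every file matching `*"$VERSION"*.rpm` without checking that it carries a signature, because `rpmsign --addsign` now runs only in sign/sign.sh. A package that skipped the sign stage or was replaced in the staging location would go into the repository unsigned or with an unexpected signer. A check before the `mv`, for example `rpm --checksig *"$VERSION"*.rpm`, would stop the publish in that case, assuming the Algorand RPM public key is imported into the rpm keyring of this container. The surrounding script is only partly visible in this hunk.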
@@ -72,8 +65,19 @@ then
cp -r /root/rpmrepo .
else
aws s3 sync rpmrepo "s3://algorand-releases/rpm/$CHANNEL/"
+
# sync signatures to releases so that the .sig files load from there
- aws s3 sync s3://$STAGING/releases/$CHANNEL/ s3://algorand-releases/rpm/sigs/$CHANNEL/ --exclude='*' --include='*.rpm.sig'
+ if [ -n "$S3_SOURCE" ]; then
+ # if S3_SOURCE exists, we copied files from s3
+ echo "Copy signatures from s3 staging to s3 releases"
+ aws s3 sync s3://algorand-staging/releases/$CHANNEL/ s3://algorand-releases/rpm/sigs/$CHANNEL/ --exclude='*' --include='*.rpm.sig'
+
+ else
+ # We are working with files locally
+ popd
+ echo "Copy local signatures to s3 releases"
+ aws s3 sync "$PACKAGES_DIR" "s3://algorand-releases/rpm/sigs/$CHANNEL/" --exclude='*' --include='*.rpm.sig'
+ fi
fi
echo
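Review bot: Both new `aws s3 sync` calls include `*.rpm.sig` without scoping it to the release being deployed, so the local branch uploads every signature found anywhere under `$PACKAGES_DIR`, including leftovers from earlier runs. Because sync preserves relative paths, signatures in subdirectories would land under nested keys rather than directly in `sigs/$CHANNEL/` as in the staging branch. Narrowing the filter to `--include="*$VERSION*.rpm.sig"` limits the upload to this version. The staging branch also hard-codes `algorand-staging/releases` and leaves `$CHANNEL` unquoted, while the local branch quotes its URIs. The `popd` in the `else` branch pairs with a `pushd` outside this hunk, so only that branch changes the working directory for the rest of the script.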
diff --git a/scripts/release/mule/sign/sign.sh b/scripts/release/mule/sign/sign.sh
index e08e2d52d..89baedb9c 100755
--- a/scripts/release/mule/sign/sign.sh
+++ b/scripts/release/mule/sign/sign.sh
@@ -10,18 +10,13 @@ echo
date "+build_release begin SIGN stage %Y%m%d_%H%M%S"
echo
-if [ -z "$NETWORK" ]; then
- echo "[$0] NETWORK is missing."
- exit 1
-fi
-
-CHANNEL=$(./scripts/release/mule/common/get_channel.sh "$NETWORK")
+CHANNEL=${CHANNEL:-$(./scripts/release/mule/common/get_channel.sh "$NETWORK")}
VERSION=${VERSION:-$(./scripts/compute_build_number.sh -f)}
PKG_DIR="./tmp/node_pkgs"
SIGNING_KEY_ADDR=dev@algorand.com
OS_TYPE=$(./scripts/release/mule/common/ostype.sh)
-ARCHS=(amd64 arm arm64)
-ARCH_BITS=(x86_64 armv7l aarch64)
+ARCHS=(amd64 arm64)
+ARCH_BITS=(x86_64 aarch64)
# Note that we don't want to use $GNUPGHOME here because that is a documented env var for the gnupg
# project and if it's set in the environment mule will automatically pick it up, which could have
# unintended consequences and be hard to debug.
@@ -40,6 +35,14 @@ then
find "$GPG_DIR" -type f -exec chmod 600 {} \;
fi
+pushd /root
+cat << EOF > .rpmmacros
+%_gpg_name Algorand RPM <rpm@algorand.com>
+%__gpg /usr/bin/gpg2
+%__gpg_check_password_cmd true
+EOF
+popd
+
# Note that when downloading from the cloud that we'll get all packages for all architectures.
if [ -n "$S3_SOURCE" ]
then
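Review bot: The macros file is written to a hard-coded /root through `pushd /root` and `popd`, but rpmsign reads it from the invoking user's home directory, so signing only works while HOME is /root. Writing it directly with `cat << EOF > "$HOME/.rpmmacros"` removes the directory change and the assumption, and matches the move from /root/packages to `~/packages` in deb/deploy.sh. A comment above the heredoc should say that `%__gpg_check_password_cmd true` skips the passphrase check because the key is expected to be usable non-interactively here. It should also note that the signer is the rpm@algorand.com key rather than `$SIGNING_KEY_ADDR`. The same heredoc still appears in rpm/deploy.sh, where it looks redundant now that signing happens in this script.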
@@ -87,13 +90,14 @@ for os in "${OS_TYPES[@]}"; do
for file in *.rpm
do
+ rpmsign --addsign "$file"
gpg -u rpm@algorand.com --detach-sign "$file"
done
HASHFILE="hashes_${CHANNEL}_${os}_${arch}_${VERSION}"
md5sum *.tar.gz *.deb *.rpm >> "$HASHFILE"
- shasum -a 256 *.tar.gz *.deb *.rpm >> "$HASHFILE"
- shasum -a 512 *.tar.gz *.deb *.rpm >> "$HASHFILE"
+ sha256sum *.tar.gz *.deb *.rpm >> "$HASHFILE"
+ sha512sum *.tar.gz *.deb *.rpm >> "$HASHFILE"
gpg -u "$SIGNING_KEY_ADDR" --detach-sign "$HASHFILE"
gpg -u "$SIGNING_KEY_ADDR" --clearsign "$HASHFILE"
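Review bot: The ordering inside the `for file in *.rpm` loop is load-bearing and deserves a comment, because `rpmsign --addsign` rewrites the package and the detached signature and hash file are only valid if computed afterwards. Something like `# rpmsign modifies the file in place; keep it before --detach-sign and the checksum lines below` would prevent a later reorder from shipping signatures and hashes that no longer match the published RPM. If no nullglob or earlier guard is in effect (the loop header is outside this hunk), a directory without RPMs passes the literal `*.rpm` to rpmsign, which is worth confirming.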
diff --git a/test/muleCI/mule.yaml b/test/muleCI/mule.yaml
index cb75187db..afa73ae2c 100644
--- a/test/muleCI/mule.yaml
+++ b/test/muleCI/mule.yaml
@@ -61,22 +61,6 @@ agents:
- GOLANG_VERSION=`./scripts/get_golang_version.sh`
- ARCH=arm64v8
- GOARCH=arm64
- - name: cicd.ubuntu.arm
- dockerFilePath: docker/build/cicd.ubuntu.Dockerfile
- image: algorand/go-algorand-ci-linux
- version: scripts/configure_dev-deps.sh
- arch: arm32v7
- env:
- - TRAVIS_BRANCH=${GIT_BRANCH}
- - NETWORK=$NETWORK
- - VERSION=$VERSION
- - BUILD_NUMBER=$BUILD_NUMBER
- - GOHOSTARCH=arm
- - FULLVERSION=${FULLVERSION}
- buildArgs:
- - GOLANG_VERSION=`./scripts/get_golang_version.sh`
- - ARCH=arm32v7
- - GOARCH=armv6l
- name: docker-ubuntu
dockerFilePath: docker/build/docker.ubuntu.Dockerfile
image: algorand/go-algorand-docker-linux-ubuntu
@@ -122,10 +106,6 @@ tasks:
name: build.arm64
agent: cicd.ubuntu.arm64
target: ci-build
- - task: docker.Make
- name: build.arm
- agent: cicd.ubuntu.arm
- target: ci-build
- task: docker.Make
name: archive
@@ -168,12 +148,6 @@ tasks:
globSpecs:
- tmp/node_pkgs/**/*
- task: stash.Stash
- name: linux-arm
- bucketName: go-algorand-ci-cache
- stashId: ${JENKINS_JOB_CACHE_ID}/linux-arm
- globSpecs:
- - tmp/node_pkgs/**/*
- - task: stash.Stash
name: packages
bucketName: go-algorand-ci-cache
stashId: ${JENKINS_JOB_CACHE_ID}/packages
@@ -194,10 +168,6 @@ tasks:
bucketName: go-algorand-ci-cache
stashId: ${JENKINS_JOB_CACHE_ID}/darwin-amd64
- task: stash.Unstash
- name: linux-arm
- bucketName: go-algorand-ci-cache
- stashId: ${JENKINS_JOB_CACHE_ID}/linux-arm
- - task: stash.Unstash
name: darwin-arm64
bucketName: go-algorand-ci-cache
stashId: ${JENKINS_JOB_CACHE_ID}/darwin-arm64
@@ -233,15 +203,10 @@ jobs:
tasks:
- docker.Make.build.arm64
- stash.Stash.linux-arm64
- build-linux-arm32:
- tasks:
- - docker.Make.build.arm
- - stash.Stash.linux-arm
package-all:
tasks:
- stash.Unstash.linux-amd64
- stash.Unstash.linux-arm64
- - stash.Unstash.linux-arm
- stash.Unstash.darwin-arm64
- stash.Unstash.darwin-amd64
- docker.Make.deb.amd64