Merge branch 'debian_plug_sign' into 'master'

Plug Debian SignDistributionService in GenerateDistributionService

See merge request gitlab-org/gitlab!66907

app/services/packages/debian/generate_distribution_service.rb

@@ -161,13 +161,23 @@ module Packages
       end
 
       def generate_release
-        @distribution.file = CarrierWaveStringFile.new(release_header + release_sums)
+        @distribution.key || @distribution.create_key(GenerateDistributionKeyService.new.execute)
+        @distribution.file = CarrierWaveStringFile.new(release_content)
+        @distribution.file_signature = SignDistributionService.new(@distribution, release_content, detach: true).execute
+        @distribution.signed_file = CarrierWaveStringFile.new(
+          SignDistributionService.new(@distribution, release_content).execute
+        )
         @distribution.updated_at = release_date
         @distribution.save!
       end
 
+      def release_content
+        strong_memoize(:release_content) do
+          release_header + release_sums
+        end
+      end
+
       def release_header
-        strong_memoize(:release_header) do
         [
           %w[origin label suite version codename].map do |attribute|
             rfc822_field(attribute.capitalize, @distribution.attributes[attribute])
@@ -181,7 +191,6 @@ module Packages
           rfc822_field('Description', @distribution.description)
         ].flatten.compact.join('')
       end
-      end
 
       def release_date
         strong_memoize(:release_date) do

app/services/packages/debian/sign_distribution_service.rb

@@ -5,10 +5,10 @@ module Packages
     class SignDistributionService
       include Gitlab::Utils::StrongMemoize
 
-      def initialize(distribution, content, params: {})
+      def initialize(distribution, content, detach: false)
         @distribution = distribution
         @content = content
-        @params = params
+        @detach = detach
       end
 
       def execute
@@ -16,7 +16,7 @@ module Packages
 
         sig_mode = GPGME::GPGME_SIG_MODE_CLEAR
 
-        sig_mode = GPGME::GPGME_SIG_MODE_DETACH if @params[:detach]
+        sig_mode = GPGME::GPGME_SIG_MODE_DETACH if @detach
 
         Gitlab::Gpg.using_tmp_keychain do
           GPGME::Ctx.new(

spec/services/packages/debian/generate_distribution_service_spec.rb

@@ -12,14 +12,8 @@ RSpec.describe Packages::Debian::GenerateDistributionService do
       context "for #{container_type}" do
         include_context 'with Debian distribution', container_type
 
-        context 'with Debian components and architectures' do
         it_behaves_like 'Generate Debian Distribution and component files'
       end
-
-        context 'without components and architectures' do
-          it_behaves_like 'Generate minimal Debian Distribution'
-        end
-      end
     end
   end
 end

spec/services/packages/debian/sign_distribution_service_spec.rb

@@ -6,12 +6,11 @@ RSpec.describe Packages::Debian::SignDistributionService do
   let_it_be(:group) { create(:group, :public) }
 
   let(:content) { FFaker::Lorem.paragraph }
-  let(:params) { {} }
-  let(:service) { described_class.new(distribution, content, params: params) }
+  let(:service) { described_class.new(distribution, content, detach: detach) }
 
   shared_examples 'Sign Distribution' do |container_type, detach: false|
     context "for #{container_type} detach=#{detach}" do
-      let(:params) { { detach: detach } }
+      let(:detach) { detach }
 
       if container_type == :group
         let_it_be(:distribution) { create('debian_group_distribution', container: group) }

spec/support/shared_examples/services/packages/debian/generate_distribution_shared_examples.rb

 # frozen_string_literal: true
 
 RSpec.shared_examples 'Generate Debian Distribution and component files' do
+  def check_release_files(expected_release_content)
+    distribution.reload
+
+    distribution.file.use_file do |file_path|
+      expect(File.read(file_path)).to eq(expected_release_content)
+    end
+
+    expect(distribution.file_signature).to start_with("-----BEGIN PGP SIGNATURE-----\n")
+    expect(distribution.file_signature).to end_with("\n-----END PGP SIGNATURE-----\n")
+
+    distribution.signed_file.use_file do |file_path|
+      expect(File.read(file_path)).to start_with("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n#{expected_release_content}-----BEGIN PGP SIGNATURE-----\n")
+      expect(File.read(file_path)).to end_with("\n-----END PGP SIGNATURE-----\n")
+    end
+  end
+
+  context 'with Debian components and architectures' do
     let_it_be(:component_main) { create("debian_#{container_type}_component", distribution: distribution, name: 'main') }
     let_it_be(:component_contrib) { create("debian_#{container_type}_component", distribution: distribution, name: 'contrib') }
 
@@ -135,14 +152,12 @@ RSpec.shared_examples 'Generate Debian Distribution and component files' do
          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855        0 main/binary-arm64/Packages
         EOF
 
-      distribution.file.use_file do |file_path|
-        expect(File.read(file_path)).to eq(expected_release_content)
+        check_release_files(expected_release_content)
       end
     end
   end
-end
 
-RSpec.shared_examples 'Generate minimal Debian Distribution' do
+  context 'without components and architectures' do
     it 'generates minimal distribution', :aggregate_failures do
       travel_to(Time.utc(2020, 01, 25, 15, 17, 18, 123456)) do
         expect(Gitlab::ErrorTracking).not_to receive(:log_exception)
@@ -160,8 +175,7 @@ RSpec.shared_examples 'Generate minimal Debian Distribution' do
         SHA256:
         EOF
 
-      distribution.file.use_file do |file_path|
-        expect(File.read(file_path)).to eq(expected_release_content)
+        check_release_files(expected_release_content)
       end
     end
   end