Rework the "sign" job
authorMichał Kępień <michal@isc.org>
Wed, 22 Oct 2025 07:45:29 +0000 (09:45 +0200)
committerAndoni Duarte Pintado <andoni@isc.org>
Mon, 27 Oct 2025 15:16:48 +0000 (16:16 +0100)
Adapt the "sign" job to use the YAML template for SSH-confirmed jobs.
Make the signing process user-agnostic.

.gitlab-ci.yml

index 710b86cac5f8dab69ab02ac79a80b56b9bdce79f..123b4d1f0bbe3847237fb4aee40831bd63e099fe 100644 (file)
@@ -1667,44 +1667,29 @@ release:
 # Job signing the source tarballs in the release directory
 
 sign:
-  stage: release
-  tags:
-    - signer
-  script:
-    - export RELEASE_DIRECTORY="bind-${CI_COMMIT_TAG}-release"
-    - pushd "${RELEASE_DIRECTORY}"
-    - |
-      echo
-      cat > /tmp/sign-bind9.sh <<EOF
-      #!/bin/sh
-      {
-          for FILE in \$(find "${PWD}" -name "*.tar.xz" | sort); do
-              echo ">>> Signing \${FILE}..."
-              gpg2 --local-user "\${SIGNING_KEY_FINGERPRINT}" --armor --digest-algo SHA512 --detach-sign --output "\${FILE}.asc" "\${FILE}"
-          done
-      } 2>&1 | tee "${CI_PROJECT_DIR}/signing.log"
-      EOF
-      chmod +x /tmp/sign-bind9.sh
-      echo -e "\e[31m*** Please sign the releases by following the instructions at:\e[0m"
-      echo -e "\e[31m*** \e[0m"
-      echo -e "\e[31m*** ${SIGNING_HELP_URL}\e[0m"
-      echo -e "\e[31m*** \e[0m"
-      echo -e "\e[31m*** Sleeping until files in ${PWD} are signed... ⌛\e[0m"
-      while [ "$(find . -name "*.asc" -size +0 | sed "s|\.asc$||" | sort)" != "$(find . -name "*.tar.xz" | sort)" ]; do sleep 10; done
-    - popd
-    - tar --create --file="${RELEASE_DIRECTORY}.tar.gz" --gzip "${RELEASE_DIRECTORY}"
+  <<: *signer_ssh_job
+  before_script:
+    - export SOURCE_TARBALL="bind-${CI_COMMIT_TAG#v}.tar.xz"
+  variables:
+    RELEASE_DIRECTORY: bind-${CI_COMMIT_TAG}-release
+    SSH_SCRIPT_RUNNER_PRE: |-
+      ( umask 111 && cat "${RELEASE_DIRECTORY}/$${SOURCE_TARBALL}" > "/tmp/${CI_COMMIT_TAG}.bin" )
+    SSH_SCRIPT_CLIENT: |-
+      gpg2 --local-user "$${SIGNING_KEY_FINGERPRINT}" --armor --digest-algo SHA512 --detach-sign --output "/tmp/${CI_COMMIT_TAG}.asc" "/tmp/${CI_COMMIT_TAG}.bin"
+    SSH_SCRIPT_RUNNER_POST: |-
+      cat "/tmp/${CI_COMMIT_TAG}.asc" > "${RELEASE_DIRECTORY}/$${SOURCE_TARBALL}.asc"
+      tar --create --file="${RELEASE_DIRECTORY}".tar.gz --gzip "${RELEASE_DIRECTORY}"
+      rm -f "/tmp/${CI_COMMIT_TAG}.bin" "/tmp/${CI_COMMIT_TAG}.asc"
   artifacts:
     paths:
-      - "*.tar.gz"
-      - signing.log
+      - bind-${CI_COMMIT_TAG}-release.tar.gz
+      - sign-${CI_COMMIT_TAG}.log
     expire_in: never
   needs:
     - job: release
       artifacts: true
   rules:
     - *rule_tag
-  when: manual
-  allow_failure: false
 
 # Job creating the release announcement MR in Printing Press
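Review bot: The staging copy written by `SSH_SCRIPT_RUNNER_PRE` is created under `umask 111` at a fixed, tag-derived name in `/tmp`, so it is world-writable and any other local account on the signing host could change the bytes before `SSH_SCRIPT_CLIENT` signs them; the `>` redirect also writes into whatever already exists at that name. If the signing user only needs to read the file (the `signer_ssh_job` template is outside this hunk, so that is an assumption), `( umask 133 && cat ... )` would be enough, ideally inside a runner-owned directory that others cannot write to. `SSH_SCRIPT_RUNNER_POST` then packages the signature without checking it; adding `gpg2 --verify "${RELEASE_DIRECTORY}/$${SOURCE_TARBALL}.asc" "${RELEASE_DIRECTORY}/$${SOURCE_TARBALL}"` before the `tar` line would fail the job when the signed data differs from the release tarball, provided the public key is available to the runner user. The removed loop signed every `*.tar.xz` in the release directory while the new job signs only `$${SOURCE_TARBALL}`, which deserves a one-line comment if intentional.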