ci: sign RPM packages before pushing to GCP Artifact Registry

[PrzemekZglinicki]

Summary

• Move RPM signing from a shell helper in `push_pkg_to_gcp_ar.sh` to goreleaser's native nfpm support: `nfpms[*].rpm.signature.key_file` in both `.goreleaser/connect.yaml` and `.goreleaser/connect-fips.yaml`
• nfpm signs the RPM at package build time (before upload) using Go's internal OpenPGP library — no dependency on system `rpmsign` or `gpg`
• The GPG private key is written to a temp `.asc` file in a new "Prepare RPM signing key" step and passed to goreleaser via `RPM_KEY_FILE_PRIVATE` in `$GITHUB_ENV`; the env var name makes clear it holds the private key material
• DEBs are unchanged — GCP AR provides repository-level signing for APT
• Add "Verify RPM signature in GCP AR" step in `release.yml`: after goreleaser publishes, downloads the RPM from GCP AR and verifies its GPG signature using `rpm --dbpath ` (avoids the silent-pass bug where plain `rpm --checksig` checks the system keyring and returns exit 0 for NOKEY)
• Fix `SEARCH_TERM` construction to use `tr '-' ''` instead of `${VERSION//-/}` — bash expands `~` to `$HOME` in parameter substitution replacements even inside double quotes
• `test-push-to-gcp-ar` job in `test.yml` tests routing only (GA → `redpanda-yum`, RC → `redpanda-unstable-yum`, DEB → `redpanda-apt`) against a mocked `gcloud` CLI; actual signing correctness is validated by the "Verify RPM signature in GCP AR" step in `release.yml`, which does a full nfpm build + GCP AR round-trip

🤖 Generated with Claude Code

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

Przemek Zglinicki seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

Przemek Zglinicki seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[PrzemekZglinicki]

@claude review once

[claude]

Commits

1. The single commit ci: sign RPM packages before pushing to GCP Artifact Registry bundles two unrelated changes: the RPM signing work (the focus of the PR) and a new label-gated integration-test job in .github/workflows/test.yml#L65-L114. The integration-test job is not mentioned in the commit body or PR description and has no functional relationship to RPM signing. Per the commit policy, each commit should be one self-contained logical change — please split this into two commits/PRs.

Review
The RPM signing logic and test-push-to-gcp-ar job look reasonable: AWS region is validated, GPG state is isolated to a temp GNUPGHOME, and verification correctly uses a temp RPM database (the comment in resources/scripts/push_pkg_to_gcp_ar.sh#L68-L76 accurately explains why the previous rpm --checksig was insufficient). Test coverage exercises GA, RC, DEB skip, and missing-region paths.

1. See inline comment on the unrelated integration-test job in .github/workflows/test.yml.

[claude]

Commits
LGTM

Review
CI changes to sign RPM packages with a key fetched from AWS Secrets Manager before pushing to GCP Artifact Registry, with a new test-push-to-gcp-ar job exercising RPM/DEB routing and the missing-region error path.

LGTM

[claude]

Commits
LGTM

Review
Single commit ci: sign RPM packages before pushing to GCP Artifact Registry adds RPM signing in push_pkg_to_gcp_ar.sh plus a CI test job that mocks aws/gcloud and exercises GA, RC, DEB, and missing-region paths. Script correctly uses set -euo pipefail, scopes temp dirs/keyring inside a subshell with an EXIT trap so cleanup fires even on early exit, verifies signatures via a temp RPM database (rpm --dbpath) instead of the system keyring, and short-circuits with a clear error when no AWS region is set.

LGTM

[claude]

Commits
LGTM

Review
RPM signing flow uses a subshell with an EXIT trap so cleanup runs even under set -e, and set -euo pipefail plus the pre-flight region check give clear failure modes. The new CI job exercises GA / RC / DEB / missing-region paths against mocked aws and gcloud, and the verification step correctly uses rpm --dbpath to ensure the GPG check actually validates against the imported key.

LGTM

[claude]

Commits
LGTM

Review
RPM signing logic in push_pkg_to_gcp_ar.sh is well-isolated: subshell + EXIT trap correctly cleans up temp GNUPGHOME/dbpath/pubkey, the ${tmpdb:-}/${pubkey:-} defaults handle ordering safely, and verification via rpm --dbpath correctly addresses the silent-pass bug noted in the PR description. The test-push-to-gcp-ar job exercises GA/RC/DEB routing plus the missing-key error path with a throwaway GPG key and mocked gcloud.

LGTM

[claude]

Commits

LGTM

Review

Targeted change adds RPM signing before GCP AR upload. The script uses a subshell-scoped EXIT trap with ${var:-} defaults so cleanup is safe even under set -u partial init, signing is verified through a temp RPM database (avoiding the well-known rpm --checksig system-keyring trap), and the new test-push-to-gcp-ar job exercises GA/RC/DEB routing, missing-key error path, and passphrase-protected key fast-fail (good defense against future hangs).

LGTM

[claude]

Commits
LGTM

Review
Single-commit PR adding RPM signing to the GCP Artifact Registry push pipeline. Adds a sign_rpm() helper that imports the AWS Secrets Manager-stored key into a fresh GNUPGHOME, signs via rpmsign --resign, and verifies the signature using a temp rpm --dbpath database. CI test job exercises GA/RC routing, DEB skip-signing, missing-key failure, and the no-hang behavior for passphrase-protected keys.

LGTM

[claude]

Commits

1. Commit a2d3e5d — ci: Test purpose changes. Drop before merge\! — has multiple commit-policy issues:
   • Self-flagged as "Drop before merge!" — this is a fixup-style commit that should not be in the final history. Squash or drop it before merging.
   • After the ci: prefix, the message must start lowercase ("test", not "Test"), per the format system: message.
   • Vague message body — "Test purpose changes" doesn't describe what changed.
   • Empty commit body.

Review

The production-intent changes in commit c340f6e (the sign_rpm function in push_pkg_to_gcp_ar.sh, the test-push-to-gcp-ar CI job, the RPM_SIGNING_KEY_PRIVATE env propagation in the goreleaser configs, and the post-publish Verify RPM signature in GCP AR step) look correct: subshell EXIT trap with defensive ${var:-} expansion, key_id existence check, signing via rpmsign --resign with loopback pinentry, and GPG-verified validation against a temp RPM database.

LGTM for the code in commit c340f6e. Confirm commit a2d3e5d is dropped/reverted before merging.

[PrzemekZglinicki]

Test purpose packages was uploaded to gcp ar:

[claude]

Commits

1. Commits a2d3e5d ("ci: Test purpose changes. Drop before merge!") and 67ed751 ("ci: Remove test-purpose changes, keep RPM signing fixes") cancel each other out — the message of a2d3e5d itself says "Drop before merge!". They should be squashed/dropped before merge so the final history contains only the meaningful change in c340f6e.
2. Both a2d3e5d and 67ed751 violate the message-format rule that the message after system: must start lowercase (ci: Test..., ci: Remove...).

Review
The actual change set in c340f6e (RPM signing in push_pkg_to_gcp_ar.sh, AWS Secrets Manager fetch + Validate secrets + post-upload signature verification in release.yml, RPM_SIGNING_KEY_PRIVATE plumbing through both .goreleaser/*.yaml files, and the test-push-to-gcp-ar job in test.yml) is consistent and looks correct. The subshell + EXIT trap in sign_rpm and the use of a temp --dbpath for rpm --checksig (called out in the PR description) are sound.

LGTM

[PrzemekZglinicki]

Commits

1. Commits `a2d3e5d` ("ci: Test purpose changes. Drop before merge!") and `67ed751` ("ci: Remove test-purpose changes, keep RPM signing fixes") cancel each other out — the message of `a2d3e5d` itself says "Drop before merge!". They should be squashed/dropped before merge so the final history contains only the meaningful change in `c340f6e`.

2. Both `a2d3e5d` and `67ed751` violate the message-format rule that the message after `system:` must start lowercase (`ci: Test...`, `ci: Remove...`).

Review The actual change set in c340f6e (RPM signing in push_pkg_to_gcp_ar.sh, AWS Secrets Manager fetch + Validate secrets + post-upload signature verification in release.yml, RPM_SIGNING_KEY_PRIVATE plumbing through both .goreleaser/*.yaml files, and the test-push-to-gcp-ar job in test.yml) is consistent and looks correct. The subshell + EXIT trap in sign_rpm and the use of a temp --dbpath for rpm --checksig (called out in the PR description) are sound.

LGTM

In this repo we use the squash and merge concept, so the names of the particular commit doesn't matter, but also I can update them. What is more I think it is worth to keep test examples in the PR for future.

[ivotron]

goreleaser has support for signing rpm packages using a custom key. that should be done instead. see https://goreleaser.com/customization/sign/sign/ for more

[claude]

The release workflow trigger has been replaced with pull_request: and the original push: tags, schedule, and workflow_dispatch triggers commented out. This converts the production release workflow into a PR-only workflow — production tag releases, nightly edge builds, and manual dispatch will all stop working if merged. This appears to be test scaffolding from the dropped "ci: Test purpose changes. Drop before merge!" commit (a2d3e5d) that the third commit claimed to remove but did not. The original triggers must be restored before merge.

[claude]

Test-purpose change must be reverted before merge. goos was reduced to [linux] only, with the original [windows, darwin, linux] commented out. If merged, Windows and macOS binaries would no longer be built or released. Restore the original goos line.

[claude]

Test-purpose change must be reverted before merge. The Darwin signing/notarization post-build hook is commented out. With Darwin builds also disabled (line 10), this is consistent for testing — but both must be restored before merge so macOS binaries continue to be signed and notarized.

[claude]

Test-purpose change must be reverted before merge. The entire archives: section is commented out. If merged, no tar.gz archives would be produced for any release.

[claude]

Test-purpose change must be reverted before merge. The entire dockers_v2: section is commented out. If merged, no Docker images for redpandadata/connect or public.ecr.aws/l9j0i2e0/connect would be built or pushed.

[claude]

Test-purpose change must be reverted before merge. The Cloudsmith publisher is commented out. The PR description states "DEBs are unchanged — GCP AR provides repository-level signing for APT", but this commit also disables Cloudsmith publishing entirely, which is unrelated to the RPM signing change. Restore the Cloudsmith publisher.

[claude]

Test-purpose change must be reverted before merge. The release: block has been replaced with disable: true (with the original GitHub release config commented out), and the checksum: block is commented out. If merged, no GitHub release would be published for the connect distribution and no checksum file would be produced. Restore both blocks.

[claude]

Test-purpose change must be reverted before merge. The entire archives: section is commented out. If merged, no tar.gz archive of the FIPS distribution would be produced.

[claude]

Test-purpose change must be reverted before merge. The Cloudsmith publisher for connect-fips-pkgs is commented out. This is unrelated to the RPM signing change and would stop FIPS packages from being pushed to Cloudsmith.

[claude]

Test-purpose change must be reverted before merge. Same pattern as in connect.yaml — the release: block is replaced with disable: true (original commented out) and checksum: is commented out. Restore both blocks for the FIPS distribution.

[claude]

This test-push-to-gcp-ar job uses touch /tmp/test.rpm / touch /tmp/test.deb to create empty files and only verifies the gcloud routing (which command/repository the script invokes). Despite the PR description claiming the test "asserts signing + routing", signing is not exercised here — it happens in goreleaser via nfpms.rpm.signature.key_file. The "missing-region error case" mentioned in the PR description is also not tested. Either align the description with what the test actually does, or expand the test to actually validate signing and the missing-region path.

[claude]

Commits

1. Commit 2 (a2d3e5d) — ci: Test purpose changes. Drop before merge\! — the message itself indicates this commit must be dropped/squashed before merge. The format also violates the commit policy: the message after ci: should start lowercase and be in imperative mood. Squash with the previous commit or drop.
2. Commit 3 (55d6d7d) — ci: Remove test-purpose changes, keep RPM signing fixes — title says "Remove" but the test-purpose changes are still present in the diff (workflow trigger swap, commented-out matrix variants, disabled goreleaser releases, commented Cloudsmith/Docker steps, etc.). Title should also start lowercase (remove). Either the commit needs to actually do what its title says, or the title needs to be corrected, before merge.

Review

This PR mixes two distinct categories of change: (a) a legitimate RPM-signing implementation in the goreleaser configs (nfpms.rpm.signature.key_file) plus a CI verification step, and (b) a large set of test-only modifications that the most recent commit was supposed to remove but did not. The test-only changes — pull_request: trigger replacing production triggers, four matrix variants commented out, goos: [linux] only, archives/dockers_v2/release/checksum sections commented out, Cloudsmith publishers commented out, Docker Hub login removed, telemetry key step removed, fake v0.0.0-rc.test* tag created at runtime, GoReleaser conditionals flipped to pull_request — would all break production releases if merged.

The PR description is also misleading: it claims sign_rpm() was added to push_pkg_to_gcp_ar.sh and that the test asserts signing + the missing-region error case, but the script only changed set -ex → set -euo pipefail, signing is implemented via goreleaser, and the test only validates routing.

1. Workflow trigger replaced with pull_request: (release.yml#L3-L10).
2. Four matrix variants commented out (release.yml#L22-L28).
3. Debug "Validate secrets" step (release.yml#L55-L64).
4. Release Notes step + --release-notes arg removed (release.yml#L98-L99).
5. Cloudsmith CLI / Docker Hub login / Buildx / telemetry-key steps commented out (release.yml#L117-L140).
6. Test tag v0.0.0-rc.test<run_number> created on every run (release.yml#L149-L150).
7. GoReleaser Release if: flipped from push to pull_request (release.yml#L152-L153).
8. The new RPM signature verification only runs on pull_request (release.yml#L204-L243) — once production triggers are restored, this verification will not run on real releases.
9. goos reduced to linux-only and Darwin signing hooks commented out (connect.yaml#L10-L23).
10. archives: / dockers_v2: / Cloudsmith publisher / release: / checksum: all commented out or disabled in both connect.yaml#L37-L113 and connect-fips.yaml#L28-L93.
11. The test-push-to-gcp-ar job tests routing only, not signing or the missing-region case the PR description claims (test.yml#L65-L98).

[claude]

Commits

1. Commit a2d3e5d (ci: Test purpose changes. Drop before merge\!) and commit 31a1524 (ci: Remove test-purpose changes, keep RPM signing fixes) cancel each other out (the second reverts the first). They should be squashed/dropped from the branch before merge — the explicit "Drop before merge!" marker in the second commit confirms this.
2. Both commit headlines violate the system: message format rule that message must start lowercase: Test purpose… should be test purpose… (and per its own admission should be removed entirely), Remove test-purpose… should be remove test-purpose….
3. The body of commit c340f6e is misleading per the message-quality policy: it claims to "Add sign_rpm() to push_pkg_to_gcp_ar.sh" but that script is not modified in this PR (signing is done via goreleaser's nfpms.rpm.signature.key_file instead), and it claims the new test-push-to-gcp-ar job "generates a throwaway GPG key, builds a minimal RPM, mocks aws and gcloud, and asserts signing + routing for … missing-region error cases" — but the actual job only touches empty files, mocks only gcloud (not aws), and asserts only routing for three cases (no signing test, no missing-region test). The PR description has the same mismatch.

Review

The actual code changes (fetch RPM signing key from AWS Secrets Manager, configure goreleaser to sign RPMs for the connect and connect-fips variants, install rpm/gnupg2 on the runner, verify the published RPM's signature against an isolated rpmdb, and add a routing-only test job for push_pkg_to_gcp_ar.sh) are coherent and the env-var plumbing between the prep step and goreleaser config looks correct. The signature-verification path correctly uses rpm --dbpath <tmpdb> --import + --checksig against an isolated rpmdb, which addresses the prior NOKEY-but-exit-0 issue noted in the description.

LGTM

[claude]

Commits

1. Commits 0d9b252 (ci: test purpose changes, drop before merge) and 9e54ece (ci: remove test purpose changes) cancel each other out and should be dropped/squashed before merge — the first commit's own title says "drop before merge". Net effect on the diff is zero, so they are noise in the history.

Review

CI-only change: moves RPM signing into goreleaser's nfpm support, adds a post-publish signature verification step in release.yml, and adds a routing-only test job in test.yml. The overall approach (build-time signing via nfpms[*].rpm.signature.key_file, post-publish verification with an isolated --dbpath) looks sound. SEARCH_TERM tr '-' '~' rationale is correct (bash does tilde-expand in ${var/x/~}).

LGTM

[ivotron]

this secret should be moved so that it is stored as JSON, to keep it consistent with the rest of secrets. that'd also allow for this to be moved to the previous task, with the rest of commits that are fetched as part of this workflow

[PrzemekZglinicki]

https://github.com/redpanda-data/vtools/pull/4219#discussion_r3192152576 - answered here

[ivotron]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

Przemek Zglinicki seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@PrzemekZglinicki you have to sign the CLA

[ivotron]

instead of this being here, it should be in a separate bash script and referenced in the goreleaser config, as done for cloudsmith here https://github.com/redpanda-data/connect/blob/main/.goreleaser/connect.yaml#L97-L100

[PrzemekZglinicki]

It is verification, we can move it to the script. It is similar approach as in the smokechecks in the vtools repo, we sign the package, push it to the gcp ar and at the end verify that this package is available and correctly signed, it isn't a big effort and we are sure that package is correct.

[PrzemekZglinicki]

Whole logic of the push to gcp ar is in the script.

[claude]

Commits

1. Commit efe275b1 (ci: test purpose changes, drop before merge) is a temporary WIP commit that disables release triggers, comments out variants/archives/dockers/release sections in the goreleaser configs, and adds a local test tag step. The commit message itself acknowledges this. It must be dropped (or this PR converted to draft) before merge — leaving it in would break the release workflow.

Review
The feature commit (01903ee4) is straightforward: nfpm-native RPM signing via rpm.signature.key_file, key material staged through a temp .asc file passed via GITHUB_ENV, and a post-publish verification that uses an isolated rpm --dbpath keyring (correctly avoiding the silent NOKEY-pass behavior). The tr '-' '~' fix for SEARCH_TERM is also correct — \${var//-/~} would expand ~ to \$HOME even inside double quotes.

LGTM

[claude]

Commits

1. Commits 32aa9e9 (ci: test purpose changes, drop before merge) and 2d8c9f2 (ci: remove test purpose changes) cancel each other out — none of their content reaches the final state and the first commit's own message says it should be dropped before merge. Per the commit-granularity policy ("each commit is one small, self-contained, logical change"), please drop both from history (interactive rebase / squash) before merging so the PR ships as a single clean commit.

Review
LGTM. nfpm-native RPM signing is wired into both connect.yaml and connect-fips.yaml, the private key handling uses mktemp (default mode 600) and is read from the env that goreleaser interpolates, and the post-publish verification uses a fresh rpm --dbpath to avoid the system-keyring NOKEY silent-pass. The grep "${PKG_NAME}-" | grep -v "${PKG_NAME}-fips" filter is correct for both fips and non-fips package names, and the tr '-' '~' SEARCH_TERM construction sidesteps the bash tilde-in-replacement gotcha as called out in the PR description.

LGTM