Sign the gcc bootstrap cache and add pub-key as artifact (#40)

* Sign the gcc bootstrap cache and add pub-key as artifact
* Use key stored in github secrets
* Remove the whole spack installation after signing
* Use spack provided BOOTSTRAP_GCC_KEY in GHA by mounting github actions secret
* Reduce container and cache size by stripping gcc binaries
* Upload public key by its name
* No need to upload the buildcache to artifacts

.github/workflows/containers.yml

@@ -79,6 +79,8 @@ jobs:
             ghcr.io/spack/${{ matrix.dockerfile[0] }}:latest
             ${{ steps.meta.outputs.tags }}
           cache-to: type=inline
+          secrets: |
+            "bootstrap_gcc_key=${{ secrets.BOOTSTRAP_GCC_KEY }}"
 
   upload-gcc-buildcache:
     timeout-minutes: 60
@@ -88,33 +90,25 @@ jobs:
     needs: [ deploy-images ]
     env:
       CONTAINER_NAME: 'ghcr.io/spack/pcluster-amazonlinux-2'
+      KEY_FINGERPRINT: '5195AD463E705FC2014BFF08FE8754F9EEC75620'
     steps:
       - name: Get Container Tag
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.CONTAINER_NAME }}
-      - uses: actions/checkout@v4
-      - env:
+      - name: Checkout Container
+        uses: actions/checkout@v4
+      - name: Copy from container to local disk
+        env:
           CONTAINER_TAG: ${{ steps.meta.outputs.tags }}
         run: |
           id=$(docker create --platform linux/amd64 ${CONTAINER_TAG})
-          mkdir bootstrap-gcc-cache-x86_64
-          docker cp $id:/bootstrap-gcc-cache bootstrap-gcc-cache-x86_64
-          docker rm -v $id
-
-          id=$(docker create --platform linux/arm64 ${CONTAINER_TAG})
-          mkdir bootstrap-gcc-cache-aarch64
-          docker cp $id:/bootstrap-gcc-cache bootstrap-gcc-cache-aarch64
+          docker cp $id:/bootstrap-gcc-cache/build_cache/_pgp/${KEY_FINGERPRINT}.pub ${KEY_FINGERPRINT}.pub
           docker rm -v $id
 
-      - uses: actions/upload-artifact@v3
-        with:
-          name: bootstrap-gcc-cache-x86_64
-          path: |
-            bootstrap-gcc-cache-x86_64
-      - uses: actions/upload-artifact@v3
+      - name: Upload public key to Github artifacts
+        uses: actions/upload-artifact@v3
         with:
-          name: bootstrap-gcc-cache-aarch64
-          path: |
-            bootstrap-gcc-cache-aarch64
+          name: ${{ env.KEY_FINGERPRINT }}.pub
+          path: ${{ env.KEY_FINGERPRINT }}.pub

Dockerfiles/pcluster-amazonlinux-2/Dockerfile

@@ -128,6 +128,19 @@ RUN mkdir -p $(dirname "${SPACK_ROOT}") \
     && spack buildcache create -a -u /bootstrap-gcc-cache $(spack find --format '/{hash}') \
     && rm -rf $(dirname "${SPACK_ROOT}") /root/.spack
 
+# Sign the buildcache
+RUN --mount=type=secret,id=bootstrap_gcc_key \
+    mkdir -p $(dirname "${SPACK_ROOT}") \
+    && git clone https://github.com/spack/spack "${SPACK_ROOT}" \
+    && pushd "${SPACK_ROOT}" && git checkout ${SPACK_COMMIT} && popd \
+    && . "${SPACK_ROOT}/share/spack/setup-env.sh" \
+    && spack gpg trust /run/secrets/bootstrap_gcc_key \
+    && secretkey_fingerprint=$(GNUPGHOME="${SPACK_ROOT}"/opt/spack/gpg gpg2 -K --with-fingerprint --with-colons | awk -F: '/fpr/{print $10}') \
+    && ls /bootstrap-gcc-cache/build_cache/*json | xargs -I {} spack gpg sign --output {}.sig --key ${secretkey_fingerprint} --clearsign {} \
+    && spack mirror add bootstrap-gcc-cache /bootstrap-gcc-cache \
+    && spack gpg publish --rebuild-index -m bootstrap-gcc-cache ${secretkey_fingerprint} \
+    && rm -rf $(dirname "${SPACK_ROOT}") /root/.spack
+
 ENV PATH=/bootstrap/runner/view/bin:$PATH \
     NVIDIA_VISIBLE_DEVICES=all \
     NVIDIA_DRIVER_CAPABILITIES=compute,utility \

Dockerfiles/pcluster-amazonlinux-2/amd64/packages.yaml

@@ -2,4 +2,4 @@
 packages:
   gcc:
     compiler: [gcc]
-    require: "gcc@12 +binutils ^[email protected] target=x86_64_v3"
+    require: "gcc@12 +strip +binutils ^[email protected] target=x86_64_v3"

Dockerfiles/pcluster-amazonlinux-2/arm64/packages.yaml

@@ -2,4 +2,4 @@
 packages:
   gcc:
     compiler: [gcc]
-    require: "gcc@12 +binutils ^[email protected] target=aarch64"
+    require: "gcc@12 +strip +binutils ^[email protected] target=aarch64"