Use Azure Pipelines secure files to import private keys

.ci/scripts/linux-flatpak/azure-ci-flatpak.env

@@ -1,6 +1,4 @@
 # Flatpak specific environment variables
-FLATPAK_ENC_IV
-FLATPAK_ENC_K
 FLATPAK_GPG_PUBLIC_KEY
 FLATPAK_SSH_HOSTNAME
 FLATPAK_SSH_PORT

.ci/scripts/linux-flatpak/azure-ci.env

@@ -9,6 +9,10 @@ AZURE_JOB_ID
 AZURE_REPO_SLUG
 AZURE_TAG
 
+# Path to private keys
+SSH_KEY
+GPG_KEY
+
 # yuzu specific flags
 ENABLE_COMPATIBILITY_REPORTING
 USE_DISCORD_PRESENCE

.ci/scripts/linux-flatpak/docker.sh

@@ -6,7 +6,6 @@ YUZU_SRC_DIR="/yuzu"
 BUILD_DIR="$YUZU_SRC_DIR/build"
 REPO_DIR="$YUZU_SRC_DIR/repo"
 STATE_DIR="$YUZU_SRC_DIR/.flatpak-builder"
-KEYS_ARCHIVE="/tmp/keys.tar"
 SSH_DIR="/upload"
 SSH_KEY="/tmp/ssh.key"
 GPG_KEY="/tmp/gpg.key"
@@ -14,21 +13,14 @@ GPG_KEY="/tmp/gpg.key"
 # Generate flatpak Manifest and AppData files (/tmp/appdata.xml and /tmp/org.yuzu.$REPO_NAME.json)
 /bin/bash -ex $YUZU_SRC_DIR/.ci/scripts/linux-flatpak/generate-data.sh $1
 
-# Extract keys
-#openssl aes-256-cbc -K $FLATPAK_ENC_K -iv $FLATPAK_ENC_IV -in "$YUZU_SRC_DIR/keys.tar.enc" -out "$KEYS_ARCHIVE" -d
-#tar -C /tmp -xvf $KEYS_ARCHIVE
-
 # Configure SSH keys
-#eval "$(ssh-agent -s)"
-#chmod 700 "$HOME/.ssh"
-#chmod -R 600 $HOME/.ssh/*
-#chown -R yuzu "$HOME/.ssh"
-#chmod 600 "$SSH_KEY"
-#ssh-add "$SSH_KEY"
-#echo "[$FLATPAK_SSH_HOSTNAME]:$FLATPAK_SSH_PORT,[$(dig +short $FLATPAK_SSH_HOSTNAME)]:$FLATPAK_SSH_PORT $FLATPAK_SSH_PUBLIC_KEY" > ~/.ssh/known_hosts
+eval "$(ssh-agent -s)"
+chmod 700 "$HOME/.ssh"
+ssh-add "$SSH_KEY"
+echo "[$FLATPAK_SSH_HOSTNAME]:$FLATPAK_SSH_PORT,[$(dig +short $FLATPAK_SSH_HOSTNAME)]:$FLATPAK_SSH_PORT $FLATPAK_SSH_PUBLIC_KEY" > $HOME/.ssh/known_hosts
 
 # Configure GPG keys
-#gpg2 --import "$GPG_KEY"
+gpg2 --import "$GPG_KEY"
 
 # Set permissions
 chown -R yuzu "$YUZU_SRC_DIR"
@@ -52,7 +44,5 @@ ln -sv --force $HOME/ccache "$STATE_DIR/ccache"
 chmod -R 700 "$STATE_DIR/ccache"
 
 # Build the yuzu flatpak
-#flatpak-builder -v --jobs=4 --ccache --force-clean --state-dir="$STATE_DIR" --gpg-sign="$FLATPAK_GPG_PUBLIC_KEY" --repo="$REPO_DIR" "$BUILD_DIR" "/tmp/org.yuzu.$REPO_NAME.json"
-#flatpak build-update-repo "$REPO_DIR" -v --generate-static-deltas --gpg-sign="$FLATPAK_GPG_PUBLIC_KEY"
-flatpak-builder -v --jobs=4 --ccache --force-clean --state-dir="$STATE_DIR" --repo="$REPO_DIR" "$BUILD_DIR" "/tmp/org.yuzu.$REPO_NAME.json"
-flatpak build-update-repo "$REPO_DIR" -v --generate-static-deltas
+flatpak-builder -v --jobs=4 --ccache --force-clean --state-dir="$STATE_DIR" --gpg-sign="$FLATPAK_GPG_PUBLIC_KEY" --repo="$REPO_DIR" "$BUILD_DIR" "/tmp/org.yuzu.$REPO_NAME.json"
+flatpak build-update-repo "$REPO_DIR" -v --generate-static-deltas --gpg-sign="$FLATPAK_GPG_PUBLIC_KEY"

.ci/scripts/linux-flatpak/exec.sh

@@ -1,14 +1,14 @@
 #!/bin/bash -ex
 mkdir -p "ccache"
-
+mkdir -p "$HOME/.ssh"
 
 chmod a+x ./.ci/scripts/linux-flatpak/docker.sh
 
 # the UID for the container yuzu user is 1027
-#sudo chown -R 1027 "$HOME/.ssh"
 sudo chown -R 1027 "ccache"
 sudo chown -R 1027 $(pwd)
-docker run --env-file .ci/scripts/linux-flatpak/azure-ci.env --env-file .ci/scripts/linux-flatpak/azure-ci-flatpak.env -v $(pwd):/yuzu -v "$(pwd)/ccache":/home/yuzu/ccache -v "$HOME/.ssh":/home/yuzu/.ssh --privileged meirod/build-environments:linux-flatpak /bin/bash -ex /yuzu/.ci/scripts/linux-flatpak/docker.sh $1
-#sudo chown -R $UID "$HOME/.ssh"
+sudo chown -R 1027 "$HOME/.ssh"
+docker run --env-file .ci/scripts/linux-flatpak/azure-ci.env --env-file .ci/scripts/linux-flatpak/azure-ci-flatpak.env -v $(pwd):/yuzu -v "$(pwd)/ccache":/home/yuzu/ccache -v "$HOME/.ssh":/home/yuzu/.ssh -v "$SSH_KEY":/tmp/ssh.key -v "$GPG_KEY":/tmp/gpg.key --privileged meirod/build-environments:linux-flatpak /bin/bash -ex /yuzu/.ci/scripts/linux-flatpak/docker.sh $1
+sudo chown -R $UID "$HOME/.ssh"
 sudo chown -R $UID "ccache"
 sudo chown -R $UID $(pwd)

.ci/templates/build-flatpak-single.yml

@@ -13,11 +13,17 @@ steps:
     key: yuzu-v1-$(BuildName)-$(BuildSuffix)-$(CacheSuffix)
     path: $(System.DefaultWorkingDirectory)/ccache
     cacheHitVar: CACHE_RESTORED
+- task: DownloadSecureFile@1
+  name: sshKey
+  inputs:
+    secureFile: 'ssh.key'
+- task: DownloadSecureFile@1
+  name: gpgKey
+  inputs:
+    secureFile: 'gpg.key'
 - script: chmod a+x ./.ci/scripts/$(ScriptFolder)/exec.sh && ./.ci/scripts/$(ScriptFolder)/exec.sh ${{ parameters['version'] }}
   displayName: 'Build'
   env:
-    FLATPAK_ENC_IV: $(FLATPAK_ENC_IV)
-    FLATPAK_ENC_K: $(FLATPAK_ENC_K)
     FLATPAK_GPG_PUBLIC_KEY: $(FLATPAK_GPG_PUBLIC_KEY)
     FLATPAK_SSH_HOSTNAME: $(FLATPAK_SSH_HOSTNAME)
     FLATPAK_SSH_PORT: $(FLATPAK_SSH_PORT)
@@ -30,6 +36,8 @@ steps:
     AZURE_JOB_ID: $(System.JobId)
     AZURE_REPO_SLUG: $(Build.Repository.Name)
     AZURE_TAG: $(Build.SourceBranch)
+    SSH_KEY: $(sshKey.secureFilePath)
+    GPG_KEY: $(gpgKey.secureFilePath)
 - script: chmod a+x ./.ci/scripts/$(ScriptFolder)/finish.sh && ./.ci/scripts/$(ScriptFolder)/finish.sh
   condition: always()
   displayName: 'Clean up'

.ci/yuzu-flatpak-step2.yml

@@ -2,7 +2,9 @@ trigger:
 - master
 
 variables:
-  DisplayVersion: $[counter(variables['DisplayPrefix'], 1)]
+  - group: flatpak-variables
+  - name: DisplayVersion
+    value: $[counter(variables['DisplayPrefix'], 1)]
 
 stages:
 - stage: format