Download secure files doesn't download files

I am currently working on a CI pipeline to create and sign Docker images; I uploaded the delegated key for signing to GitLab. During the pipeline, I use download-secure-files to retrieve the file. My problem now is that, as you can see below, the script reports that it has downloaded the key to /var/certs/, but after running ls on the directory, the file is not there.

Before, I had already tried to store the key inside a VARIABLE and use echo to write the content into the file, but there I lost the newlines, which docker trust doesn't like. I also tried moving the repository to gitlab.com, because I wasn't sure if the server of my university is up to date, but the execution still fails.

Below, you will see the deployment stage of the pipeline.

deploy:
  stage: deploy
  image: docker:latest
  services:
    - docker:latest
  variables:
    SECURE_FILES_DOWNLOAD_PATH: '/var/certs'
  only:
    - master
  script:
    - apk update
    - apk add curl
    - apk add bash
    - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
    - ls -la /var/certs/
    - ls -la .secure_files/
    - echo $SIGNING_KEY_PASSWORD | docker trust key load /var/certs/10505ee4d3913ea70a8d69e19df1a59dc5af99920f9ba4a1b11714b383da4a00.key --name gitlab
    # 'docker info' command is used to debug the job.
    - docker info

My command to start the GitLab runner is the following.

sudo gitlab-runner register -n  --url "https://gitlab.com/"  --registration-token TOKEN  --executor docker --description "My Docker Runner"  --docker-image "docker:24.0.5"  --docker-privileged

From the provided information and screenshot, the issue seems to revolve around the expected behavior of the download-secure-files script, which claims to have downloaded the key file but doesn’t actually make it available in the specified directory.

Here’s how we can approach resolving this:

1. Confirm Successful Secure File Download

  • Ensure that the curl command successfully downloads the download-secure-files installer.
  • Add debugging steps to verify the existence of the installer script:
script:
  - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" -o installer
  - cat installer
  - bash installer
  - ls -la /var/certs/
  • If the installer is empty or invalid, this points to a download issue.

2. Debug SECURE_FILES_DOWNLOAD_PATH

  • The SECURE_FILES_DOWNLOAD_PATH variable specifies where secure files are downloaded. Ensure the script respects this variable by adding debug logs:
script:
  - echo "SECURE_FILES_DOWNLOAD_PATH: $SECURE_FILES_DOWNLOAD_PATH"
  - ls -la $SECURE_FILES_DOWNLOAD_PATH
  • If /var/certs is empty, the issue might be:
    • Permissions: Ensure the GitLab Runner has permissions to write to /var/certs.
    • Incorrect variable usage in the installer script.

3. Validate the Downloaded File Path

  • The script may not store files in /var/certs. Secure files might instead be placed under the .secure_files directory.
  • Check both directories (/var/certs and .secure_files) for the key file:
script:
  - ls -la /var/certs/
  - ls -la .secure_files/

4. Explicitly Set and Verify Permissions

  • Since /var/certs might have restrictive permissions, set them explicitly:
script:
  - mkdir -p /var/certs
  - chmod 777 /var/certs
  - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
  - ls -la /var/certs/

5. Alternative Secure File Retrieval

If the download-secure-files script isn’t working as expected, consider manually echoing the key’s content into a file while preserving new lines:

script:
  - mkdir -p /var/certs
  - echo "$SIGNING_KEY" | base64 -d > /var/certs/signing.key
  - chmod 600 /var/certs/signing.key

For the above:

  • Store the Base64-encoded signing key in a CI variable (SIGNING_KEY).
  • Decode and save it during the pipeline execution.
  • This avoids relying on the download-secure-files script.

6. Debug Docker Runner Privileges

  • Your runner configuration uses the --docker-privileged flag, but ensure the runner has permissions to write to /var and interact with Docker securely.
  • Add debug commands to confirm runner capabilities:
script:
  - whoami
  - ls -ld /var
  - docker info

7. Use an Alternative Directory

If /var/certs isn’t writable or causes issues, you can set a different secure file path:

variables:
  SECURE_FILES_DOWNLOAD_PATH: '.secure_files'

Then adjust your script to reference .secure_files:

script:
  - ls -la .secure_files/
  - echo $SIGNING_KEY_PASSWORD | docker trust key load .secure_files/10505ee4d3913ea70a8d69e19df1a59dc5af99920f9ba4a1b11714b383da4a00.key --name gitlab

Next Steps

  1. Implement the debugging steps to locate where the downloaded file resides or if it’s downloaded at all.
  2. If the issue persists, consider replacing the download-secure-files script with a manual approach for secure key handling.

Let me know the results of these steps, and we can further refine the solution!
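As an added example (not code from the original post or from GitLab's download-secure-files installer), the checks from steps 3 and 5 above as shell helpers: one looks for the key file in both candidate directories, the other decodes a base64 CI variable into a 0600 file and verifies the PEM block still has its newlines. Function names, the `certs/` path and the placeholder key are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from GitLab's installer.
# Function and path names are assumptions; the sample key below is constructed.

# Look for key_name in the configured download path, then in the default
# .secure_files directory; print the path found, return 1 if it is absent.
find_secure_file() {
  key_name="$1"
  for dir in "${SECURE_FILES_DOWNLOAD_PATH:-.secure_files}" ".secure_files"; do
    if [ -f "$dir/$key_name" ]; then
      printf '%s\n' "$dir/$key_name"
      return 0
    fi
  done
  return 1
}

# Decode a base64 CI variable into a file with mode 0600 and verify that it is
# a multi-line PEM block (newlines intact), which docker trust key load needs.
# Returns 1 on decode/write failure, 2 on missing PEM markers, 3 if flattened.
write_key_from_var() {
  b64="$1"; out="$2"
  mkdir -p "$(dirname "$out")" || return 1
  (umask 077; printf '%s' "$b64" | base64 -d > "$out") || return 1
  chmod 600 "$out" || return 1
  head -n1 "$out" | grep -q '^-----BEGIN ' || return 2
  tail -n1 "$out" | grep -q '^-----END ' || return 2
  [ "$(wc -l < "$out")" -gt 2 ] || return 3
  return 0
}

# Demo: a constructed placeholder "key" (not real key material), round-tripped
# through base64 the way it would be stored in a CI variable.
demo() {
  tmp="$(mktemp -d)"
  sample='-----BEGIN EXAMPLE KEY-----
placeholder line one
placeholder line two
-----END EXAMPLE KEY-----'
  b64="$(printf '%s\n' "$sample" | base64 | tr -d '\n')"
  write_key_from_var "$b64" "$tmp/certs/signing.key" && echo "key written, newlines intact"
  SECURE_FILES_DOWNLOAD_PATH="$tmp/certs" find_secure_file signing.key
}
demo
```

A key that was flattened to one line (the echo problem from the question) fails the `-----END` and line-count checks, so the job stops before docker trust key load sees it.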