From 17de2d9b7994d56eecdb179e897ad68c4dcb0ee5 Mon Sep 17 00:00:00 2001
From: Darko Poljak
Date: Sun, 10 Jul 2016 21:17:42 +0200
Subject: [PATCH] Make signed github releases.
---
 bin/build-helper | 70 +++++++++++++++++++++++++++++++++++++++-
 bin/build-helper.freebsd | 70 +++++++++++++++++++++++++++++++++++++++-
 docs/changelog | 1 +
 3 files changed, 139 insertions(+), 2 deletions(-)
diff --git a/bin/build-helper b/bin/build-helper
index b2d3b66e..b370d5af 100755
--- a/bin/build-helper
+++ b/bin/build-helper
@@ -153,7 +153,70 @@ eof
 fi
 printf "Enter tag description for ${target_version}: "
 read tagmessage
- git tag "$target_version" -m "$$tagmessage"
+
+ # setup for signed tags:
+ # gpg --fulL-gen-key
+ # gpg --list-secret-keys --keyid-format LONG
+ # git config --local user.signingkey
+ # for exporting pub key:
+ # gpg --armor --export > pubkey.asc
+ # gpg --output pubkey.gpg --export
+ # show tag with signature
+ # git show
+ # verify tag signature
+ # git tag -v
+ #
+ # gpg verify signature
+ # gpg --verify
+ # gpg --no-default-keyring --keyring --verify
+ #
+
+ git tag -s "$target_version" -m "$tagmessage"
+ git push --tags
+ ;;
+
+ sign-git-tag)
+ if [ $# -lt 3 ]
+ then
+ printf "usage: $0 sign-git-tag TAG AUTHTOKEN\n"
+ exit 1
+ fi
+ tag="$2"
+ if ! git rev-parse -q --verify "${tag}" >/dev/null 2>&1
+ printf "Tag \"${tag}\" not found.\n"
+ exit 1
+ fi
+ token="$3"
+ archivename="cdist-${tag}.tar.gz"
+ git archive --prefix="cdist-${tag}" -o "${archivename}" "${tag}" \
+ || exit 1
+ gpg --armor --detach-sign "${archivename}" || exit 1
+
+ # make github release
+ curl -H "Authorization: token ${token}" \
+ --request POST \
+ --data "{ \"tag_name\":\"${tag}\", \
+ \"target_commitish\":\"master\", \
+ \"name\": \"${tag}\", \
+ \"body\":\"${tag}\", \
+ \"draft\":false, \
+ \"prerelease\": false}" \
+ "https://api.github.com/repos/ungleich/cdist/releases" || exit 1
+
+ # get release ID
+ repoid=$(curl "https://api.github.com/repos/ungleich/cdist/releases/tags/${tag}" \
+ || python3 -c 'import json; import sys; print(json.loads(sys.stdin.read())["id"])') \
+ || exit 1
+
+ curl -H "Authorization: token ${token}" \
+ -H "Accept: application/vnd.github.manifold-preview" \
+ -H "Content-Type: application/pgp-signature" \
+ --data-binary @${archivename}.asc \
+ "https://uploads.github.com/repos/ungleich/cdist/releases/${repoid}/assets?name=${archivename}.asc" \
+ || exit 1
+
+ # remove generated files (archive and asc)
+ rm -f "${archivename}" "${archivename}.asc"
 ;;
 
 release)
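Review bot: The new `sign-git-tag` arm is missing `then` after `if ! git rev-parse -q --verify "${tag}" >/dev/null 2>&1`, which is a parse error; since it sits inside the enclosing `case`, the shell most likely rejects the whole script when it reads that compound command, not just this arm. A few lines further, `repoid=$(curl … || python3 -c …)` joins the two commands with `||` instead of `|`, so the response body is never fed to the JSON parser and `repoid` receives the raw body (which then lands in the upload URL), and none of the `curl` calls pass `-f`, so an HTTP error status from the API still exits 0 and the `|| exit 1` guards never fire. Only `${archivename}.asc` is uploaded while the signed tarball is deleted by the closing `rm -f`, so a downloader has nothing the detached signature verifies against — GitHub's auto-generated source tarball is not guaranteed to be byte-identical to the local `git archive` output, whose `--prefix="cdist-${tag}"` also lacks the trailing slash that git-archive expects (the prefix is prepended verbatim to each entry name). Uploading the archive next to its `.asc` gives verifiers exactly the bytes that were signed. The first hunk of bin/build-helper.freebsd duplicates this arm and shares all of these defects.
```sh
        tag="$2"
        if ! git rev-parse -q --verify "${tag}" >/dev/null 2>&1
        then
            printf 'Tag "%s" not found.\n' "${tag}"
            exit 1
        fi
        token="$3"
        archivename="cdist-${tag}.tar.gz"
        # git archive prepends the prefix verbatim, so the slash is needed
        git archive --prefix="cdist-${tag}/" -o "${archivename}" "${tag}" \
            || exit 1
        # … unchanged: gpg --armor --detach-sign …

        # make github release; -f turns an HTTP error status into a non-zero exit
        curl -f -H "Authorization: token ${token}" \
        # … unchanged: --request POST, --data JSON body, releases URL, || exit 1 …

        # get release ID: pipe (not ||) the response into the JSON parser
        repoid=$(curl -f "https://api.github.com/repos/ungleich/cdist/releases/tags/${tag}" \
            | python3 -c 'import json; import sys; print(json.loads(sys.stdin.read())["id"])') \
            || exit 1

        # upload the archive that was signed together with its detached signature
        for asset in "${archivename}" "${archivename}.asc"
        do
            curl -f -H "Authorization: token ${token}" \
                -H "Accept: application/vnd.github.manifold-preview" \
                -H "Content-Type: application/octet-stream" \
                --data-binary @"${asset}" \
                "https://uploads.github.com/repos/ungleich/cdist/releases/${repoid}/assets?name=${asset}" \
                || exit 1
        done
        # … unchanged: rm -f cleanup …
```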
@@ -219,6 +282,11 @@ eof # Tag the current commit "$0" release-git-tag + # sign git tag + printf "Enter github authentication token: " + read token + "$0" sign-git-tag "${target_version}" "${token}" + # Also merge back the version branch if [ "$masterbranch" = yes ]; then git checkout master diff --git a/bin/build-helper.freebsd b/bin/build-helper.freebsd index 4c30575a..a1e9221e 100755 --- a/bin/build-helper.freebsd +++ b/bin/build-helper.freebsd 
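Review bot: `read token` takes the GitHub token from the terminal with echo on and without `-r`, and `"$0" sign-git-tag "${target_version}" "${token}"` then passes it as a command-line argument, where every local user can read it through `ps` for as long as the child runs; the `curl -H "Authorization: token ${token}"` lines in the sign-git-tag arm expose it the same way. Hand the secret over through the environment or a file instead of argv, e.g. read it with echo disabled (`stty -echo; read -r token; stty echo`) and call `GITHUB_TOKEN="${token}" "$0" sign-git-tag "${target_version}"`, with the arm reading `${GITHUB_TOKEN:?}` and giving curl its header via a config file (`curl -K`) rather than `-H`. The second hunk of bin/build-helper.freebsd adds the same lines and needs the same change. The enclosing `release` arm starts and ends outside this hunk.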
@@ -188,7 +188,70 @@ eof
 fi
 printf "Enter tag description for ${target_version}: "
 read tagmessage
- git tag "$target_version" -m "$$tagmessage"
+
+ # setup for signed tags:
+ # gpg --fulL-gen-key
+ # gpg --list-secret-keys --keyid-format LONG
+ # git config --local user.signingkey
+ # for exporting pub key:
+ # gpg --armor --export > pubkey.asc
+ # gpg --output pubkey.gpg --export
+ # show tag with signature
+ # git show
+ # verify tag signature
+ # git tag -v
+ #
+ # gpg verify signature
+ # gpg --verify
+ # gpg --no-default-keyring --keyring --verify
+ #
+
+ git tag -s "$target_version" -m "$tagmessage"
+ git push --tags
+ ;;
+
+ sign-git-tag)
+ if [ $# -lt 3 ]
+ then
+ printf "usage: $0 sign-git-tag TAG TOKEN\n"
+ exit 1
+ fi
+ tag="$2"
+ if ! git rev-parse -q --verify "${tag}" >/dev/null 2>&1
+ printf "Tag \"${tag}\" not found.\n"
+ exit 1
+ fi
+ token="$3"
+ archivename="cdist-${tag}.tar.gz"
+ git archive --prefix="cdist-${tag}" -o "${archivename}" "${tag}" \
+ || exit 1
+ gpg --armor --detach-sign "${archivename}" || exit 1
+
+ # make github release
+ curl -H "Authorization: token ${token}" \
+ --request POST \
+ --data "{ \"tag_name\":\"${tag}\", \
+ \"target_commitish\":\"master\", \
+ \"name\": \"${tag}\", \
+ \"body\":\"${tag}\", \
+ \"draft\":false, \
+ \"prerelease\": false}" \
+ "https://api.github.com/repos/ungleich/cdist/releases" || exit 1
+
+ # get release ID
+ repoid=$(curl "https://api.github.com/repos/ungleich/cdist/releases/tags/${tag}" \
+ || python3 -c 'import json; import sys; print(json.loads(sys.stdin.read())["id"])') \
+ || exit 1
+
+ curl -H "Authorization: token ${token}" \
+ -H "Accept: application/vnd.github.manifold-preview" \
+ -H "Content-Type: application/pgp-signature" \
+ --data-binary @${archivename}.asc \
+ "https://uploads.github.com/repos/ungleich/cdist/releases/${repoid}/assets?name=${archivename}.asc" \
+ || exit 1
+
+ # remove generated files (archive and asc)
+ rm -f "${archivename}" "${archivename}.asc"
 ;;
 
 release)
@@ -254,6 +317,11 @@ eof # Tag the current commit "$0" release-git-tag + # sign git tag + printf "Enter github authentication token: " + read token + "$0" sign-git-tag "${target_version}" "${token}" + # Also merge back the version branch if [ "$masterbranch" = yes ]; then git checkout master diff --git a/docs/changelog b/docs/changelog index a5b1a6c3..61574133 100644 --- a/docs/changelog +++ b/docs/changelog @@ -2,6 +2,7 @@ Changelog --------- next: + * Build: Make github signed release (Darko Poljak) * Core: pep8 (Darko Poljak) * Documentation: Restructure and fix and improve docs and manpages (Darko Poljak) * Core: Add files directory for static files (Darko Poljak)