Merge pull request #462 from darko-poljak/signed-release

Make signed github releases.
This commit is contained in:
Nico Schottelius 2016-07-12 14:04:09 +09:00 committed by GitHub
commit 001232f0d7
3 changed files with 161 additions and 2 deletions

View file

@ -153,7 +153,81 @@ eof
fi
printf "Enter tag description for ${target_version}: "
read tagmessage
git tag "$target_version" -m "$$tagmessage"
# setup for signed tags:
# gpg --fulL-gen-key
# gpg --list-secret-keys --keyid-format LONG
# git config --local user.signingkey <id>
# for exporting pub key:
# gpg --armor --export <id> > pubkey.asc
# gpg --output pubkey.gpg --export <id>
# show tag with signature
# git show <tag>
# verify tag signature
# git tag -v <tag>
#
# gpg verify signature
# gpg --verify <asc-file> <file>
# gpg --no-default-keyring --keyring <pubkey.gpg> --verify <asc-file> <file>
#
git tag -s "$target_version" -m "$tagmessage"
git push --tags
;;
sign-git-release)
if [ $# -lt 2 ]
then
printf "usage: $0 sign-git-release TAG TOKEN [ARCHIVE]\n"
printf " if ARCHIVE is not specified then it is created\n"
exit 1
fi
tag="$1"
if ! git rev-parse -q --verify "${tag}" >/dev/null 2>&1
then
printf "Tag \"${tag}\" not found.\n"
exit 1
fi
token="$2"
if [ $# -ge 2 ]
then
archivename="$3"
else
archivename="cdist-${tag}.tar.gz"
git archive --prefix="cdist-${tag}" -o "${archivename}" "${tag}" \
|| exit 1
fi
gpg --armor --detach-sign "${archivename}" || exit 1
# make github release
curl -H "Authorization: token ${token}" \
--request POST \
--data "{ \"tag_name\":\"${tag}\", \
\"target_commitish\":\"master\", \
\"name\": \"${tag}\", \
\"body\":\"${tag}\", \
\"draft\":false, \
\"prerelease\": false}" \
"https://api.github.com/repos/ungleich/cdist/releases" || exit 1
# get release ID
repoid=$(curl "https://api.github.com/repos/ungleich/cdist/releases/tags/${tag}" \
|| python3 -c 'import json; import sys; print(json.loads(sys.stdin.read())["id"])') \
|| exit 1
curl -H "Authorization: token ${token}" \
-H "Accept: application/vnd.github.manifold-preview" \
-H "Content-Type: application/pgp-signature" \
--data-binary @${archivename}.asc \
"https://uploads.github.com/repos/ungleich/cdist/releases/${repoid}/assets?name=${archivename}.asc" \
|| exit 1
# remove generated files (archive and asc)
if [ $# -ge 2]
then
rm -f "${archivename}"
fi
rm -f "${archivename}.asc"
;;
release)
@ -219,6 +293,11 @@ eof
# Tag the current commit
"$0" release-git-tag
# sign git tag
printf "Enter github authentication token: "
read token
"$0" sign-git-release "${target_version}" "${token}"
# Also merge back the version branch
if [ "$masterbranch" = yes ]; then
git checkout master

View file

@ -188,7 +188,81 @@ eof
fi
printf "Enter tag description for ${target_version}: "
read tagmessage
git tag "$target_version" -m "$$tagmessage"
# setup for signed tags:
# gpg --fulL-gen-key
# gpg --list-secret-keys --keyid-format LONG
# git config --local user.signingkey <id>
# for exporting pub key:
# gpg --armor --export <id> > pubkey.asc
# gpg --output pubkey.gpg --export <id>
# show tag with signature
# git show <tag>
# verify tag signature
# git tag -v <tag>
#
# gpg verify signature
# gpg --verify <asc-file> <file>
# gpg --no-default-keyring --keyring <pubkey.gpg> --verify <asc-file> <file>
#
git tag -s "$target_version" -m "$tagmessage"
git push --tags
;;
sign-git-release)
if [ $# -lt 2 ]
then
printf "usage: $0 sign-git-release TAG TOKEN [ARCHIVE]\n"
printf " if ARCHIVE is not specified then it is created\n"
exit 1
fi
tag="$1"
if ! git rev-parse -q --verify "${tag}" >/dev/null 2>&1
then
printf "Tag \"${tag}\" not found.\n"
exit 1
fi
token="$2"
if [ $# -ge 2 ]
then
archivename="$3"
else
archivename="cdist-${tag}.tar.gz"
git archive --prefix="cdist-${tag}" -o "${archivename}" "${tag}" \
|| exit 1
fi
gpg --armor --detach-sign "${archivename}" || exit 1
# make github release
curl -H "Authorization: token ${token}" \
--request POST \
--data "{ \"tag_name\":\"${tag}\", \
\"target_commitish\":\"master\", \
\"name\": \"${tag}\", \
\"body\":\"${tag}\", \
\"draft\":false, \
\"prerelease\": false}" \
"https://api.github.com/repos/ungleich/cdist/releases" || exit 1
# get release ID
repoid=$(curl "https://api.github.com/repos/ungleich/cdist/releases/tags/${tag}" \
|| python3 -c 'import json; import sys; print(json.loads(sys.stdin.read())["id"])') \
|| exit 1
curl -H "Authorization: token ${token}" \
-H "Accept: application/vnd.github.manifold-preview" \
-H "Content-Type: application/pgp-signature" \
--data-binary @${archivename}.asc \
"https://uploads.github.com/repos/ungleich/cdist/releases/${repoid}/assets?name=${archivename}.asc" \
|| exit 1
# remove generated files (archive and asc)
if [ $# -ge 2]
then
rm -f "${archivename}"
fi
rm -f "${archivename}.asc"
;;
release)
@ -254,6 +328,11 @@ eof
# Tag the current commit
"$0" release-git-tag
# sign git tag
printf "Enter github authentication token: "
read token
"$0" sign-git-release "${target_version}" "${token}"
# Also merge back the version branch
if [ "$masterbranch" = yes ]; then
git checkout master

View file

@ -2,6 +2,7 @@ Changelog
---------
next:
* Build: Make github signed release (Darko Poljak)
* Core: Fix hostdir: use hash instead of target host (Steven Armstrong)
* Core: pep8 (Darko Poljak)
* Documentation: Restructure and fix and improve docs and manpages (Darko Poljak)