From 17de2d9b7994d56eecdb179e897ad68c4dcb0ee5 Mon Sep 17 00:00:00 2001 From: Darko Poljak Date: Sun, 10 Jul 2016 21:17:42 +0200 Subject: [PATCH 1/4] Make signed github releases. --- bin/build-helper | 70 +++++++++++++++++++++++++++++++++++++++- bin/build-helper.freebsd | 70 +++++++++++++++++++++++++++++++++++++++- docs/changelog | 1 + 3 files changed, 139 insertions(+), 2 deletions(-) diff --git a/bin/build-helper b/bin/build-helper index b2d3b66e..b370d5af 100755 --- a/bin/build-helper +++ b/bin/build-helper 
@@ -153,7 +153,70 @@ eof fi printf "Enter tag description for ${target_version}: " read tagmessage - git tag "$target_version" -m "$$tagmessage" + + # setup for signed tags: + # gpg --fulL-gen-key + # gpg --list-secret-keys --keyid-format LONG + # git config --local user.signingkey + # for exporting pub key: + # gpg --armor --export > pubkey.asc + # gpg --output pubkey.gpg --export + # show tag with signature + # git show + # verify tag signature + # git tag -v + # + # gpg verify signature + # gpg --verify + # gpg --no-default-keyring --keyring --verify + # + + git tag -s "$target_version" -m "$tagmessage" + git push --tags + ;; + + sign-git-tag) + if [ $# -lt 3 ] + then + printf "usage: $0 sign-git-tag TAG AUTHTOKEN\n" + exit 1 + fi + tag="$2" + if ! git rev-parse -q --verify "${tag}" >/dev/null 2>&1 + printf "Tag \"${tag}\" not found.\n" + exit 1 + fi + token="$3" + archivename="cdist-${tag}.tar.gz" + git archive --prefix="cdist-${tag}" -o "${archivename}" "${tag}" \ + || exit 1 + gpg --armor --detach-sign "${archivename}" || exit 1 + + # make github release + curl -H "Authorization: token ${token}" \ + --request POST \ + --data "{ \"tag_name\":\"${tag}\", \ + \"target_commitish\":\"master\", \ + \"name\": \"${tag}\", \ + \"body\":\"${tag}\", \ + \"draft\":false, \ + \"prerelease\": false}" \ + "https://api.github.com/repos/ungleich/cdist/releases" || exit 1 + + # get release ID + repoid=$(curl "https://api.github.com/repos/ungleich/cdist/releases/tags/${tag}" \ + || python3 -c 'import json; import sys; print(json.loads(sys.stdin.read())["id"])') \ + || exit 1 + + curl -H "Authorization: token ${token}" \ + -H "Accept: application/vnd.github.manifold-preview" \ + -H "Content-Type: application/pgp-signature" \ + --data-binary @${archivename}.asc \ + "https://uploads.github.com/repos/ungleich/cdist/releases/${repoid}/assets?name=${archivename}.asc" \ + || exit 1 + + # remove generated files (archive and asc) + rm -f "${archivename}" "${archivename}.asc" ;; release) 
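Review bot: The release-ID lookup in this hunk never parses the JSON: `repoid=$(curl URL || python3 -c ...)` runs python3 only when curl fails, so on success `repoid` holds the whole response body and the asset-upload URL built from it is garbage; the intended form is a pipe, `repoid=$(curl -sf "https://api.github.com/repos/ungleich/cdist/releases/tags/${tag}" | python3 -c 'import json; import sys; print(json.loads(sys.stdin.read())["id"])') || exit 1`. The curl calls that create the release and upload the `.asc` also lack `-f`/`--fail`, so an HTTP 4xx/5xx exits 0 and the `|| exit 1` guards never fire. Passing the secret as `-H "Authorization: token ${token}"` puts it on curl's argv, where any local user can read it from the process table for the duration of the request; prefer `-H @file` or `--config` with a `mktemp`'d file removed by `trap`, and quote `--data-binary "@${archivename}.asc"`. The setup comment's `--fulL-gen-key` should read `--full-gen-key`. The same code is added in the bin/build-helper.freebsd hunk @@ -188,7 +188,70 @@.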
@@ -219,6 +282,11 @@ eof # Tag the current commit "$0" release-git-tag + # sign git tag + printf "Enter github authentication token: " + read token + "$0" sign-git-tag "${target_version}" "${token}" + # Also merge back the version branch if [ "$masterbranch" = yes ]; then git checkout master diff --git a/bin/build-helper.freebsd b/bin/build-helper.freebsd index 4c30575a..a1e9221e 100755 --- a/bin/build-helper.freebsd +++ b/bin/build-helper.freebsd 
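Review bot: `read token` on the new lines echoes the GitHub token to the terminal and then hands it to the child as a positional argument in `"$0" sign-git-tag "${target_version}" "${token}"`, so it sits in the process table for the whole sub-run and shows up in any `set -x` tracing; disable echo while reading (`stty -echo; read -r token; stty echo; printf '\n'`) and pass the token to the `sign-git-tag` arm through an environment variable rather than argv. The `read` also lacks `-r`, so a backslash in the token would be mangled. The same lines are added in the bin/build-helper.freebsd hunk @@ -254,6 +317,11 @@. The enclosing `release)` arm starts before this hunk.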
@@ -188,7 +188,70 @@ eof fi printf "Enter tag description for ${target_version}: " read tagmessage - git tag "$target_version" -m "$$tagmessage" + + # setup for signed tags: + # gpg --fulL-gen-key + # gpg --list-secret-keys --keyid-format LONG + # git config --local user.signingkey + # for exporting pub key: + # gpg --armor --export > pubkey.asc + # gpg --output pubkey.gpg --export + # show tag with signature + # git show + # verify tag signature + # git tag -v + # + # gpg verify signature + # gpg --verify + # gpg --no-default-keyring --keyring --verify + # + + git tag -s "$target_version" -m "$tagmessage" + git push --tags + ;; + + sign-git-tag) + if [ $# -lt 3 ] + then + printf "usage: $0 sign-git-tag TAG TOKEN\n" + exit 1 + fi + tag="$2" + if ! git rev-parse -q --verify "${tag}" >/dev/null 2>&1 + printf "Tag \"${tag}\" not found.\n" + exit 1 + fi + token="$3" + archivename="cdist-${tag}.tar.gz" + git archive --prefix="cdist-${tag}" -o "${archivename}" "${tag}" \ + || exit 1 + gpg --armor --detach-sign "${archivename}" || exit 1 + + # make github release + curl -H "Authorization: token ${token}" \ + --request POST \ + --data "{ \"tag_name\":\"${tag}\", \ + \"target_commitish\":\"master\", \ + \"name\": \"${tag}\", \ + \"body\":\"${tag}\", \ + \"draft\":false, \ + \"prerelease\": false}" \ + "https://api.github.com/repos/ungleich/cdist/releases" || exit 1 + + # get release ID + repoid=$(curl "https://api.github.com/repos/ungleich/cdist/releases/tags/${tag}" \ + || python3 -c 'import json; import sys; print(json.loads(sys.stdin.read())["id"])') \ + || exit 1 + + curl -H "Authorization: token ${token}" \ + -H "Accept: application/vnd.github.manifold-preview" \ + -H "Content-Type: application/pgp-signature" \ + --data-binary @${archivename}.asc \ + "https://uploads.github.com/repos/ungleich/cdist/releases/${repoid}/assets?name=${archivename}.asc" \ + || exit 1 + + # remove generated files (archive and asc) + rm -f "${archivename}" "${archivename}.asc" ;; release) 
@@ -254,6 +317,11 @@ eof # Tag the current commit "$0" release-git-tag + # sign git tag + printf "Enter github authentication token: " + read token + "$0" sign-git-tag "${target_version}" "${token}" + # Also merge back the version branch if [ "$masterbranch" = yes ]; then git checkout master diff --git a/docs/changelog b/docs/changelog index a5b1a6c3..61574133 100644 --- a/docs/changelog +++ b/docs/changelog @@ -2,6 +2,7 @@ Changelog --------- next: + * Build: Make github signed release (Darko Poljak) * Core: pep8 (Darko Poljak) * Documentation: Restructure and fix and improve docs and manpages (Darko Poljak) * Core: Add files directory for static files (Darko Poljak) From 92868500980c7edca6981d1d6ed7d4497d3c247e Mon Sep 17 00:00:00 2001 From: Darko Poljak Date: Sun, 10 Jul 2016 21:44:57 +0200 Subject: [PATCH 2/4] Fix syntax error. --- bin/build-helper | 1 + bin/build-helper.freebsd | 1 + 2 files changed, 2 insertions(+) diff --git a/bin/build-helper b/bin/build-helper index b370d5af..6a70b7f3 100755 --- a/bin/build-helper +++ b/bin/build-helper @@ -183,6 +183,7 @@ eof fi tag="$2" if ! git rev-parse -q --verify "${tag}" >/dev/null 2>&1 + then printf "Tag \"${tag}\" not found.\n" exit 1 fi diff --git a/bin/build-helper.freebsd b/bin/build-helper.freebsd index a1e9221e..f1a4af73 100755 --- a/bin/build-helper.freebsd +++ b/bin/build-helper.freebsd @@ -218,6 +218,7 @@ eof fi tag="$2" if ! git rev-parse -q --verify "${tag}" >/dev/null 2>&1 + then printf "Tag \"${tag}\" not found.\n" exit 1 fi From 317622678a23478ceb8c8cc8dd1d5915489f843f Mon Sep 17 00:00:00 2001 From: Darko Poljak Date: Mon, 11 Jul 2016 08:19:10 +0200 Subject: [PATCH 3/4] Add build-helper param for existing archive for sign-git-tag target. --- bin/build-helper | 26 ++++++++++++++++++-------- bin/build-helper.freebsd | 26 ++++++++++++++++++-------- 2 files changed, 36 insertions(+), 16 deletions(-) diff --git a/bin/build-helper b/bin/build-helper index 6a70b7f3..c96cfe6e 100755 --- a/bin/build-helper 
+++ b/bin/build-helper @@ -176,21 +176,27 @@ eof ;; sign-git-tag) - if [ $# -lt 3 ] + if [ $# -lt 2 ] then - printf "usage: $0 sign-git-tag TAG AUTHTOKEN\n" + printf "usage: $0 sign-git-tag TAG TOKEN [ARCHIVE]\n" + printf " if ARCHIVE is not specified then it is created\n" exit 1 fi - tag="$2" + tag="$1" if ! git rev-parse -q --verify "${tag}" >/dev/null 2>&1 then printf "Tag \"${tag}\" not found.\n" exit 1 fi - token="$3" - archivename="cdist-${tag}.tar.gz" - git archive --prefix="cdist-${tag}" -o "${archivename}" "${tag}" \ - || exit 1 + token="$2" + if [ $# -ge 2 ] + then + archivename="$3" + else + archivename="cdist-${tag}.tar.gz" + git archive --prefix="cdist-${tag}" -o "${archivename}" "${tag}" \ + || exit 1 + fi gpg --armor --detach-sign "${archivename}" || exit 1 # make github release @@ -217,7 +223,11 @@ eof || exit 1 # remove generated files (archive and asc) - rm -f "${archivename}" "${archivename}.asc" + if [ $# -ge 2] + then + rm -f "${archivename}" + fi + rm -f "${archivename}.asc" ;; release) diff --git a/bin/build-helper.freebsd b/bin/build-helper.freebsd index f1a4af73..786fa158 100755 --- a/bin/build-helper.freebsd +++ b/bin/build-helper.freebsd @@ -211,21 +211,27 @@ eof ;; sign-git-tag) - if [ $# -lt 3 ] + if [ $# -lt 2 ] then - printf "usage: $0 sign-git-tag TAG TOKEN\n" + printf "usage: $0 sign-git-tag TAG TOKEN [ARCHIVE]\n" + printf " if ARCHIVE is not specified then it is created\n" exit 1 fi - tag="$2" + tag="$1" if ! git rev-parse -q --verify "${tag}" >/dev/null 2>&1 then printf "Tag \"${tag}\" not found.\n" exit 1 fi - token="$3" - archivename="cdist-${tag}.tar.gz" - git archive --prefix="cdist-${tag}" -o "${archivename}" "${tag}" \ - || exit 1 + token="$2" + if [ $# -ge 2 ] + then + archivename="$3" + else + archivename="cdist-${tag}.tar.gz" + git archive --prefix="cdist-${tag}" -o "${archivename}" "${tag}" \ + || exit 1 + fi gpg --armor --detach-sign "${archivename}" || exit 1 # make github release 
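Review bot: In the @@ -176,21 +176,27 @@ hunk the new `if [ $# -ge 2 ]` is always true once the usage guard (`$# -lt 2`) has passed, so the `else` branch that runs `git archive` is unreachable and, with no ARCHIVE argument, `archivename` becomes the empty `$3` that `gpg --detach-sign` then fails on; the test should be `if [ $# -ge 3 ]`. The hunk also switches to `tag="$1"` and `token="$2"` while the `release)` arm added in the first patch of this series still invokes `"$0" sign-git-tag TAG TOKEN`, so unless a `shift` outside this hunk drops the target name, `$1` is the literal string `sign-git-tag` and the `git rev-parse` check rejects it; please confirm the argument handling at the top of the `case`. The `sign-git-tag)` arm continues past the end of the hunk. The same changes appear in the bin/build-helper.freebsd hunk @@ -211,21 +211,27 @@.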
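Review bot: In the @@ -217,7 +223,11 @@ hunk the new cleanup test `if [ $# -ge 2]` is missing the space before `]`, so `[` reports a missing `]` and the branch errors out as written; and even with the space the condition is wrong, because after the `$# -lt 2` guard it is always true, so a caller-supplied ARCHIVE is deleted as well, the opposite of what the "remove generated files" comment intends. The branch should delete only the archive the script itself created: `if [ $# -lt 3 ]`. The same hunk appears in bin/build-helper.freebsd @@ -252,7 +258,11 @@. The enclosing `sign-git-tag)` arm starts before the hunk.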
@@ -252,7 +258,11 @@ eof || exit 1 # remove generated files (archive and asc) - rm -f "${archivename}" "${archivename}.asc" + if [ $# -ge 2] + then + rm -f "${archivename}" + fi + rm -f "${archivename}.asc" ;; release) From f10ffed4c624b8b9094d1c0321ae1ce5ba082fb3 Mon Sep 17 00:00:00 2001 From: Darko Poljak Date: Mon, 11 Jul 2016 12:28:22 +0200 Subject: [PATCH 4/4] sign-git-tag -> sign-git-release --- bin/build-helper | 6 +++--- bin/build-helper.freebsd | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/bin/build-helper b/bin/build-helper index c96cfe6e..f9b21d76 100755 --- a/bin/build-helper +++ b/bin/build-helper @@ -175,10 +175,10 @@ eof git push --tags ;; - sign-git-tag) + sign-git-release) if [ $# -lt 2 ] then - printf "usage: $0 sign-git-tag TAG TOKEN [ARCHIVE]\n" + printf "usage: $0 sign-git-release TAG TOKEN [ARCHIVE]\n" printf " if ARCHIVE is not specified then it is created\n" exit 1 fi @@ -296,7 +296,7 @@ eof # sign git tag printf "Enter github authentication token: " read token - "$0" sign-git-tag "${target_version}" "${token}" + "$0" sign-git-release "${target_version}" "${token}" # Also merge back the version branch if [ "$masterbranch" = yes ]; then diff --git a/bin/build-helper.freebsd b/bin/build-helper.freebsd index 786fa158..61a095cb 100755 --- a/bin/build-helper.freebsd +++ b/bin/build-helper.freebsd @@ -210,10 +210,10 @@ eof git push --tags ;; - sign-git-tag) + sign-git-release) if [ $# -lt 2 ] then - printf "usage: $0 sign-git-tag TAG TOKEN [ARCHIVE]\n" + printf "usage: $0 sign-git-release TAG TOKEN [ARCHIVE]\n" printf " if ARCHIVE is not specified then it is created\n" exit 1 fi @@ -331,7 +331,7 @@ eof # sign git tag printf "Enter github authentication token: " read token - "$0" sign-git-tag "${target_version}" "${token}" + "$0" sign-git-release "${target_version}" "${token}" # Also merge back the version branch if [ "$masterbranch" = yes ]; then