Merge pull request #438 from matrix-org/rav/release_signing

Attempt to rework the release-tarball-signing stuff
2025-11-28 05:03:59 +03:00 · 2017-05-19 10:03:36 +01:00
parent 4ccec13739 672ad68c64
commit a3f45b466a
1 changed files with 47 additions and 13 deletions
--- a/release.sh
+++ b/release.sh
@@ -178,27 +178,61 @@ if [ $dodist -eq 0 ]; then
    done
 fi

-# push the release branch (github can't release from
-# a branch it doesn't have)
-git push origin "$rel_branch"
-
 if [ -n "$signing_id" ]; then
    # make a signed tag
    # gnupg seems to fail to get the right tty device unless we set it here
    GIT_COMMITTER_EMAIL="$signing_id" GPG_TTY=`tty` git tag -u "$signing_id" -F "${latest_changes}" "$tag"
-
-    # also make a signature for the source tarball.
-    project_name=`jq -r '.name' package.json`
-    source_sigfile="${tag}-src.tar.gz.asc"
-    git archive --format tgz --prefix="${project_name}-${release}/" "$tag" |
-        gpg -u "$signing_id" --armor --output "$source_sigfile" --detach-sig -
-    assets="$assets -a $source_sigfile"
 else
    git tag -a -F "${latest_changes}" "$tag"
 fi

-# push the tag
-git push origin "$tag"
+# push the tag and the release branch
+git push origin "$rel_branch" "$tag"
+
+if [ -n "$signing_id" ]; then
+    # make a signature for the source tarball.
+    #
+    # github will make us a tarball from the tag - we want to create a
+    # signature for it, which means that first of all we need to check that
+    # it's correct.
+    #
+    # we can't deterministically build exactly the same tarball, due to
+    # differences in gzip implementation - but we *can* build the same tar - so
+    # the easiest way to check the validity of the tarball from git is to unzip
+    # it and compare it with our own idea of what the tar should look like.
+
+    # the name of the sig file we want to create
+    source_sigfile="${tag}-src.tar.gz.asc"
+
+    tarfile="$tag.tar.gz"
+    gh_project_url=$(git remote get-url origin |
+                            sed -e 's#^git@github.com:#https://github.com/#' -e 's/\.git$//')
+    project_name="${gh_project_url##*/}"
+    curl -L "${gh_project_url}/archive/${tarfile}" -o "${tarfile}"
+
+    # unzip it and compare it with the tar we would generate
+    if ! cmp --silent <(gunzip -c $tarfile) \
+         <(git archive --format tar --prefix="${project_name}-${release}/" "$tag"); then
+
+        # we don't bail out here, because really it's more likely that our comparison
+        # screwed up and it's super annoying to abort the script at this point.
+        cat >&2 <<EOF
+!!!!!!!!!!!!!!!!!
+!!!! WARNING !!!!
+
+Mismatch between our own tarfile and that generated by github: not signing
+source tarball.
+
+To resolve, determine if $tarfile is correct, and if so sign it with gpg and
+attach it to the release as $source_sigfile.
+
+!!!!!!!!!!!!!!!!!
+EOF
+    else
+        gpg -u "$signing_id" --armor --output "$source_sigfile" --detach-sig "$tarfile"
+        assets="$assets -a $source_sigfile"
+    fi
+fi

 hubflags=''
 if [ $prerelease -eq 1 ]; then