From 672ad68c646628372ea0a43e501f40624116f0d2 Mon Sep 17 00:00:00 2001
From: Richard van der Hoff
Date: Thu, 18 May 2017 18:58:50 +0100
Subject: [PATCH] release.sh: download the tarball from git to verify it
---
 release.sh | 60 ++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 47 insertions(+), 13 deletions(-)
diff --git a/release.sh b/release.sh
index cebeb0139..b92f3638d 100755
--- a/release.sh
+++ b/release.sh 
@@ -178,27 +178,61 @@ if [ $dodist -eq 0 ]; then
 done
 fi
-# push the release branch (github can't release from
-# a branch it doesn't have)
-git push origin "$rel_branch"
-
 if [ -n "$signing_id" ]; then
 # make a signed tag
 # gnupg seems to fail to get the right tty device unless we set it here
 GIT_COMMITTER_EMAIL="$signing_id" GPG_TTY=`tty` git tag -u "$signing_id" -F "${latest_changes}" "$tag"
-
- # also make a signature for the source tarball.
- project_name=`jq -r '.name' package.json`
- source_sigfile="${tag}-src.tar.gz.asc"
- git archive --format tgz --prefix="${project_name}-${release}/" "$tag" |
- gpg -u "$signing_id" --armor --output "$source_sigfile" --detach-sig
-
- assets="$assets -a $source_sigfile"
 else
 git tag -a -F "${latest_changes}" "$tag"
 fi
-# push the tag
-git push origin "$tag"
+# push the tag and the release branch
+git push origin "$rel_branch" "$tag"
+
+if [ -n "$signing_id" ]; then
+ # make a signature for the source tarball.
+ #
+ # github will make us a tarball from the tag - we want to create a
+ # signature for it, which means that first of all we need to check that
+ # it's correct.
+ #
+ # we can't deterministically build exactly the same tarball, due to
+ # differences in gzip implementation - but we *can* build the same tar - so
+ # the easiest way to check the validity of the tarball from git is to unzip
+ # it and compare it with our own idea of what the tar should look like.
+
+ # the name of the sig file we want to create
+ source_sigfile="${tag}-src.tar.gz.asc"
+
+ tarfile="$tag.tar.gz"
+ gh_project_url=$(git remote get-url origin |
+ sed -e 's#^git@github.com:#https://github.com/#' -e 's/\.git$//')
+ project_name="${gh_project_url##*/}"
+ curl -L "${gh_project_url}/archive/${tarfile}" -o "${tarfile}"
+
+ # unzip it and compare it with the tar we would generate
+ if ! cmp --silent <(gunzip -c $tarfile) \
+ <(git archive --format tar --prefix="${project_name}-${release}/" "$tag"); then
+
+ # we don't bail out here, because really it's more likely that our comparison
+ # screwed up and it's super annoying to abort the script at this point.
+ cat >&2 <