
Merge pull request #438 from matrix-org/rav/release_signing

Attempt to rework the release-tarball-signing stuff
This commit is contained in:
David Baker
2017-05-19 10:03:36 +01:00
committed by GitHub


@@ -178,27 +178,61 @@ if [ $dodist -eq 0 ]; then
done done
fi fi
# push the release branch (github can't release from
# a branch it doesn't have)
git push origin "$rel_branch"
if [ -n "$signing_id" ]; then if [ -n "$signing_id" ]; then
# make a signed tag # make a signed tag
# gnupg seems to fail to get the right tty device unless we set it here # gnupg seems to fail to get the right tty device unless we set it here
GIT_COMMITTER_EMAIL="$signing_id" GPG_TTY=`tty` git tag -u "$signing_id" -F "${latest_changes}" "$tag" GIT_COMMITTER_EMAIL="$signing_id" GPG_TTY=`tty` git tag -u "$signing_id" -F "${latest_changes}" "$tag"
# also make a signature for the source tarball.
project_name=`jq -r '.name' package.json`
source_sigfile="${tag}-src.tar.gz.asc"
git archive --format tgz --prefix="${project_name}-${release}/" "$tag" |
gpg -u "$signing_id" --armor --output "$source_sigfile" --detach-sig -
assets="$assets -a $source_sigfile"
else else
git tag -a -F "${latest_changes}" "$tag" git tag -a -F "${latest_changes}" "$tag"
fi fi
# push the tag # push the tag and the release branch
git push origin "$tag" git push origin "$rel_branch" "$tag"
if [ -n "$signing_id" ]; then
# make a signature for the source tarball.
#
# github will make us a tarball from the tag - we want to create a
# signature for it, which means that first of all we need to check that
# it's correct.
#
# we can't deterministically build exactly the same tarball, due to
# differences in gzip implementation - but we *can* build the same tar - so
# the easiest way to check the validity of the tarball from git is to unzip
# it and compare it with our own idea of what the tar should look like.
# the name of the sig file we want to create
source_sigfile="${tag}-src.tar.gz.asc"
tarfile="$tag.tar.gz"
gh_project_url=$(git remote get-url origin |
sed -e 's#^git@github.com:#https://github.com/#' -e 's/\.git$//')
project_name="${gh_project_url##*/}"
curl -L "${gh_project_url}/archive/${tarfile}" -o "${tarfile}"
# unzip it and compare it with the tar we would generate
if ! cmp --silent <(gunzip -c $tarfile) \
<(git archive --format tar --prefix="${project_name}-${release}/" "$tag"); then
# we don't bail out here, because really it's more likely that our comparison
# screwed up and it's super annoying to abort the script at this point.
cat >&2 <<EOF
!!!!!!!!!!!!!!!!!
!!!! WARNING !!!!
Mismatch between our own tarfile and that generated by github: not signing
source tarball.
To resolve, determine if $tarfile is correct, and if so sign it with gpg and
attach it to the release as $source_sigfile.
!!!!!!!!!!!!!!!!!
EOF
else
gpg -u "$signing_id" --armor --output "$source_sigfile" --detach-sig "$tarfile"
assets="$assets -a $source_sigfile"
fi
fi
hubflags='' hubflags=''
if [ $prerelease -eq 1 ]; then if [ $prerelease -eq 1 ]; then