forked from adamlaska/runc
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathrelease_sign.sh
More file actions
executable file
·108 lines (94 loc) · 2.73 KB
/
release_sign.sh
File metadata and controls
executable file
·108 lines (94 loc) · 2.73 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
#!/bin/bash
# Copyright (C) 2017 SUSE LLC.
# Copyright (C) 2017-2021 Open Containers Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
project="runc"
root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
# Print usage information.
function usage() {
echo "usage: release_sign.sh [-S <gpg-key-id>] [-H <hashcmd>]" >&2
echo " [-r <release-dir>] [-v <version>]" >&2
exit 1
}
# Log something to stderr.
function log() {
echo "[*] $*" >&2
}
# Log something to stderr and then exit with 0.
function bail() {
log "$@"
exit 0
}
# Conduct a sanity-check to make sure that GPG provided with the given
# arguments can sign something. Inability to sign things is not a fatal error.
function gpg_cansign() {
gpg "$@" --clear-sign </dev/null >/dev/null
}
# When creating releases we need to build static binaries, an archive of the
# current commit, and generate detached signatures for both.
keyid=""
version=""
releasedir=""
hashcmd=""
while getopts "H:hr:S:v:" opt; do
case "$opt" in
H)
hashcmd="$OPTARG"
;;
h)
usage
;;
r)
releasedir="$OPTARG"
;;
S)
keyid="$OPTARG"
;;
v)
version="$OPTARG"
;;
:)
echo "Missing argument: -$OPTARG" >&2
usage
;;
\?)
echo "Invalid option: -$OPTARG" >&2
usage
;;
esac
done
version="${version:-$(<"$root/VERSION")}"
releasedir="${releasedir:-release/$version}"
hashcmd="${hashcmd:-sha256sum}"
log "signing $project release in '$releasedir'"
log " key: ${keyid:-DEFAULT}"
log " hash: $hashcmd"
# Make explicit what we're doing.
set -x
# Set up the gpgflags.
gpgflags=()
[[ "$keyid" ]] && gpgflags=(--default-key "$keyid")
gpg_cansign "${gpgflags[@]}" || bail "Could not find suitable GPG key, skipping signing step."
# Only needed for local signing -- change the owner since by default it's built
# inside a container which means it'll have the wrong owner and permissions.
[ -w "$releasedir" ] || sudo chown -R "$USER:$GROUP" "$releasedir"
# Sign everything.
for bin in "$releasedir/$project".*; do
[[ "$(basename "$bin")" == "$project.$hashcmd" ]] && continue # skip hash
gpg "${gpgflags[@]}" --detach-sign --armor "$bin"
done
gpg "${gpgflags[@]}" --clear-sign --armor \
--output "$releasedir/$project.$hashcmd"{.tmp,} &&
mv "$releasedir/$project.$hashcmd"{.tmp,}