Copy ascii-armored PGP signature of jenkins.war to get.jenkins.io

Fixes jenkins-infra/helpdesk#4055 Since get.jenkins.io already includes the SHA-256 checksum file for the war file and it is copied to two destinations in this script, it seems like a good place to copy the ASCII-armored PGP signatures for the war at the same time. The sha256 file shows that the file downloaded by the user is the same file that was uploaded. The asc file shows that the uploaded file was signed by the Jenkins PGP signing key. Confirmed that the 2.456 asc matches the war file with: $ wget https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key $ gpg --import jenkins.io-2023.key $ wget https://get.jenkins.io/war/2.456/jenkins.war $ wget https://repo.jenkins-ci.org/artifactory/releases/org/jenkins-ci/main/jenkins-war/2.456/jenkins-war-2.456.war.asc $ mv jenkins-war-2.456.war.asc jenkins.war.asc $ gpg --verify jenkins.war.asc Confirmed that the script changes worked as expected with the following commands: MY_WORKDIR=$(mktemp -d) echo My work directory is $MY_WORKDIR AGENT_WORKDIR=${MY_WORKDIR}/agent-workdir SRCDIR=${MY_WORKDIR}/src-dir WARDIR=${MY_WORKDIR}/dest-war-dir WAR_WEBDIR=${MY_WORKDIR}/dest-war-webdir export AGENT_WORKDIR SRCDIR WARDIR WAR_WEBDIR mkdir -p ${AGENT_WORKDIR} ${SRCDIR} ${WARDIR} ${WAR_WEBDIR} ARTIFACTNAME=jenkins BASE=$(pwd) SSH_OPTS= VERSION=2.456 WAR=${SRCDIR}/jenkins.war WAR_SHASUM=${SRCDIR}/jenkins.war.sha256 export ARTIFACTNAME BASE VERSION SSH_OPTS WAR WAR_SHASUM PKGSERVER=localhost export PKGSERVER (cd $SRCDIR && wget https://get.jenkins.io/war/${VERSION}/jenkins.war) (cd $SRCDIR && wget https://get.jenkins.io/war/${VERSION}/jenkins.war.sha256) (cd $SRCDIR && wget https://repo.jenkins-ci.org/artifactory/releases/org/jenkins-ci/main/jenkins-war/${VERSION}/jenkins-war-${VERSION}.war.asc && mv jenkins-war-${VERSION}.war.asc jenkins.war.asc) echo "WARDIR contents before publish:" && ls ${WARDIR} echo bash -v war/publish/publish.sh echo "WARDIR contents after publish:" && ls ${WARDIR}/ echo "WARDIR/VERSION contents after publish:" && ls ${WARDIR}/${VERSION}/
MarkEWaite · Apr 30, 2024 · 7474c24 · 7474c24
1 parent c3f3424
commit 7474c24
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/war/publish/publish.sh b/war/publish/publish.sh
@@ -6,6 +6,7 @@ set -euxo pipefail
 : "${WAR:?Require Jenkins War file}"
 : "${WARDIR:? Require where to put binary files}"
 : "${WAR_WEBDIR:? Require where to put repository index and other web contents}"
+: "${JENKINS_ASC:=${WAR}.asc}"
 
 # $$ Contains current pid
 D="$AGENT_WORKDIR/$$"
@@ -60,6 +61,14 @@ function uploadPackage() {
 		--progress \
 		"${WAR_SHASUM}" "${WARDIR}/${VERSION}/"
 
+	rsync \
+		--compress \
+		--recursive \
+		--verbose \
+		--ignore-existing \
+		--progress \
+		"${JENKINS_ASC}" "${WARDIR}/${VERSION}/"
+
 	# Remote
 	rsync \
 		--archive \
@@ -78,6 +87,15 @@ function uploadPackage() {
 		--ignore-existing \
 		--progress \
 		"${WAR_SHASUM}" "$PKGSERVER:${WARDIR}/${VERSION}/"
+
+	rsync \
+		--archive \
+		--compress \
+		--verbose \
+		-e "ssh ${SSH_OPTS[*]}" \
+		--ignore-existing \
+		--progress \
+		"${JENKINS_ASC}" "$PKGSERVER:${WARDIR}/${VERSION}/"
 }
 
 # Site html need to be located in the binary directory