Add better error handling around release signatures (#6353)

* Better error handling around sig after offline-sig * Add error handling around first sig with git. * Don't fail if offline-sig fails.
certbot · Sep 11, 2018 · 251355c · 251355c
1 parent 85a859d
commit 251355c
Showing 1 changed file with 15 additions and 13 deletions.
diff --git a/tools/_release.sh b/tools/_release.sh
@@ -15,8 +15,7 @@ RELEASE_BRANCH="candidate-$version"
 if [ "$RELEASE_OPENSSL_PUBKEY" = "" ] ; then
     RELEASE_OPENSSL_PUBKEY="`realpath \`dirname $0\``/eff-pubkey.pem"
 fi
-DEFAULT_GPG_KEY="A2CFB51FA275A7286234E7B24D17C995CD9775F2"
-RELEASE_GPG_KEY=${RELEASE_GPG_KEY:-"$DEFAULT_GPG_KEY"}
+RELEASE_GPG_KEY=${RELEASE_GPG_KEY:-A2CFB51FA275A7286234E7B24D17C995CD9775F2}
 # Needed to fix problems with git signatures and pinentry
 export GPG_TTY=$(tty)
 
@@ -185,29 +184,27 @@ fi
 letsencrypt-auto-source/build.py
 
 # and that it's signed correctly
-tools/offline-sigrequest.sh
+tools/offline-sigrequest.sh || true
 while ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \
         letsencrypt-auto-source/letsencrypt-auto.sig \
         letsencrypt-auto-source/letsencrypt-auto            ; do
     echo "The signature on letsencrypt-auto is not correct."
     read -p "Would you like this script to try and sign it again [Y/n]?" response
     case $response in
       [yY][eE][sS]|[yY]|"")
-        tools/offline-sigrequest.sh;;
+        tools/offline-sigrequest.sh || true;;
       *)
         ;;
     esac
 done
 
-if [ "$RELEASE_GPG_KEY" = "$DEFAULT_GPG_KEY" ]; then
-    while ! gpg2 --card-status >/dev/null 2>&1; do
-        echo gpg cannot find your OpenPGP card
-        read -p "Please take the card out and put it back in again."
-    done
-fi
-
 # This signature is not quite as strong, but easier for people to verify out of band
-gpg2 -u "$RELEASE_GPG_KEY" --detach-sign --armor --sign --digest-algo sha256 letsencrypt-auto-source/letsencrypt-auto
+while ! gpg2 -u "$RELEASE_GPG_KEY" --detach-sign --armor --sign --digest-algo sha256 letsencrypt-auto-source/letsencrypt-auto; do
+    echo "Unable to sign letsencrypt-auto using $RELEASE_KEY."
+    echo "Make sure your OpenPGP card is in your computer if you are using one."
+    echo "You may need to take the card out and put it back in again."
+    read -p "Press enter to try signing again."
+done
 # We can't rename the openssl letsencrypt-auto.sig for compatibility reasons,
 # but we can use the right name for certbot-auto.asc from day one
 mv letsencrypt-auto-source/letsencrypt-auto.asc letsencrypt-auto-source/certbot-auto.asc
@@ -218,7 +215,12 @@ cp -p letsencrypt-auto-source/letsencrypt-auto letsencrypt-auto
 
 git add certbot-auto letsencrypt-auto letsencrypt-auto-source docs/cli-help.txt
 git diff --cached
-git commit --gpg-sign="$RELEASE_GPG_KEY" -m "Release $version"
+while ! git commit --gpg-sign="$RELEASE_GPG_KEY" -m "Release $version"; do
+    echo "Unable to sign the release commit using git."
+    echo "You may have to configure git to use gpg2 by running:"
+    echo 'git config --global gpg.program $(command -v gpg2)'
+    read -p "Press enter to try signing again."
+done
 git tag --local-user "$RELEASE_GPG_KEY" --sign --message "Release $version" "$tag"
 
 cd ..