Travis signature checking, deployment to github and firehol.org

Allows us to eliminate a large number of scripts from the firehol infrastructure. Netdata does multiple compiler tests. We pick one (CC = gcc) for deploying; it doesn't really matter which, since binaries are not part of the deployment.
netdata · Nov 24, 2016 · db05ad1 · db05ad1
1 parent 7e1e77d
commit db05ad1
Show file tree

Hide file tree

Showing 6 changed files with 131 additions and 3 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,13 +1,57 @@
+dist: precise
+#
+# C includes autotools and make by default
 language: c
 compiler:
  - gcc
  - clang
+#
+# Extra packages
+addons:
+  apt:
+    packages:
+    - gnupg
+    - libcap2-bin
+    - zlib1g-dev
+    - uuid-dev
+#
+# Setup environment
 before_install:
- - sudo apt-get update -qq
- - sudo apt-get install -qq automake make libcap2-bin zlib1g-dev uuid-dev
+ # Decrypt our private files for CI use only
+ - openssl aes-256-cbc -K $encrypted_decb6f6387c4_key -iv $encrypted_decb6f6387c4_iv -in .travis/travis_rsa.enc -out .travis/travis_rsa -d
+ - eval "$(ssh-agent -s)"        # start the ssh agent
+ - chmod 600 .travis/travis_rsa  # add our key
+ - ssh-add .travis/travis_rsa    # add our key
+ - rm -f .travis/travis_rsa      # remove to prevent leaks
+ # WARNING: Any changes to the above 5 lines should be monitored closely
+ - ssh-keyscan -H firehol.org >> ~/.ssh/known_hosts
+#
+# Run
+before_script:
+ - gpg --import packaging/gpg.keys
+ # Run the commit hooks in case the developer didn't
+ - git diff 4b825dc642cb6eb9a060e54bf8d69288fbee4904 | ./packaging/check-files -
 script:
+   # make release packages
+ - fakeroot ./packaging/git-build
    # default build
  - ./autogen.sh && ./configure && make -j4
-
    # test installer
  - fakeroot ./netdata-installer.sh --install $HOME --dont-wait --dont-start-it
+#
+# Deploy as required
+after_success:
+  - for i in *.tar.*; do md5sum -b $i > $i.md5; sha512sum -b $i > $i.sha; done
+  - "case \"$TRAVIS_BRANCH\" in master|stable-*) if [ $TRAVIS_PULL_REQUEST = false -a \"$TRAVIS_TAG\" = \"\" -a \"$CC\" = \"gcc\" ]; then ssh travis@firehol.org mkdir -p uploads/netdata/$TRAVIS_BRANCH/ && scp -p *.tar.* travis@firehol.org:uploads/netdata/$TRAVIS_BRANCH/ && ssh travis@firehol.org touch uploads/netdata/$TRAVIS_BRANCH/complete.txt; fi;; esac"
+deploy:
+  # Upload results to GitHub (tag only)
+  - provider: releases
+    api_key:
+      secure: invJ0ZdNOPi9x8JJmFkqSIQMxljkLROwgRFCbmXMausJ0rA4E/PgLtM7ddWrHlu6lu8N9e5Pus4bG8DWATHbY0blMUhL5C82S5KK4mxAANLCLgTV8Qr7dMWnMqRV/OJBMGM1ZWpC2AA5GVhPLF7Z++54iqK+LM8P0EuOTAKbebIWCIkGybbSpXj+jJqaQXY0tLGSn5fXPFfyV3Tw0URJPcO3Uz5iukELngkLVSve2d0XYwy8M5tpLKHJi5bzc9CwcJZ/JK1WvklqmV3fNdSSzZunaAfDwWosV3hO7QcGnAVEbNl0HBKZJ8JkriV2fDbH4fttoSvLO2tW9HauP7Yf5XqLDudqUj4gPTuGzd31vRb9kx9cAulfE9onMAmDbjbne8Cp2Bq9/yBEqaofqEIaRcLgnlZSNc+PWbH4FQJ6fIOs5nfqLJo0G+3isgRWrqxp/rjILOvbIGbfLkbPl9aV09IvzShyW2lK7E+QOP0TZIwyXGT0NW0Rr/eyzuMXooy8wi9NehKfrxIcUr7784nU2E+EtItrhtTkJpK8XBBh16swn7s2sQ89qx9PYd/wE5qnKfG0yy3SSc2ycKzEpH7Cy3E6lC4Jytw0AM1Mc179WASBhlR2tyElkRcuhlqOFlJ/6iXjp3kqSgW4kvWbwHwT6VsyiDRhf+Ir4XILFBJ26Z8=
+    skip_cleanup: true
+    file_glob: true
+    file: "netdata*.tar.*"
+    on:
+      condition: $CC = gcc
+      repo: firehol/netdata
+      tags: true
diff --git a/.travis/travis_rsa.enc b/.travis/travis_rsa.enc
diff --git a/packaging/README.md b/packaging/README.md
@@ -18,6 +18,9 @@ and post-release update.
 Programs and packages with specific needs should create extra
 `whatever.functions` and supporting scripts in a subdirectory.
 
+The `gpg.keys` file is a list of keys that can be expected to sign
+tags and packages.
+
 Making a release
 ----------------
 `

diff --git a/packaging/check-files b/packaging/check-files
@@ -36,6 +36,8 @@ then
   echo "check-files [--debug] -|filenames"
   echo "e.g."
   echo "  git diff | ./packaging/check-files -"
+  echo "for a complete check (v.s. empty repo):"
+  echo "  git diff 4b825dc642cb6eb9a060e54bf8d69288fbee4904 | ./packaging/check-files -"
   echo "or in .git/hooks/pre-commit:"
   echo "  exec git diff --cached | ./packaging/check-files -"
   exit 1

diff --git a/packaging/git-build b/packaging/git-build
@@ -13,6 +13,20 @@ fi
 # just make the assumption
 if [ -d .git ]
 then
+  if [ -n "$TRAVIS_TAG" ]
+  then
+    echo "Checking we have a good signature during CI build..."
+    echo "Checking tag: $TRAVIS_TAG"
+    git tag -v "$TRAVIS_TAG" 2>&1 | tee /tmp/tagcheck
+    grep -iq "gpg. good signature" /tmp/tagcheck
+    status=$?
+    rm -f /tmp/tagcheck
+    if [ $status -ne 0 ]
+    then
+      exit $status
+    fi
+  fi
+
   clean=$(git status -s | grep "^?")
 
   if [ "$clean" ]

diff --git a/packaging/gpg.keys b/packaging/gpg.keys
@@ -0,0 +1,65 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBE/SZE8BCAC2tGkIFG2jYmtO7X/SFzqAlgWd4iW3ZSpjAki5Z9PGMIkaOFgL
+fnNrQV/il4mMUzmvetgV9ShA288JT6KLT4lnL/lHCgxY9dJgzXfOrHxxlXQNU7i4
+XWRO+96aNysFjVJPsjRv+51836OV+w+TvE495zG7YNUUcWVAqsc49WPyt1Bm4Bsw
+X8fG7NggsV7wA+bMV/CzRAbiXSkJYKVn+GQk1wRYwR6YlpsZ22EKR2rEUxCc4CwN
+75mo9nY3cUKJfFvR7xg1rG6tLwLgv4/SSXbtHPfdKce6dmNWJjwTv8iAZxJUGM1D
+lhAWCl/ZnGIRBf7KDsxk6NCODenDEZvOoxKTABEBAAG0IVBoaWwgV2hpbmVyYXkg
+PHBoaWxAc2FuZXdhbGwub3JnPokBOAQTAQIAIgUCT9JkTwIbAwYLCQgHAwIGFQgC
+CQoLBBYCAwECHgECF4AACgkQY98eRNgpeX4//QgAtCvArmgn/Mt6IJmx8mowPpJz
+Rv6ErwYgBkVRxd87yFHZDV2DX+BjhuD5k8e3/z+1GqwrUCR/+svLsb5e6s9ISSES
+A68xlBNLG8sfZHm4CMEN63lqZsoiMposNUTOa2NY53qYNy8oDmNkjrfIkeKdTeUB
+w8atfFGWe8PZMhaxFox/acQfleyTKPIjfzHGoFvgs7nmYdfFHiFBh5hc+mEI+S+z
+Ao9CVoT3MzyANhJJLINGcQVdexRfvv4210euHQIH2NClRv3qo5cZmeo9DyLdGU9T
+wkAosRNflxciap5hyQvK/Z9pRAPzOR5SnpJj+Daa+Xslq5j61uUdEeMsI2dTv7Qg
+UGhpbCBXaGluZXJheSA8cGhpbEBmaXJlaG9sLm9yZz6JATgEEwECACIFAlZIrFYC
+GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEGPfHkTYKXl+Hh4H/RkLQui0
+mKwLAq4+aLEJu3yCgFdpQPYFZFYw7fGKcrw92g8pnoY5V43yNaJMiJFkYrHv/UqN
+k0A2v/JIOKBXfe1YWakSIirrNMBMFwBUup4X7losPcAxF8K3Vtuo8PR/c2QF8UZB
+xkB3oPr/4DCBUKKYnk1g+yozfnqut7UNFKPZLWcNCcfy+ueLTmfzGg2CDGvsuY7m
+uXARkY7/h3YptJrRXkmBM8A1g3+Pia90RaJASR9W1LRiPVVb8M0pqVPeeccw1FNq
+yxrZzJl967T5gIWzRZ8ASvhJc/RMxeA6BCfqGp6ehGUgGVb2dlOHQkU9fu6l+4NG
+9sNAzAEkFe2Gdfq5AQ0ET9JkTwEIAOfdWdtPzHRgRLw0uEegoocn47exFoacgEGP
+xi5OFSnDY1IxckvpNap1bshvPQGPtA/p/K33NvX8hZzhk6YGgPzHh0b04GRFQFRC
+TspjjDk8poSuX8JiWnL1jzluFpriV8X7j1pos9fdIS0gQMBAHFTeGJooAfopZAoy
+8GycXUNBOiuLG4Eihbqq3E1BnDVdr5HIJKrMV2RisyukL5GYNbSp0l1DIAurYEbN
+AoUMK/9qe/6iSiX0VMgpXJpVZyFJhI6Z+/7Na0WPN4jjLgva+6g/eo8HPzKZOTak
+lhInBr9+5rl9uA8P1LqYwg0oshK/2LYF+STqfrzcRGldXajd6G0AEQEAAYkBHwQY
+AQIACQUCT9JkTwIbDAAKCRBj3x5E2Cl5frptB/4z7KzQV9X0vR6NdRVHWFnaAuFW
+gzIefG+XZR9xS4Wgc9pEMRs5ZR1bRbHWd2yNiBckajHOOSYdRD2ECMlCYrBhmH0M
+ep3vS9ly2rJRlgeFeNUdXtu0+XVdZGFsULlW2Kcb2Pv/UvOnmEppL1caAfEAMMjw
+Nc2QIKPYEyMLVQ/x7x61/RRqIuwSZL4xVAjrMic9m/gpsnwB+pxwmT2h3+BDF/gY
+jOz4YFWYV1HDYu1EFRmtpsnpuSC7xiMN92RNkBsdXLeXSkNqxLbqEISx37NFxcCy
+5pz0AytWpZNyYql2RWfiWWQa8TDjPeufxxd0+87OpJ6eHrRtpTRMsbdnC21s
+=fY8a
+-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFbxoXsBCADm7C+gJkjU10vpMkmB9LP2HuJrzzvCuOLeaFKB0wM0y3seNvKJ
+VSeNg76Db4gCZ0Fw8eBk3V49cnjPqtHqB6fBlx3zyu9jcN6RQLO+sLZy7xrqwZkx
+Lox+D/iBU97wXDudVE3Li4J04goBH8NsQ/bf41H6ZEhLWO3xM4mrwb1BNhyC7+Hm
+O0wkCNHe2P+Vf7Vss3FZ6ZPAynLOvFHHE2W0mAV0fA79Pe/nbA7kP6CueyxKLsFR
+xGavRir+19WSFq19xzMg1S4pDGOqm4PBnJvwlwjFz/4yIn0uSoaFtuJIfDvYTgFh
+XZJFR8sV/0AbZLybKsCv9pEgYlm1oeiQSk77ABEBAAG0IkNvc3RhIFRzYW91c2lz
+IDxjb3N0YUB0c2FvdXNpcy5ncj6JATkEEwEIACMFAlbxoXsCGwMHCwkIBwMCAQYV
+CAIJCgsEFgIDAQIeAQIXgAAKCRApyjNYibmoY1RPB/9o8azh6siD7VsHWjaMStBU
+alSa9nyGIinZzmb2u94VzdPUF0ZW08HI++I37HoAIQmXEa1oUtNK4D6pUYhrJpL6
+NnOVVhfFbJH1Siwl1v0dqpNqKmcJ0oUvHEHsKfGWBGqqQCFE4bnDmyayedunzoUV
+aXnUt+3dTD8hwOcicKQ1CID2rT8QvEoSv4jIGqks8t+Dnvp0Gx8bKvxF2CYfEQlr
+LxZbXrjloXQR4IaAjv/Wxpghl0RXslXIx6yRiHYu4QavBDYvL9iZ2168eIUiRiUD
+xkT38N6Itj/YfhBjW+ZXHF73UeGwFlYjagJM7YG3dKrB31OsUdch9leBcw2satmA
+uQENBFbxoXsBCADC+y/ZuxxKn742DYoXX6BvedjNwdrs5swEWrg4JnzdXRAW8g5D
+6YkPlfQ56ov7yXuOAjTgU4vMA0OjI0JN1DrR9ZmsyvmOtQq9+mZMZLFeFSPYXDRa
+0EuBFs6m2V0kq5sfFqcsItC6RSQu0mTu+1HmOmrat2o4XZXhT5Jr/QXQ6ShHkWmm
+823y4XBOxHzDRD6NfZKJbiWfLkmS5Ojza2pOp6otxlLmsknQrEe8V2mHNjiJntMv
+cSv9tJO6EnN613eo/IDejz9mrGJURbu/hTWHX00ONYmwfOmCtF4nPMyh85B3NSTF
+JhORjziEGt4lnOPV6G0vK1hlD2kwmZ48tLy3ABEBAAGJAR8EGAEIAAkFAlbxoXsC
+GwwACgkQKcozWIm5qGPD7Af+Pg398YBVnYW/ze5pGDd/IEPhmUp/mSRu2nU9pZXa
+k30eItf3Cd5JfYIKBFgeOlEx8hb0bXU2OReb1bUpT9aAW7h7YW2F9tjm1gBPdtD4
+iO9jBiNbI6wvUwPsW95f7BMKlh9tO71MmFpghKD5Dougl9X8LmXUa35PDrJxcXAi
+BaLXcrdqjxB/6r+0RFHYzr/JgMCgenu7DQMHUi0P7P+uMbhZwMuVvAtUIgbb8Vw3
+WQ6cJBbrwiAWwVjF1JauFdB8Oy/fm7k1TTein9nWXF1tZ/OTdUDriqktHbkSVjvN
+SKW3nD2RpZ4F5Pa3uNcK9lcbBfM126HCzybjZHZntcyvSA==
+=7nny
+-----END PGP PUBLIC KEY BLOCK-----