-
Notifications
You must be signed in to change notification settings - Fork 6
/
promote-release.sh
executable file
·149 lines (111 loc) · 6.01 KB
/
promote-release.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
#!/bin/bash -ex
##[ Imports ]####################
source "$(dirname $0)/utils.sh"
source "$(dirname $0)/report.sh"
source "$(dirname $0)/keys.sh"
##[ Required Environment ]#######
require KEYRING
require PASSPHRASE
require SPEC_NAME "[a-z][a-z-]*[a-z]"
require SPEC_VERSION "[1-9][0-9]*(.[0-9]+)?"
require FILE_URLS "https?://download.eclipse.org/[a-zA-Z0-9_./-]+\.(zip|tar.gz|pdf|jar|war|ear|txt)"
##[ Main ]#######################
COMMITTEE_KEYRING=/tmp/committee
CONSUMER_KEYRING=/tmp/consumer
UPDATED_KEYRING=/tmp/updated
( # Import the locally available private keys into a dedicated keyring
export GNUPGHOME="$COMMITTEE_KEYRING"
# The Eclipse infrastrucutre team gives us the KEYRING file via the Jenkins job
# It's possible these keys have been rotated and we will need to take action
gpg-import "$KEYRING"
# Export the corresponding public key. If the private key has been rotated we will need to
# republish our public keys with the current keys included
gpg --armor --export 'jakarta.ee-spec@eclipse.org' > "/tmp/jakartaee-spec.current.pub" || fail "Unable to export jakartaee-spec.current.pub from $GNUPGHOME"
)
( # Download and import the published public keys into a dedicated keyring
export GNUPGHOME="$CONSUMER_KEYRING"
# For safety, we only verify with public keys the Specification Committee has explicitly published
curl "https://raw.githubusercontent.com/jakartaee/specification-committee/master/jakartaee-spec-committee.pub" > "/tmp/jakartaee-spec.published.pub" || fail "Cannot download published jakartaee-spec-committee.pub"
gpg-import "/tmp/jakartaee-spec.published.pub"
)
( # Import both the current and published keys into one keyring
#
# If our keys have been rotated, "jakartaee-spec-committee.updated.pub" is the file
# we need to publish to the url above.
#
# Overwritting the contents of jakartaee-spec-committee.pub
# with jakartaee-spec-committee.updated.pub and committing it is how we would do that.
export GNUPGHOME="$UPDATED_KEYRING"
gpg-import "/tmp/jakartaee-spec.published.pub"
gpg-import "/tmp/jakartaee-spec.current.pub"
gpg --armor --export 'jakarta.ee-spec@eclipse.org' > "$WORKSPACE/jakartaee-spec-committee.updated.pub" || fail "Unable to export jakartaee-spec-committee.updated.pub from $GNUPGHOME"
)
( # Create a tmp dir and download the TCK
TMP="/tmp/download-$$" && mkdir "$TMP" && cd "$TMP"
for url in $FILE_URLS; do
# Local file name of the TCK zip or tar.gz
file="$(basename "$url")"
# File name must start with safe characters
# No passing us a "-r" or ".." file or some cleverness
require file "[a-zA-Z0-9].*"
# Download the file or fail
curl "$url" > "$file" || fail "Could not download $url"
# If the tck starts with "eclipse-" rename it "jakarta-"
[[ "$file" == eclipse-* ]] && cp "$file" "${file/eclipse-/jakarta-}"
done
# Our list of files before we start signing. Used in the final report step
FILES=($(ls))
( # Hash and sign
for file in *; do
( # Sign using the committee keyring
export GNUPGHOME="$COMMITTEE_KEYRING"
echo "${PASSPHRASE}" | gpg --sign --armor --batch --passphrase-fd 0 --output "$file".sig --detach-sig "$file" || fail "Signature failed"
)
( # Verify using the consumer keyring
export GNUPGHOME="$CONSUMER_KEYRING"
# If someone has rotated the private key but NOT updated the
# public key file in github, this step will fail
gpg --verify "$file".sig "$file" || fail "Outdated Public Keys. Signature Verification failed for \"$file\". Our keys have likely been rotated and we need to publish jakartaee-spec-committee.updated.pub"
)
# Calculate the sha256 for convenience
shasum -a 256 "$file" | tr ' ' '\t' | cut -f 1 > "$file.sha256" || fail "SHA-256 creation failed for \"$file\""
done
)
ZONE="/home/data/httpd/download.eclipse.org/jakartaee/"
DROP="/home/data/httpd/download.eclipse.org/jakartaee/${SPEC_NAME}/${SPEC_VERSION}"
HOST='genie.jakartaee-spec-committee@projects-storage.eclipse.org'
( # Test SSH access and write permissions
# do a simple ssh test to flush out basic issues
ssh "$HOST" "uname -a" || fail "Unable to SSH to download server. See setup instructions https://wiki.eclipse.org/Jenkins#Freestyle_job"
# do a simple ssh test to flush out basic issues
ssh "$HOST" "ls -la $ZONE" || fail "Remote directory missing \"$ZONE\""
# do a simple ssh test to flush out basic issues
ssh "$HOST" "touch ${ZONE}status && rm ${ZONE}status" || fail "Remote directory write access denied to \"$ZONE\""
)
( # Perform the upload
# make the remote directory, if needed
ssh "$HOST" "[ -e $DROP ] || mkdir -p $DROP" || fail "Remote directory \"$DROP\" could not be created"
# If any of the local files already exist remotely, fail before we've copied anything
for file in *; do
ssh "$HOST" "[ ! -e $DROP/$file ]" || fail "Refusing to overwrite existing file $file"
done
# Ok, we're clear to copy for real
rsync -v -e ssh * "$HOST:$DROP/"
)
(# Verify our upload
VERIFY="/tmp/verify-$$" && mkdir "$VERIFY" || fail "Could not make tmp directory for verification"
for file in *; do
curl "https://download.eclipse.org/jakartaee/${SPEC_NAME}/${SPEC_VERSION}/$file" > "$VERIFY/$file"
done
for sig in $VERIFY/*.sig; do
# remove the ".sig" extension, this is the file we're verifying
file="${sig/.sig/}"
( # Verify the signature
export GNUPGHOME="$CONSUMER_KEYRING"
gpg --verify "$sig" "$file" || fail "Downloaded Signature Verification failed. Upload was incomplete. $file $sig"
)
done
)
export GNUPGHOME="$COMMITTEE_KEYRING"
report "${FILES[@]}" > "$WORKSPACE/${SPEC_NAME}-${SPEC_VERSION}.html"
)