Skip to content
/ artifactor Public

Artifactor uploads artifacts to GCS with checksums, signatures and versions

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

jonmorehouse/artifactor

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit

bin

bin

 
 

Dockerfile

Dockerfile

 
 

README.md

README.md

 
 

artifactor.go

artifactor.go

 
 

build

build

 
 

build.yml

build.yml

 
 

Repository files navigation

Artifactor

Artifactor is a small tool for creating and upload signed and versioned sets of static files. Artifacts are great for managing binary releases.

Artifact Version

An artifact usually corresponds to a set of binaries for a project at a specific git ref. For example, given a project foo, which, when built contains the following binaries:

  • foo_darwin_386
  • foo_linux_386

An artifact version would correspond to a series of files uploaded to artifacts.jm.house (or whichever url/gcs bucket is specified). The uploaded assets would include all of the aforementioned files, as well as the following:

  • manifest.json - a manifest which includes version meta information, as well as a list of all files with metadata
  • manifest.json.asc.sig - a gpg "detached" signature of the manifest.json file
  • checksums - a plaintext list of filenames and checksums
  • checksums.asc.sig - a gpg "detached" signature of the checksums file

Given the artifacts server at https://artifacts.jm.house fetching a version 123 of project foo would consist of the following steps:

1. download both https://artifacts.jm.house/foo/123/manifest.json and https://artifacts.jm.house/foo/123/manifest.json.asc.sig

2. verify the signature contained in manifest.json.asc.sig with the manifest.json file using the known public key that was used to create the signature. For example, the key found at https://keybase.io/jonmorehouse/key.asc.

$ curl https://keybase.io/jonmorehouse/key.asc | gpg --import
$ gpg --verify manifest.json.asc.sig manifest.json

3. Once the manifest.json file has been verified, it's metainformation can be used to download files contained in the artifact version.

Given the following component contained in the manifest, the url and any _checksum field could be used to download the file and verify it's contents.

{
  "components": [
    {
      "filepath": "artifactor_darwin_386",
      "gcs_filepath": "gcs://jonmorehouse-public-artifacts/artifactor/bed4b3b/artifactor_darwin_386",
      "url": "https://artifacts.jm.house/artifactor/bed4b3b/artifactor_darwin_386",
      "bytes": 12801804,
      "md5_checksum": "604117cb2c5cba5689811e711800de29",
      "sha256_checksum": "08c66345777255d464a40b34f0bbd094f7d41cef5729964b80161aa9a290dde3",
      "sha384_checksum": "6eb922311190592aa215d734adaddb891b0605c2bef22ac4875e7601f659e56db2bc62573203212ada429a16ea629a5f",
      "sha512_checksum": "ac38af950f8655c4292624a572ee050646fb939877ab72b5368c2fd2ee30dcab"
    }
}

Creating an artifact

1. Create a directory with any and all assets that are part of the artifact version. For instance:

/tmp/artifactor/bed4b3b
├── artifactor_darwin_386
├── artifactor_darwin_amd64
├── artifactor_linux_386
├── artifactor_linux_amd64
|── artifactor_linux_arm

2. Export google credentials file path using:

export GOOGLE_APPLICATION_CREDENTIALS=/tmp/gcp.json

3. Call artifactor to create an artifact version

$ artifactor -dir $dir \
  -version $(git rev-parse --short HEAD) \
  -latest \
  -project foobar \
  -gcs-prefix gcs://jonmorehouse-public-artifacts \
  -url-prefix https://artifacts.jm.house

About

Artifactor uploads artifacts to GCS with checksums, signatures and versions

Resources

Readme
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages