Added RPM repository (#600)

* goreleaser: added signatures to RPM binaries

Currently goreleaser does not support it, so we're overriding
signing script and signing all RPMs that it produces.

Also changed goreleaser parameters to only publish binaries
when running on linux/amd64.

* build: added automatic publishing of RPMs to a YUM repository

Also fixed RPM file names to match local conventions.

.goreleaser.yml

@@ -52,6 +52,13 @@ nfpms:
     - deb
     - rpm
     bindir: /usr/bin
+    overrides:
+      rpm:
+        file_name_template: "{{ .ProjectName }}-{{ .Version }}.{{ .Arch }}"
+        replacements:
+          amd64: x86_64
+          arm64: aarch64
+          arm: armhfp
 brews:
   - homepage: "https://kopia.io"
     tap:
@@ -61,9 +68,10 @@ brews:
     install:
       bin.install "kopia"
 signs:
-  -
-    artifacts: checksum
-    args: ["-a", "--output", "${signature}", "--detach-sign", "${artifact}"]
+  - id: all
+    artifacts: all
+    cmd: tools/sign.sh
+    args: ["${artifact}", "${signature}"]
 changelog:
   filters:
     exclude:

Makefile

@@ -109,7 +109,7 @@ travis-release:
 	$(retry) $(MAKE) layering-test
 	$(retry) $(MAKE) integration-tests
 ifeq ($(TRAVIS_OS_NAME),linux)
-	$(MAKE) apt-publish
+	$(MAKE) publish-packages
 	$(MAKE) robustness-tool-tests
 	$(MAKE) website
 	$(MAKE) stress-test
@@ -123,31 +123,29 @@ endif
 GORELEASER_OPTIONS=--rm-dist --parallelism=6
 
 sign_gpg=1
+publish_binaries=1
+
 ifneq ($(TRAVIS_PULL_REQUEST),false)
 	# not running on travis, or travis in PR mode, skip signing
 	sign_gpg=0
 endif
 
-ifeq ($(TRAVIS_OS_NAME),windows)
-	# signing does not work on Windows on Travis
+# publish and sign only from linux/amd64 to avoid duplicates
+ifneq ($(TRAVIS_OS_NAME)/$(kopia_arch_name),linux/amd64)
 	sign_gpg=0
+	publish_binaries=0
 endif
 
 ifeq ($(sign_gpg),0)
 GORELEASER_OPTIONS+=--skip-sign
 endif
 
-publish_binaries=1
-
+# publish only from tagged releases
 ifeq ($(TRAVIS_TAG),)
-	# not a tagged release
 	GORELEASER_OPTIONS+=--snapshot
 	publish_binaries=0
 endif
 
-ifneq ($(TRAVIS_OS_NAME),linux)
-	publish_binaries=0
-endif
 ifeq ($(publish_binaries),0)
 GORELEASER_OPTIONS+=--skip-publish
 endif
@@ -292,9 +290,10 @@ travis-create-long-term-repository:
 endif
 
 ifeq ($(TRAVIS_PULL_REQUEST),false)
-apt-publish:
+publish-packages:
 	$(CURDIR)/tools/apt-publish.sh $(CURDIR)/dist
+	$(CURDIR)/tools/rpm-publish.sh $(CURDIR)/dist
 else
-apt-publish:
-	@echo Not pushing to APT repository on pull request builds.
+publish-packages:
+	@echo Not pushing to Linux repositories on pull request builds.
 endif

site/content/docs/Installation/_index.md

@@ -92,6 +92,37 @@ sudo apt install kopia
 sudo apt install kopia-ui
 ```
 
+### Linux installation using RPM (RedHat, CentOS)
+
+Install GPG signing key:
+
+```shell
+rpm --import https://kopia.io/signing-key
+```
+
+Install Yum repository:
+
+```shell
+cat <<EOF | sudo tee /etc/yum.repos.d/kopia.repo
+[Kopia]
+name=Kopia
+baseurl=http://packages.kopia.io/rpm/stable/\$basearch/
+gpgcheck=1
+enabled=1
+gpgkey=https://kopia.io/signing-key
+EOF
+```
+
+>By default the **stable** channel provides official stable releases. If you prefer you can also select **testing** channel (which also provides release candidates and is generally stable) or **unstable** which includes all latest changes, but may not be stable.
+
+Finally install Kopia or KopiaUI:
+
+```shell
+sudo yum install kopia
+sudo yum install kopia-ui
+```
+
+
 ### Compilation From Source
 
 If you have [Go 1.14](https://golang.org/) or newer, you may download and build Kopia yourself. No special setup is necessary, other than the Go compiler. You can simply run:

tools/rpm-publish.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+set -e
+GS_PREFIX=gs://packages.kopia.io/rpm
+PKGDIR=$1
+
+if [ -z "$PKGDIR" ]; then
+  echo usage $0: /path/to/dist
+  exit 1
+fi
+
+if [ ! -d "$PKGDIR" ]; then
+  echo $PKGDIR must be a directory containing '*.rpm' files
+  exit 1
+fi
+
+architectures="x86_64 aarch64 armhfp"
+distributions="stable testing unstable"
+
+WORK_DIR=/tmp/rpm-publish
+#rm -rf "$WORK_DIR"
+mkdir -p "$WORK_DIR"
+
+echo Downloading packages...
+
+for a in $architectures; do
+    for d in $distributions; do
+        mkdir -p $WORK_DIR/$d/$a
+    done
+done
+
+gsutil rsync $GS_PREFIX/ $WORK_DIR/
+
+rpm_files=$(find $1 -name '*.rpm')
+
+# sort all files into appropriate binary directories
+for f in $rpm_files; do
+  bn=$(basename $f)
+  if [[ "$bn" =~ ^([^0-9]+)(.*)\.([^\.]+).rpm$ ]]; then
+    ver=${BASH_REMATCH[2]}
+    arch=${BASH_REMATCH[3]}
+    dists=""
+
+    if [[ $ver =~ "next" ]]; then
+      # ignore -next versions which are from goreleaser snapshots
+      continue
+    fi
+
+    # x.y.z
+    if [[ $ver =~ [0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+      dists="stable testing"
+    fi
+
+    # x.y.z-prerelease
+    if [[ $ver =~ [0-9]+\.[0-9]+\.[0-9]+\-.*$ ]]; then
+      dists="testing"
+    fi
+
+    # yyyymmdd.0.hhmmss starts with 20
+    if [[ $ver =~ 20[0-9]+\.[0-9]+\.[0-9]+ ]]; then
+      dists="unstable"
+    fi
+
+    echo "f: $f arch: $arch dists: $dists"
+
+    bn=$(basename $f)
+    for d in $dists; do
+      packages_dir=$WORK_DIR/$d/$arch
+      cp -av $f $packages_dir
+      rpm --define "%_gpg_name Kopia Builder" --addsign "$packages_dir/$bn"
+    done
+  fi
+done
+
+# regenerate indexes
+for a in $architectures; do
+    for d in $distributions; do
+        docker run -it -e verbose=true -v $WORK_DIR/$d/$a:/data sark/createrepo:latest
+    done
+done
+
+echo Synchronizing...
+gsutil -m rsync -r $WORK_DIR/ $GS_PREFIX/
+
+for a in $architectures; do
+    for d in $distributions; do
+      gsutil -m setmeta -h "Cache-Control:no-cache, max-age=0" -r $GS_PREFIX/$d/$a/repodata/
+    done
+done
+
+
+echo Done.

tools/sign.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -e
+input=$1
+signature=$2
+
+# add signature to RPMs
+if [ ${input: -4} == ".rpm" ]; then
+  rpm --define "%_gpg_name Kopia Builder" --addsign $input
+fi
+
+if [ $input == "dist/checksums.txt" ]; then
+    # before signing checksums.txt, regenerate it since we've just signed some RPMs.
+    filenames=$(cut -f 2- -d " " dist/checksums.txt)
+    (cd dist && sha256sum $filenames > checksums.txt)
+    gpg --output dist/checksums.txt.sig --detach-sig dist/checksums.txt
+fi