From 6e4204a0d196615ebb19d6f03f2eff2307bd6380 Mon Sep 17 00:00:00 2001
From: Philipp Deppenwiese
Date: Thu, 8 Sep 2016 22:35:48 +0200
Subject: [PATCH] util/release: Add support for signed tags and releases
* Add gpg key command-line parameter for signing.
* Add username command-line parameter for secure ssh clone.
* Tag and releases are signed.
* Generates ascii amored signature files.
Change-Id: I41347a85145dd0389e3b69939497fb8543db4996
Signed-off-by: Philipp Deppenwiese
Reviewed-on: https://review.coreboot.org/16553
Tested-by: build bot (Jenkins)
Reviewed-by: Martin Roth
---
 util/release/build-release | 43 +++++++++++++++++++++++++++-----------
 1 file changed, 31 insertions(+), 12 deletions(-)
diff --git a/util/release/build-release b/util/release/build-release
index f09f5b284a..d13e0388f4 100755
--- a/util/release/build-release
+++ b/util/release/build-release
@@ -1,21 +1,40 @@
 #!/bin/bash
-# $1: new version name
-# $2: commit id (if not master)
+# ${VERSION_NAME}: new version name
+# ${GPG_KEY_ID}: gpg key id (if not don't sign)
+# ${USERNAME}: username (if not default to https)
+# ${COMMIT_ID}: commit id (if not master)
+VERSION_NAME=${1}
+COMMIT_ID=${2}
+USERNAME=${3}
+GPG_KEY_ID=${4}
+
 set -e
-if [ -z "$1" ]; then
- echo "usage: $0 version [commit id]"
+if [ -z "${VERSION_NAME}" ] || [ "${VERSION_NAME}" = "--help" ]; then
+ echo "usage: $0 [commit id] [gpg key id] [username]"
 echo "tags a new coreboot version and creates a tar archive"
 exit 1
 fi
-git clone --recurse-submodules http://review.coreboot.org/coreboot.git coreboot-$1
-cd coreboot-$1
-if [ -n "$2" ]; then
- git reset --hard $2
+if [ -n "${USERNAME}" ]; then
+ git clone --recurse-submodules ssh://${USERNAME}@review.coreboot.org:29418/coreboot.git coreboot-${VERSION_NAME}
+else
+ git clone --recurse-submodules https://review.coreboot.org/coreboot.git coreboot-${VERSION_NAME}
+fi
+cd coreboot-${VERSION_NAME}
+if [ -n "${COMMIT_ID}" ]; then
+ git reset --hard ${COMMIT_ID}
 fi
 git submodule update --init --checkout
-git tag -a --force $1 -m "coreboot version $1"
-printf "$1-$(git log --pretty=%H|head -1)\n" > .coreboot-version
+if [ -n "${GPG_KEY_ID}" ]; then
+ git tag -a -s -u ${GPG_KEY_ID} --force ${VERSION_NAME} -m "coreboot version ${VERSION_NAME}"
+else
+ git tag -a --force ${VERSION_NAME} -m "coreboot version ${VERSION_NAME}"
+fi
+printf "${VERSION_NAME}-$(git log --pretty=%H|head -1)\n" > .coreboot-version
 tstamp=$(git log --pretty=format:%ci -1)
 cd ..
-tar --mtime="$tstamp" --owner=coreboot:1000 --group=coreboot:1000 --exclude-vcs --exclude=coreboot-${1}/3rdparty/blobs -cvf - coreboot-${1} |xz -9 > coreboot-${1}.tar.xz
-tar --mtime="$tstamp" --owner=coreboot:1000 --group=coreboot:1000 --exclude-vcs -cvf - coreboot-${1}/3rdparty/blobs |xz -9 > coreboot-blobs-${1}.tar.xz
+tar --mtime="$tstamp" --owner=coreboot:1000 --group=coreboot:1000 --exclude-vcs --exclude=coreboot-${VERSION_NAME}/3rdparty/blobs -cvf - coreboot-${VERSION_NAME} |xz -9 > coreboot-${VERSION_NAME}.tar.xz
+tar --mtime="$tstamp" --owner=coreboot:1000 --group=coreboot:1000 --exclude-vcs -cvf - coreboot-${VERSION_NAME}/3rdparty/blobs |xz -9 > coreboot-blobs-${VERSION_NAME}.tar.xz
+if [ -n "${GPG_KEY_ID}" ]; then
+ gpg2 --armor --local-user ${GPG_KEY_ID} --output coreboot-${VERSION_NAME}.tar.xz.sig --detach-sig coreboot-${VERSION_NAME}.tar.xz
+ gpg2 --armor --local-user ${GPG_KEY_ID} --output coreboot-blobs-${VERSION_NAME}.tar.xz.sig --detach-sig coreboot-blobs-${VERSION_NAME}.tar.xz
+fi
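Review bot: The new usage string lists `[gpg key id]` before `[username]`, but the assignments at the top of the hunk read `USERNAME=${3}` and `GPG_KEY_ID=${4}`, so anyone following the help text passes the key id as the SSH user and the username as the signing identity given to `git tag -u` and `gpg2 --local-user`. That either aborts the release or, if the string happens to match a key's user ID, may sign with a key the caller did not intend; the line should read `echo "usage: $0 <version> [commit id] [username] [gpg key id]"` (as rendered here the string also shows no placeholder for the version argument, which may be lost markup). The new expansions are unquoted as well (`git reset --hard ${COMMIT_ID}`, `-u ${GPG_KEY_ID}`, `--local-user ${GPG_KEY_ID}`), so a value containing whitespace or starting with a dash is word-split or parsed as an option. Quoting them, e.g. `git tag -a -s -u "${GPG_KEY_ID}" --force "${VERSION_NAME}" -m "coreboot version ${VERSION_NAME}"`, keeps the key selection and the tag name exactly as supplied.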