52354ea463
When the script is run, it fetches a new copy of the repo, then creates a tag, signed by GPG. When this signing step runs, a window pops up for the user to enter their PGP key's passphrase. This window prevents the user from doing anything else on their desktop, like looking up the passphrase. It also times out after a while, and causes the script to fail at that point. To prevent this annoyance, pause right before the step asking for the passphrase until the user is ready. Because the submodules aren't tagged, we can delay their update until after the tag is created to lower the amount of time needed before the tag & signing step. Signed-off-by: Martin Roth <gaumless@gmail.com> Change-Id: I414dfc0f8944b4408881392278a2bce2a364992b Reviewed-on: https://review.coreboot.org/c/coreboot/+/77366 Reviewed-by: Paul Menzel <paulepanter@mailbox.org> Reviewed-by: Felix Singer <service+coreboot-gerrit@felixsinger.de> Reviewed-by: Felix Held <felix-coreboot@felixheld.de> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
117 lines
4.1 KiB
Bash
Executable file
117 lines
4.1 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
# ${VERSION_NAME}: new version name
|
|
# ${COMMIT_ID}: commit id for new version
|
|
# ${USERNAME}: username (if not default to https)
|
|
# ${GPG_KEY_ID}: gpg key id (if not don't sign)
|
|
VERSION_NAME=$1
|
|
COMMIT_ID=$2
|
|
USERNAME=$3
|
|
GPG_KEY_ID=$4
|
|
|
|
set -e
|
|
|
|
TIME_FILE="$(mktemp -d)/.coreboot-time"
|
|
COREBOOT_RELEASE_NAME=coreboot-${VERSION_NAME}
|
|
COREBOOT_TARBALL="${COREBOOT_RELEASE_NAME}.tar.xz"
|
|
COREBOOT_BLOBS_TARBALL="coreboot-blobs-${VERSION_NAME}.tar.xz"
|
|
|
|
if [ -z "$GPG_TTY" ]; then
|
|
GPG_TTY=$(tty)
|
|
export GPG_TTY
|
|
fi
|
|
|
|
# set local + tz to be reproducible
|
|
LC_ALL=C
|
|
LANG=C
|
|
TZ=UTC0
|
|
export LC_ALL LANG TZ
|
|
|
|
if [ -z "${VERSION_NAME}" ] || [ "${VERSION_NAME}" = "--help" ] || [ -z "${COMMIT_ID}" ]; then
|
|
echo "usage: $0 <version> <commit id> [username] [gpg key id]"
|
|
echo "Tags a new coreboot version and creates a tar archive"
|
|
echo
|
|
echo "version: New version name to tag the tree with"
|
|
echo "commit id: check out this commit-id after cloning the coreboot tree"
|
|
echo "username: clone the tree using ssh://USERNAME - defaults to https://"
|
|
echo "gpg key id: used to tag the version, and generate a gpg signature"
|
|
exit 1
|
|
fi
|
|
|
|
pause() {
|
|
local text=$1
|
|
|
|
echo
|
|
if [ -n "$text" ]; then
|
|
echo "$text"
|
|
fi
|
|
read -r -p "Press [Enter] key to continue..."
|
|
}
|
|
|
|
# Verify that tar supports --sort
|
|
if ! tar --sort=name -cf /dev/null /dev/null 2>/dev/null ; then
|
|
echo "Error: The installed version of tar does not support --sort"
|
|
echo " GNU tar version 1.28 or greater is required. Exiting."
|
|
exit 1
|
|
fi
|
|
|
|
# Clone new copy of repo if needed
|
|
if [ ! -d "${COREBOOT_RELEASE_NAME}/.git" ]; then
|
|
rm -rf "${COREBOOT_RELEASE_NAME}"
|
|
declare -a GIT_REF_OPTS
|
|
if [ -d .git ]; then
|
|
GIT_REF_OPTS=("--reference" "." "--dissociate")
|
|
elif [ -d ../../.git ]; then
|
|
GIT_REF_OPTS=("--reference" "../.." "--dissociate")
|
|
fi
|
|
if [ -n "${USERNAME}" ]; then
|
|
git clone "${GIT_REF_OPTS[@]}" "ssh://${USERNAME}@review.coreboot.org:29418/coreboot.git" "${COREBOOT_RELEASE_NAME}" --
|
|
else
|
|
git clone "${GIT_REF_OPTS[@]}" https://review.coreboot.org/coreboot.git "${COREBOOT_RELEASE_NAME}" --
|
|
fi
|
|
fi
|
|
|
|
# Handle everything that needs to be done from inside the new coreboot
|
|
# directory. Use requested version, update submodules, and get ready to
|
|
# run from outside a git repository, and create a signed tag to push.
|
|
(
|
|
cd "${COREBOOT_RELEASE_NAME}" || exit 1
|
|
git reset --hard "${COMMIT_ID}"
|
|
|
|
util/crossgcc/buildgcc -W > .crossgcc-version
|
|
|
|
if [ -n "${GPG_KEY_ID}" ]; then
|
|
pause "The next step will need your PGP key's passphrase, so be ready."
|
|
git tag -a -s -u "$GPG_KEY_ID" --force "${VERSION_NAME}" -m "coreboot version ${VERSION_NAME}" --
|
|
else
|
|
git tag -a --force "${VERSION_NAME}" -m "coreboot version ${VERSION_NAME}" --
|
|
fi
|
|
|
|
git submodule update --init --checkout
|
|
|
|
printf "%s-%s\n" "$VERSION_NAME" "$(git log --pretty=%h -1)" > .coreboot-version
|
|
printf "%s\n" "$(git log --pretty=format:%ci -1)" > "${TIME_FILE}"
|
|
)
|
|
tstamp=$(cat "${TIME_FILE}" | sed 's/ +0000//')
|
|
|
|
# Create the two tarballs, source and blobs.
|
|
exclude_paths="3rdparty/blobs 3rdparty/fsp 3rdparty/intel-microcode 3rdparty/amd_blobs 3rdparty/qc_blobs"
|
|
|
|
declare -a blobs_paths
|
|
declare -a exclude_opts
|
|
for i in ${exclude_paths}; do
|
|
blobs_paths+=("${COREBOOT_RELEASE_NAME}/${i}")
|
|
exclude_opts+=("--exclude=${COREBOOT_RELEASE_NAME}/${i}")
|
|
done
|
|
|
|
tar --sort=name --mtime="${tstamp}" --owner=coreboot:1000 --group=coreboot:1000 --exclude=*/.git --exclude=*/.gitignore --exclude=*/.gitreview --exclude=*/.mailmap --exclude=*/.gitmodules "${exclude_opts[@]}" -cvf - "${COREBOOT_RELEASE_NAME}" |xz -9 > "${COREBOOT_TARBALL}"
|
|
tar --sort=name --mtime="${tstamp}" --owner=coreboot:1000 --group=coreboot:1000 --exclude=*/.git --exclude=*/.gitignore --exclude=*/.gitreview --exclude=*/.mailmap --exclude=*/.gitmodules -cvf - "${blobs_paths[@]}" |xz -9 > "${COREBOOT_BLOBS_TARBALL}"
|
|
|
|
# Sign the tarballs
|
|
if [ -n "${GPG_KEY_ID}" ]; then
|
|
gpg --armor --local-user "$GPG_KEY_ID" --output "${COREBOOT_TARBALL}.sig" --detach-sig "${COREBOOT_TARBALL}"
|
|
gpg --armor --local-user "$GPG_KEY_ID" --output "${COREBOOT_BLOBS_TARBALL}.sig" --detach-sig "${COREBOOT_BLOBS_TARBALL}"
|
|
fi
|
|
|
|
# Clean up
|
|
rm -f "${TIME_FILE}"
|