merge branch 'pr-3309'

Aleksa Sarai (1): release: correctly handle binary signing for "make releaseall" LGTMs: AkihiroSuda kolyshkin Closes #3309
opencontainers · Dec 9, 2021 · 1b747a4 · 1b747a4
2 parents 13b0806 + acd8f12
commit 1b747a4
Show file tree

Hide file tree

Showing 3 changed files with 124 additions and 33 deletions.
diff --git a/Makefile b/Makefile
@@ -25,6 +25,8 @@ GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDT
 GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
 	-ldflags "-extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
 
+GPG_KEYID ?= asarai@suse.de
+
 .DEFAULT: runc
 
 runc:
@@ -46,9 +48,10 @@ release: runcimage
 		--rm -v $(CURDIR):/go/src/$(PROJECT) \
 		-e RELEASE_ARGS=$(RELEASE_ARGS) \
 		$(RUNC_IMAGE) make localrelease
+	script/release_sign.sh -S $(GPG_KEYID) -r release/$(VERSION) -v $(VERSION)
 
 localrelease:
-	script/release.sh -r release/$(VERSION) -v $(VERSION) $(RELEASE_ARGS)
+	script/release_build.sh -r release/$(VERSION) -v $(VERSION) $(RELEASE_ARGS)
 
 dbuild: runcimage
 	$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
@@ -130,7 +133,7 @@ cfmt:
 shellcheck:
 	shellcheck tests/integration/*.bats tests/integration/*.sh \
 		tests/integration/*.bash tests/*.sh \
-		script/release.sh script/seccomp.sh script/lib.sh
+		script/release_*.sh script/seccomp.sh script/lib.sh
 	# TODO: add shellcheck for more sh files
 
 shfmt:

diff --git a/script/release.sh → script/release_build.sh b/script/release.sh → script/release_build.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 # Copyright (C) 2017 SUSE LLC.
+# Copyright (C) 2017-2021 Open Containers Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -99,7 +100,8 @@ function build_project() {
 
 # Print usage information.
 function usage() {
-	echo "usage: release.sh [-S <gpg-key-id>] [-c <commit-ish>] [-r <release-dir>] [-v <version>] [-a <cross-arch>]" >&2
+	echo "usage: release_build.sh [-a <cross-arch>]... [-c <commit-ish>] [-h <hashcmd>]" >&2
+	echo "                        [-r <release-dir>] [-v <version>]" >&2
 	exit 1
 }
 
@@ -114,41 +116,34 @@ function bail() {
 	exit 0
 }
 
-# Conduct a sanity-check to make sure that GPG provided with the given
-# arguments can sign something. Inability to sign things is not a fatal error.
-function gpg_cansign() {
-	gpg "$@" --clear-sign </dev/null >/dev/null
-}
-
 # When creating releases we need to build static binaries, an archive of the
 # current commit, and generate detached signatures for both.
-keyid=""
 commit="HEAD"
 version=""
 releasedir=""
 hashcmd=""
 declare -a add_arches
 
-while getopts "S:c:r:v:h:a:" opt; do
+while getopts "a:c:H:hr:v:" opt; do
 	case "$opt" in
-	S)
-		keyid="$OPTARG"
+	a)
+		add_arches+=("$OPTARG")
 		;;
 	c)
 		commit="$OPTARG"
 		;;
+	H)
+		hashcmd="$OPTARG"
+		;;
+	h)
+		usage
+		;;
 	r)
 		releasedir="$OPTARG"
 		;;
 	v)
 		version="$OPTARG"
 		;;
-	h)
-		hashcmd="$OPTARG"
-		;;
-	a)
-		add_arches+=("$OPTARG")
-		;;
 	:)
 		echo "Missing argument: -$OPTARG" >&2
 		usage
@@ -170,7 +165,6 @@ suffixes=("$native_arch" "${add_arches[@]}" tar.xz)
 log "creating $project release in '$releasedir'"
 log "  version: $version"
 log "   commit: $commit"
-log "      key: ${keyid:-DEFAULT}"
 log "     hash: $hashcmd"
 
 # Make explicit what we're doing.
@@ -191,16 +185,3 @@ git archive --format=tar --prefix="$project-$version/" "$commit" | xz >"$release
 	# Add $project. prefix to all suffixes.
 	"$hashcmd" "${suffixes[@]/#/$project.}" >"$project.$hashcmd"
 )
-
-# Set up the gpgflags.
-gpgflags=()
-[[ "$keyid" ]] && gpgflags=(--default-key "$keyid")
-gpg_cansign "${gpgflags[@]}" || bail "Could not find suitable GPG key, skipping signing step."
-
-# Sign everything.
-for sfx in "${suffixes[@]}"; do
-	gpg "${gpgflags[@]}" --detach-sign --armor "$releasedir/$project.$sfx"
-done
-gpg "${gpgflags[@]}" --clear-sign --armor \
-	--output "$releasedir/$project.$hashcmd"{.tmp,} &&
-	mv "$releasedir/$project.$hashcmd"{.tmp,}
diff --git a/script/release_sign.sh b/script/release_sign.sh
@@ -0,0 +1,107 @@
+#!/bin/bash
+# Copyright (C) 2017 SUSE LLC.
+# Copyright (C) 2017-2021 Open Containers Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+project="runc"
+root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
+
+# Print usage information.
+function usage() {
+	echo "usage: release_sign.sh [-S <gpg-key-id>] [-r <release-dir>]" >&2
+	exit 1
+}
+
+# Log something to stderr.
+function log() {
+	echo "[*] $*" >&2
+}
+
+# Log something to stderr and then exit with 0.
+function bail() {
+	log "$@"
+	exit 0
+}
+
+# Conduct a sanity-check to make sure that GPG provided with the given
+# arguments can sign something. Inability to sign things is not a fatal error.
+function gpg_cansign() {
+	gpg "$@" --clear-sign </dev/null >/dev/null
+}
+
+# When creating releases we need to build static binaries, an archive of the
+# current commit, and generate detached signatures for both.
+keyid=""
+version=""
+releasedir=""
+hashcmd=""
+
+while getopts "H:hr:S:v:" opt; do
+	case "$opt" in
+	H)
+		hashcmd="$OPTARG"
+		;;
+	h)
+		usage
+		;;
+	r)
+		releasedir="$OPTARG"
+		;;
+	S)
+		keyid="$OPTARG"
+		;;
+	v)
+		version="$OPTARG"
+		;;
+	:)
+		echo "Missing argument: -$OPTARG" >&2
+		usage
+		;;
+	\?)
+		echo "Invalid option: -$OPTARG" >&2
+		usage
+		;;
+	esac
+done
+
+version="${version:-$(<"$root/VERSION")}"
+releasedir="${releasedir:-release/$version}"
+hashcmd="${hashcmd:-sha256sum}"
+
+log "signing $project release in '$releasedir'"
+log "      key: ${keyid:-DEFAULT}"
+log "     hash: $hashcmd"
+
+# Make explicit what we're doing.
+set -x
+
+# Set up the gpgflags.
+gpgflags=()
+[[ "$keyid" ]] && gpgflags=(--default-key "$keyid")
+gpg_cansign "${gpgflags[@]}" || bail "Could not find suitable GPG key, skipping signing step."
+
+# Only needed for local signing -- change the owner since by default it's built
+# inside a container which means it'll have the wrong owner and permissions.
+[ -w "$releasedir" ] || sudo chown -R "$USER:$GROUP" "$releasedir"
+
+# Sign everything.
+for bin in "$releasedir/$project".*; do
+	[[ "$(basename "$bin")" == "$project.$hashcmd" ]] && continue # skip hash
+	gpg "${gpgflags[@]}" --detach-sign --armor "$bin"
+done
+gpg "${gpgflags[@]}" --clear-sign --armor \
+	--output "$releasedir/$project.$hashcmd"{.tmp,} &&
+	mv "$releasedir/$project.$hashcmd"{.tmp,}