diff --git a/Makefile b/Makefile
index aeb62f8c3f7..f9045df615a 100644
--- a/Makefile
+++ b/Makefile
@@ -25,6 +25,8 @@ GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDT
 GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
 -ldflags "-extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
 
+GPG_KEYID ?= asarai@suse.de
+
 .DEFAULT: runc
 
 runc:
@@ -46,9 +48,10 @@ release: runcimage
 --rm -v $(CURDIR):/go/src/$(PROJECT) \
 -e RELEASE_ARGS=$(RELEASE_ARGS) \
 $(RUNC_IMAGE) make localrelease
+ script/release_sign.sh -S $(GPG_KEYID) -r release/$(VERSION) -v $(VERSION)
 
 localrelease:
- script/release.sh -r release/$(VERSION) -v $(VERSION) $(RELEASE_ARGS)
+ script/release_build.sh -r release/$(VERSION) -v $(VERSION) $(RELEASE_ARGS)
 
 dbuild: runcimage
 $(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
@@ -130,7 +133,7 @@ cfmt:
 shellcheck:
 shellcheck tests/integration/*.bats tests/integration/*.sh \
 tests/integration/*.bash tests/*.sh \
- script/release.sh script/seccomp.sh script/lib.sh
+ script/release_*.sh script/seccomp.sh script/lib.sh
 # TODO: add shellcheck for more sh files
 
 shfmt:
diff --git a/script/release.sh b/script/release_build.sh
similarity index 84%
rename from script/release.sh
rename to script/release_build.sh
index 64d27b172fa..2d3fe93b6a4 100755
--- a/script/release.sh
+++ b/script/release_build.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 # Copyright (C) 2017 SUSE LLC.
+# Copyright (C) 2017-2021 Open Containers Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -99,7 +100,8 @@ function build_project() {
 
 # Print usage information.
 function usage() {
- echo "usage: release.sh [-S ] [-c ] [-r ] [-v ] [-a ]" >&2
+ echo "usage: release_build.sh [-a ]... [-c ] [-h ]" >&2
+ echo " [-r ] [-v ]" >&2
 exit 1
 }
 
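Review bot: `GPG_KEYID ?= asarai@suse.de` ties the release signing identity to one maintainer's address, and because the new release_sign.sh only logs and exits 0 when that key is unusable (`gpg_cansign "${gpgflags[@]}" || bail …`), any other maintainer running `make release` gets an unsigned release that still reports success. Either leave the default empty (the script treats an empty key id as gpg's default key, logged as `DEFAULT`) or document the knob where it is defined, e.g. `# GPG key used to sign release artefacts; override with 'make release GPG_KEYID=<fingerprint>'`. A fingerprint rather than an e-mail address would also avoid ambiguity should more than one secret key carry that UID.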
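Review bot: `script/release_sign.sh -S $(GPG_KEYID) -r release/$(VERSION) -v $(VERSION)` passes the key unquoted, so `make release GPG_KEYID=` (the obvious way to fall back to gpg's default key, which the script supports) expands to `-S -r release/…`, and getopts will take `-r` as the key id and leave the release directory as a stray positional argument. Quoting it, `-S "$(GPG_KEYID)"`, keeps the argument positions stable; alternatively emit the flag only when set, `$(if $(GPG_KEYID),-S "$(GPG_KEYID)")`. Note also that the signing step runs after the containerised build but is itself best-effort (the script exits 0 without a usable key), so a missing key does not fail `make release`.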
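Review bot: the rewritten usage text `[-a ]... [-c ] [-h ]` still lists `-h` in the same form as the value-taking options and does not mention `-H`, yet the new getopts string `a:c:H:hr:v:` moves the hash command to `-H` and makes `-h` a bare help flag (the placeholder names after each flag appear to have been lost in this rendering, so the exact wording in the file may differ). Suggest `echo "usage: release_build.sh [-a <arch>]... [-c <commit>] [-H <hashcmd>] [-h]" >&2` for the first line, with `[-r <releasedir>] [-v <version>]` on the second.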
@@ -114,41 +116,34 @@ function bail() {
 exit 0
 }
 
-# Conduct a sanity-check to make sure that GPG provided with the given
-# arguments can sign something. Inability to sign things is not a fatal error.
-function gpg_cansign() {
- gpg "$@" --clear-sign /dev/null
-}
-
 # When creating releases we need to build static binaries, an archive of the
 # current commit, and generate detached signatures for both.
-keyid=""
 commit="HEAD"
 version=""
 releasedir=""
 hashcmd=""
 declare -a add_arches
 
-while getopts "S:c:r:v:h:a:" opt; do
+while getopts "a:c:H:hr:v:" opt; do
 case "$opt" in
- S)
- keyid="$OPTARG"
+ a)
+ add_arches+=("$OPTARG")
 ;;
 c)
 commit="$OPTARG"
 ;;
+ H)
+ hashcmd="$OPTARG"
+ ;;
+ h)
+ usage
+ ;;
 r)
 releasedir="$OPTARG"
 ;;
 v)
 version="$OPTARG"
 ;;
- h)
- hashcmd="$OPTARG"
- ;;
- a)
- add_arches+=("$OPTARG")
- ;;
 :)
 echo "Missing argument: -$OPTARG" >&2
 usage
@@ -170,7 +165,6 @@ suffixes=("$native_arch" "${add_arches[@]}" tar.xz)
 log "creating $project release in '$releasedir'"
 log " version: $version"
 log " commit: $commit"
-log " key: ${keyid:-DEFAULT}"
 log " hash: $hashcmd"
 
 # Make explicit what we're doing.
@@ -191,16 +185,3 @@ git archive --format=tar --prefix="$project-$version/" "$commit" | xz >"$release
 # Add $project. prefix to all suffixes.
 "$hashcmd" "${suffixes[@]/#/$project.}" >"$project.$hashcmd"
 )
-
-# Set up the gpgflags.
-gpgflags=()
-[[ "$keyid" ]] && gpgflags=(--default-key "$keyid")
-gpg_cansign "${gpgflags[@]}" || bail "Could not find suitable GPG key, skipping signing step."
-
-# Sign everything.
-for sfx in "${suffixes[@]}"; do
- gpg "${gpgflags[@]}" --detach-sign --armor "$releasedir/$project.$sfx"
-done
-gpg "${gpgflags[@]}" --clear-sign --armor \
- --output "$releasedir/$project.$hashcmd"{.tmp,} &&
- mv "$releasedir/$project.$hashcmd"{.tmp,}
diff --git a/script/release_sign.sh b/script/release_sign.sh
new file mode 100755
index 00000000000..5b2e6f365f5
--- /dev/null
+++ b/script/release_sign.sh
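Review bot: the comment kept above the option block, `# current commit, and generate detached signatures for both.`, no longer describes this script — this hunk drops `gpg_cansign` and `keyid`, and the final hunk removes the whole signing pass, which now lives in release_sign.sh. Suggest `# When creating releases we need to build static binaries and an archive of the current commit; signing them is done separately by release_sign.sh.` Also, the new `h)` case jumps straight to `usage`, which prints to stderr and exits 1, so an explicit `-h` reports failure; a help request conventionally exits 0 (for example by letting `usage` take an exit code and calling `usage 0` here). The getopts loop and its `esac`/`done` continue past the end of this hunk.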
@@ -0,0 +1,107 @@
+#!/bin/bash
+# Copyright (C) 2017 SUSE LLC.
+# Copyright (C) 2017-2021 Open Containers Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+project="runc"
+root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
+
+# Print usage information.
+function usage() {
+ echo "usage: release_sign.sh [-S ] [-r ]" >&2
+ exit 1
+}
+
+# Log something to stderr.
+function log() {
+ echo "[*] $*" >&2
+}
+
+# Log something to stderr and then exit with 0.
+function bail() {
+ log "$@"
+ exit 0
+}
+
+# Conduct a sanity-check to make sure that GPG provided with the given
+# arguments can sign something. Inability to sign things is not a fatal error.
+function gpg_cansign() {
+ gpg "$@" --clear-sign /dev/null
+}
+
+# When creating releases we need to build static binaries, an archive of the
+# current commit, and generate detached signatures for both.
+keyid=""
+version=""
+releasedir=""
+hashcmd=""
+
+while getopts "H:hr:S:v:" opt; do
+ case "$opt" in
+ H)
+ hashcmd="$OPTARG"
+ ;;
+ h)
+ usage
+ ;;
+ r)
+ releasedir="$OPTARG"
+ ;;
+ S)
+ keyid="$OPTARG"
+ ;;
+ v)
+ version="$OPTARG"
+ ;;
+ :)
+ echo "Missing argument: -$OPTARG" >&2
+ usage
+ ;;
+ \?)
+ echo "Invalid option: -$OPTARG" >&2
+ usage
+ ;;
+ esac
+done
+
+version="${version:-$(<"$root/VERSION")}"
+releasedir="${releasedir:-release/$version}"
+hashcmd="${hashcmd:-sha256sum}"
+
+log "signing $project release in '$releasedir'"
+log " key: ${keyid:-DEFAULT}"
+log " hash: $hashcmd"
+
+# Make explicit what we're doing.
+set -x
+
+# Set up the gpgflags.
+gpgflags=()
+[[ "$keyid" ]] && gpgflags=(--default-key "$keyid")
+gpg_cansign "${gpgflags[@]}" || bail "Could not find suitable GPG key, skipping signing step."
+
+# Only needed for local signing -- change the owner since by default it's built
+# inside a container which means it'll have the wrong owner and permissions.
+[ -w "$releasedir" ] || sudo chown -R "$USER:$GROUP" "$releasedir"
+
+# Sign everything.
+for bin in "$releasedir/$project".*; do
+ [[ "$(basename "$bin")" == "$project.$hashcmd" ]] && continue # skip hash
+ gpg "${gpgflags[@]}" --detach-sign --armor "$bin"
+done
+gpg "${gpgflags[@]}" --clear-sign --armor \
+ --output "$releasedir/$project.$hashcmd"{.tmp,} &&
+ mv "$releasedir/$project.$hashcmd"{.tmp,}
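Review bot: `gpg_cansign "${gpgflags[@]}" || bail "Could not find suitable GPG key, skipping signing step."` turns a missing or unusable key into a success (`bail` exits 0), so `make release`, which now chains this script after the build, can finish with unsigned artefacts and a zero exit status; for a script whose only job is signing this should be fatal, e.g. `|| { log "Could not find suitable GPG key (key: ${keyid:-DEFAULT})"; exit 1; }`. The signing loop `for bin in "$releasedir/$project".*` also matches the `*.asc` files gpg writes by default (and a leftover `$project.$hashcmd.tmp`) from an earlier run, so re-running the script produces `runc.<arch>.asc.asc`; add `[[ "$bin" == *.asc || "$bin" == *.tmp ]] && continue` next to the existing hash-file skip. The `sudo chown -R "$USER:$GROUP" "$releasedir"` fallback relies on `$GROUP`, which bash does not set, so it silently degrades to `user:` and only works because GNU chown then picks the login group; `"$(id -u):$(id -g)"` states the intent without depending on the environment, and since `$releasedir` comes straight from `-r` it is worth a log line before escalating.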