Pull request 2277: AG-29637 Sign Windows
Squashed commit of the following: commitd22a4cb262
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Sep 11 15:19:01 2024 +0300 all: resolve tmp todos commit4574b050ba
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Sep 11 14:55:44 2024 +0300 bamboo: checkout later commit3036a46566
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Sep 11 14:35:36 2024 +0300 bamboo: list files commiteb675abfc0
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Sep 11 14:28:14 2024 +0300 bamboo: work with vcs properly commit0c34b4dcfd
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Sep 11 14:15:06 2024 +0300 bamboo: add repo name var commit15da8e294f
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Sep 11 14:06:26 2024 +0300 bamboo: upd api key commitb1d353dbc3
Merge:3309f0703
cbae07e8e
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Sep 10 19:29:29 2024 +0300 Merge branch 'master' into AG-29637-sign-windows commit3309f07031
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Sep 10 19:09:44 2024 +0300 all: only sign beta commitf61af53a70
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Sep 10 15:32:31 2024 +0300 all: sign windows
parent
cbae07e8e6
commit
a74c32f742
4
Makefile
4
Makefile
|
@ -23,6 +23,7 @@ VERBOSE.MACRO = $${VERBOSE:-0}
|
|||
CHANNEL = development
|
||||
CLIENT_DIR = client
|
||||
COMMIT = $$( git rev-parse --short HEAD )
|
||||
DEPLOY_SCRIPT_PATH = not/a/real/path
|
||||
DIST_DIR = dist
|
||||
GOAMD64 = v1
|
||||
GOPROXY = https://proxy.golang.org|direct
|
||||
|
@ -37,6 +38,7 @@ NPM_INSTALL_FLAGS = $(NPM_FLAGS) --quiet --no-progress --ignore-engines\
|
|||
--ignore-optional --ignore-platform --ignore-scripts
|
||||
RACE = 0
|
||||
SIGN = 1
|
||||
SIGNER_API_KEY = not-a-real-key
|
||||
VERSION = v0.0.0
|
||||
YARN = yarn
|
||||
|
||||
|
@ -60,6 +62,7 @@ BUILD_RELEASE_DEPS_1 = go-deps
|
|||
ENV = env\
|
||||
CHANNEL='$(CHANNEL)'\
|
||||
COMMIT='$(COMMIT)'\
|
||||
DEPLOY_SCRIPT_PATH='$(DEPLOY_SCRIPT_PATH)' \
|
||||
DIST_DIR='$(DIST_DIR)'\
|
||||
GO="$(GO.MACRO)"\
|
||||
GOAMD64='$(GOAMD64)'\
|
||||
|
@ -72,6 +75,7 @@ ENV = env\
|
|||
PATH="$${PWD}/bin:$$( "$(GO.MACRO)" env GOPATH )/bin:$${PATH}"\
|
||||
RACE='$(RACE)'\
|
||||
SIGN='$(SIGN)'\
|
||||
SIGNER_API_KEY='$(SIGNER_API_KEY)' \
|
||||
NEXTAPI='$(NEXTAPI)'\
|
||||
VERBOSE="$(VERBOSE.MACRO)"\
|
||||
VERSION="$(VERSION)"\
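Review bot: Because `SIGN = 1`, `SIGNER_API_KEY = not-a-real-key` and `DEPLOY_SCRIPT_PATH = not/a/real/path` are always non-empty and always exported through `ENV`, the `${SIGNER_API_KEY:?…}` and `${DEPLOY_SCRIPT_PATH:?…}` guards this commit adds to the release script cannot fire in a make-driven build. A beta build with a forgotten variable would instead fail later, at the exec of `not/a/real/path` or when the signer rejects the key, rather than with the intended message. Leaving the two defaults empty (`SIGNER_API_KEY =`, `DEPLOY_SCRIPT_PATH =`) would let the guards work; if the placeholders are deliberate, a comment such as `# Placeholder; must be overridden when SIGN=1 on a signing channel.` above them would say so. The two new `ENV` entries also end in ` \` where their neighbours end in `\`. The `ENV` definition starts and ends outside these hunks.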
|
||||
|
|
|
@ -91,6 +91,11 @@
|
|||
'tasks':
|
||||
- 'checkout':
|
||||
'force-clean-build': true
|
||||
- 'checkout':
|
||||
'repository': 'bamboo-deploy-publisher'
|
||||
# The paths are always relative to the working directory.
|
||||
'path': 'bamboo-deploy-publisher'
|
||||
'force-clean-build': true
|
||||
- 'script':
|
||||
'interpreter': 'SHELL'
|
||||
'scripts':
|
||||
|
@ -99,6 +104,9 @@
|
|||
|
||||
set -e -f -u -x
|
||||
|
||||
# Explicitly checkout the revision that we need.
|
||||
git checkout "${bamboo.repository.revision.number}"
|
||||
|
||||
# Run the build with the specified channel.
|
||||
echo "${bamboo.gpgSecretKeyPart1}${bamboo.gpgSecretKeyPart2}"\
|
||||
| awk '{ gsub(/\\n/, "\n"); print; }'\
|
||||
|
@ -107,6 +115,8 @@
|
|||
make\
|
||||
CHANNEL=${bamboo.channel}\
|
||||
GPG_KEY_PASSPHRASE=${bamboo.gpgPassword}\
|
||||
DEPLOY_SCRIPT_PATH="./bamboo-deploy-publisher/deploy.sh"\
|
||||
SIGNER_API_KEY="${bamboo.adguardHomeWinSignerSecretApiKey}"\
|
||||
FRONTEND_PREBUILT=1\
|
||||
PARALLELISM=1\
|
||||
VERBOSE=2\
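Review bot: `SIGNER_API_KEY="${bamboo.adguardHomeWinSignerSecretApiKey}"` is passed as a `make` command-line argument in a script running under `set -e -f -u -x`, so the expanded key goes to the xtrace output and stays in the argument list of `make` for the whole build. Whether the log copy is masked depends on Bamboo's variable-masking rules, which are not visible here, and the existing `GPG_KEY_PASSPHRASE` line has the same exposure. Consider bracketing the `make` call with `set +x` / `set -x`, or passing the key through the environment, which would also need the Makefile default to become `SIGNER_API_KEY ?= …` because a plain assignment overrides the environment. Separately, `deploy.sh` is checked out to `bamboo-deploy-publisher` inside the working directory of the code being built, and the visible lines do not pin its revision; a comment stating which revision is used, and that build steps must not write to that directory, would help. The script body continues outside these hunks.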
|
||||
|
|
|
@ -143,12 +143,6 @@
|
|||
'other':
|
||||
'clean-working-dir': true
|
||||
'tasks':
|
||||
# TODO(e.burkov): Remove after test.
|
||||
- 'checkout':
|
||||
'repository': 'bamboo-deploy-publisher'
|
||||
# The paths are always relative to the working directory.
|
||||
'path': 'bamboo-deploy-publisher'
|
||||
'force-clean-build': true
|
||||
- 'checkout':
|
||||
'force-clean-build': true
|
||||
- 'script':
|
||||
|
|
|
@ -83,11 +83,15 @@ if [ "$sign" -eq '1' ]
|
|||
then
|
||||
gpg_key_passphrase="${GPG_KEY_PASSPHRASE:?please set GPG_KEY_PASSPHRASE or unset SIGN}"
|
||||
gpg_key="${GPG_KEY:?please set GPG_KEY or unset SIGN}"
|
||||
signer_api_key="${SIGNER_API_KEY:?please set SIGNER_API_KEY or unset SIGN}"
|
||||
deploy_script_path="${DEPLOY_SCRIPT_PATH:?please set DEPLOY_SCRIPT_PATH or unset SIGN}"
|
||||
else
|
||||
gpg_key_passphrase=''
|
||||
gpg_key=''
|
||||
signer_api_key=''
|
||||
deploy_script_path=''
|
||||
fi
|
||||
readonly gpg_key_passphrase gpg_key
|
||||
readonly gpg_key_passphrase gpg_key signer_api_key deploy_script_path
|
||||
|
||||
# The default distribution files directory is dist.
|
||||
dist="${DIST_DIR:-dist}"
|
||||
|
@ -149,6 +153,50 @@ windows amd64 - -
|
|||
windows arm64 - -"
|
||||
readonly platforms
|
||||
|
||||
# Function sign signs the specified build as intended by the target operating
|
||||
# system.
|
||||
sign() {
|
||||
# Only sign if needed.
|
||||
if [ "$sign" -ne '1' ]
|
||||
then
|
||||
return
|
||||
fi
|
||||
|
||||
# Get the arguments. Here and below, use the "sign_" prefix for all
|
||||
# variables local to function sign.
|
||||
sign_os="$1"
|
||||
sign_bin_path="$2"
|
||||
|
||||
if [ "$sign_os" != 'windows' ]
|
||||
then
|
||||
gpg\
|
||||
--default-key "$gpg_key"\
|
||||
--detach-sig\
|
||||
--passphrase "$gpg_key_passphrase"\
|
||||
--pinentry-mode loopback\
|
||||
-q\
|
||||
"$sign_bin_path"\
|
||||
;
|
||||
|
||||
return
|
||||
# TODO(e.burkov): Enable for all releases.
|
||||
elif [ "$channel" != 'beta' ]
|
||||
then
|
||||
return
|
||||
fi
|
||||
|
||||
signed_bin_path="${sign_bin_path}.signed"
|
||||
|
||||
env\
|
||||
INPUT_FILE="$sign_bin_path"\
|
||||
OUTPUT_FILE="$signed_bin_path"\
|
||||
SIGNER_API_KEY="$signer_api_key"\
|
||||
"$deploy_script_path" sign-executable\
|
||||
;
|
||||
|
||||
mv "$signed_bin_path" "$sign_bin_path"
|
||||
}
|
||||
|
||||
# Function build builds the release for one platform. It builds a binary and an
|
||||
# archive.
|
||||
build() {
|
||||
|
@ -189,17 +237,7 @@ build() {
|
|||
|
||||
log "$build_output"
|
||||
|
||||
if [ "$sign" -eq '1' ]
|
||||
then
|
||||
gpg\
|
||||
--default-key "$gpg_key"\
|
||||
--detach-sig\
|
||||
--passphrase "$gpg_key_passphrase"\
|
||||
--pinentry-mode loopback\
|
||||
-q\
|
||||
"$build_output"\
|
||||
;
|
||||
fi
|
||||
sign "$os" "$build_output"
|
||||
|
||||
# Prepare the build directory for archiving.
|
||||
cp ./CHANGELOG.md ./LICENSE.txt ./README.md "$build_dir"
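Review bot: In `sign`, a Windows build on any channel other than beta returns from the `elif [ "$channel" != 'beta' ]` branch with no signature and no log line, whereas the block removed from `build` ran `gpg --detach-sig` on every `$build_output` when `SIGN` was 1. If the detached signature is still expected for those builds until the TODO is resolved, the first test could become `if [ "$sign_os" != 'windows' ] || [ "$channel" != 'beta' ]` with the `elif` dropped; otherwise add a `log` call in that branch saying the artifact is intentionally left unsigned. Beta Windows builds also no longer get a detached GPG signature, which deserves a sentence in the function comment. `signed_bin_path` does not follow the `sign_` prefix convention stated in the comment a few lines above it.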
|
||||
|
|