From a74c32f74227f26fd3a73d8be085b2d5fd363d10 Mon Sep 17 00:00:00 2001 From: Eugene Burkov Date: Wed, 11 Sep 2024 19:39:54 +0300 Subject: [PATCH] Pull request 2277: AG-29637 Sign Windows Squashed commit of the following: commit d22a4cb262c984241863d8dec1e498d83733ac6f Author: Eugene Burkov Date: Wed Sep 11 15:19:01 2024 +0300 all: resolve tmp todos commit 4574b050bae921ec9ebed5f90f96f571ca7800cd Author: Eugene Burkov Date: Wed Sep 11 14:55:44 2024 +0300 bamboo: checkout later commit 3036a46566c78350f1335cdd9f17f28c837b679f Author: Eugene Burkov Date: Wed Sep 11 14:35:36 2024 +0300 bamboo: list files commit eb675abfc0415907e41e08c8c2bc565162697478 Author: Eugene Burkov Date: Wed Sep 11 14:28:14 2024 +0300 bamboo: work with vcs properly commit 0c34b4dcfd836f0f1c01cbde50cfc505eb46a5ff Author: Eugene Burkov Date: Wed Sep 11 14:15:06 2024 +0300 bamboo: add repo name var commit 15da8e294f6ee43643787264492facd881bf7713 Author: Eugene Burkov Date: Wed Sep 11 14:06:26 2024 +0300 bamboo: upd api key commit b1d353dbc3b1b29596f15fa2c6fcb1d7d5f57d72 Merge: 3309f0703 cbae07e8e Author: Eugene Burkov Date: Tue Sep 10 19:29:29 2024 +0300 Merge branch 'master' into AG-29637-sign-windows commit 3309f07031331d6f72170a7bb91c35e0a2e50c46 Author: Eugene Burkov Date: Tue Sep 10 19:09:44 2024 +0300 all: only sign beta commit f61af53a70b3abd15717f341f07b58091eb4a988 Author: Eugene Burkov Date: Tue Sep 10 15:32:31 2024 +0300 all: sign windows
---
 Makefile | 4 +++ bamboo-specs/release.yaml | 10 ++++++ bamboo-specs/test.yaml | 6 ---- scripts/make/build-release.sh | 62 ++++++++++++++++++++++++++++------- 4 files changed, 64 insertions(+), 18 deletions(-)
diff --git a/Makefile b/Makefile
index 3bb721fc..6501e375 100644
--- a/Makefile
+++ b/Makefile
@@ -23,6 +23,7 @@ VERBOSE.MACRO = $${VERBOSE:-0} CHANNEL = development CLIENT_DIR = client COMMIT = $$( git rev-parse --short HEAD ) +DEPLOY_SCRIPT_PATH = not/a/real/path DIST_DIR = dist GOAMD64 = v1 GOPROXY = https://proxy.golang.org|direct 
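Review bot: The new default `DEPLOY_SCRIPT_PATH = not/a/real/path` is a non-empty placeholder, so the `${DEPLOY_SCRIPT_PATH:?…}` guard this patch adds to scripts/make/build-release.sh cannot fire when the script is driven through make with the default `SIGN = 1`; a run that forgot to override it fails later, when sign() tries to execute a path that does not exist, with a less useful message. The same applies to `SIGNER_API_KEY = not-a-real-key` in the next hunk, where the failure would instead surface from the signing service. Consider leaving both empty (`DEPLOY_SCRIPT_PATH =` and `SIGNER_API_KEY =`) so that the `:?` checks do what they were written for, or mark them with a comment such as `# Placeholder; CI supplies the real value, see bamboo-specs/release.yaml.`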
@@ -37,6 +38,7 @@ NPM_INSTALL_FLAGS = $(NPM_FLAGS) --quiet --no-progress --ignore-engines\ --ignore-optional --ignore-platform --ignore-scripts RACE = 0 SIGN = 1 +SIGNER_API_KEY = not-a-real-key VERSION = v0.0.0 YARN = yarn
@@ -60,6 +62,7 @@ BUILD_RELEASE_DEPS_1 = go-deps ENV = env\ CHANNEL='$(CHANNEL)'\ COMMIT='$(COMMIT)'\ + DEPLOY_SCRIPT_PATH='$(DEPLOY_SCRIPT_PATH)' \ DIST_DIR='$(DIST_DIR)'\ GO="$(GO.MACRO)"\ GOAMD64='$(GOAMD64)'\
@@ -72,6 +75,7 @@ ENV = env\ PATH="$${PWD}/bin:$$( "$(GO.MACRO)" env GOPATH )/bin:$${PATH}"\ RACE='$(RACE)'\ SIGN='$(SIGN)'\ + SIGNER_API_KEY='$(SIGNER_API_KEY)' \ NEXTAPI='$(NEXTAPI)'\ VERBOSE="$(VERBOSE.MACRO)"\ VERSION="$(VERSION)"\
diff --git a/bamboo-specs/release.yaml b/bamboo-specs/release.yaml
index d6432c27..5ace2365 100644
--- a/bamboo-specs/release.yaml
+++ b/bamboo-specs/release.yaml
@@ -91,6 +91,11 @@ 'tasks': - 'checkout': 'force-clean-build': true + - 'checkout': + 'repository': 'bamboo-deploy-publisher' + # The paths are always relative to the working directory. + 'path': 'bamboo-deploy-publisher' + 'force-clean-build': true - 'script': 'interpreter': 'SHELL' 'scripts':
@@ -99,6 +104,9 @@ set -e -f -u -x + # Explicitly checkout the revision that we need. + git checkout "${bamboo.repository.revision.number}" + # Run the build with the specified channel. echo "${bamboo.gpgSecretKeyPart1}${bamboo.gpgSecretKeyPart2}"\ | awk '{ gsub(/\\n/, "\n"); print; }'\
@@ -107,6 +115,8 @@ make\ CHANNEL=${bamboo.channel}\ GPG_KEY_PASSPHRASE=${bamboo.gpgPassword}\ + DEPLOY_SCRIPT_PATH="./bamboo-deploy-publisher/deploy.sh"\ + SIGNER_API_KEY="${bamboo.adguardHomeWinSignerSecretApiKey}"\ FRONTEND_PREBUILT=1\ PARALLELISM=1\ VERBOSE=2\
diff --git a/bamboo-specs/test.yaml b/bamboo-specs/test.yaml
index 26e0c5d3..29a8bae5 100644
--- a/bamboo-specs/test.yaml
+++ b/bamboo-specs/test.yaml 
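Review bot: The added line `DEPLOY_SCRIPT_PATH='$(DEPLOY_SCRIPT_PATH)' \` ends with a space before the backslash, while every neighbouring line of the `ENV` definition ends in `\` directly after the value; `SIGNER_API_KEY='$(SIGNER_API_KEY)' \` in the following hunk has the same shape. Writing them as `DEPLOY_SCRIPT_PATH='$(DEPLOY_SCRIPT_PATH)'\` and `SIGNER_API_KEY='$(SIGNER_API_KEY)'\` keeps the continuation style uniform. The `ENV` definition starts and ends outside both hunks.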
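Review bot: The second checkout places `bamboo-deploy-publisher` in the working directory without naming a revision, yet the script that release signing executes comes from it (`./bamboo-deploy-publisher/deploy.sh` is passed as `DEPLOY_SCRIPT_PATH` two hunks below); unless the plan's repository definition already pins it, the signing step runs whatever that repository's branch head is at build time, while the main repository is explicitly pinned to `${bamboo.repository.revision.number}` in the next hunk. A comment stating which branch or tag of the publisher repository is expected, or a pinned revision, would make the provenance of the signing helper as reproducible as the rest of the release build. Something like `# The deploy script is taken from this repository's <branch/tag> (placeholder); pin it when its interface changes.` would do.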
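Review bot: `SIGNER_API_KEY="${bamboo.adguardHomeWinSignerSecretApiKey}"\` puts the key on make's command line, and this script appears to run under the `set -e -f -u -x` shown in the previous hunk, so the expanded `make` invocation, key included, is traced to the build log; Bamboo's log masking for variables with "secret" in their names is presumably what keeps it out, and that dependency is not written down. `GPG_KEY_PASSPHRASE=${bamboo.gpgPassword}\` already has the same shape, so the patch follows existing practice; a comment such as `# The values below are kept out of the log only by Bamboo masking; keep "secret"/"password" in the variable names.` would make the reliance explicit. The `make` invocation continues outside the hunk.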
@@ -143,12 +143,6 @@ 'other': 'clean-working-dir': true 'tasks': - # TODO(e.burkov): Remove after test. - - 'checkout': - 'repository': 'bamboo-deploy-publisher' - # The paths are always relative to the working directory. - 'path': 'bamboo-deploy-publisher' - 'force-clean-build': true - 'checkout': 'force-clean-build': true - 'script':
diff --git a/scripts/make/build-release.sh b/scripts/make/build-release.sh
index 3bc8caf5..581081d5 100644
--- a/scripts/make/build-release.sh
+++ b/scripts/make/build-release.sh
@@ -83,11 +83,15 @@ if [ "$sign" -eq '1' ] then gpg_key_passphrase="${GPG_KEY_PASSPHRASE:?please set GPG_KEY_PASSPHRASE or unset SIGN}" gpg_key="${GPG_KEY:?please set GPG_KEY or unset SIGN}" + signer_api_key="${SIGNER_API_KEY:?please set SIGNER_API_KEY or unset SIGN}" + deploy_script_path="${DEPLOY_SCRIPT_PATH:?please set DEPLOY_SCRIPT_PATH or unset SIGN}" else gpg_key_passphrase='' gpg_key='' + signer_api_key='' + deploy_script_path='' fi -readonly gpg_key_passphrase gpg_key +readonly gpg_key_passphrase gpg_key signer_api_key deploy_script_path # The default distribution files directory is dist. dist="${DIST_DIR:-dist}" 
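Review bot: The two added `:?` guards require `SIGNER_API_KEY` and `DEPLOY_SCRIPT_PATH` for every run with `SIGN=1`, although the new sign() in the next hunk reads them only for the windows build on the beta channel; a signed build of any other platform or channel now fails at this check unless dummy values are supplied, which appears to be why the Makefile hunks add non-empty placeholders that in turn stop these guards from ever firing. Checking at the point of use keeps the guard honest: make the assignments here `signer_api_key="${SIGNER_API_KEY:-}"` and `deploy_script_path="${DEPLOY_SCRIPT_PATH:-}"`, and put `: "${signer_api_key:?please set SIGNER_API_KEY or unset SIGN}"` and `: "${deploy_script_path:?please set DEPLOY_SCRIPT_PATH or unset SIGN}"` at the start of sign()'s windows path. The enclosing `if [ "$sign" -eq '1' ]` begins outside the hunk.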
@@ -149,6 +153,50 @@ windows amd64 - - windows arm64 - -" readonly platforms +# Function sign signs the specified build as intended by the target operating +# system. +sign() { + # Only sign if needed. + if [ "$sign" -ne '1' ] + then + return + fi + + # Get the arguments. Here and below, use the "sign_" prefix for all + # variables local to function sign. + sign_os="$1" + sign_bin_path="$2" + + if [ "$sign_os" != 'windows' ] + then + gpg\ + --default-key "$gpg_key"\ + --detach-sig\ + --passphrase "$gpg_key_passphrase"\ + --pinentry-mode loopback\ + -q\ + "$sign_bin_path"\ + ; + + return + # TODO(e.burkov): Enable for all releases. + elif [ "$channel" != 'beta' ] + then + return + fi + + signed_bin_path="${sign_bin_path}.signed" + + env\ + INPUT_FILE="$sign_bin_path"\ + OUTPUT_FILE="$signed_bin_path"\ + SIGNER_API_KEY="$signer_api_key"\ + "$deploy_script_path" sign-executable\ + ; + + mv "$signed_bin_path" "$sign_bin_path" +} + # Function build builds the release for one platform. It builds a binary and an # archive. build() {
@@ -189,17 +237,7 @@ build() { log "$build_output" - if [ "$sign" -eq '1' ] - then - gpg\ - --default-key "$gpg_key"\ - --detach-sig\ - --passphrase "$gpg_key_passphrase"\ - --pinentry-mode loopback\ - -q\ - "$build_output"\ - ; - fi + sign "$os" "$build_output" # Prepare the build directory for archiving. cp ./CHANGELOG.md ./LICENSE.txt ./README.md "$build_dir"
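Review bot: sign() never runs gpg for a windows binary: the `if [ "$sign_os" != 'windows' ]` branch returns after gpg, and the windows path either returns (any channel other than beta) or runs the signer script, so the detached signature that the removed block in the next hunk produced for every platform is now dropped for windows on all channels, with beta getting only the signer-service signature and the other channels nothing. If that is not intended, sign the windows binary with the service first and then let every platform fall through to gpg, so the detached signature covers the file that is actually shipped rather than the pre-signing one. The rewrite below also renames `signed_bin_path` to `sign_signed_bin_path`, matching the prefix rule stated in the function's own comment, and moves the TODO next to the channel check it refers to rather than after a `return`.
```shell
sign() {
	# … unchanged: early return unless "$sign" is 1; sign_os and sign_bin_path assignment …

	# TODO(e.burkov): Enable for all releases.
	if [ "$sign_os" = 'windows' ] && [ "$channel" = 'beta' ]
	then
		sign_signed_bin_path="${sign_bin_path}.signed"

		env\
			INPUT_FILE="$sign_bin_path"\
			OUTPUT_FILE="$sign_signed_bin_path"\
			SIGNER_API_KEY="$signer_api_key"\
			"$deploy_script_path" sign-executable\
			;

		# Replace the binary before producing the detached signature so that
		# the signature covers the file that is shipped.
		mv "$sign_signed_bin_path" "$sign_bin_path"
	fi

	# … unchanged: the gpg --detach-sig invocation on "$sign_bin_path" …
}
```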