Pull request 2299: AG-29637 Sign release

Squashed commit of the following: commit 265097a29ed8e89933c08cb8094297ac89a8b140 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Nov 6 18:03:19 2024 +0300 all: fix darwin find, log changes commit 298b31c4078239ce83fdf7a3a741062e56f35b9d Merge: 82c487518 d06b18a49 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Nov 6 18:01:28 2024 +0300 Merge branch 'master' into AG-29637-sign-release commit 82c487518bd21a995921a7d5265da6884aac9e9f Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Nov 6 17:34:12 2024 +0300 scripts: imp fmt manually commit 4e33ec1a77dd239df8b5eeec16843e517797d486 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Nov 6 14:42:09 2024 +0300 scripts: imp fmt, sign releases
2024-11-06 18:45:21 +03:00 · 2024-11-06 18:45:21 +03:00 · b1a0f4fa44
parent d06b18a493
commit b1a0f4fa44
4 changed files with 105 additions and 150 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -25,6 +25,10 @@ See also the [v0.107.55 GitHub milestone][ms-v0.107.55].
 NOTE: Add new changes BELOW THIS COMMENT.
 -->
 ### Security
 - The release executables are now signed.
 <!--
 NOTE: Add new changes ABOVE THIS COMMENT.
 -->
--- a/scripts/make/build-docker.sh
+++ b/scripts/make/build-docker.sh
@ -2,8 +2,7 @@
 verbose="${VERBOSE:-0}"
-if [ "$verbose" -gt '0' ]
+if [ "$verbose" -gt '0' ]; then
 then
 	set -x
 	debug_flags='--debug=1'
 else
@ -20,8 +19,7 @@ commit="${COMMIT:?please set COMMIT}"
 dist_dir="${DIST_DIR:?please set DIST_DIR}"
 readonly channel commit dist_dir
-if [ "${VERSION:-}" = 'v0.0.0' ] || [ "${VERSION:-}" = '' ]
+if [ "${VERSION:-}" = 'v0.0.0' ] || [ "${VERSION:-}" = '' ]; then
 then
 	version="$(sh ./scripts/make/version.sh)"
 else
 	version="$VERSION"
@ -59,27 +57,26 @@ readonly docker_image_name
 docker_output="${DOCKER_OUTPUT:-type=image,name=${docker_image_name},push=false}"
 readonly docker_output
-case "$channel"
+case "$channel" in
-in
+'release')
 ('release')
 	docker_version_tag="--tag=${docker_image_name}:${version}"
 	docker_channel_tag="--tag=${docker_image_name}:latest"
 	;;
-('beta')
+'beta')
 	docker_version_tag="--tag=${docker_image_name}:${version}"
 	docker_channel_tag="--tag=${docker_image_name}:beta"
 	;;
-('edge')
+'edge')
 	# Set the version tag to an empty string when pushing to the edge channel.
 	docker_version_tag=''
 	docker_channel_tag="--tag=${docker_image_name}:edge"
 	;;
-('development')
+'development')
 	# Set both tags to an empty string for development builds.
 	docker_version_tag=''
 	docker_channel_tag=''
 	;;
-(*)
+*)
 	echo "invalid channel '$channel', supported values are\
 		'development', 'edge', 'beta', and 'release'" 1>&2
 	exit 1
@ -112,8 +109,9 @@ cp "${dist_dir}/AdGuardHome_linux_ppc64le/AdGuardHome/AdGuardHome"\
 #
 # TODO(a.garipov): Once flag --tag of docker buildx build supports commas, use
 # them instead.
-$sudo_cmd docker\
+#
-	"$debug_flags"\
+# shellcheck disable=SC2086
 $sudo_cmd docker "$debug_flags" \
 	buildx build \
 	--build-arg BUILD_DATE="$build_date" \
 	--build-arg DIST_DIR="$dist_dir" \
@ -121,7 +119,4 @@ $sudo_cmd docker\
 	--build-arg VERSION="$version" \
 	--output "$docker_output" \
 	--platform "$docker_platforms" \
-	$docker_version_tag\
+	$docker_version_tag $docker_channel_tag -f ./docker/Dockerfile .
 	$docker_channel_tag\
 	-f ./docker/Dockerfile\
 	.
--- a/scripts/make/build-release.sh
+++ b/scripts/make/build-release.sh
@ -15,8 +15,7 @@
 verbose="${VERBOSE:-0}"
 readonly verbose
-if [ "$verbose" -gt '1' ]
+if [ "$verbose" -gt '1' ]; then
 then
 	env
 	set -x
 fi
@ -32,8 +31,7 @@ set -e -f -u
 # Function log is an echo wrapper that writes to stderr if the caller requested
 # verbosity level greater than 0.  Otherwise, it does nothing.
 log() {
-	if [ "$verbose" -gt '0' ]
+	if [ "$verbose" -gt '0' ]; then
 	then
 		# Don't use quotes to get word splitting.
 		echo "$1" 1>&2
 	fi
@ -49,8 +47,7 @@ readonly channel
 # Check VERSION against the default value from the Makefile.  If it is that, use
 # the version calculation script.
 version="${VERSION:-}"
-if [ "$version" = 'v0.0.0' ] || [ "$version" = '' ]
+if [ "$version" = 'v0.0.0' ] || [ "$version" = '' ]; then
 then
 	version="$(sh ./scripts/make/version.sh)"
 fi
 readonly version
@ -60,8 +57,7 @@ log "version '$version'"
 # Check architecture and OS limiters.  Add spaces to the local versions for
 # better pattern matching.
-if [ "${ARCH:-}" != '' ]
+if [ "${ARCH:-}" != '' ]; then
 then
 	log "arches: '$ARCH'"
 	arches=" $ARCH "
 else
@ -69,8 +65,7 @@ else
 fi
 readonly arches
-if [ "${OS:-}" != '' ]
+if [ "${OS:-}" != '' ]; then
 then
 	log "oses: '$OS'"
 	oses=" $OS "
 else
@ -79,8 +74,7 @@ fi
 readonly oses
 # Require the gpg key and passphrase to be set if the signing is required.
-if [ "$sign" -eq '1' ]
+if [ "$sign" -eq '1' ]; then
 then
 	gpg_key_passphrase="${GPG_KEY_PASSPHRASE:?please set GPG_KEY_PASSPHRASE or unset SIGN}"
 	gpg_key="${GPG_KEY:?please set GPG_KEY or unset SIGN}"
 	signer_api_key="${SIGNER_API_KEY:?please set SIGNER_API_KEY or unset SIGN}"
@ -102,12 +96,9 @@ log "checking tools"
 # Make sure we fail gracefully if one of the tools we need is missing.  Use
 # alternatives when available.
 use_shasum='0'
-for tool in gpg gzip sed sha256sum tar zip
+for tool in gpg gzip sed sha256sum tar zip; do
-do
+	if ! command -v "$tool" >/dev/null; then
-	if ! command -v "$tool" > /dev/null
+		if [ "$tool" = 'sha256sum' ] && command -v 'shasum' >/dev/null; then
 	then
 		if [ "$tool" = 'sha256sum' ] && command -v 'shasum' > /dev/null
 		then
 			# macOS doesn't have sha256sum installed by default, but it does
 			# have shasum.
 			log 'replacing sha256sum with shasum -a 256'
@ -157,8 +148,7 @@ readonly platforms
 # system.
 sign() {
 	# Only sign if needed.
-	if [ "$sign" -ne '1' ]
+	if [ "$sign" -ne '1' ]; then
 	then
 		return
 	fi
@ -167,34 +157,25 @@ sign() {
 	sign_os="$1"
 	sign_bin_path="$2"
-	if [ "$sign_os" != 'windows' ]
+	if [ "$sign_os" != 'windows' ]; then
 	then
 		gpg \
 			--default-key "$gpg_key" \
 			--detach-sig \
 			--passphrase "$gpg_key_passphrase" \
-			--pinentry-mode loopback\
+			--pinentry-mode loopback -q "$sign_bin_path" \
 			-q\
 			"$sign_bin_path"\
 			;
 		return
-	# TODO(e.burkov):  Enable for all releases.
+	elif [ "$channel" = 'beta' ] || [ "$channel" = 'release' ]; then
 	elif [ "$channel" != 'beta' ]
 	then
 		return
 	fi
 		signed_bin_path="${sign_bin_path}.signed"
-	env\
+		env INPUT_FILE="$sign_bin_path" \
 		INPUT_FILE="$sign_bin_path"\
 			OUTPUT_FILE="$signed_bin_path" \
 			SIGNER_API_KEY="$signer_api_key" \
-		"$deploy_script_path" sign-executable\
+			"$deploy_script_path" sign-executable
 		;
 		mv "$signed_bin_path" "$sign_bin_path"
 	fi
 }
 # Function build builds the release for one platform.  It builds a binary and an
@ -211,8 +192,7 @@ build() {
 		;
 	# Use the ".exe" filename extension if we build a Windows release.
-	if [ "$build_os" = 'windows' ]
+	if [ "$build_os" = 'windows' ]; then
 	then
 		build_output="./${build_dir}/AdGuardHome.exe"
 	else
 		build_output="./${build_dir}/AdGuardHome"
@ -224,16 +204,14 @@ build() {
 	#
 	# Set GOARM and GOMIPS to an empty string if $build_arm and $build_mips are
 	# the zero value by removing the hyphen as if it's a prefix.
-	env\
+	env GOARCH="$build_arch" \
 		GOARCH="$build_arch"\
 		GOARM="${build_arm#-}" \
 		GOMIPS="${build_mips#-}" \
 		GOOS="$os" \
 		VERBOSE="$((verbose - 1))" \
 		VERSION="$version" \
 		OUT="$build_output" \
-		sh ./scripts/make/go-build.sh\
+		sh ./scripts/make/go-build.sh
 		;
 	log "$build_output"
@ -244,15 +222,14 @@ build() {
 	# Make archives.  Windows and macOS prefer ZIP archives; the rest,
 	# gzipped tarballs.
-	case "$build_os"
+	case "$build_os" in
-	in
+	'darwin' | 'windows')
 	('darwin'|'windows')
 		build_archive="./${dist}/${build_ar}.zip"
 		# TODO(a.garipov): Find an option similar to the -C option of tar for
 		# zip.
 		(cd "${dist}/${1}" && zip -9 -q -r "../../${build_archive}" "./AdGuardHome")
 		;;
-	(*)
+	*)
 		build_archive="./${dist}/${build_ar}.tar.gz"
 		tar -C "./${dist}/${1}" -c -f - "./AdGuardHome" | gzip -9 - >"$build_archive"
 		;;
@ -265,8 +242,7 @@ log "starting builds"
 # Go over all platforms defined in the space-separated table above, tweak the
 # values where necessary, and feed to build.
-echo "$platforms" | while read -r os arch arm mips
+echo "$platforms" | while read -r os arch arm mips; do
 do
 	# See if the architecture or the OS is in the allowlist.  To do so, try
 	# removing everything that matches the pattern (well, a prefix, but that
 	# doesn't matter here) containing the arch or the OS.
@ -277,29 +253,28 @@ do
 	# "* windows *", which doesn't match, so nothing is removed.
 	#
 	# See https://stackoverflow.com/a/43912605/1892060.
-	if [ "${arches##* $arch *}" != '' ]
+	#
-	then
+	# shellcheck disable=SC2295
 	if [ "${arches##* $arch *}" != '' ]; then
 		log "$arch excluded, continuing"
 		continue
-	elif [ "${oses##* $os *}" != '' ]
+	elif [ "${oses##* $os *}" != '' ]; then
 	then
 		log "$os excluded, continuing"
 		continue
 	fi
-	case "$arch"
+	case "$arch" in
-	in
+	arm)
 	(arm)
 		dir="AdGuardHome_${os}_${arch}_${arm}"
 		ar="AdGuardHome_${os}_${arch}v${arm}"
 		;;
-	(mips*)
+	mips*)
 		dir="AdGuardHome_${os}_${arch}_${mips}"
 		ar="$dir"
 		;;
-	(*)
+	*)
 		dir="AdGuardHome_${os}_${arch}"
 		ar="$dir"
 		;;
@ -319,8 +294,7 @@ log "calculating checksums"
 # calculate_checksums uses the previously detected SHA-256 tool to calculate
 # checksums.  Do not use find with -exec, since shasum requires arguments.
 calculate_checksums() {
-	if [ "$use_shasum" -eq '0' ]
+	if [ "$use_shasum" -eq '0' ]; then
 	then
 		sha256sum "$@"
 	else
 		shasum -a 256 "$@"
@ -339,12 +313,10 @@ calculate_checksums() {
 	: >./checksums.txt
-	for archive in ./*.zip ./*.tar.gz
+	for archive in ./*.zip ./*.tar.gz; do
 	do
 		# Make sure that we don't try to calculate a checksum for a glob pattern
 		# that matched no files.
-		if [ ! -f "$archive" ]
+		if [ ! -f "$archive" ]; then
 		then
 			continue
 		fi
@ -364,8 +336,7 @@ readonly version_download_url version_json
 # If the channel is edge, point users to the "Platforms" page on the Wiki,
 # because the direct links to the edge packages are listed there.
-if [ "$channel" = 'edge' ]
+if [ "$channel" = 'edge' ]; then
 then
 	announcement_url='https://github.com/AdguardTeam/AdGuardHome/wiki/Platforms'
 else
 	announcement_url="https://github.com/AdguardTeam/AdGuardHome/releases/tag/${version}"
@ -393,14 +364,13 @@ echo "
 # Same as with checksums above, don't use ls, because files matching one of the
 # patterns may be absent.
-ar_files="$( find "./${dist}/" ! -name "${dist}" -prune \( -name '*.tar.gz' -o -name '*.zip' \) )"
+ar_files="$(find "./${dist}" ! -name "${dist}" -prune \( -name '*.tar.gz' -o -name '*.zip' \))"
 ar_files_len="$(echo "$ar_files" | wc -l)"
 readonly ar_files ar_files_len
 i='1'
 # Don't use quotes to get word splitting.
-for f in $ar_files
+for f in $ar_files; do
 do
 	platform="$f"
 	# Remove the prefix.
@ -413,8 +383,7 @@ do
 	# Use the filename's base path.
 	filename="${f#"./${dist}/"}"
-	if [ "$i" -eq "$ar_files_len" ]
+	if [ "$i" -eq "$ar_files_len" ]; then
 	then
 		echo "  \"download_${platform}\": \"${version_download_url}/${filename}\"" >>"$version_json"
 	else
 		echo "  \"download_${platform}\": \"${version_download_url}/${filename}\"," >>"$version_json"
--- a/scripts/make/sh-lint.sh
+++ b/scripts/make/sh-lint.sh
@ -22,18 +22,5 @@ fi
 shellcheck -e 'SC2250' -f 'gcc' -o 'all' -x --\
 	./scripts/hooks/*\
 	./scripts/snap/*\
-	./scripts/make/clean.sh\
+	./scripts/make/*\
 	./scripts/make/go-bench.sh\
 	./scripts/make/go-build.sh\
 	./scripts/make/go-deps.sh\
 	./scripts/make/go-fuzz.sh\
 	./scripts/make/go-lint.sh\
 	./scripts/make/go-test.sh\
 	./scripts/make/go-tools.sh\
 	./scripts/make/go-upd-tools.sh\
 	./scripts/make/helper.sh\
 	./scripts/make/md-lint.sh\
 	./scripts/make/sh-lint.sh\
 	./scripts/make/txt-lint.sh\
 	./scripts/make/version.sh\
 	;