all: sign windows

Eugene Burkov 2024-09-10 15:32:31 +03:00
parent 6fe4b9440d
commit f61af53a70
4 changed files with 83 additions and 13 deletions


@ -23,6 +23,7 @@ VERBOSE.MACRO = $${VERBOSE:-0}
CHANNEL = development CHANNEL = development
CLIENT_DIR = client CLIENT_DIR = client
COMMIT = $$( git rev-parse --short HEAD ) COMMIT = $$( git rev-parse --short HEAD )
DEPLOY_SCRIPT_PATH = not/a/real/path
DIST_DIR = dist DIST_DIR = dist
GOAMD64 = v1 GOAMD64 = v1
GOPROXY = https://proxy.golang.org|direct GOPROXY = https://proxy.golang.org|direct
@ -37,6 +38,7 @@ NPM_INSTALL_FLAGS = $(NPM_FLAGS) --quiet --no-progress --ignore-engines\
--ignore-optional --ignore-platform --ignore-scripts --ignore-optional --ignore-platform --ignore-scripts
RACE = 0 RACE = 0
SIGN = 1 SIGN = 1
SIGNER_API_KEY = not-a-real-key
VERSION = v0.0.0 VERSION = v0.0.0
YARN = yarn YARN = yarn
@ -60,6 +62,7 @@ BUILD_RELEASE_DEPS_1 = go-deps
ENV = env\ ENV = env\
CHANNEL='$(CHANNEL)'\ CHANNEL='$(CHANNEL)'\
COMMIT='$(COMMIT)'\ COMMIT='$(COMMIT)'\
DEPLOY_SCRIPT_PATH='$(DEPLOY_SCRIPT_PATH)' \
DIST_DIR='$(DIST_DIR)'\ DIST_DIR='$(DIST_DIR)'\
GO="$(GO.MACRO)"\ GO="$(GO.MACRO)"\
GOAMD64='$(GOAMD64)'\ GOAMD64='$(GOAMD64)'\
@ -72,6 +75,7 @@ ENV = env\
PATH="$${PWD}/bin:$$( "$(GO.MACRO)" env GOPATH )/bin:$${PATH}"\ PATH="$${PWD}/bin:$$( "$(GO.MACRO)" env GOPATH )/bin:$${PATH}"\
RACE='$(RACE)'\ RACE='$(RACE)'\
SIGN='$(SIGN)'\ SIGN='$(SIGN)'\
SIGNER_API_KEY='$(SIGNER_API_KEY)' \
NEXTAPI='$(NEXTAPI)'\ NEXTAPI='$(NEXTAPI)'\
VERBOSE="$(VERBOSE.MACRO)"\ VERBOSE="$(VERBOSE.MACRO)"\
VERSION="$(VERSION)"\ VERSION="$(VERSION)"\
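Review bot: Adding `SIGNER_API_KEY='$(SIGNER_API_KEY)'` to the shared `ENV` macro puts the signer key on the `env` command line of every recipe that expands `$(ENV)`, not only the one that signs, and make echoes that line unless the recipe is silenced. Consider passing the key only in the release recipe, or exporting it so that it travels through the environment rather than through argv. The non-empty placeholder defaults (`not-a-real-key`, `not/a/real/path`) together with `SIGN = 1` also mean the `${SIGNER_API_KEY:?…}` guard in the build script cannot catch a key that was never supplied; a comment such as `# Placeholder; must be overridden when SIGN=1 and windows is built.` would make that explicit. The `ENV` definition continues outside these hunks.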


@ -89,6 +89,11 @@
'other': 'other':
'clean-working-dir': true 'clean-working-dir': true
'tasks': 'tasks':
- 'checkout':
'repository': 'bamboo-deploy-publisher'
# The paths are always relative to the working directory.
'path': 'bamboo-deploy-publisher'
'force-clean-build': true
- 'checkout': - 'checkout':
'force-clean-build': true 'force-clean-build': true
- 'script': - 'script':
@ -99,6 +104,12 @@
set -e -f -u -x set -e -f -u -x
# Follow the working repository path.
cd "${bamboo.name}"
# Explicitly checkout the revision that we need.
git checkout "${bamboo.repository.revision.number}"
# Run the build with the specified channel. # Run the build with the specified channel.
echo "${bamboo.gpgSecretKeyPart1}${bamboo.gpgSecretKeyPart2}"\ echo "${bamboo.gpgSecretKeyPart1}${bamboo.gpgSecretKeyPart2}"\
| awk '{ gsub(/\\n/, "\n"); print; }'\ | awk '{ gsub(/\\n/, "\n"); print; }'\
@ -107,6 +118,8 @@
make\ make\
CHANNEL=${bamboo.channel}\ CHANNEL=${bamboo.channel}\
GPG_KEY_PASSPHRASE=${bamboo.gpgPassword}\ GPG_KEY_PASSPHRASE=${bamboo.gpgPassword}\
DEPLOY_SCRIPT_PATH="../bamboo-deploy-publisher/deploy.sh"\
SIGNER_API_KEY="${bamboo.adguardDnsClientWinSignerSecretApiKey}"\
FRONTEND_PREBUILT=1\ FRONTEND_PREBUILT=1\
PARALLELISM=1\ PARALLELISM=1\
VERBOSE=2\ VERBOSE=2\
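Review bot: The new `checkout` task pulls `bamboo-deploy-publisher` with no revision pin visible in the spec, and its `deploy.sh` is then handed `SIGNER_API_KEY` by the `make` call below, so whatever is at the head of that repository at build time runs with the signing credential. If the linked-repository definition does not already fix a branch or tag (not visible here), pin one, and add a comment next to `DEPLOY_SCRIPT_PATH` such as `# deploy.sh receives the Windows signer API key; keep this checkout pinned.`. The same applies to the identical task added in the next spec file. The script block starts and ends outside these hunks.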


@ -143,6 +143,11 @@
'other': 'other':
'clean-working-dir': true 'clean-working-dir': true
'tasks': 'tasks':
- 'checkout':
'repository': 'bamboo-deploy-publisher'
# The paths are always relative to the working directory.
'path': 'bamboo-deploy-publisher'
'force-clean-build': true
- 'checkout': - 'checkout':
'force-clean-build': true 'force-clean-build': true
- 'script': - 'script':
@ -153,13 +158,27 @@
set -e -f -u -x set -e -f -u -x
# Follow the working repository path.
cd "${bamboo.name}"
# Explicitly checkout the revision that we need.
git checkout "${bamboo.repository.revision.number}"
# Run the build with the specified channel.
echo "${bamboo.gpgSecretKeyPart1}${bamboo.gpgSecretKeyPart2}"\
| awk '{ gsub(/\\n/, "\n"); print; }'\
| gpg --import --batch --yes
make\ make\
ARCH="amd64"\ ARCH="amd64"\
CHANNEL=${bamboo.channel}\ CHANNEL=${bamboo.channel}\
GPG_KEY_PASSPHRASE=${bamboo.gpgPassword}\
DEPLOY_SCRIPT_PATH="../bamboo-deploy-publisher/deploy.sh"\
SIGNER_API_KEY="${bamboo.adguardDnsClientWinSignerSecretApiKey}"\
FRONTEND_PREBUILT=1\ FRONTEND_PREBUILT=1\
OS="windows darwin linux"\ OS="windows darwin linux"\
PARALLELISM=1\ PARALLELISM=1\
SIGN=0\ SIGN=1\
VERBOSE=2\ VERBOSE=2\
build-release build-release
'requirements': 'requirements':
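Review bot: `GPG_KEY_PASSPHRASE=${bamboo.gpgPassword}\` is added unquoted while the two lines after it are quoted; the dotted name is not a shell variable, so the value is substituted into the script text before the shell parses it, and a passphrase containing whitespace would be split into separate `make` arguments. Write `GPG_KEY_PASSPHRASE="${bamboo.gpgPassword}"\`, and the same for `CHANNEL`; the previous spec file carries the same unquoted line as context. Because the block runs under `set -x`, the expanded `gpg --import` pipeline and `make` line are also traced to the build log, so secrecy here depends on the CI server masking those values. Wrapping those commands in `set +x` / `set -x` would remove that dependency.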


@ -83,11 +83,15 @@ if [ "$sign" -eq '1' ]
then then
gpg_key_passphrase="${GPG_KEY_PASSPHRASE:?please set GPG_KEY_PASSPHRASE or unset SIGN}" gpg_key_passphrase="${GPG_KEY_PASSPHRASE:?please set GPG_KEY_PASSPHRASE or unset SIGN}"
gpg_key="${GPG_KEY:?please set GPG_KEY or unset SIGN}" gpg_key="${GPG_KEY:?please set GPG_KEY or unset SIGN}"
signer_api_key="${SIGNER_API_KEY:?please set SIGNER_API_KEY or unset SIGN}"
deploy_script_path="${DEPLOY_SCRIPT_PATH:?please set DEPLOY_SCRIPT_PATH or unset SIGN}"
else else
gpg_key_passphrase='' gpg_key_passphrase=''
gpg_key='' gpg_key=''
signer_api_key=''
deploy_script_path=''
fi fi
readonly gpg_key_passphrase gpg_key readonly gpg_key_passphrase gpg_key signer_api_key deploy_script_path
# The default distribution files directory is dist. # The default distribution files directory is dist.
dist="${DIST_DIR:-dist}" dist="${DIST_DIR:-dist}"
@ -149,6 +153,46 @@ windows amd64 - -
windows arm64 - -" windows arm64 - -"
readonly platforms readonly platforms
# Function sign signs the specified build as intended by the target operating
# system.
sign() {
# Only sign if needed.
if [ "$sign" -ne '1' ]
then
return
fi
# Get the arguments. Here and below, use the "sign_" prefix for all
# variables local to function sign.
sign_os="$1"
sign_bin_path="$2"
if [ "$sign_os" != 'windows' ]
then
gpg\
--default-key "$gpg_key"\
--detach-sig\
--passphrase "$gpg_key_passphrase"\
--pinentry-mode loopback\
-q\
"$sign_bin_path"\
;
return
fi
signed_bin_path="${sign_bin_path}.signed"
env\
INPUT_FILE="$sign_bin_path"\
OUTPUT_FILE="$signed_bin_path"\
SIGNER_API_KEY="$signer_api_key"\
"$deploy_script_path" sign-executable\
;
mv "$signed_bin_path" "$sign_bin_path"
}
# Function build builds the release for one platform. It builds a binary and an # Function build builds the release for one platform. It builds a binary and an
# archive. # archive.
build() { build() {
@ -189,17 +233,7 @@ build() {
log "$build_output" log "$build_output"
if [ "$sign" -eq '1' ] sign "$os" "$build_output"
then
gpg\
--default-key "$gpg_key"\
--detach-sig\
--passphrase "$gpg_key_passphrase"\
--pinentry-mode loopback\
-q\
"$build_output"\
;
fi
# Prepare the build directory for archiving. # Prepare the build directory for archiving.
cp ./CHANGELOG.md ./LICENSE.txt ./README.md "$build_dir" cp ./CHANGELOG.md ./LICENSE.txt ./README.md "$build_dir"
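Review bot: Both secrets used by `sign` end up on a command line: the GPG passphrase through `--passphrase "$gpg_key_passphrase"` and the API key as an argument to `env`, where other local users on the build agent can typically read them from the process list, and where an xtrace would print them if this script enables one (not visible here). Feed the passphrase on a descriptor, `printf '%s' "$gpg_key_passphrase" | gpg --default-key "$gpg_key" --detach-sig --passphrase-fd 0 --pinentry-mode loopback -q "$sign_bin_path"`, and use shell assignment prefixes instead of `env`: `INPUT_FILE="$sign_bin_path" OUTPUT_FILE="$signed_bin_path" SIGNER_API_KEY="$signer_api_key" "$deploy_script_path" sign-executable`. `signed_bin_path` should be `sign_signed_bin_path` to follow the prefix rule stated in the function's own comment. It is also worth checking `[ -s "$signed_bin_path" ]` before the `mv`, so an empty output never replaces the built binary.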