[releaseme] /: implement signing of archives
Harald Sitter
sitter at kde.org
Sun Jun 5 08:57:03 UTC 2016
Git commit 900d4ba9ec15f06f85721cbe2faad160de32ef87 by Harald Sitter.
Committed on 05/06/2016 at 08:57.
Pushed by sitter into branch 'master'.
implement signing of archives
all release archives are signed by default with the default key of the user
probably could use some improvements WRT specifying which key to use etc
CCMAIL: release-team at kde.org
CCMAIL: jr at jriddell.org
A +34 -0 lib/archive_signer.rb
M +2 -0 lib/release.rb
M +1 -1 lib/requirement_checker.rb
A +- -- test/data/keyring/private-keys-v1.d/3BF251A99E11FF6775E40E728275619C431E2267.key
A +- -- test/data/keyring/private-keys-v1.d/76257CD89318E4D3DA24CC22055BE47E6D575BF5.key
A +- -- test/data/keyring/pubring.kbx
A +- -- test/data/keyring/trustdb.gpg
M +5 -0 test/lib/testme.rb
A +43 -0 test/test_archive_signer.rb
M +1 -0 test/test_release.rb
http://commits.kde.org/releaseme/900d4ba9ec15f06f85721cbe2faad160de32ef87
diff --git a/lib/archive_signer.rb b/lib/archive_signer.rb
new file mode 100644
index 0000000..4b4f076
--- /dev/null
+++ b/lib/archive_signer.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+#
+# Copyright (C) 2016 Harald Sitter <sitter at kde.org>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License or (at your option) version 3 or any later version
+# accepted by the membership of KDE e.V. (or its successor approved
+# by the membership of KDE e.V.), which shall act as a proxy
+# defined in Section 14 of version 3 of the license.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+class ArchiveSigner
+ attr_reader :signature
+
+ def initalize
+ @signature = nil
+ end
+
+ def sign(archive)
+ file = archive.filename
+ sigfile = "#{file}.sig"
+ system("gpg2 --armor --detach-sign -o #{sigfile} #{file}") || raise
+ @signature = File.absolute_path(sigfile)
+ end
+end
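Review bot: `sign` builds the gpg2 command line by string interpolation at L60, so an archive filename containing whitespace or shell metacharacters is split or interpreted by the shell; use the argv form, `system('gpg2', '--batch', '--armor', '--detach-sign', '-o', sigfile, file) || raise("gpg2 failed to sign #{file}")`, which also gives the bare `raise` a message instead of the generic "unhandled exception". The constructor is misspelled `initalize` at L53, so `new` never calls it; rename it to `initialize` (the `attr_reader` returns nil regardless, which is why the typo is currently invisible). Without `--batch`, gpg2 may prompt when `sigfile` already exists, which would stall a non-interactive release run — worth confirming against the gpg2 version in use.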
diff --git a/lib/release.rb b/lib/release.rb
index 4e832d0..8ed9878 100644
--- a/lib/release.rb
+++ b/lib/release.rb
@@ -18,6 +18,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
+require_relative 'archive_signer'
require_relative 'documentation'
require_relative 'l10n'
require_relative 'logable'
@@ -89,5 +90,6 @@ class Release
source.clean(project.vcs)
@archive_.directory = source.target
@archive_.create
+ ArchiveSigner.new.sign(@archive_)
end
end
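Review bot: The `ArchiveSigner` created at L79 is dropped as soon as `sign` returns, so the `.sig` path it exposes through `signature` is not retained by `Release`; if a later step is meant to publish the signature next to the archive, keep it, e.g. `@signer = ArchiveSigner.new` followed by `@signer.sign(@archive_)`, or record the return value of `sign`. Signing is also unconditional here, so every `archive` call now requires a usable default secret key, which the commit message itself flags as still open. The enclosing method starts outside the hunk.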
diff --git a/lib/requirement_checker.rb b/lib/requirement_checker.rb
index c7995ac..c2ba63c 100644
--- a/lib/requirement_checker.rb
+++ b/lib/requirement_checker.rb
@@ -1,6 +1,6 @@
class RequirementChecker
COMPATIBLE_RUBIES = %w(2.1.0 2.2.0 2.3.0)
- REQUIRED_BINARIES = %w(svn git tar xz msgfmt)
+ REQUIRED_BINARIES = %w(svn git tar xz msgfmt gpg2)
def initialize
@ruby_version = RUBY_VERSION
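Review bot: Adding `gpg2` to `REQUIRED_BINARIES` at L90 only establishes that the binary is on PATH; a missing or unusable default secret key still surfaces only as a bare `raise` from `ArchiveSigner#sign`, after the archive has already been built. If `RequirementChecker` reports failures up front (its reporting path is not shown here), a probe that performs a throw-away detached signature on a temp file during the check would fail early with a clearer message.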
diff --git a/test/data/keyring/private-keys-v1.d/3BF251A99E11FF6775E40E728275619C431E2267.key b/test/data/keyring/private-keys-v1.d/3BF251A99E11FF6775E40E728275619C431E2267.key
new file mode 100644
index 0000000..fd87924
Binary files /dev/null and b/test/data/keyring/private-keys-v1.d/3BF251A99E11FF6775E40E728275619C431E2267.key differ
diff --git a/test/data/keyring/private-keys-v1.d/76257CD89318E4D3DA24CC22055BE47E6D575BF5.key b/test/data/keyring/private-keys-v1.d/76257CD89318E4D3DA24CC22055BE47E6D575BF5.key
new file mode 100644
index 0000000..c32eda3
Binary files /dev/null and b/test/data/keyring/private-keys-v1.d/76257CD89318E4D3DA24CC22055BE47E6D575BF5.key differ
diff --git a/test/data/keyring/pubring.kbx b/test/data/keyring/pubring.kbx
new file mode 100644
index 0000000..7171e11
Binary files /dev/null and b/test/data/keyring/pubring.kbx differ
diff --git a/test/data/keyring/trustdb.gpg b/test/data/keyring/trustdb.gpg
new file mode 100644
index 0000000..4b0a711
Binary files /dev/null and b/test/data/keyring/trustdb.gpg differ
diff --git a/test/lib/testme.rb b/test/lib/testme.rb
index f1c9da5..4ee3cd2 100644
--- a/test/lib/testme.rb
+++ b/test/lib/testme.rb
@@ -30,6 +30,10 @@ class Testme < Test::Unit::TestCase
`git config --global --unset user.name` unless @git_config_name.nil?
end
+ def setup_env
+ ENV['GNUPGHOME'] = data('keyring')
+ end
+
def priority_setup
ENV['RELEASEME_SHUTUP'] = 'true'
@tmpdir = Dir.mktmpdir("testme-#{self.class}")
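Review bot: `setup_env` at L116-L118 overwrites `ENV['GNUPGHOME']` for the whole test process and nothing restores it, whereas the adjacent teardown at L114 undoes the equivalent git configuration; save the prior value, `@gnupghome = ENV['GNUPGHOME']`, before assigning, and restore it with `ENV['GNUPGHOME'] = @gnupghome` in the teardown (assigning nil removes the variable). The second hunk at L127 only wires the call into `priority_setup` and has the same omission. Presumably `data('keyring')` is absolute; if it is relative, the `Dir.chdir(@tmpdir)` at L125 would change what gpg2 resolves — confirm.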
@@ -38,6 +42,7 @@ class Testme < Test::Unit::TestCase
@pwdir = Dir.pwd
Dir.chdir(@tmpdir)
setup_git
+ setup_env
end
def priority_teardown
diff --git a/test/test_archive_signer.rb b/test/test_archive_signer.rb
new file mode 100644
index 0000000..7a3dbe2
--- /dev/null
+++ b/test/test_archive_signer.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+#
+# Copyright (C) 2016 Harald Sitter <sitter at kde.org>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License or (at your option) version 3 or any later version
+# accepted by the membership of KDE e.V. (or its successor approved
+# by the membership of KDE e.V.), which shall act as a proxy
+# defined in Section 14 of version 3 of the license.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+require 'fileutils'
+
+require_relative 'lib/testme'
+require_relative '../lib/archive_signer'
+require_relative '../lib/xzarchive'
+
+class TestArchiveSigner < Testme
+ def test_sign
+ Dir.mkdir('wroom')
+ archive = XzArchive.new
+ archive.directory = 'wroom'
+ archive.create
+ assert_path_exist(archive.filename)
+ Dir.delete('wroom')
+ system("tar -xf #{archive.filename}")
+ assert_path_exist('wroom')
+
+ signer = ArchiveSigner.new
+ signer.sign(archive)
+ assert_path_exist(signer.signature)
+ assert(system("gpg2 --verify #{signer.signature}"))
+ end
+end
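Review bot: `gpg2 --verify #{signer.signature}` at L176 passes only the detached signature, so gpg2 has to infer the signed file by stripping `.sig`; pass both and avoid the shell, `assert(system('gpg2', '--batch', '--verify', signer.signature, archive.filename))`. The `tar -xf` at L170 discards its exit status and the following `assert_path_exist('wroom')` only indirectly covers a failed extraction, so `assert(system('tar', '-xf', archive.filename))` is clearer. The test also does not remove the `.sig` or the extracted tree; presumably the per-test `@tmpdir` from `Testme` takes care of that — confirm.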
diff --git a/test/test_release.rb b/test/test_release.rb
index 8f69a4f..cbb2837 100644
--- a/test/test_release.rb
+++ b/test/test_release.rb
@@ -98,6 +98,7 @@ class TestRelease < Testme
assert(!File.exist?("#{@dir}.tar.xz"))
r.archive
assert(File.exist?("#{@dir}.tar.xz"))
+ assert_path_exist("#{@dir}.tar.xz.sig")
assert(File.exist?(@dir))
r.source.cleanup