authorWerner Koch <wk@gnupg.org>2020-08-26 13:57:14 +0200
committerWerner Koch <wk@gnupg.org>2020-08-26 13:57:14 +0200
commit4699911f047c74565ad0fd5a8e58b21a70e4bbc7 (patch)
tree6dc6c71846e2b27597233a43ce831d0a7f0838b1
parentgpg: Remove left over debug output from recent change. (diff)
downloadgnupg2-4699911f047c74565ad0fd5a8e58b21a70e4bbc7.tar.xz
gnupg2-4699911f047c74565ad0fd5a8e58b21a70e4bbc7.zip
speedo: Allow customizing the release process
--
-rw-r--r--Makefile.am37
-rw-r--r--build-aux/speedo.mk65
2 files changed, 77 insertions, 25 deletions
diff --git a/Makefile.am b/Makefile.am
index 405d99d09..064ea88ef 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -18,14 +18,13 @@
## Process this file with automake to produce Makefile.in
-# Location of the released tarball archives. Note that this is an
-# internal archive and before uploading this to the public server,
-# manual tests should be run and the git release tag set and pushed.
-# Adjust as needed.
-RELEASE_ARCHIVE_DIR = wk@vigenere:tarballs/gnupg/v2.2
-
-# The key used to sign the released sources. Adjust as needed.
-RELEASE_SIGNING_KEY = D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
+# Location of the released tarball archives. This is prefixed by
+# the variable RELEASE_ARCHIVE in ~/.gnupg-autogen.rc. For example:
+# RELEASE_ARCHIVE=user@host:archive/tarballs
+RELEASE_ARCHIVE_SUFFIX = gnupg/v2.3
+# The variable RELEASE_SIGNKEY in ~/.gnupg-autogen.rc is used
+# to specify the key for signing. For example:
+# RELEASE_SIGNKEY=D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
# Autoconf flags.
@@ -203,6 +202,18 @@ release:
sign-release:
+(set -e; \
cd dist; \
+ x=$$(grep '^RELEASE_ARCHIVE=' $$HOME/.gnupg-autogen.rc|cut -d= -f2);\
+ if [ -z "$$x" ]; then \
+ echo "error: RELEASE_ARCHIVE missing in ~/.gnupg-autogen.rc">&2; \
+ exit 2;\
+ fi;\
+ myarchive="$$x/$(RELEASE_ARCHIVE_SUFFIX)";\
+ x=$$(grep '^RELEASE_SIGNKEY=' $$HOME/.gnupg-autogen.rc|cut -d= -f2);\
+ if [ -z "$$x" ]; then \
+ echo "error: RELEASE_SIGNKEY missing in ~/.gnupg-autogen.rc">&2; \
+ exit 2;\
+ fi;\
+ mysignkey="$$x";\
release_w32_name="$(RELEASE_W32_STEM_NAME)_$$(date -u +%Y%m%d)" ;\
files1="$(RELEASE_NAME).tar.bz2 \
$${release_w32_name}.tar.xz \
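Review bot: The `grep '^RELEASE_SIGNKEY=' … |cut -d= -f2` lookups added to sign-release accept whatever the rc file yields: two matching lines produce a multi-word value, text after a second `=` is dropped, and nothing checks that the sign key looks like a fingerprint before it reaches `gpg -u`. Because this value selects the release signing key, I would take a single match and validate it, e.g. `x=$$(grep '^RELEASE_SIGNKEY=' "$$HOME/.gnupg-autogen.rc"|tail -n1|cut -d= -f2-)` followed by a `case "$$x" in *[!0-9A-Fa-f]*) … exit 2;; esac` guard. The same grep/cut parsing is used by READ_AUTOGEN_template in build-aux/speedo.mk, so the point applies there too. The sign-release recipe starts before and continues after this hunk.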
@@ -215,11 +226,11 @@ sign-release:
$${release_w32_name}.exe.swdb" ;\
$(MAKE) -f $(RELEASE_NAME)/build-aux/speedo.mk w32-sign-installer ;\
echo "/* Signing the source tarball ..." ;\
- gpg -sbu $(RELEASE_SIGNING_KEY) $(RELEASE_NAME).tar.bz2 ;\
+ gpg -sbu $$mysignkey $(RELEASE_NAME).tar.bz2 ;\
echo "/* Signing the W32 source tarball ..." ;\
- gpg -sbu $(RELEASE_SIGNING_KEY) $${release_w32_name}.tar.xz ;\
+ gpg -sbu $$mysignkey $${release_w32_name}.tar.xz ;\
echo "/* Signing the W32 installer ..." ;\
- gpg -sbu $(RELEASE_SIGNING_KEY) $${release_w32_name}.exe ;\
+ gpg -sbu $$mysignkey $${release_w32_name}.exe ;\
cat $(RELEASE_NAME).swdb >swdb.snippet;\
echo '#+macro: gnupg22_branch STABLE-BRANCH-2-2' >>swdb.snippet;\
cat $${release_w32_name}.exe.swdb >>swdb.snippet;\
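Review bot: The three new `gpg -sbu $$mysignkey …` lines expand the rc-file value unquoted, so any whitespace in it is word-split and the extra words are parsed by gpg as further arguments. The old Make variable was a fixed literal; the new value is read at run time, so it should be quoted: `gpg -sbu "$$mysignkey" $(RELEASE_NAME).tar.bz2 ;\` and likewise for the two W32 lines. The same applies to `$$myarchive/` in the scp line of the next hunk (`"$$myarchive/"`).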
@@ -227,8 +238,8 @@ sign-release:
sha1sum $${files1} >>swdb.snippet ;\
cat "../$(RELEASE_NAME).buildlog" swdb.snippet \
| gzip >$(RELEASE_NAME).buildlog ;\
- echo "Release created - copying it to the local archive ..." ;\
- scp -p $${files1} $${files2} $(RELEASE_ARCHIVE_DIR)/ || true;\
+ echo "Release created - copying it to the archive ..." ;\
+ scp -p $${files1} $${files2} $$myarchive/ || true;\
echo '/*' ;\
echo ' * All done; for checksums see dist/swdb.snippet' ;\
echo ' */' ;\
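Review bot: The `|| true` kept on the new `scp -p $${files1} $${files2} $$myarchive/` line means a failed upload is still followed by "All done". Now that the destination comes from a per-developer rc file, a typo in RELEASE_ARCHIVE goes unnoticed unless the scp output is read. If best-effort copying is intended (it looks deliberate), at least report the failure: `scp -p $${files1} $${files2} "$$myarchive/" || echo "warning: copy to $$myarchive failed" >&2;\`. That still does not abort under the `set -e` added at the top of the recipe.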
diff --git a/build-aux/speedo.mk b/build-aux/speedo.mk
index 8217ef46e..e61f8f40d 100644
--- a/build-aux/speedo.mk
+++ b/build-aux/speedo.mk
@@ -41,6 +41,47 @@
#
# Lists packages and versions.
#
+# The information reyured to sign the tarballs and binaries
+# are expected in the developer specific file ~/.gnupg-autogen.rc".
+# Here is an example:
+#--8<---------------cut here---------------start------------->8---
+# # Location of the released tarball archives. Note that this is an
+# # internal archive and before uploading this to the public server,
+# # manual tests should be run and the git release tagged and pushed.
+# # This is greped by the Makefile.
+# RELEASE_ARCHIVE=foo@somehost:tarball-archive
+#
+# # The key used to sign the released sources.
+# # This is greped by the Makefile.
+# RELEASE_SIGNKEY=6DAA6E64A76D2840571B4902528897B826403ADA
+#
+# # For signing Windows binaries we need to employ a Windows machine.
+# # We connect to this machine via ssh and take the connection
+# # parameters via .ssh/config. For example a VM could be specified
+# # like this:
+# #
+# # Host authenticode-signhost
+# # HostName localhost
+# # Port 27042
+# # User gpgsign
+# #
+# # Depending on the used token it might be necessary to allow single
+# # signon and unlock the token before running the make. The following
+# # variable references this entry. This is greped by the Makefile.
+# AUTHENTICODE_SIGNHOST=authenticode-signhost
+#
+# # The name of the signtool as used on Windows.
+# # This is greped by the Makefile.
+# AUTHENTICODE_TOOL="C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"
+#
+# # To use osslsigncode the follwing entries are required and
+# # an empty string must be given for AUTHENTICODE_SIGNHOST.
+# # They are greped by the Makefile.
+# AUTHENTICODE_KEY=/home/foo/.gnupg/my-authenticode-key.p12
+# AUTHENTICODE_CERTS=/home/foo/.gnupg/my-authenticode-certs.pem
+#
+#--8<---------------cut here---------------end--------------->8---
+
# We need to know our own name.
SPEEDO_MK := $(realpath $(lastword $(MAKEFILE_LIST)))
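Review bot: The new header comment never says who may write ~/.gnupg-autogen.rc, although that file now decides the signing key, the signing host and the tool command run on that host. I would add a line such as `# This file must be owned by and writable only for the developer; its values are pasted into shell commands.` The comment also has typos worth fixing while here: "reyured" should be "required", "follwing" should be "following", "greped" should be "grepped", and there is a stray `"` after `~/.gnupg-autogen.rc`.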
@@ -172,17 +213,17 @@ INSTALL_PREFIX=none
# Set this to the location of wixtools
WIXPREFIX=
-# The Authenticode key and cert chain used to sign the Windows
-# installer If AUTHENTICODE_SIGNHOST is specified, signing is done on
-# that host using the Windows signtool. The signhost is usually an
-# entry in .ssh/config. Depending on the used token it might be
-# necessary to allow single signon and unlock the token before running
-# this makefile. All files given in AUTHENTICODE_FILES are signed
-# before they are put into the installer.
-AUTHENTICODE_SIGNHOST=authenticode-signhost
-AUTHENTICODE_TOOL='"C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"'
-AUTHENTICODE_KEY=${HOME}/.gnupg/g10code-authenticode-key.p12
-AUTHENTICODE_CERTS=${HOME}/.gnupg/g10code-authenticode-certs.pem
+# Read signing information from ~/.gnupg-autogen.rc
+define READ_AUTOGEN_template
+$(1) = $$(shell grep '^$(1)=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2)
+endef
+$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_SIGNHOST))
+$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TOOL))
+$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_KEY))
+$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_CERTS))
+
+# All files given in AUTHENTICODE_FILES are signed before
+# they are put into the installer.
AUTHENTICODE_FILES= \
dirmngr.exe \
dirmngr_ldap.exe \
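Review bot: READ_AUTOGEN_template turns a missing or unreadable ~/.gnupg-autogen.rc into four empty variables without any diagnostic beyond grep's stderr. An empty AUTHENTICODE_SIGNHOST is also the documented switch for the osslsigncode path, so a missing file silently selects a different signing method instead of stopping. The sign-release recipe in Makefile.am exits with "error: … missing" for its two values; the signing recipe here should get an equivalent guard, e.g. `[ -r "$$HOME/.gnupg-autogen.rc" ] || { echo "speedo: ~/.gnupg-autogen.rc missing" >&2; exit 2; }`. Also note that `=` keeps the assignment recursive, so grep/cut are re-run on every expansion; a comment saying this laziness is intended would help.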
@@ -1362,7 +1403,7 @@ define AUTHENTICODE_sign
if [ -n "$(AUTHENTICODE_SIGNHOST)" ]; then \
echo "speedo: Signing via host $(AUTHENTICODE_SIGNHOST)";\
scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\
- ssh "$(AUTHENTICODE_SIGNHOST)" $(AUTHENTICODE_TOOL) sign \
+ ssh "$(AUTHENTICODE_SIGNHOST)" '$(AUTHENTICODE_TOOL)' sign \
/n '"g10 Code GmbH"' \
/tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \
/fd sha256 /du https://gnupg.org a.exe ;\
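Review bot: The single quotes added around `$(AUTHENTICODE_TOOL)` are shell syntax wrapped around text that Make pastes in from the rc file, so a `'` in the configured value ends the quoting and the rest is parsed by the local shell. The documented example (a double-quoted Windows path) works, but the constraint is implicit. I would state it next to the rc-file example, e.g. `# AUTHENTICODE_TOOL must not contain a single quote; it is passed as '...' to ssh.` The AUTHENTICODE_sign define starts before and continues after this hunk.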