On Sat, 31 May 2014 16:49:56 -0700, Alan Coopersmith <alan.coopersm...@oracle.com> wrote:
> On 05/20/14 01:49 PM, Stephen Kitt wrote:
> > Peter Hutterer suggested I send this here; it's a patch to add gpg
> > signing to release.sh, both for the git tag and the generated tarballs.
> >
> > This version tries to use gpg unconditionally, it might be more useful
> > with a parameter to switch the behaviour...
>
> Thanks for doing this - we keep talking about it, but never got the changes
> made.

You're welcome! I noticed the announcement emails were being properly gpg-signed, but not the tarballs.

> I'd modified my copy locally to add -m to the git tag flags a couple months
> ago, and that seems to have worked fine for me for the few releases I've
> done since then.
>
> The only problem I see with this patch for me is that on the systems I use
> (Solaris 12.0 & 11.x development branches) GnuPG 2.x is installed as gpg2,
> not gpg, so would appreciate having some way to override the exact path.
>
> So I dropped my patch, applied yours, and tweaked it to allow setting the
> GPG path, and it seemed to work fine for the xcursorgen release I just
> pushed, so there are now xcursorgen-1.0.6.tar.bz2.sig &
> xcursorgen-1.0.6.tar.gz.sig files the script uploaded alongside the
> released tarballs.

Excellent!

> The one issue I did see is that I made a mistake on the first run (forgot to
> push the version changing commit first), so the script aborted and re-ran,
> and after re-running make distcheck to create new tarballs, I was then
> prompted:
>
> File `xcursorgen-1.0.6.tar.gz.sig' exists. Overwrite? (y/N) y
> File `xcursorgen-1.0.6.tar.bz2.sig' exists. Overwrite? (y/N) y
>
> Should those files be automatically deleted after rebuilding the tarballs?

I think so, otherwise we risk uploading invalid signatures...

> I've attached my modified form of your patch for further review/discussion.

And I'm attaching an updated version which includes your modifications and deletes the signatures if any before re-generating them.

I don't know what the X.org release signing policy is, I haven't found anything in the wiki; the patch as-is works fine if people just use their default key for signing, but if role keys are planned then it might be worth adding an option to specify the key id to use. Perhaps that can come later, it seems to me that the benefit of getting signed releases (which can then be automatically checked, as is done in Debian) outweighs the benefit of key id selection.

Regards,

Stephen

From 7d967b5ec2122a3f85730587be6d8a424fac9cdc Mon Sep 17 00:00:00 2001 From: Stephen Kitt <sk...@debian.org> Date: Sun, 1 Jun 2014 14:46:01 +0200 Subject: [PATCH util/modular] Add gpg signing to release.sh gpg-sign the git tag and the generated tarballs, and upload the signatures along with the tarballs. Any existing tarball signatures are removed beforehand. Signed-off-by: Stephen Kitt <sk...@debian.org> Modified by Alan Coopersmith to handle gpg vs. gpg2 paths for Solaris. Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> --- release.sh | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/release.sh b/release.sh index a4a725d..a2879ad 100755 --- a/release.sh +++ b/release.sh @@ -299,6 +299,10 @@ process_module() { return 1 fi + [ -n "$targz" ] && rm -f ${targz}.sig && $GPG -b $targz && siggz=${targz}.sig || true + [ -n "$tarbz2" ] && rm -f ${tarbz2}.sig && $GPG -b $tarbz2 && sigbz2=${tarbz2}.sig || true + [ -n "$tarxz" ] && rm -f ${tarxz}.sig && $GPG -b $tarxz && sigxz=${tarxz}.sig || true + # Obtain the top commit SHA which should be the version bump # It should not have been tagged yet (the script will do it later) local_top_commit_sha=`git rev-list --max-count=1 HEAD` @@ -354,7 +358,7 @@ process_module() { else # Tag the top commit with the tar name if [ x"$DRY_RUN" = x ]; then - git tag -m $tar_name $tar_name + git tag -s -m $tar_name $tar_name if [ $? -ne 0 ]; then echo "Error: unable to tag module with \"$tar_name\"." cd $top_src @@ -501,7 +505,7 @@ process_module() { # Upload to host using the 'scp' remote file copy program if [ x"$DRY_RUN" = x ]; then echo "Info: uploading tarballs to web server:" - scp $targz $tarbz2 $tarxz $USER_NAME$hostname:$srv_path + scp $targz $tarbz2 $tarxz $siggz $sigbz2 $sigxz $USER_NAME$hostname:$srv_path if [ $? -ne 0 ]; then echo "Error: the tarballs uploading failed." cd $top_src 
@@ -627,6 +631,14 @@ if [ "x$GREP" = "x" ] ; then fi fi +# Find path for GnuPG v2 +if [ "x$GPG" = "x" ] ; then + if [ -x /usr/bin/gpg2 ] ; then + GPG=/usr/bin/gpg2 + else + GPG=gpg + fi +fi # Set the default make tarball creation command MAKE_DIST_CMD=distcheck -- 2.0.0.rc2
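Review bot: In the hunk at @@ -299, the trailing `|| true` on each of the three signing lines hides a failed `$GPG -b` (no usable secret key, cancelled passphrase prompt): the matching sig variable simply stays empty and the release continues without a signature. Since the goal is that tarballs ship signed, test the exit status of `$GPG -b` and `return 1` with an error message, as the surrounding code does for its other failures. Quoting `"$targz"` and `"${targz}.sig"` (and the bz2/xz equivalents) would also keep paths containing spaces from being split.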
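Review bot: In the hunk at @@ -354, `git tag -s` runs whichever GnuPG binary git itself is configured to use, not `$GPG`, so the gpg/gpg2 override added at the end of this patch never reaches tag signing. Something like `git -c gpg.program="$GPG" tag -s -m "$tar_name" "$tar_name"` would make the tag and the tarball signatures come from the same binary, and quoting `$tar_name` costs nothing.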
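Review bot: In the hunk at @@ -501, `$siggz $sigbz2 $sigxz` are passed to scp unquoted and are only ever assigned after a successful signing run; nothing in this patch clears them. If process_module runs for more than one module in a single invocation, a value left over from an earlier module could be uploaded next to the wrong tarballs. Resetting the three variables to empty just before the signing lines would rule that out, and the "tarballs uploading failed" message could mention the signatures as well.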
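Review bot: In the hunk at @@ -627, the new `GPG` override is not documented anywhere in this patch, so a releaser only finds it by reading the script; a line in the usage/help text would fix that. The comment says "Find path for GnuPG v2", but the fallback `GPG=gpg` may resolve to a 1.x binary or to nothing at all, and the probe is limited to the hardcoded `/usr/bin/gpg2`. Consider looking gpg2 up on PATH and failing early with a clear error when neither binary is found, rather than at signing time.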
_______________________________________________
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel