author | John Lee <john.lee@algorand.com> | 2024-02-13 12:35:28 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-13 12:35:28 -0500 |
commit | caec33dfe083327994572d77b66a8a0c6d40bc2c (patch) | |
tree | 7313177cd785528c9ba887f7439fc5c9033fccfe | |
parent | e1db9e12612cd0640b9e069e83ac32363c549085 (diff) |
CICD: fix package signing issues (#5934)
-rw-r--r-- | package-deploy.yaml | 1 | ||||
-rwxr-xr-x | scripts/release/mule/common/ensure_centos8_image.sh | 17 | ||||
-rwxr-xr-x | scripts/release/mule/deploy/deb/deploy.sh | 25 | ||||
-rwxr-xr-x | scripts/release/mule/deploy/docker/docker.sh | 6 | ||||
-rwxr-xr-x | scripts/release/mule/deploy/releases_page/generate_releases_page.sh | 9 | ||||
-rwxr-xr-x | scripts/release/mule/deploy/rpm/deploy.sh | 42 | ||||
-rwxr-xr-x | scripts/release/mule/sign/sign.sh | 24 | ||||
-rw-r--r-- | test/muleCI/mule.yaml | 35 |
8 files changed, 64 insertions, 95 deletions
diff --git a/package-deploy.yaml b/package-deploy.yaml
index 8daf262ac..9b67a2fe6 100644
--- a/package-deploy.yaml
+++ b/package-deploy.yaml
@@ -56,7 +56,6 @@ agents:
 - NETWORK=$NETWORK
 - NO_DEPLOY=$NO_DEPLOY
 - PACKAGES_DIR=$PACKAGES_DIR
- - S3_SOURCE=$S3_SOURCE
 - STAGING=$STAGING
 - VERSION=$VERSION
 volumes:
diff --git a/scripts/release/mule/common/ensure_centos8_image.sh b/scripts/release/mule/common/ensure_centos8_image.sh
new file mode 100755
index 000000000..1ebd3475f
--- /dev/null
+++ b/scripts/release/mule/common/ensure_centos8_image.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+# Ensure the centos8 docker image is built and available
+
+DOCKER_IMAGE="algorand/go-algorand-ci-linux-centos8:amd64-$(sha1sum scripts/configure_dev-deps.sh | cut -f1 -d' ')"
+MATCH=${DOCKER_IMAGE/:*/}
+
+echo "Checking for RPM image"
+if docker images $DOCKER_IMAGE | grep -qs $MATCH > /dev/null 2>&1; then
+ echo "Image exists"
+else
+ echo "RPM image doesn't exist, building"
+ docker build --platform=linux/amd64 --build-arg ARCH=amd64 \
+ --build-arg GOLANG_VERSION=$(./scripts/get_golang_version.sh) -t $DOCKER_IMAGE -f docker/build/cicd.centos8.Dockerfile .
+fi
diff --git a/scripts/release/mule/deploy/deb/deploy.sh b/scripts/release/mule/deploy/deb/deploy.sh
index c9c4b4b6c..2584b8412 100755
--- a/scripts/release/mule/deploy/deb/deploy.sh
+++ b/scripts/release/mule/deploy/deb/deploy.sh
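Review bot: In ensure_centos8_image.sh the image lookup is keyed only on a tag derived from the SHA-1 of scripts/configure_dev-deps.sh, so a change to docker/build/cicd.centos8.Dockerfile or to the value returned by get_golang_version.sh leaves the tag unchanged and an older local image is reused without a rebuild. If that is intended, a comment above `DOCKER_IMAGE=` naming the inputs that invalidate the image would make the assumption explicit. The expansions should also be quoted, `if docker images "$DOCKER_IMAGE" | grep -qs "$MATCH"; then` and `-t "$DOCKER_IMAGE"`, and the `> /dev/null 2>&1` after `grep -qs` is redundant.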
@@ -2,28 +2,13 @@
 set -ex
-if [ -z "$NETWORK" ]
-then
- echo "[$0] Network is a required parameter."
- exit 1
-fi
-
-if [ -z "$STAGING" ]
-then
- echo "[$0] Staging is a required parameter."
- exit 1
-fi
-
-CHANNEL=$("./scripts/release/mule/common/get_channel.sh" "$NETWORK")
+CHANNEL=${CHANNEL:-$("./scripts/release/mule/common/get_channel.sh" "$NETWORK")}
 VERSION=${VERSION:-$(./scripts/compute_build_number.sh -f)}
+PACKAGES_DIR=${PACKAGES_DIR:-~/packages}
+SNAPSHOT=${SNAPSHOT:-"${CHANNEL}-${VERSION}"}
-if [ -z "$SNAPSHOT" ]
-then
- SNAPSHOT="$CHANNEL-$VERSION"
-fi
-
-PACKAGES_DIR=/root/packages
-mkdir -p /root/packages
+mkdir -p $PACKAGES_DIR
+rm -f $PACKAGES_DIR/*.deb
 aptly mirror update stable
 aptly mirror update beta
diff --git a/scripts/release/mule/deploy/docker/docker.sh b/scripts/release/mule/deploy/docker/docker.sh
index ee0c55fe0..093922fd3 100755
--- a/scripts/release/mule/deploy/docker/docker.sh
+++ b/scripts/release/mule/deploy/docker/docker.sh
@@ -13,9 +13,9 @@ if [ -z "$NETWORK" ] || [ -z "$VERSION" ]; then
 exit 1
 fi
-if [[ ! "$NETWORK" =~ ^mainnet$|^testnet$|^betanet$|^alphanet$ ]]
+if [[ ! "$NETWORK" =~ ^mainnet$|^testnet$|^betanet$ ]]
 then
- echo "[$0] Network values must be either \`mainnet\`, \`testnet\`, \`betanet\`, or \`alphanet\`."
+ echo "[$0] Network values must be either \`mainnet\`, \`testnet\`, or \`betanet\`."
 exit 1
 fi
@@ -28,7 +28,7 @@ then
 # Build and push testnet.
 ./build_releases.sh --tagname "$VERSION" --network testnet --cached
-elif [ "$NETWORK" = betanet ] || [ "$NETWORK" = alphanet ]
+elif [ "$NETWORK" = betanet ]
 then
 ./build_releases.sh --tagname "$VERSION" --network "$NETWORK"
 fi
diff --git a/scripts/release/mule/deploy/releases_page/generate_releases_page.sh b/scripts/release/mule/deploy/releases_page/generate_releases_page.sh
index 5b6a488ce..75df10d52 100755
--- a/scripts/release/mule/deploy/releases_page/generate_releases_page.sh
+++ b/scripts/release/mule/deploy/releases_page/generate_releases_page.sh
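Review bot: In deb/deploy.sh, `mkdir -p $PACKAGES_DIR` and `rm -f $PACKAGES_DIR/*.deb` expand an environment-supplied path unquoted, so a value containing spaces or glob characters is word-split and the `rm -f` can act on paths other than the package directory; `mkdir -p "$PACKAGES_DIR"` and `rm -f -- "${PACKAGES_DIR:?}"/*.deb` keep it to one directory. The hunk also removes the NETWORK and STAGING checks, so with neither CHANNEL nor NETWORK set, get_channel.sh is called with an empty argument. Whether that script rejects an empty argument is not visible here, and a `: "${CHANNEL:?}"` after the assignment would stop a deploy to an undetermined channel. The same guard removal appears in the generate_releases_page.sh, rpm/deploy.sh and sign.sh hunks.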
@@ -8,13 +8,8 @@
 set -ex
-if [ -z "$NETWORK" ] || [ -z "$VERSION" ]
-then
- echo "[$0] Network and version are required parameters."
- exit 1
-fi
-
-CHANNEL=$(./scripts/release/mule/common/get_channel.sh "$NETWORK")
+CHANNEL=${CHANNEL:-$(./scripts/release/mule/common/get_channel.sh "$NETWORK")}
+VERSION=${VERSION:-$(./scripts/compute_build_number.sh -f)}
 cd scripts/release/mule/deploy/releases_page
diff --git a/scripts/release/mule/deploy/rpm/deploy.sh b/scripts/release/mule/deploy/rpm/deploy.sh
index f660f1d01..b96cccd6c 100755
--- a/scripts/release/mule/deploy/rpm/deploy.sh
+++ b/scripts/release/mule/deploy/rpm/deploy.sh
@@ -7,28 +7,25 @@ echo
 date "+build_release begin DEPLOY rpm stage %Y%m%d_%H%M%S"
 echo
-if [ -z "$NETWORK" ]; then
- echo "[$0] NETWORK is missing."
- exit 1
-fi
-
-CHANNEL=$(./scripts/release/mule/common/get_channel.sh "$NETWORK")
+CHANNEL=${CHANNEL:-$(./scripts/release/mule/common/get_channel.sh "$NETWORK")}
 VERSION=${VERSION:-$(./scripts/compute_build_number.sh -f)}
 NO_DEPLOY=${NO_DEPLOY:-false}
-OS_TYPE=$(./scripts/release/mule/common/ostype.sh)
-PACKAGES_DIR=${PACKAGES_DIR:-"./tmp/node_pkgs/$OS_TYPE/$ARCH_TYPE"}
-STAGING=${STAGING:-"algorand-staging/releases"}
+PACKAGES_DIR=${PACKAGES_DIR:-"tmp"}
 if [ -n "$S3_SOURCE" ]
 then
 PREFIX="$S3_SOURCE/$CHANNEL/$VERSION"
 if [ "$CHANNEL" == "beta" ]
 then
- aws s3 cp "s3://$PREFIX/algorand-beta-$VERSION-1.x86_64.rpm" /root
- aws s3 cp "s3://$PREFIX/algorand-devtools-beta-$VERSION-1.x86_64.rpm" /root
+ aws s3 cp "s3://$PREFIX/algorand-beta-$VERSION-1.x86_64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-devtools-beta-$VERSION-1.x86_64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-beta-$VERSION-1.aarch64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-devtools-beta-$VERSION-1.aarch64.rpm" $PACKAGES_DIR
 else
- aws s3 cp "s3://$PREFIX/algorand-$VERSION-1.x86_64.rpm" /root
- aws s3 cp "s3://$PREFIX/algorand-devtools-$VERSION-1.x86_64.rpm" /root
+ aws s3 cp "s3://$PREFIX/algorand-$VERSION-1.x86_64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-devtools-$VERSION-1.x86_64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-$VERSION-1.aarch64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-devtools-$VERSION-1.aarch64.rpm" $PACKAGES_DIR
 fi
 else
 cp "$PACKAGES_DIR"/*"$VERSION"*.rpm /root
@@ -56,11 +53,7 @@ cat << EOF > .rpmmacros
 EOF
 mkdir rpmrepo
-for rpm in $(ls *"$VERSION"*.rpm)
-do
- rpmsign --addsign "$rpm"
- cp -p "$rpm" rpmrepo
-done
+mv -f *"$VERSION"*.rpm rpmrepo
 createrepo --database rpmrepo
 rm -f rpmrepo/repodata/repomd.xml.asc
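Review bot: In the `S3_SOURCE` branch of rpm/deploy.sh the RPMs are now downloaded to `$PACKAGES_DIR`, while the `else` branch still copies them to /root and the later `mv -f *"$VERSION"*.rpm rpmrepo` globs the current directory. The lines between the two hunks are not shown, so it is worth confirming that the downloaded files end up where the repository is assembled. `$PACKAGES_DIR` is also unquoted and defaults to the relative path `tmp`; if that directory does not exist yet, `aws s3 cp` is likely to treat the destination as a file name, so a `mkdir -p "$PACKAGES_DIR"` before the copies and `"$PACKAGES_DIR/"` as the destination would be safer.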
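Review bot: With `rpmsign --addsign` removed from this loop, the script publishes whatever RPMs match `*"$VERSION"*.rpm`, and nothing visible in the hunk checks that they were actually signed earlier in the pipeline. A verification step before the `mv` would keep an unsigned or replaced package out of the repository, for example checking that `rpm --checksig` reports a signature from the expected key for each file (a digest-only result is not enough, since unsigned packages can pass it). The hunk's context also shows `.rpmmacros` still being written in this script; if deploy no longer signs, that block may now be unused.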
@@ -72,8 +65,19 @@ then
 cp -r /root/rpmrepo .
 else
 aws s3 sync rpmrepo "s3://algorand-releases/rpm/$CHANNEL/"
+
 # sync signatures to releases so that the .sig files load from there
- aws s3 sync s3://$STAGING/releases/$CHANNEL/ s3://algorand-releases/rpm/sigs/$CHANNEL/ --exclude='*' --include='*.rpm.sig'
+ if [ -n "$S3_SOURCE" ]; then
+ # if S3_SOURCE exists, we copied files from s3
+ echo "Copy signatures from s3 staging to s3 releases"
+ aws s3 sync s3://algorand-staging/releases/$CHANNEL/ s3://algorand-releases/rpm/sigs/$CHANNEL/ --exclude='*' --include='*.rpm.sig'
+
+ else
+ # We are working with files locally
+ popd
+ echo "Copy local signatures to s3 releases"
+ aws s3 sync "$PACKAGES_DIR" "s3://algorand-releases/rpm/sigs/$CHANNEL/" --exclude='*' --include='*.rpm.sig'
+ fi
 fi
 echo
diff --git a/scripts/release/mule/sign/sign.sh b/scripts/release/mule/sign/sign.sh
index e08e2d52d..89baedb9c 100755
--- a/scripts/release/mule/sign/sign.sh
+++ b/scripts/release/mule/sign/sign.sh
@@ -10,18 +10,13 @@ echo
 date "+build_release begin SIGN stage %Y%m%d_%H%M%S"
 echo
-if [ -z "$NETWORK" ]; then
- echo "[$0] NETWORK is missing."
- exit 1
-fi
-
-CHANNEL=$(./scripts/release/mule/common/get_channel.sh "$NETWORK")
+CHANNEL=${CHANNEL:-$(./scripts/release/mule/common/get_channel.sh "$NETWORK")}
 VERSION=${VERSION:-$(./scripts/compute_build_number.sh -f)}
 PKG_DIR="./tmp/node_pkgs"
 SIGNING_KEY_ADDR=dev@algorand.com
 OS_TYPE=$(./scripts/release/mule/common/ostype.sh)
-ARCHS=(amd64 arm arm64)
-ARCH_BITS=(x86_64 armv7l aarch64)
+ARCHS=(amd64 arm64)
+ARCH_BITS=(x86_64 aarch64)
 # Note that we don't want to use $GNUPGHOME here because that is a documented env var for the gnupg
 # project and if it's set in the environment mule will automatically pick it up, which could have
 # unintended consequences and be hard to debug.
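Review bot: In the `S3_SOURCE` branch the signatures are synced from the hard-coded `s3://algorand-staging/releases/$CHANNEL/`, while the first hunk fetches the packages from `s3://$S3_SOURCE/$CHANNEL/$VERSION`, so a run with a different `S3_SOURCE` would publish packages and `.rpm.sig` files that come from different places. Using the same variable keeps them paired and quotes the URLs: `aws s3 sync "s3://$S3_SOURCE/$CHANNEL/" "s3://algorand-releases/rpm/sigs/$CHANNEL/" --exclude='*' --include='*.rpm.sig'`. The `popd` in the local branch has no matching `pushd` inside the hunk, and `"$PACKAGES_DIR"` is a relative path by default, so the sync source depends on directory state set outside this hunk.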
@@ -40,6 +35,14 @@ then
 find "$GPG_DIR" -type f -exec chmod 600 {} \;
 fi
+pushd /root
+cat << EOF > .rpmmacros
+%_gpg_name Algorand RPM <rpm@algorand.com>
+%__gpg /usr/bin/gpg2
+%__gpg_check_password_cmd true
+EOF
+popd
+
 # Note that when downloading from the cloud that we'll get all packages for all architectures.
 if [ -n "$S3_SOURCE" ]
 then
@@ -87,13 +90,14 @@ for os in "${OS_TYPES[@]}"; do
 for file in *.rpm
 do
+ rpmsign --addsign "$file"
 gpg -u rpm@algorand.com --detach-sign "$file"
 done
 HASHFILE="hashes_${CHANNEL}_${os}_${arch}_${VERSION}"
 md5sum *.tar.gz *.deb *.rpm >> "$HASHFILE"
- shasum -a 256 *.tar.gz *.deb *.rpm >> "$HASHFILE"
- shasum -a 512 *.tar.gz *.deb *.rpm >> "$HASHFILE"
+ sha256sum *.tar.gz *.deb *.rpm >> "$HASHFILE"
+ sha512sum *.tar.gz *.deb *.rpm >> "$HASHFILE"
 gpg -u "$SIGNING_KEY_ADDR" --detach-sign "$HASHFILE"
 gpg -u "$SIGNING_KEY_ADDR" --clearsign "$HASHFILE"
diff --git a/test/muleCI/mule.yaml b/test/muleCI/mule.yaml
index cb75187db..afa73ae2c 100644
--- a/test/muleCI/mule.yaml
+++ b/test/muleCI/mule.yaml
@@ -61,22 +61,6 @@ agents:
 - GOLANG_VERSION=`./scripts/get_golang_version.sh`
 - ARCH=arm64v8
 - GOARCH=arm64
- - name: cicd.ubuntu.arm
- dockerFilePath: docker/build/cicd.ubuntu.Dockerfile
- image: algorand/go-algorand-ci-linux
- version: scripts/configure_dev-deps.sh
- arch: arm32v7
- env:
- - TRAVIS_BRANCH=${GIT_BRANCH}
- - NETWORK=$NETWORK
- - VERSION=$VERSION
- - BUILD_NUMBER=$BUILD_NUMBER
- - GOHOSTARCH=arm
- - FULLVERSION=${FULLVERSION}
- buildArgs:
- - GOLANG_VERSION=`./scripts/get_golang_version.sh`
- - ARCH=arm32v7
- - GOARCH=armv6l
 - name: docker-ubuntu
 dockerFilePath: docker/build/docker.ubuntu.Dockerfile
 image: algorand/go-algorand-docker-linux-ubuntu
@@ -122,10 +106,6 @@ tasks:
 name: build.arm64
 agent: cicd.ubuntu.arm64
 target: ci-build
- - task: docker.Make
- name: build.arm
- agent: cicd.ubuntu.arm
- target: ci-build
 - task: docker.Make
 name: archive
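Review bot: The new block in sign.sh overwrites /root/.rpmmacros unconditionally and sets `%__gpg_check_password_cmd true` with no explanation. A comment above the heredoc should say why the passphrase check is replaced, presumably because signing runs non-interactively (to be confirmed by the author), for example `# rpmsign reads ~/.rpmmacros; passphrase check stubbed out for unattended signing`. The signer `rpm@algorand.com` is now written in both `%_gpg_name` and the later `gpg -u rpm@algorand.com`, next to `SIGNING_KEY_ADDR=dev@algorand.com`; a named variable for the RPM key would keep the two from drifting. The hard-coded `pushd /root` also assumes the script runs as root with that home directory.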
@@ -168,12 +148,6 @@ tasks:
 globSpecs:
 - tmp/node_pkgs/**/*
 - task: stash.Stash
- name: linux-arm
- bucketName: go-algorand-ci-cache
- stashId: ${JENKINS_JOB_CACHE_ID}/linux-arm
- globSpecs:
- - tmp/node_pkgs/**/*
- - task: stash.Stash
 name: packages
 bucketName: go-algorand-ci-cache
 stashId: ${JENKINS_JOB_CACHE_ID}/packages
@@ -194,10 +168,6 @@ tasks:
 bucketName: go-algorand-ci-cache
 stashId: ${JENKINS_JOB_CACHE_ID}/darwin-amd64
 - task: stash.Unstash
- name: linux-arm
- bucketName: go-algorand-ci-cache
- stashId: ${JENKINS_JOB_CACHE_ID}/linux-arm
- - task: stash.Unstash
 name: darwin-arm64
 bucketName: go-algorand-ci-cache
 stashId: ${JENKINS_JOB_CACHE_ID}/darwin-arm64
@@ -233,15 +203,10 @@ jobs:
 tasks:
 - docker.Make.build.arm64
 - stash.Stash.linux-arm64
- build-linux-arm32:
- tasks:
- - docker.Make.build.arm
- - stash.Stash.linux-arm
 package-all:
 tasks:
 - stash.Unstash.linux-amd64
 - stash.Unstash.linux-arm64
- - stash.Unstash.linux-arm
 - stash.Unstash.darwin-arm64
 - stash.Unstash.darwin-amd64
 - docker.Make.deb.amd64 |