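#!/usr/bin/env bash
#
# Release SIGN stage.
#
# Optionally pulls the built packages for every architecture from S3, then for
# each linux/<arch> directory under ./tmp/node_pkgs: detach-signs every
# artifact, writes a checksum manifest (md5, sha256, sha512) and signs it, and
# clearsigns + gzips the build status file when one is present.
#
# Required env:  NETWORK
# Optional env:  VERSION (defaults to compute_build_number.sh -f),
#                S3_SOURCE (bucket to download from; skip download if unset),
#                GPG_DIR (gpg homedir, defaults to /root/.gnupg)
#
# TODO: This needs to be reworked a bit to support Darwin.

# -x echoes every command and its arguments to stderr; that is wanted for build
# logs and is safe here because no secret is ever passed on a command line
# (gpg takes the key material from the homedir / agent, not from argv).
set -euxo pipefail
shopt -s nullglob

#######################################
# Sign every package in one os/arch directory and write a signed checksum manifest.
# Globals:   SIGNING_KEY_ADDR, CHANNEL, VERSION (read)
# Arguments: $1 - directory to process (relative to the current directory)
#            $2 - os name used in the output file names
#            $3 - arch name used in the output file names
# Outputs:   *.sig, hashes_* and *.asc(.gz) files written into $1
# Returns:   non-zero if any gpg/hash/gzip step fails (set -e inside the subshell)
#######################################
sign_package_dir() {
    local dir=$1 os=$2 arch=$3
    local file hashfile statusfile
    local -a artifacts

    (
        cd "$dir"

        # Start from a clean slate so stale signatures or manifests from an
        # earlier run can never be shipped next to the current artifacts.
        rm -rf -- hashes* *.sig *.asc *.asc.gz

        for file in *.tar.gz *.deb; do
            gpg -u "$SIGNING_KEY_ADDR" --detach-sign "$file"
        done

        # rpm packages are signed with the dedicated rpm key.
        for file in *.rpm; do
            gpg -u rpm@algorand.com --detach-sign "$file"
        done

        artifacts=(*.tar.gz *.deb *.rpm)
        hashfile="hashes_${CHANNEL}_${os}_${arch}_${VERSION}"
        if (( ${#artifacts[@]} > 0 )); then
            # Build the manifest from an explicit file list: with nullglob an
            # unmatched pattern expands to nothing, and md5sum/shasum with no
            # operands silently hash stdin instead of failing -- which would then
            # be signed as if it were a real manifest.
            # md5 is kept only for legacy consumers; it is not collision
            # resistant, so verifiers should rely on the sha256/sha512 lines and
            # on the detached/clear signatures over the manifest.
            {
                md5sum -- "${artifacts[@]}"
                shasum -a 256 -- "${artifacts[@]}"
                shasum -a 512 -- "${artifacts[@]}"
            } > "$hashfile"

            gpg -u "$SIGNING_KEY_ADDR" --detach-sign "$hashfile"
            gpg -u "$SIGNING_KEY_ADDR" --clearsign "$hashfile"
        else
            printf '[%s] warning: no packages found in %s, no manifest written\n' "$0" "$dir" >&2
        fi

        # NOTE(review): the status file name uses "${os}-${arch}" while the
        # manifest uses "${os}_${arch}"; presumably both are matched by
        # downstream consumers -- confirm before unifying them.
        statusfile="build_status_${CHANNEL}_${os}-${arch}_${VERSION}"
        if [[ -f "$statusfile" ]]; then
            gpg -u "$SIGNING_KEY_ADDR" --clearsign "$statusfile"
            gzip -c "$statusfile.asc" > "$statusfile.asc.gz"
        fi
    )
}

echo
date "+build_release begin SIGN stage %Y%m%d_%H%M%S"
echo

if [[ -z "${NETWORK:-}" ]]; then
    echo "[$0] NETWORK is missing."
    exit 1
fi

CHANNEL=$(./scripts/release/mule/common/get_channel.sh "$NETWORK")
VERSION=${VERSION:-$(./scripts/compute_build_number.sh -f)}
PKG_DIR="./tmp/node_pkgs"
SIGNING_KEY_ADDR=dev@algorand.com
OS_TYPE=$(./scripts/release/mule/common/ostype.sh)
# Parallel arrays, indexed together: ARCHS[i] is the arch name used in the
# directory layout and in .deb/.tar.gz file names, ARCH_BITS[i] the matching
# machine name that appears in .rpm file names.
ARCHS=(amd64 arm arm64)
ARCH_BITS=(x86_64 armv7l aarch64)
# Note that we don't want to use $GNUPGHOME here because that is a documented env var for the gnupg
# project and if it's set in the environment mule will automatically pick it up, which could have
# unintended consequences and be hard to debug.
#
# By naming it something other than $GNUPGHOME, it's essentially acting as an opt-in.
GPG_DIR=${GPG_DIR:-/root/.gnupg}

if ./scripts/release/mule/common/running_in_docker.sh; then
    # A gpg homedir copied or bind-mounted from another machine can arrive with
    # group/world-accessible modes, which makes gpg emit
    #
    #   gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'
    #
    # Pin owner-only modes on every directory (700) and file (600) first.
    find "$GPG_DIR" -type d -exec chmod 700 {} +
    find "$GPG_DIR" -type f -exec chmod 600 {} +
fi

# Note that when downloading from the cloud that we'll get all packages for all architectures.
if [[ -n "${S3_SOURCE:-}" ]]; then
    for ((i = 0; i < ${#ARCHS[@]}; i++)); do
        arch=${ARCHS[$i]}
        arch_bit=${ARCH_BITS[$i]}
        mkdir -p "$PKG_DIR/$OS_TYPE/$arch"
        (
            cd "$PKG_DIR"
            # Note the underscore after ${arch}!
            # Recall that rpm packages have the arch bit in the filenames (i.e., "x86_64" rather than "amd64").
            # Also, the order of the includes/excludes is important: existing
            # signatures and manifests are deliberately left out so they are
            # always regenerated here.
            aws s3 cp --recursive --exclude "*" --include "*${arch}_*" --include "*$arch_bit.rpm" --exclude "*.sig" --exclude "*.asc" --exclude "*.asc.gz" "s3://$S3_SOURCE/$CHANNEL/$VERSION" .
        )
    done
fi

cd "$PKG_DIR"

# TODO: "$PKG_TYPE" == "source"

# Walk the per-OS directories directly underneath ./tmp/node_pkgs/ (`linux`,
# `darwin`, possibly `windows`). A glob is used rather than word-splitting the
# output of find, so names containing whitespace cannot be split apart.
for os_dir in */; do
    os=${os_dir%/}
    # Only linux packaging is implemented so far (see the Darwin TODO above).
    [[ "$os" = linux ]] || continue

    for arch in "${ARCHS[@]}"; do
        [[ -d "$os/$arch" ]] || continue

        # Only sign non-empty directories; with nullglob an empty directory
        # expands to an empty array.
        contents=("$os/$arch"/*)
        if (( ${#contents[@]} == 0 )); then
            continue
        fi

        sign_package_dir "$os/$arch" "$os" "$arch"
    done
done

echo
date "+build_release end SIGN stage %Y%m%d_%H%M%S"
echo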