From 4699911f047c74565ad0fd5a8e58b21a70e4bbc7 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 26 Aug 2020 13:57:14 +0200
Subject: [PATCH] speedo: Allow customizing the release process

--
---
 Makefile.am | 37 +++++++++++++++++---------
 build-aux/speedo.mk | 65 ++++++++++++++++++++++++++++++++++++---------
 2 files changed, 77 insertions(+), 25 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 405d99d09..064ea88ef 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -18,14 +18,13 @@
 ## Process this file with automake to produce Makefile.in
-# Location of the released tarball archives. Note that this is an
-# internal archive and before uploading this to the public server,
-# manual tests should be run and the git release tag set and pushed.
-# Adjust as needed.
-RELEASE_ARCHIVE_DIR = wk@vigenere:tarballs/gnupg/v2.2
-
-# The key used to sign the released sources. Adjust as needed.
-RELEASE_SIGNING_KEY = D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
+# Location of the released tarball archives. This is prefixed by
+# the variable RELEASE_ARCHIVE in ~/.gnupg-autogen.rc. For example:
+# RELEASE_ARCHIVE=user@host:archive/tarballs
+RELEASE_ARCHIVE_SUFFIX = gnupg/v2.3
+# The variable RELEASE_SIGNKEY in ~/.gnupg-autogen.rc is used
+# to specify the key for signing. For example:
+# RELEASE_SIGNKEY=D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
 # Autoconf flags.
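Review bot: The new RELEASE_SIGNKEY comment does not say which form of key selector is expected, although the value goes straight into `gpg -sbu` in the sign-release recipe, where a short key ID may select a different key than intended if several match. Since the example already shows a full fingerprint, make that a requirement in the comment, e.g. `# Give the full fingerprint, so that gpg -u can match only one key.` The same wording would fit the RELEASE_SIGNKEY example in the speedo.mk header hunk.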
@@ -203,6 +202,18 @@ release:
 sign-release:
 	+(set -e; \
 	 cd dist; \
+	 x=$$(grep '^RELEASE_ARCHIVE=' $$HOME/.gnupg-autogen.rc|cut -d= -f2);\
+	 if [ -z "$$x" ]; then \
+	   echo "error: RELEASE_ARCHIVE missing in ~/.gnupg-autogen.rc">&2; \
+	   exit 2;\
+	 fi;\
+	 myarchive="$$x/$(RELEASE_ARCHIVE_SUFFIX)";\
+	 x=$$(grep '^RELEASE_SIGNKEY=' $$HOME/.gnupg-autogen.rc|cut -d= -f2);\
+	 if [ -z "$$x" ]; then \
+	   echo "error: RELEASE_SIGNKEY missing in ~/.gnupg-autogen.rc">&2; \
+	   exit 2;\
+	 fi;\
+	 mysignkey="$$x";\
 	 release_w32_name="$(RELEASE_W32_STEM_NAME)_$$(date -u +%Y%m%d)" ;\
 	 files1="$(RELEASE_NAME).tar.bz2 \
 	         $${release_w32_name}.tar.xz \
@@ -215,11 +226,11 @@ sign-release:
 	         $${release_w32_name}.exe.swdb" ;\
 	 $(MAKE) -f $(RELEASE_NAME)/build-aux/speedo.mk w32-sign-installer ;\
 	 echo "/* Signing the source tarball ..." ;\
-	 gpg -sbu $(RELEASE_SIGNING_KEY) $(RELEASE_NAME).tar.bz2 ;\
+	 gpg -sbu $$mysignkey $(RELEASE_NAME).tar.bz2 ;\
 	 echo "/* Signing the W32 source tarball ..." ;\
-	 gpg -sbu $(RELEASE_SIGNING_KEY) $${release_w32_name}.tar.xz ;\
+	 gpg -sbu $$mysignkey $${release_w32_name}.tar.xz ;\
 	 echo "/* Signing the W32 installer ..." ;\
-	 gpg -sbu $(RELEASE_SIGNING_KEY) $${release_w32_name}.exe ;\
+	 gpg -sbu $$mysignkey $${release_w32_name}.exe ;\
 	 cat $(RELEASE_NAME).swdb >swdb.snippet;\
 	 echo '#+macro: gnupg22_branch STABLE-BRANCH-2-2' >>swdb.snippet;\
 	 cat $${release_w32_name}.exe.swdb >>swdb.snippet;\
@@ -227,8 +238,8 @@ sign-release:
 	 sha1sum $${files1} >>swdb.snippet ;\
 	 cat "../$(RELEASE_NAME).buildlog" swdb.snippet \
 	     | gzip >$(RELEASE_NAME).buildlog ;\
-	 echo "Release created - copying it to the local archive ..." ;\
-	 scp -p $${files1} $${files2} $(RELEASE_ARCHIVE_DIR)/ || true;\
+	 echo "Release created - copying it to the archive ..." ;\
+	 scp -p $${files1} $${files2} $$myarchive/ || true;\
 	 echo '/*' ;\
 	 echo ' * All done; for checksums see dist/swdb.snippet' ;\
 	 echo ' */' ;\
diff --git a/build-aux/speedo.mk b/build-aux/speedo.mk
index 8217ef46e..e61f8f40d 100644
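Review bot: `cut -d= -f2` in the two new grep lines keeps only the text between the first and second `=`, so a RELEASE_ARCHIVE or RELEASE_SIGNKEY value that itself contains `=` is silently truncated before it reaches scp and gpg; use `cut -d= -f2-` on both lines. The same `-f2` is used by READ_AUTOGEN_template in the speedo.mk hunk. When ~/.gnupg-autogen.rc does not exist, grep prints its own error ahead of the "missing" message, which is harmless but could be silenced with `2>/dev/null` on the grep. The sign-release recipe continues past the end of this hunk.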
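Review bot: In the last hunk `scp -p $${files1} $${files2} $$myarchive/ || true;\` still swallows an upload failure, and the destination is now assembled from a user-edited rc file where a typo is easy; the recipe then prints "All done", so a release that never reached the archive looks successful. As the line is being changed anyway, make the failure at least visible, e.g. `scp -p $${files1} $${files2} $$myarchive/ || echo "warning: copy to $$myarchive failed" >&2;\`, or drop the `|| true` if the archive is mandatory. The recipe continues beyond the hunk on both sides.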
--- a/build-aux/speedo.mk
+++ b/build-aux/speedo.mk
@@ -41,6 +41,47 @@
 #
 # Lists packages and versions.
 #
+# The information reyured to sign the tarballs and binaries
+# are expected in the developer specific file ~/.gnupg-autogen.rc".
+# Here is an example:
+#--8<---------------cut here---------------start------------->8---
+# # Location of the released tarball archives. Note that this is an
+# # internal archive and before uploading this to the public server,
+# # manual tests should be run and the git release tagged and pushed.
+# # This is greped by the Makefile.
+# RELEASE_ARCHIVE=foo@somehost:tarball-archive
+#
+# # The key used to sign the released sources.
+# # This is greped by the Makefile.
+# RELEASE_SIGNKEY=6DAA6E64A76D2840571B4902528897B826403ADA
+#
+# # For signing Windows binaries we need to employ a Windows machine.
+# # We connect to this machine via ssh and take the connection
+# # parameters via .ssh/config. For example a VM could be specified
+# # like this:
+# #
+# # Host authenticode-signhost
+# # HostName localhost
+# # Port 27042
+# # User gpgsign
+# #
+# # Depending on the used token it might be necessary to allow single
+# # signon and unlock the token before running the make. The following
+# # variable references this entry. This is greped by the Makefile.
+# AUTHENTICODE_SIGNHOST=authenticode-signhost
+#
+# # The name of the signtool as used on Windows.
+# # This is greped by the Makefile.
+# AUTHENTICODE_TOOL="C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"
+#
+# # To use osslsigncode the follwing entries are required and
+# # an empty string must be given for AUTHENTICODE_SIGNHOST.
+# # They are greped by the Makefile.
+# AUTHENTICODE_KEY=/home/foo/.gnupg/my-authenticode-key.p12
+# AUTHENTICODE_CERTS=/home/foo/.gnupg/my-authenticode-certs.pem
+#
+#--8<---------------cut here---------------end--------------->8---
 # We need to know our own name.
 SPEEDO_MK := $(realpath $(lastword $(MAKEFILE_LIST)))
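Review bot: The new header comment is the only place a developer learns how to set up release signing, and it has typos that should be fixed before it spreads: `reyured` should read `required`, `follwing` should read `following`, and the stray closing quote in `~/.gnupg-autogen.rc"` should go. It would also help to state that every value is taken verbatim by grep|cut — no shell quoting or variable expansion happens — which is why the AUTHENTICODE_TOOL example carries its own double quotes and AUTHENTICODE_KEY is an absolute path rather than the `${HOME}/...` form the old defaults used; e.g. `# Values are used verbatim (grep|cut): no quoting or variable expansion, so give absolute paths.`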
@@ -172,17 +213,17 @@ INSTALL_PREFIX=none
 # Set this to the location of wixtools
 WIXPREFIX=
-# The Authenticode key and cert chain used to sign the Windows
-# installer If AUTHENTICODE_SIGNHOST is specified, signing is done on
-# that host using the Windows signtool. The signhost is usually an
-# entry in .ssh/config. Depending on the used token it might be
-# necessary to allow single signon and unlock the token before running
-# this makefile. All files given in AUTHENTICODE_FILES are signed
-# before they are put into the installer.
-AUTHENTICODE_SIGNHOST=authenticode-signhost
-AUTHENTICODE_TOOL='"C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"'
-AUTHENTICODE_KEY=${HOME}/.gnupg/g10code-authenticode-key.p12
-AUTHENTICODE_CERTS=${HOME}/.gnupg/g10code-authenticode-certs.pem
+# Read signing information from ~/.gnupg-autogen.rc
+define READ_AUTOGEN_template
+$(1) = $$(shell grep '^$(1)=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2)
+endef
+$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_SIGNHOST))
+$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TOOL))
+$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_KEY))
+$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_CERTS))
+
+# All files given in AUTHENTICODE_FILES are signed before
+# they are put into the installer.
 AUTHENTICODE_FILES= \
 	dirmngr.exe \
 	dirmngr_ldap.exe \
@@ -1362,7 +1403,7 @@ define AUTHENTICODE_sign
 	if [ -n "$(AUTHENTICODE_SIGNHOST)" ]; then \
 	  echo "speedo: Signing via host $(AUTHENTICODE_SIGNHOST)";\
 	  scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\
-	  ssh "$(AUTHENTICODE_SIGNHOST)" $(AUTHENTICODE_TOOL) sign \
+	  ssh "$(AUTHENTICODE_SIGNHOST)" '$(AUTHENTICODE_TOOL)' sign \
 	    /n '"g10 Code GmbH"' \
 	    /tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \
 	    /fd sha256 /du https://gnupg.org a.exe ;\
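Review bot: READ_AUTOGEN_template assigns with `=`, so after `$(eval)` each of the four AUTHENTICODE_* variables is a recursive variable whose `$(shell grep ...)` is re-run on every expansion — once per reference in the AUTHENTICODE_sign recipe and wherever else they are used — and a missing rc file repeats grep's error each time. Assign once with `$(1) := $$(shell grep '^$(1)=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2-)`; the `-f2-` also keeps a value that contains `=` intact, whereas `-f2` truncates it at the second `=`. The Makefile.am sign-release hunk has the same `-f2` truncation. The AUTHENTICODE_sign define in the second hunk starts and ends outside the hunk.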