speedo: Allow customizing the release process
--
parent
fc1a185755
commit
4699911f04
37
Makefile.am
37
Makefile.am
@ -18,14 +18,13 @@
|
|||||||
|
|
||||||
## Process this file with automake to produce Makefile.in
|
## Process this file with automake to produce Makefile.in
|
||||||
|
|
||||||
# Location of the released tarball archives. Note that this is an
|
# Location of the released tarball archives. This is prefixed by
|
||||||
# internal archive and before uploading this to the public server,
|
# the variable RELEASE_ARCHIVE in ~/.gnupg-autogen.rc. For example:
|
||||||
# manual tests should be run and the git release tag set and pushed.
|
# RELEASE_ARCHIVE=user@host:archive/tarballs
|
||||||
# Adjust as needed.
|
RELEASE_ARCHIVE_SUFFIX = gnupg/v2.3
|
||||||
RELEASE_ARCHIVE_DIR = wk@vigenere:tarballs/gnupg/v2.2
|
# The variable RELEASE_SIGNKEY in ~/.gnupg-autogen.rc is used
|
||||||
|
# to specify the key for signing. For example:
|
||||||
# The key used to sign the released sources. Adjust as needed.
|
# RELEASE_SIGNKEY=D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
|
||||||
RELEASE_SIGNING_KEY = D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
|
|
||||||
|
|
||||||
|
|
||||||
# Autoconf flags.
|
# Autoconf flags.
|
||||||
@ -203,6 +202,18 @@ release:
|
|||||||
sign-release:
|
sign-release:
|
||||||
+(set -e; \
|
+(set -e; \
|
||||||
cd dist; \
|
cd dist; \
|
||||||
|
x=$$(grep '^RELEASE_ARCHIVE=' $$HOME/.gnupg-autogen.rc|cut -d= -f2);\
|
||||||
|
if [ -z "$$x" ]; then \
|
||||||
|
echo "error: RELEASE_ARCHIVE missing in ~/.gnupg-autogen.rc">&2; \
|
||||||
|
exit 2;\
|
||||||
|
fi;\
|
||||||
|
myarchive="$$x/$(RELEASE_ARCHIVE_SUFFIX)";\
|
||||||
|
x=$$(grep '^RELEASE_SIGNKEY=' $$HOME/.gnupg-autogen.rc|cut -d= -f2);\
|
||||||
|
if [ -z "$$x" ]; then \
|
||||||
|
echo "error: RELEASE_SIGNKEY missing in ~/.gnupg-autogen.rc">&2; \
|
||||||
|
exit 2;\
|
||||||
|
fi;\
|
||||||
|
mysignkey="$$x";\
|
||||||
release_w32_name="$(RELEASE_W32_STEM_NAME)_$$(date -u +%Y%m%d)" ;\
|
release_w32_name="$(RELEASE_W32_STEM_NAME)_$$(date -u +%Y%m%d)" ;\
|
||||||
files1="$(RELEASE_NAME).tar.bz2 \
|
files1="$(RELEASE_NAME).tar.bz2 \
|
||||||
$${release_w32_name}.tar.xz \
|
$${release_w32_name}.tar.xz \
|
||||||
@ -215,11 +226,11 @@ sign-release:
|
|||||||
$${release_w32_name}.exe.swdb" ;\
|
$${release_w32_name}.exe.swdb" ;\
|
||||||
$(MAKE) -f $(RELEASE_NAME)/build-aux/speedo.mk w32-sign-installer ;\
|
$(MAKE) -f $(RELEASE_NAME)/build-aux/speedo.mk w32-sign-installer ;\
|
||||||
echo "/* Signing the source tarball ..." ;\
|
echo "/* Signing the source tarball ..." ;\
|
||||||
gpg -sbu $(RELEASE_SIGNING_KEY) $(RELEASE_NAME).tar.bz2 ;\
|
gpg -sbu $$mysignkey $(RELEASE_NAME).tar.bz2 ;\
|
||||||
echo "/* Signing the W32 source tarball ..." ;\
|
echo "/* Signing the W32 source tarball ..." ;\
|
||||||
gpg -sbu $(RELEASE_SIGNING_KEY) $${release_w32_name}.tar.xz ;\
|
gpg -sbu $$mysignkey $${release_w32_name}.tar.xz ;\
|
||||||
echo "/* Signing the W32 installer ..." ;\
|
echo "/* Signing the W32 installer ..." ;\
|
||||||
gpg -sbu $(RELEASE_SIGNING_KEY) $${release_w32_name}.exe ;\
|
gpg -sbu $$mysignkey $${release_w32_name}.exe ;\
|
||||||
cat $(RELEASE_NAME).swdb >swdb.snippet;\
|
cat $(RELEASE_NAME).swdb >swdb.snippet;\
|
||||||
echo '#+macro: gnupg22_branch STABLE-BRANCH-2-2' >>swdb.snippet;\
|
echo '#+macro: gnupg22_branch STABLE-BRANCH-2-2' >>swdb.snippet;\
|
||||||
cat $${release_w32_name}.exe.swdb >>swdb.snippet;\
|
cat $${release_w32_name}.exe.swdb >>swdb.snippet;\
|
||||||
@ -227,8 +238,8 @@ sign-release:
|
|||||||
sha1sum $${files1} >>swdb.snippet ;\
|
sha1sum $${files1} >>swdb.snippet ;\
|
||||||
cat "../$(RELEASE_NAME).buildlog" swdb.snippet \
|
cat "../$(RELEASE_NAME).buildlog" swdb.snippet \
|
||||||
| gzip >$(RELEASE_NAME).buildlog ;\
|
| gzip >$(RELEASE_NAME).buildlog ;\
|
||||||
echo "Release created - copying it to the local archive ..." ;\
|
echo "Release created - copying it to the archive ..." ;\
|
||||||
scp -p $${files1} $${files2} $(RELEASE_ARCHIVE_DIR)/ || true;\
|
scp -p $${files1} $${files2} $$myarchive/ || true;\
|
||||||
echo '/*' ;\
|
echo '/*' ;\
|
||||||
echo ' * All done; for checksums see dist/swdb.snippet' ;\
|
echo ' * All done; for checksums see dist/swdb.snippet' ;\
|
||||||
echo ' */' ;\
|
echo ' */' ;\
|
||||||
|
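Review bot: In the sign-release recipe the new `$$mysignkey` and `$$myarchive` are used unquoted in the three `gpg -sbu` lines and the `scp -p` line, and the `grep … | cut -d= -f2` that fills them returns every matching line of ~/.gnupg-autogen.rc. A duplicated entry or a value containing whitespace is therefore word-split into extra arguments for gpg and scp; quote the uses (`gpg -sbu "$$mysignkey" …`, `scp -p $${files1} $${files2} "$$myarchive/"`) and keep a single match by adding `| head -n1` after the `cut`. Since the signing key is no longer pinned in the tree, it would also help to reject values containing non-hex characters before signing, for example `case "$$mysignkey" in *[!0-9A-Fa-f]*) echo "error: RELEASE_SIGNKEY is not a fingerprint" >&2; exit 2;; esac`. The `|| true` after `scp` still hides a failed upload behind the "All done" banner. The recipe starts and continues outside these hunks.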
@ -41,6 +41,47 @@
|
|||||||
#
|
#
|
||||||
# Lists packages and versions.
|
# Lists packages and versions.
|
||||||
#
|
#
|
||||||
|
# The information reyured to sign the tarballs and binaries
|
||||||
|
# are expected in the developer specific file ~/.gnupg-autogen.rc".
|
||||||
|
# Here is an example:
|
||||||
|
#--8<---------------cut here---------------start------------->8---
|
||||||
|
# # Location of the released tarball archives. Note that this is an
|
||||||
|
# # internal archive and before uploading this to the public server,
|
||||||
|
# # manual tests should be run and the git release tagged and pushed.
|
||||||
|
# # This is greped by the Makefile.
|
||||||
|
# RELEASE_ARCHIVE=foo@somehost:tarball-archive
|
||||||
|
#
|
||||||
|
# # The key used to sign the released sources.
|
||||||
|
# # This is greped by the Makefile.
|
||||||
|
# RELEASE_SIGNKEY=6DAA6E64A76D2840571B4902528897B826403ADA
|
||||||
|
#
|
||||||
|
# # For signing Windows binaries we need to employ a Windows machine.
|
||||||
|
# # We connect to this machine via ssh and take the connection
|
||||||
|
# # parameters via .ssh/config. For example a VM could be specified
|
||||||
|
# # like this:
|
||||||
|
# #
|
||||||
|
# # Host authenticode-signhost
|
||||||
|
# # HostName localhost
|
||||||
|
# # Port 27042
|
||||||
|
# # User gpgsign
|
||||||
|
# #
|
||||||
|
# # Depending on the used token it might be necessary to allow single
|
||||||
|
# # signon and unlock the token before running the make. The following
|
||||||
|
# # variable references this entry. This is greped by the Makefile.
|
||||||
|
# AUTHENTICODE_SIGNHOST=authenticode-signhost
|
||||||
|
#
|
||||||
|
# # The name of the signtool as used on Windows.
|
||||||
|
# # This is greped by the Makefile.
|
||||||
|
# AUTHENTICODE_TOOL="C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"
|
||||||
|
#
|
||||||
|
# # To use osslsigncode the follwing entries are required and
|
||||||
|
# # an empty string must be given for AUTHENTICODE_SIGNHOST.
|
||||||
|
# # They are greped by the Makefile.
|
||||||
|
# AUTHENTICODE_KEY=/home/foo/.gnupg/my-authenticode-key.p12
|
||||||
|
# AUTHENTICODE_CERTS=/home/foo/.gnupg/my-authenticode-certs.pem
|
||||||
|
#
|
||||||
|
#--8<---------------cut here---------------end--------------->8---
|
||||||
|
|
||||||
|
|
||||||
# We need to know our own name.
|
# We need to know our own name.
|
||||||
SPEEDO_MK := $(realpath $(lastword $(MAKEFILE_LIST)))
|
SPEEDO_MK := $(realpath $(lastword $(MAKEFILE_LIST)))
|
||||||
@ -172,17 +213,17 @@ INSTALL_PREFIX=none
|
|||||||
# Set this to the location of wixtools
|
# Set this to the location of wixtools
|
||||||
WIXPREFIX=
|
WIXPREFIX=
|
||||||
|
|
||||||
# The Authenticode key and cert chain used to sign the Windows
|
# Read signing information from ~/.gnupg-autogen.rc
|
||||||
# installer If AUTHENTICODE_SIGNHOST is specified, signing is done on
|
define READ_AUTOGEN_template
|
||||||
# that host using the Windows signtool. The signhost is usually an
|
$(1) = $$(shell grep '^$(1)=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2)
|
||||||
# entry in .ssh/config. Depending on the used token it might be
|
endef
|
||||||
# necessary to allow single signon and unlock the token before running
|
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_SIGNHOST))
|
||||||
# this makefile. All files given in AUTHENTICODE_FILES are signed
|
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TOOL))
|
||||||
# before they are put into the installer.
|
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_KEY))
|
||||||
AUTHENTICODE_SIGNHOST=authenticode-signhost
|
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_CERTS))
|
||||||
AUTHENTICODE_TOOL='"C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"'
|
|
||||||
AUTHENTICODE_KEY=${HOME}/.gnupg/g10code-authenticode-key.p12
|
# All files given in AUTHENTICODE_FILES are signed before
|
||||||
AUTHENTICODE_CERTS=${HOME}/.gnupg/g10code-authenticode-certs.pem
|
# they are put into the installer.
|
||||||
AUTHENTICODE_FILES= \
|
AUTHENTICODE_FILES= \
|
||||||
dirmngr.exe \
|
dirmngr.exe \
|
||||||
dirmngr_ldap.exe \
|
dirmngr_ldap.exe \
|
||||||
@ -1362,7 +1403,7 @@ define AUTHENTICODE_sign
|
|||||||
if [ -n "$(AUTHENTICODE_SIGNHOST)" ]; then \
|
if [ -n "$(AUTHENTICODE_SIGNHOST)" ]; then \
|
||||||
echo "speedo: Signing via host $(AUTHENTICODE_SIGNHOST)";\
|
echo "speedo: Signing via host $(AUTHENTICODE_SIGNHOST)";\
|
||||||
scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\
|
scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\
|
||||||
ssh "$(AUTHENTICODE_SIGNHOST)" $(AUTHENTICODE_TOOL) sign \
|
ssh "$(AUTHENTICODE_SIGNHOST)" '$(AUTHENTICODE_TOOL)' sign \
|
||||||
/n '"g10 Code GmbH"' \
|
/n '"g10 Code GmbH"' \
|
||||||
/tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \
|
/tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \
|
||||||
/fd sha256 /du https://gnupg.org a.exe ;\
|
/fd sha256 /du https://gnupg.org a.exe ;\
|
||||||
|
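Review bot: The `READ_AUTOGEN_template` assignments (this section has lost its file header; presumably build-aux/speedo.mk) leave the `AUTHENTICODE_*` variables silently empty when ~/.gnupg-autogen.rc is missing or an entry is mistyped, whereas the sign-release recipe in Makefile.am exits with an error for its two entries. Because an empty `AUTHENTICODE_SIGNHOST` is also the documented way to select osslsigncode, a typo changes the signing path instead of stopping the build; the rest of `AUTHENTICODE_sign` lies outside the hunk, so whether an empty `AUTHENTICODE_KEY` is rejected there cannot be confirmed from here. The values are also pasted verbatim into recipe text (`'$(AUTHENTICODE_TOOL)'`), so a single quote in the file ends the quoting and `cut -d= -f2` drops everything after a second `=`; a comment above the template stating that the file is treated as trusted shell input and should be writable only by the release developer would document that assumption. The `=` in the template also re-runs grep on every expansion, while `$(1) := $$(shell …)` would read the file once per make run.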