jtheoof/swappy
1
1
Fork 0
mirror of https://github.com/jtheoof/swappy.git synced 2024-07-14 18:00:25 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix(release): properly check sha256 remote content

Browse Source 
We need to verify the sources from github match our local content.
We do this by building our own version of the git release (using `git
archive`) and checking the SHA-256 checksums against the local and
remote.

After that it's safe to sign the remote `tar.gz` and upload the
signature file to the release.

One caveat is that if Github upates their git release commmand, this
script will break. We'll worry about it when that happens.

This drops support for `zip` signature. I wish there was a way to
prevent the zip source code when doing a new release.

Closes #90
This commit is contained in:
Jeremy Attali 2021-02-20 16:20:32 -05:00
parent 78ed552039
commit 91985c7994
1 changed files with 25 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
script/sign-post-release
View File

@ -17,7 +17,6 @@ init() {
command -v gh >/dev/null 2>&1 || { echo >&2 "github cli tool required: pacman -S github-cli"; exit 1; }
mkdir -p $release_folder
cd $release_folder
}
get_release_version() {
@ -25,24 +24,41 @@ get_release_version() {
echo "found latest version: $version"
}
build_archives_from_source() {
echo "building source archives..."
cd $git_root
git archive -o "$release_folder/local-$app_name-$version.tar.gz" --format tar.gz --prefix "$app_name-$version/" "v$version"
}
download_source_for_release() {
echo "downloading source assets..."
curl --output $app_name-$version.zip https://github.com/jtheoof/$app_name/archive/v$version.zip
curl --output $app_name-$version.tar.gz https://github.com/jtheoof/$app_name/archive/v$version.tar.gz
cd $release_folder
curl --location --output github-$app_name-$version.tar.gz https://github.com/jtheoof/$app_name/archive/v$version.tar.gz
}
verify_sha256_checksums() {
echo "verifying signatures..."
cd $release_folder
sha256sum local-$app_name-$version.tar.gz | awk '{ print $1 }' > local-$app_name-$version.tar.gz.sha256
# sha256sum --check will exit if the checksums do not match
echo "$(cat local-$app_name-$version.tar.gz.sha256) github-$app_name-$version.tar.gz" | sha256sum --check
}
sign_release_source() {
echo "signing source assets..."
gpg --detach-sign $app_name-$version.zip
gpg --detach-sign $app_name-$version.tar.gz
cd $release_folder
gpg --output $app_name-$version.tar.gz.sig --detach-sign github-$app_name-$version.tar.gz
}
upload_signed_assets_to_release() {
echo "uploading signatures to github release..."
gh release upload v$version $app_name-$version.zip.sig --clobber
gh release upload v$version $app_name-$version.tar.gz.sig --clobber
cd $release_folder
gh release upload v$version $app_name-$version.tar.gz.sig --clobber
}
main() {
init
get_release_version
@ -52,7 +68,9 @@ main() {
die "version not found, is the git tag valid?"
fi
build_archives_from_source
download_source_for_release
verify_sha256_checksums
sign_release_source
upload_signed_assets_to_release
}