From 76b85fa4dc93a9d3b55d62720c6236f4dbb0052a Mon Sep 17 00:00:00 2001 From: Rod Vagg Date: Thu, 19 Nov 2015 13:45:00 +1100 Subject: [PATCH] build: backport tools/release.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR-URL: https://github.com/nodejs/node/pull/3642 Reviewed-By: Johan Bergström Reviewed-By: Alexis Campailla --- tools/release.sh | 196 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 196 insertions(+) create mode 100755 tools/release.sh diff --git a/tools/release.sh b/tools/release.sh new file mode 100755 index 000000000000..6d0af2a541f4 --- /dev/null +++ b/tools/release.sh @@ -0,0 +1,196 @@ +#!/usr/bin/env bash + +# To promote and sign a release that has been prepared by the build slaves, use: +# release.sh + +# To _only_ sign an existing release, use: +# release.sh -s vx.y.z + +set -e + +webhost=direct.nodejs.org +webuser=dist +promotablecmd=dist-promotable +promotecmd=dist-promote +signcmd=dist-sign + + +################################################################################ +## Select a GPG key to use + +echo "# Selecting GPG key ..." + +gpgkey=$(gpg --list-secret-keys | grep '^sec' | awk -F'( +|/)' '{print $3}') +keycount=$(echo $gpgkey | wc -w) + +if [ $keycount -eq 0 ]; then + echo 'Need at least one GPG key, please make one with `gpg --gen-key`' + echo 'You will also need to submit your key to a public keyserver, e.g.' + echo ' https://sks-keyservers.net/i/#submit' + exit 1 +elif [ $keycount -ne 1 ]; then + echo -e 'You have multiple GPG keys:\n' + + gpg --list-secret-keys + + while true; do + echo $gpgkey | awk '{ for(i = 1; i <= NF; i++) { print i ") " $i; } }' + echo -n 'Select a key: ' + read keynum + + if $(test "$keynum" -eq "$keynum" > /dev/null 2>&1); then + _gpgkey=$(echo $gpgkey | awk '{ print $'${keynum}'}') + keycount=$(echo $_gpgkey | wc -w) + if [ $keycount -eq 1 ]; then + echo "" + gpgkey=$_gpgkey + break + fi + fi + done +fi + +gpgfing=$(gpg --fingerprint $gpgkey | grep 'Key fingerprint =' | awk -F' = ' '{print $2}' | tr -d ' ') + +if ! test "$(grep $gpgfing README.md)"; then + echo 'Error: this GPG key fingerprint is not listed in ./README.md' + exit 1 +fi + +echo "Using GPG key: $gpgkey" +echo " Fingerprint: $gpgfing" + + +################################################################################ +## Create and sign checksums file for a given version + +function sign { + echo -e "\n# Creating SHASUMS256.txt ..." + + local version=$1 + + gpgtagkey=$(git tag -v $version 2>&1 | grep 'key ID' | awk '{print $NF}') + + if [ "X${gpgtagkey}" == "X" ]; then + echo "Could not find signed tag for \"${version}\"" + exit 1 + fi + + if [ "${gpgtagkey}" != "${gpgkey}" ]; then + echo "GPG key for \"${version}\" tag is not yours, cannot sign" + fi + + shapath=$(ssh ${webuser}@${webhost} $signcmd nodejs $version) + + if ! [[ ${shapath} =~ ^/.+/SHASUMS256.txt$ ]]; then + echo 'Error: No SHASUMS file returned by sign!' + exit 1 + fi + + echo -e "\n# Signing SHASUMS for ${version}..." + + shadir=$(dirname $shapath) + tmpdir="/tmp/_node_release.$$" + + mkdir -p $tmpdir + + scp ${webuser}@${webhost}:${shadir}/SHASUMS*.txt ${tmpdir}/ + + for i in $(ls ${tmpdir}/SHASUMS*.txt); do + echo "Signing $i..." + gpg --default-key $gpgkey --clearsign ${i} + if [[ $version =~ ^v[0] ]]; then + echo "Encrpting $i..." + gpg --default-key $gpgkey -s ${i} + fi + done + + echo "Wrote to ${tmpdir}/" + + echo -e "Your signed SHASUMS256.txt.asc:\n" + + cat ${tmpdir}/SHASUMS256.txt.asc + + echo "" + + while true; do + echo -n "Upload files? [y/n] " + yorn="" + read yorn + + if [ "X${yorn}" == "Xn" ]; then + break + fi + + if [ "X${yorn}" == "Xy" ]; then + if [[ $version =~ ^v[0] ]]; then + scp ${tmpdir}/SHASUMS* ${webuser}@${webhost}:${shadir}/ + else + scp ${tmpdir}/SHASUMS256.txt ${tmpdir}/SHASUMS256.txt.asc ${webuser}@${webhost}:${shadir}/ + fi + break + fi + done + + rm -rf $tmpdir +} + + +if [ "X${1}" == "X-s" ]; then + if [ "X${2}" == "X" ]; then + echo "Please supply a version string to sign" + exit 1 + fi + + sign $2 + exit 0 +fi + + +# else: do a normal release & promote + +################################################################################ +## Look for releases to promote + +echo -e "\n# Checking for releases ..." + +promotable=$(ssh ${webuser}@${webhost} $promotablecmd nodejs) + +if [ "X${promotable}" == "X" ]; then + echo "No releases to promote!" + exit 0 +fi + +echo -e "Found the following releases / builds ready to promote:\n" +echo "$promotable" | sed 's/^/ * /' +echo "" + +versions=$(echo "$promotable" | cut -d: -f1) + +################################################################################ +## Promote releases + +for version in $versions; do + while true; do + files=$(echo "$promotable" | grep "^${version}" | sed 's/^'${version}': //') + echo -n "Promote ${version} files (${files})? [y/n] " + yorn="" + read yorn + + if [ "X${yorn}" == "Xn" ]; then + break + fi + + if [ "X${yorn}" != "Xy" ]; then + continue + fi + + echo -e "\n# Promoting ${version}..." + + ssh ${webuser}@${webhost} $promotecmd nodejs $version + + sign $version + + break + done +done