This is an automated email from the ASF dual-hosted git repository.

csantanapr pushed a commit to branch master
in repository 
https://gitbox.apache.org/repos/asf/incubator-openwhisk-release.git


The following commit(s) were added to refs/heads/master by this push:
     new ce99a91  tools: Add the support to verify the artifacts with the key 
(#33)
ce99a91 is described below

commit ce99a91282e12e13a5f342c60c03148319a5ec63
Author: Vincent <s...@us.ibm.com>
AuthorDate: Mon Feb 12 16:12:25 2018 -0500

    tools: Add the support to verify the artifacts with the key (#33)
---
 tools/clean_remote_stage_artifacts.sh       |  30 ++++++++++++++++++++++
 tools/install_dependencies.sh               |   1 -
 tools/key_pub.gpg                           |  29 ++++++++++++++++++++++
 tools/key_sec.gpg.enc                       | Bin 0 -> 3504 bytes
 tools/{export_pgp_key.sh => load_config.sh} |  24 ++++++++++--------
 tools/package_source_code.sh                |  28 +--------------------
 tools/sign_artifacts.sh                     |   3 ++-
 tools/travis/import_pgp_key.sh              |  14 +++++++++++
 tools/travis/package_source_code.sh         |   6 ++---
 tools/util.sh                               |  37 ++++++++++++++++++++++++++++
 tools/verify_local_artifacts.sh             |  13 ++++++++++
 tools/verify_remote_artifacts.sh            |  21 ++++++++++++++++
 12 files changed, 164 insertions(+), 42 deletions(-)

diff --git a/tools/clean_remote_stage_artifacts.sh 
b/tools/clean_remote_stage_artifacts.sh
new file mode 100755
index 0000000..0577f7a
--- /dev/null
+++ b/tools/clean_remote_stage_artifacts.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Clean the remote artifacts in staging directory"
+
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
+source "$SCRIPTDIR/util.sh"
+
+CONFIG=$(read_file $SCRIPTDIR/config.json)
+version_key="version"
+version_major=$(json_by_key "$CONFIG" ${version_key}.major)
+version_minor=$(json_by_key "$CONFIG" ${version_key}.minor)
+
+version=$version_major-$version_minor
+REMOTE_PATH="openwhisk-$version"
+STAGE_URL=$(json_by_key "$CONFIG" "stage_url")
+CURRENT_VERSION_URL="$STAGE_URL/${REMOTE_PATH}/"
+CREDENTIALS=""
+
+SVN_USERNAME=$1
+SVN_PASSWORD=$2
+
+if [ ! -z "$SVN_USERNAME" ] && [ ! -z "$SVN_PASSWORD" ];then
+    CREDENTIALS="--username $SVN_USERNAME --password $SVN_PASSWORD 
--non-interactive"
+fi
+
+if [[ `wget -S --spider $CURRENT_VERSION_URL  2>&1 | grep 'HTTP/1.1 200 OK'` 
]]; then
+    svn delete $CURRENT_VERSION_URL -m "Removing Apache OpenWhisk release 
${version} from staging." $CREDENTIALS
+fi
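Review bot: `CREDENTIALS` in the `if` branch is built as one whitespace-separated string and expanded unquoted into the `svn delete` call, so a password containing spaces or glob characters is split into several arguments, and the password is exposed to every local process list and to any `set -x` trace for the lifetime of the command. Keep the options in an array, `CREDENTIALS=(--username "$SVN_USERNAME" --password "$SVN_PASSWORD" --non-interactive)`, and expand it as `"${CREDENTIALS[@]}"`; the same string-built pattern is introduced in tools/load_config.sh by this commit. The `wget -S --spider ... | grep 'HTTP/1.1 200 OK'` existence test also depends on the exact status line, so a server answering over HTTP/2 or with a different reason phrase silently skips the delete; `wget -q --spider "$CURRENT_VERSION_URL"` tested by exit status is more robust.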
diff --git a/tools/install_dependencies.sh b/tools/install_dependencies.sh
index f48e33f..ca365bc 100755
--- a/tools/install_dependencies.sh
+++ b/tools/install_dependencies.sh
@@ -7,7 +7,6 @@ if [ $sysOS == "Darwin" ];then
        echo "This is MacOS."
        brew install jq
        brew install gpg
-       brew install md5sha1sum
 elif [ $sysOS == "Linux" ];then
        echo "This is Linux."
     if [ -f /etc/lsb-release -o -d /etc/lsb-release.d ]; then
diff --git a/tools/key_pub.gpg b/tools/key_pub.gpg
new file mode 100644
index 0000000..febbeaf
--- /dev/null
+++ b/tools/key_pub.gpg
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=/f4p
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tools/key_sec.gpg.enc b/tools/key_sec.gpg.enc
new file mode 100644
index 0000000..7761b7f
Binary files /dev/null and b/tools/key_sec.gpg.enc differ
diff --git a/tools/export_pgp_key.sh b/tools/load_config.sh
similarity index 63%
rename from tools/export_pgp_key.sh
rename to tools/load_config.sh
index 8eafcac..0d6b2a3 100755
--- a/tools/export_pgp_key.sh
+++ b/tools/load_config.sh
@@ -1,27 +1,31 @@
 #!/usr/bin/env bash
 
-set -e
+WORK_DIR=${1:-"$HOME"}
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
 
-echo "Export the PGP key."
+SVN_USERNAME=$2
+SVN_PASSWORD=$3
+CREDENTIALS=""
+
+if [ ! -z "$SVN_USERNAME" ] && [ ! -z "$SVN_PASSWORD" ];then
+    CREDENTIALS="--username $SVN_USERNAME --password $SVN_PASSWORD 
--non-interactive"
+fi
 
-WORK_DIR=${1:-"$HOME"}
-PGP_EMAIL=${2:-"s...@us.ibm.com"}
 OPENWHISK_SOURCE_DIR="$WORK_DIR/openwhisk_sources"
 OPENWHISK_SVN="$OPENWHISK_SOURCE_DIR/openwhisk"
 
-SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
 source "$SCRIPTDIR/util.sh"
 
 CONFIG=$(read_file $SCRIPTDIR/config.json)
 repos=$(echo $(json_by_key "$CONFIG" "RepoList") | sed 's/[][]//g')
+STAGE_URL=$(json_by_key "$CONFIG" "stage_url")
+
 version_key="version"
 version_major=$(json_by_key "$CONFIG" ${version_key}.major)
 version_minor=$(json_by_key "$CONFIG" ${version_key}.minor)
 
 version=$version_major-$version_minor
-CURRENT_VERSION_DIR="$OPENWHISK_SVN/openwhisk-$version"
+REMOTE_PATH="openwhisk-$version"
 
-cd $CURRENT_VERSION_DIR
-
-# Output the public key into the file KEYS to be uploaded into the staging 
directory.
-gpg --yes --output KEYS --armor --export $PGP_EMAIL
+CURRENT_VERSION_URL="$STAGE_URL/${REMOTE_PATH}/"
+CURRENT_VERSION_DIR="$OPENWHISK_SVN/openwhisk-$version"
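Review bot: `SCRIPTDIR` is derived from `$0` on the line after the `WORK_DIR` default, but this file is now sourced rather than executed, so `$0` is the calling script's path and `SCRIPTDIR` resolves to the caller's directory; that only works because every caller added in this commit lives in tools/ itself. `SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"` resolves to this file's own directory regardless of who sources it. A header comment stating that the file is meant to be sourced and listing the variables it sets for the caller (WORK_DIR, OPENWHISK_SVN, STAGE_URL, REMOTE_PATH, CURRENT_VERSION_URL, CURRENT_VERSION_DIR, CREDENTIALS) would also help, since the util.sh functions become available to the caller as a side effect.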
diff --git a/tools/package_source_code.sh b/tools/package_source_code.sh
index fa1c136..76829e7 100755
--- a/tools/package_source_code.sh
+++ b/tools/package_source_code.sh
@@ -4,34 +4,8 @@ set -e
 
 echo "Package the artifacts."
 
-SVN_USERNAME=$2
-SVN_PASSWORD=$3
-CREDENTIALS=""
-
-if [ ! -z "$SVN_USERNAME" ] && [ ! -z "$SVN_PASSWORD" ];then
-    CREDENTIALS="--username $SVN_USERNAME --password $SVN_PASSWORD 
--non-interactive"
-fi
-
-WORK_DIR=${1:-"$HOME"}
-
-OPENWHISK_SOURCE_DIR="$WORK_DIR/openwhisk_sources"
-OPENWHISK_SVN="$OPENWHISK_SOURCE_DIR/openwhisk"
-
 SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
-source "$SCRIPTDIR/util.sh"
-
-CONFIG=$(read_file $SCRIPTDIR/config.json)
-repos=$(echo $(json_by_key "$CONFIG" "RepoList") | sed 's/[][]//g')
-version_key="version"
-version_major=$(json_by_key "$CONFIG" ${version_key}.major)
-version_minor=$(json_by_key "$CONFIG" ${version_key}.minor)
-
-version=$version_major-$version_minor
-CURRENT_VERSION_DIR="$OPENWHISK_SVN/openwhisk-$version"
-echo $version
-
-STAGE_URL=$(json_by_key "$CONFIG" "stage_url")
-echo $STAGE_URL
+source "$SCRIPTDIR/load_config.sh" $1 $2 $3
 
 # Create a subversion directory for openwhisk to stage all the packages
 rm -rf $OPENWHISK_SVN
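Review bot: The `source "$SCRIPTDIR/load_config.sh" $1 $2 $3` line passes the positional parameters unquoted, so when `$1` is empty (the WORK_DIR default case) the remaining arguments shift left and load_config.sh reads the SVN username as the work directory and the password as the username. Quote them as `source "$SCRIPTDIR/load_config.sh" "$1" "$2" "$3"` so empty arguments keep their position; tools/verify_local_artifacts.sh and tools/verify_remote_artifacts.sh in this commit use the same unquoted form. The `rm -rf $OPENWHISK_SVN` on the last line still runs with an unquoted, unguarded variable; `rm -rf -- "${OPENWHISK_SVN:?}"` aborts with a clear message instead of running `rm -rf` on a missing or word-split operand.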
diff --git a/tools/sign_artifacts.sh b/tools/sign_artifacts.sh
index 288985a..8695d11 100755
--- a/tools/sign_artifacts.sh
+++ b/tools/sign_artifacts.sh
@@ -31,10 +31,11 @@ if [ $sysOS == "Darwin" ];then
 fi
 
 cd $CURRENT_VERSION_DIR
-
+echo "Sign the artifacts with the private key."
 for artifact in *.tar.gz; do
     gpg --print-md MD5 ${artifact} > ${artifact}.md5
     gpg --print-md SHA512 ${artifact} > ${artifact}.sha512
+
     if [ $sysOS == "Darwin" ];then
         # The option --passphrase-fd does not work on Mac.
         `gpg --yes --armor --output ${artifact}.asc --detach-sig ${artifact}`
diff --git a/tools/travis/import_pgp_key.sh b/tools/travis/import_pgp_key.sh
new file mode 100755
index 0000000..fca5112
--- /dev/null
+++ b/tools/travis/import_pgp_key.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Import the PGP key."
+
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
+
+# Load the public key located in the repo of openwhisk release.
+echo "Load the public key."
+gpg --import $SCRIPTDIR/key_pub.gpg
+
+echo "Load the private key."
+gpg --allow-secret-key-import --import $SCRIPTDIR/key_sec.gpg
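Review bot: `gpg --import $SCRIPTDIR/key_pub.gpg` and the `--import $SCRIPTDIR/key_sec.gpg` line look for the key files in tools/travis/, but this commit adds key_pub.gpg under tools/ and tools/travis/package_source_code.sh decrypts the secret key to `$PARENTDIR/key_sec.gpg`, one directory up; unless something copies them first, both imports fail and `set -e` stops the build before signing. Pointing at the parent directory, `gpg --import "$SCRIPTDIR/../key_pub.gpg"` and likewise for key_sec.gpg, would match where the files actually live. Quoting `$SCRIPTDIR` in both calls also keeps a checkout path with spaces from being split.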
diff --git a/tools/travis/package_source_code.sh 
b/tools/travis/package_source_code.sh
index e09b021..e14244e 100755
--- a/tools/travis/package_source_code.sh
+++ b/tools/travis/package_source_code.sh
@@ -19,10 +19,10 @@ if [ "$TRAVIS_EVENT_TYPE" == "push" ] ; then
 fi
 
 "$PARENTDIR/package_source_code.sh" $WORK_DIR $SVN_USERNAME $SVN_PASSWORD
-"$PARENTDIR/generate_pgp_key.sh"
-"$PARENTDIR/export_pgp_key.sh" $WORK_DIR
-"$PARENTDIR/sign_artifacts.sh" $WORK_DIR
 
 if [ "$TRAVIS_EVENT_TYPE" == "push" ] ; then
+    openssl aes-256-cbc -K $encrypted_2030e681f34a_key -iv 
$encrypted_2030e681f34a_iv -in $PARENTDIR/key_sec.gpg.enc -out 
$PARENTDIR/key_sec.gpg -d
+    "$SCRIPTDIR/import_pgp_key.sh"
+    "$PARENTDIR/sign_artifacts.sh" $WORK_DIR
     "$PARENTDIR/upload_artifacts.sh" $WORK_DIR $SVN_USERNAME $SVN_PASSWORD
 fi
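Review bot: The decrypted `$PARENTDIR/key_sec.gpg` written by the `openssl aes-256-cbc` line is never removed, so the plaintext signing key stays in the build workspace for the rest of the job and any later step, log capture or cache upload can read it. Register the cleanup before decrypting, `trap 'rm -f -- "$PARENTDIR/key_sec.gpg"' EXIT`, so the file is deleted on every exit path, and quote `$PARENTDIR` in the `-in`/`-out` arguments. Moving signing inside the `push` branch means pull-request builds no longer exercise sign_artifacts.sh at all; if that is intentional because the encrypted variables are only available on push builds, a comment saying so on the `if` line would spare the next reader from wondering why the step moved.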
diff --git a/tools/util.sh b/tools/util.sh
index 7654c40..36ddc8b 100755
--- a/tools/util.sh
+++ b/tools/util.sh
@@ -9,3 +9,40 @@ function json_by_key() {
     key=$2
     echo $input | jq ''.$key'' | sed -e 's/^"//' -e 's/"$//'
 }
+
+function import_key_verify_signature() {
+    key_url=$1
+    dir=$2
+    cd $dir
+
+    echo "Importing PGP keys"
+    curl $key_url | gpg --import && \
+    echo "[✓] GPG keys imported" \
+      || { echo "[x] Failed to import GPG keys"; exit 1; }
+
+    echo "Checking signatures and hashes of artifacts"
+    for artifact in $(find * -type f \( -name '*.tar.gz' \) ); do
+        # Check md5
+        artifactMD5=$(gpg --print-md MD5 ${artifact})
+        artifactMD5File=$(cat ${artifact}.md5)
+        if [ "$artifactMD5" == "$artifactMD5File" ];then
+            echo "[✓] MD5 verified for $artifact"
+        else
+            echo "[x] Unmatched MD5 for $artifact."; exit 1;
+        fi
+
+        # Check sha512
+        artifactSha512=$(gpg --print-md SHA512 ${artifact})
+        artifactSha512File=$(cat ${artifact}.sha512)
+        if [ "$artifactSha512" == "$artifactSha512File" ];then
+            echo "[✓] SHA512 verified for $artifact"
+        else
+            echo "[x] Unmatched SHA512 for $artifact."; exit 1;
+        fi
+
+        # Verify the signatures
+        gpg --verify ${artifact}.asc ${artifact} && \
+        echo "[✓] Signatures verified for $artifact" \
+          || { echo "[x] Invalid signature for $artifact."; exit 1; }
+    done
+}
\ No newline at end of file
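Review bot: `curl $key_url | gpg --import` fetches KEYS from the same staging location as the artifacts it is about to verify, and `gpg --verify` then accepts a signature from any key in the keyring, so the check only proves that the artifacts were signed by whoever could also write KEYS to that location; anyone able to replace an artifact there can replace KEYS and the .asc files as well. Pin the expected signer instead of trusting the downloaded file, e.g. `gpg --status-fd 1 --verify "${artifact}.asc" "${artifact}" | grep -q "VALIDSIG <EXPECTED_KEY_FINGERPRINT>"` with the fingerprint taken from the committed tools/key_pub.gpg, or import only that committed key; the callers tools/verify_local_artifacts.sh and tools/verify_remote_artifacts.sh both pass `$STAGE_URL/KEYS` here. `curl` without `-f` turns an HTTP error page into a gpg import failure with a misleading message, and the MD5 comparison adds no assurance beyond the SHA512 and signature checks, though it does match the files sign_artifacts.sh produces. The function also calls `exit 1` rather than `return`, which terminates whichever script sourced util.sh; that suits the current callers but deserves a comment on the function header.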
diff --git a/tools/verify_local_artifacts.sh b/tools/verify_local_artifacts.sh
new file mode 100755
index 0000000..3a83484
--- /dev/null
+++ b/tools/verify_local_artifacts.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Verify the local artifacts with the KEYS"
+
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
+source "$SCRIPTDIR/load_config.sh" $1 $2 $3
+
+mkdir -p $OPENWHISK_SVN
+cd $OPENWHISK_SVN/$REMOTE_PATH
+
+import_key_verify_signature $STAGE_URL/KEYS $OPENWHISK_SVN/$REMOTE_PATH
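Review bot: The `cd $OPENWHISK_SVN/$REMOTE_PATH` line is redundant, because import_key_verify_signature receives the same directory as its second argument and `cd`s into it itself, and the preceding `mkdir -p $OPENWHISK_SVN` creates nothing the script can use, since the release subdirectory is what must already exist. Dropping both and letting the function's own `cd` fail under `set -e` when the checkout is missing makes the precondition explicit; a comment such as `# Expects a prior package or checkout run to have populated $OPENWHISK_SVN/$REMOTE_PATH` would state it for the reader. If the `cd` is kept, quote it as `cd -- "$OPENWHISK_SVN/$REMOTE_PATH"` so a WORK_DIR containing spaces does not split the path.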
diff --git a/tools/verify_remote_artifacts.sh b/tools/verify_remote_artifacts.sh
new file mode 100755
index 0000000..ad4f330
--- /dev/null
+++ b/tools/verify_remote_artifacts.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Verify the remote artifacts with the KEYS"
+
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
+source "$SCRIPTDIR/load_config.sh" $1 $2 $3
+
+mkdir -p $OPENWHISK_SVN
+cd $OPENWHISK_SVN
+
+# Remove the local folder, because we are about to download the artifacts from 
the staging folder.
+rm -rf $REMOTE_PATH
+
+# Check out the artifacts.
+svn co $CURRENT_VERSION_URL $REMOTE_PATH
+
+cd $REMOTE_PATH
+
+import_key_verify_signature $STAGE_URL/KEYS $OPENWHISK_SVN/$REMOTE_PATH
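Review bot: `rm -rf $REMOTE_PATH` after `cd $OPENWHISK_SVN` deletes whatever `REMOTE_PATH` expands to with no guard or quoting, and `REMOTE_PATH` is assembled in load_config.sh from two jq lookups that print `null` rather than failing when the config keys are missing. `rm -rf -- "${REMOTE_PATH:?}"` refuses to run on an empty value, and checking the version parts before use would stop a stray `openwhisk-null-null` checkout being created and then deleted. The `svn co $CURRENT_VERSION_URL $REMOTE_PATH` runs without `$CREDENTIALS` even though load_config.sh builds it from the same arguments; if the staging URL is readable anonymously, a comment saying so would explain why the credentials are accepted but unused here.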
