Hi,

Attached is the following:

  commit 97857695251a979b31bcf1e6c021c948f206db47
  Author: Chris Lamb <[email protected]>
  Date:   Fri Oct 28 12:25:52 2016 +0100
  
      reproducible Debian: Use our log_info method instead of manual echo calls.
      
      Signed-off-by: Chris Lamb <[email protected]>
  
   bin/reproducible_build.sh | 4 ++--
   1 file changed, 2 insertions(+), 2 deletions(-)
  
  commit b6194456546c300e939b0bfb7c2e0e85a3fd7501
  Author: Chris Lamb <[email protected]>
  Date:   Fri Oct 28 12:29:17 2016 +0100
  
      reproducible Debian: submit signed .buildinfo files to 
buildinfo.debian.net
      
      Signed-off-by: Chris Lamb <[email protected]>
  
   bin/reproducible_build.sh | 29 +++++++++++++++++++++++++++--
   1 file changed, 27 insertions(+), 2 deletions(-)


You can also merge from the "sign-buildinfo-submissions-with-gpg-key" branch of
https://github.com/lamby/jenkins.debian.net if that is more convenient.

Note that I haven't managed to test this end to end, but its individual
"parts" work.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] / chris-lamb.co.uk
       `-
From b6194456546c300e939b0bfb7c2e0e85a3fd7501 Mon Sep 17 00:00:00 2001
From: Chris Lamb <[email protected]>
Date: Fri, 28 Oct 2016 12:29:17 +0100
Subject: [PATCH 2/2] reproducible Debian: submit signed .buildinfo files to
 buildinfo.debian.net

Signed-off-by: Chris Lamb <[email protected]>
---
 bin/reproducible_build.sh | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/bin/reproducible_build.sh b/bin/reproducible_build.sh
index 7b49886..ae372b7 100755
--- a/bin/reproducible_build.sh
+++ b/bin/reproducible_build.sh
@@ -772,6 +772,30 @@ check_buildinfo() {
 	rm -f $TMPFILE1 $TMPFILE2
 }
 
+sign_buildinfo() {
+	# Greate GPG key if it does not already exist
+	if ! gpg --list-secret-keys | grep -qs '^sec' >/dev/null 2>&1
+	then
+		log_info "Generating GPG key"
+
+		gpg --batch --gen-key <<EOF
+Key-Type: RSA
+Key-Length: 4096
+Subkey-Type: ELG-E
+Subkey-Length: 1024
+Name-Real: $(hostname -f)
+Name-Comment: Automatically generated key
+Expire-Date: 0
+%no-ask-passphrase
+%commit
+EOF
+	fi
+
+	log_info "Signing $BUILDINFO"
+	gpg --output=$BUILDINFO.asc --clearsign $BUILDINFO
+	log_info "Signed $BUILDINFO as $BUILDINFO.asc"
+}
+
 share_buildinfo() {
 	# Submit the -buildinfo files to third-party archives:
 	log_info "Submitting .buildinfo files to external archives."
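Review bot: The `gpg --output=$BUILDINFO.asc --clearsign $BUILDINFO` line in sign_buildinfo does not check gpg's exit status, so "Signed ..." is logged even when no .asc was written (unless the script runs under `set -e`, which is not visible here), and without `--batch --yes` gpg can stop to ask before overwriting an existing .asc. I would write `gpg --batch --yes --output="$BUILDINFO.asc" --clearsign "$BUILDINFO" || return 1`, which also quotes the expansions. In the key parameters, the 1024-bit ELG-E subkey is never used by clearsigning and could be dropped rather than left on the key as a weak encryption subkey. On GnuPG 2.1 and later `%no-ask-passphrase` is a no-op and `%no-protection` is the directive that permits an unprotected key in batch mode, so it is worth checking which gpg the build nodes run. The comment should read `# Create GPG key if it does not already exist`.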
@@ -780,8 +804,8 @@ share_buildinfo() {
 	mail -s "buildinfo from $NODE1" [email protected] < ./b1/$BUILDINFO || true
 	mail -s "buildinfo from $NODE2" [email protected] < ./b2/$BUILDINFO || true
 	# buildinfo.debian.net administred by Chris Lamb <[email protected]>
-	curl -X PUT --max-time 30 --data-binary @- "http://buildinfo.debian.net/api/submit?node=$NODE1"; < ./b1/$BUILDINFO || true
-	curl -X PUT --max-time 30 --data-binary @- "http://buildinfo.debian.net/api/submit?node=$NODE2"; < ./b2/$BUILDINFO || true
+	curl -X PUT --max-time 30 --data-binary @- "http://buildinfo.debian.net/api/submit?node=$NODE1"; < ./b1/$BUILDINFO.asc || true
+	curl -X PUT --max-time 30 --data-binary @- "http://buildinfo.debian.net/api/submit?node=$NODE2"; < ./b2/$BUILDINFO.asc || true
 
 	log_info "Done submitting .buildinfo files."
 }
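Review bot: The two curl lines now depend on ./b1/$BUILDINFO.asc and ./b2/$BUILDINFO.asc existing, but nothing in this patch shows the .asc written by sign_buildinfo being copied into b1/ and b2/, and the trailing `|| true` hides a missing file. A guard such as `[ -s "./b1/$BUILDINFO.asc" ] || log_info "No signed .buildinfo from $NODE1"` before each upload would make that case visible in the log. As the lines are rendered here, the `;` after the closing quote ends the curl command before the redirection, so curl would read the script's own stdin; if the `;` is really in the file rather than an artefact of the archive, it should be removed. The mail submissions above still send the unsigned $BUILDINFO, and the upload goes over plain http://, so the signature is the only integrity protection the file has in transit. share_buildinfo starts above this hunk.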
@@ -847,6 +871,7 @@ elif [ "$1" = "1" ] || [ "$1" = "2" ] ; then
 	else
 		second_build
 	fi
+	sign_buildinfo
 	echo "$(date -u) - build #$MODE for $SRCPACKAGE/$SUITE/$ARCH on $HOSTNAME done."
 	exit 0
 elif [ "$2" != "" ] ; then
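Review bot: sign_buildinfo runs on the build node straight after first_build/second_build, so the passphrase-less signing key sits in the keyring of the account that ran the build. Whether the package build is isolated from that keyring (chroot, separate user) is not visible in this hunk and is worth confirming, since the signature only vouches for the node if the build itself could not have used the key. The call's exit status is also ignored before `exit 0`; if a failed signature should not pass silently, `sign_buildinfo || log_info "Signing $BUILDINFO failed"` would record it. The enclosing if/elif chain starts and ends outside the hunk.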
-- 
2.10.1

From 97857695251a979b31bcf1e6c021c948f206db47 Mon Sep 17 00:00:00 2001
From: Chris Lamb <[email protected]>
Date: Fri, 28 Oct 2016 12:25:52 +0100
Subject: [PATCH 1/2] reproducible Debian: Use our log_info method instead of
 manual echo calls.

Signed-off-by: Chris Lamb <[email protected]>
---
 bin/reproducible_build.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/reproducible_build.sh b/bin/reproducible_build.sh
index ef170b6..7b49886 100755
--- a/bin/reproducible_build.sh
+++ b/bin/reproducible_build.sh
@@ -774,7 +774,7 @@ check_buildinfo() {
 
 share_buildinfo() {
 	# Submit the -buildinfo files to third-party archives:
-	echo "$(date -u) - submitting .buildinfo files to external archives."
+	log_info "Submitting .buildinfo files to external archives."
 
 	# buildinfo.kfreebsd.eu administered by Steven Chamberlain <[email protected]>
 	mail -s "buildinfo from $NODE1" [email protected] < ./b1/$BUILDINFO || true
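Review bot: The replaced echo lines carried a UTC timestamp via `$(date -u)`, and log_info is not defined anywhere in this patch, so it should be confirmed that log_info stamps its output; the same applies to the "Done submitting" line in the second hunk. If it does not, the start and end of the submission lose their times in the job log, and those are what one would use to match a submission against the receiving server's records. Other messages in the script still use the `echo "$(date -u) - ..."` form (visible in the context of the other patch), so a short comment on log_info stating its output format would help keep the two consistent.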
@@ -783,7 +783,7 @@ share_buildinfo() {
 	curl -X PUT --max-time 30 --data-binary @- "http://buildinfo.debian.net/api/submit?node=$NODE1"; < ./b1/$BUILDINFO || true
 	curl -X PUT --max-time 30 --data-binary @- "http://buildinfo.debian.net/api/submit?node=$NODE2"; < ./b2/$BUILDINFO || true
 
-	echo "$(date -u) - done submitting .buildinfo files."
+	log_info "Done submitting .buildinfo files."
 }
 
 build_rebuild() {
-- 
2.10.1
