This is an automated email from the ASF dual-hosted git repository. csantanapr pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk-release.git
The following commit(s) were added to refs/heads/master by this push: new ce99a91 tools: Add the support to verify the artifacts with the key (#33) ce99a91 is described below commit ce99a91282e12e13a5f342c60c03148319a5ec63 Author: Vincent <s...@us.ibm.com> AuthorDate: Mon Feb 12 16:12:25 2018 -0500 tools: Add the support to verify the artifacts with the key (#33) --- tools/clean_remote_stage_artifacts.sh | 30 ++++++++++++++++++++++ tools/install_dependencies.sh | 1 - tools/key_pub.gpg | 29 ++++++++++++++++++++++ tools/key_sec.gpg.enc | Bin 0 -> 3504 bytes tools/{export_pgp_key.sh => load_config.sh} | 24 ++++++++++-------- tools/package_source_code.sh | 28 +-------------------- tools/sign_artifacts.sh | 3 ++- tools/travis/import_pgp_key.sh | 14 +++++++++++ tools/travis/package_source_code.sh | 6 ++--- tools/util.sh | 37 ++++++++++++++++++++++++++++ tools/verify_local_artifacts.sh | 13 ++++++++++ tools/verify_remote_artifacts.sh | 21 ++++++++++++++++ 12 files changed, 164 insertions(+), 42 deletions(-) diff --git a/tools/clean_remote_stage_artifacts.sh b/tools/clean_remote_stage_artifacts.sh new file mode 100755 index 0000000..0577f7a --- /dev/null +++ b/tools/clean_remote_stage_artifacts.sh 
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Clean the remote artifacts in staging directory"
+
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
+source "$SCRIPTDIR/util.sh"
+
+CONFIG=$(read_file $SCRIPTDIR/config.json)
+version_key="version"
+version_major=$(json_by_key "$CONFIG" ${version_key}.major)
+version_minor=$(json_by_key "$CONFIG" ${version_key}.minor)
+
+version=$version_major-$version_minor
+REMOTE_PATH="openwhisk-$version"
+STAGE_URL=$(json_by_key "$CONFIG" "stage_url")
+CURRENT_VERSION_URL="$STAGE_URL/${REMOTE_PATH}/"
+CREDENTIALS=""
+
+SVN_USERNAME=$1
+SVN_PASSWORD=$2
+
+if [ ! -z "$SVN_USERNAME" ] && [ ! -z "$SVN_PASSWORD" ];then
+ CREDENTIALS="--username $SVN_USERNAME --password $SVN_PASSWORD --non-interactive"
+fi
+
+if [[ `wget -S --spider $CURRENT_VERSION_URL 2>&1 | grep 'HTTP/1.1 200 OK'` ]]; then
+ svn delete $CURRENT_VERSION_URL -m "Removing Apache OpenWhisk release ${version} from staging." $CREDENTIALS
+fi
diff --git a/tools/install_dependencies.sh b/tools/install_dependencies.sh
index f48e33f..ca365bc 100755
--- a/tools/install_dependencies.sh
+++ b/tools/install_dependencies.sh
@@ -7,7 +7,6 @@ if [ $sysOS == "Darwin" ];then echo "This is MacOS." brew install jq brew install gpg - brew install md5sha1sum elif [ $sysOS == "Linux" ];then echo "This is Linux." if [ -f /etc/lsb-release -o -d /etc/lsb-release.d ]; then
diff --git a/tools/key_pub.gpg b/tools/key_pub.gpg
new file mode 100644
index 0000000..febbeaf
--- /dev/null
+++ b/tools/key_pub.gpg
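Review bot: `CREDENTIALS="--username $SVN_USERNAME --password $SVN_PASSWORD --non-interactive"` puts the SVN password on the svn command line, where any local user can read it from the process list and where it lands in the CI log the moment tracing is switched on; the same construction is added to tools/load_config.sh in this commit. Keeping the secret off argv means feeding it through stdin (`--password-from-stdin`, available in Subversion 1.10 and later) or relying on svn's own auth cache, leaving only `--non-interactive` in CREDENTIALS. Separately, the guard built on `wget -S --spider $CURRENT_VERSION_URL 2>&1 | grep 'HTTP/1.1 200 OK'` matches one exact status line, so a server answering over HTTP/2 or with a different reason phrase makes the script silently skip the delete; testing `wget -q --spider "$CURRENT_VERSION_URL"` by its exit status is more robust.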
@@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFqB+RMBEACeKz2rzESI9Hch8ZUEY2mrTsCumXsFn8YAUkiuMN4g6Q5PvoRU +k0tkD0wdQDg9Tqd5DlOaJMFaP25rvchR7OCgygf5DaKW4IsUh7FN5uID94ozwNvD +oznyl5OTwzCB8jdRz5pMTRNx989yi0z0kMhIqXULQeCBWMdbv6wVcRlGmwWO6T42 +b2hi8gPZJjP++577WjGZWTV/NgOLyFPRYIn7phjBLkCfD15fGVzy+icXCxeunTgK +T0qxD/r+6iTtxyWMkLQxLByZWxRUJCdt03oQVVwrL7SJHdKYvU5ElOUr1J4/axN+ +x43+Z5kz06ZZghewzdCMvnwf3IaEdJmrksY1U3wije1wXGKs7f9Y+eS+E9tVDuI/ +yLrhFs1/A6uNtuvfSqvHzaWWNUUl4/YP8VgPttaWKBBNw/EL2i3di9RQAfTMqRsk +JBx2bLORu/MjAnH3nBztw3MHI6ll4u2xb03k1iW9Uc+lh76V63DcykVlhL0renCR +ccZ3cGGi9vrfZ8pQHcPTLxK/l++QRUzewHEUM2nPOSW9DRe1jR128DhTr4p5yaKF +z5vvtjU+GP+cZFM8HkY1RLrNA2/a4G/gHGQqdPybomSeq7hC0GtX6U5ESHeOqyH1 +hDblT7nldvyw1nb52+yzYjuhiJo/TB/F/7teAmHyDmOIot6EEAx+Onh6/wARAQAB +tDxWaW5jZW50IEhvdSAoUmVsZWFzZSBtYW5hZ2VyIG9mIE9wZW5XaGlzaykgPHNo +b3VAdXMuaWJtLmNvbT6JAk4EEwEIADgWIQT2AFplgI3xoq7hv/aeJ0HSiuatCgUC +WoH5EwIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCeJ0HSiuatClniD/99 +FDXY/Ju8i7+wmnpQpJof+242KhJEumttKn/SRkU79zCrsV3jT+z9Il8CbpPYyPVl +BZPcHYs+1goky3yVJm+tDATtxXYmyeLvU+LcmZA2ftufWaakJti6uAt6gl/CvrPN +Xdu44hcISCZs4b725A3InfGQbBGEppJfa0PxQ8Yx5yktNTom/DuzuaII70DoIffe +rFIs0Bge4m9RDQ21VLxZGyg5l8xhc/viXzASisCiXGpXnRMiwcXwRgUd11VHsTQ+ +iueFBxkfk7O1whobs232iUy2Db42/OtL39fn8HRlkfhV6fzUieX0Z7lcc+hpzLMc +HP/1LGxH5I+LnTN0iZpgZzDiv8HS7toQ3DzMDyMDypskKyrQty+Z0FOLuGFOY06y +rbE6yc9doQBhTugVYQznia+v0G8rrwQwPVsKZnBmEzo1GT16jzGpse2NfPOMpbLk +WJ3a1SNb8mtGS+XFFGQ/y9QNquBFD5kLjptSDdVbNexyxZ6SDpQFzulByonGDpqe +Xez7Ho9kklOb3/1sH918zw6SlWWIhf4HOmZeYyucS6bIGBFnu+r+3wzSvhmJ2IlX +53rX4F/n4PYfS5TEa5rmjxzy+sww1nEdo+/sYF3KiPysLn5h/Y9VtzSh1dsh1mV0 +O/9Ulqw3TsDrGa2k7Kx2PVHVx3KYMvpvskyP51U2EA== +=/f4p +-----END PGP PUBLIC KEY BLOCK----- diff --git a/tools/key_sec.gpg.enc b/tools/key_sec.gpg.enc new file mode 100644 index 0000000..7761b7f Binary files /dev/null and b/tools/key_sec.gpg.enc differ 
diff --git a/tools/export_pgp_key.sh b/tools/load_config.sh similarity index 63% rename from tools/export_pgp_key.sh rename to tools/load_config.sh index 8eafcac..0d6b2a3 100755 --- a/tools/export_pgp_key.sh +++ b/tools/load_config.sh @@ -1,27 +1,31 @@ #!/usr/bin/env bash -set -e +WORK_DIR=${1:-"$HOME"} +SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)" -echo "Export the PGP key." +SVN_USERNAME=$2 +SVN_PASSWORD=$3 +CREDENTIALS="" + +if [ ! -z "$SVN_USERNAME" ] && [ ! -z "$SVN_PASSWORD" ];then + CREDENTIALS="--username $SVN_USERNAME --password $SVN_PASSWORD --non-interactive" +fi -WORK_DIR=${1:-"$HOME"} -PGP_EMAIL=${2:-"s...@us.ibm.com"} OPENWHISK_SOURCE_DIR="$WORK_DIR/openwhisk_sources" OPENWHISK_SVN="$OPENWHISK_SOURCE_DIR/openwhisk" -SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)" source "$SCRIPTDIR/util.sh" CONFIG=$(read_file $SCRIPTDIR/config.json) repos=$(echo $(json_by_key "$CONFIG" "RepoList") | sed 's/[][]//g') +STAGE_URL=$(json_by_key "$CONFIG" "stage_url") + version_key="version" version_major=$(json_by_key "$CONFIG" ${version_key}.major) version_minor=$(json_by_key "$CONFIG" ${version_key}.minor) version=$version_major-$version_minor -CURRENT_VERSION_DIR="$OPENWHISK_SVN/openwhisk-$version" +REMOTE_PATH="openwhisk-$version" -cd $CURRENT_VERSION_DIR - -# Output the public key into the file KEYS to be uploaded into the staging directory. -gpg --yes --output KEYS --armor --export $PGP_EMAIL +CURRENT_VERSION_URL="$STAGE_URL/${REMOTE_PATH}/" +CURRENT_VERSION_DIR="$OPENWHISK_SVN/openwhisk-$version" diff --git a/tools/package_source_code.sh b/tools/package_source_code.sh index fa1c136..76829e7 100755 --- a/tools/package_source_code.sh +++ b/tools/package_source_code.sh 
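Review bot: tools/load_config.sh is written to be sourced (it sets WORK_DIR, CREDENTIALS, OPENWHISK_SVN, STAGE_URL, REMOTE_PATH, CURRENT_VERSION_URL and CURRENT_VERSION_DIR for its caller) but carries no header saying so, and `SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"` resolves against `$0`, which inside a sourced file is the calling script, so `source "$SCRIPTDIR/util.sh"` and the config.json lookup only work for callers that live in the same tools/ directory. A short header would stop the next caller from tripping on that: `# Sourced, not executed: source load_config.sh WORK_DIR [SVN_USERNAME SVN_PASSWORD]`, followed by one line listing the variables it defines and one stating that the sourcing script must reside in this directory. The hunk appears to cover the whole file, so the header would go right under the shebang.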
@@ -4,34 +4,8 @@ set -e echo "Package the artifacts." -SVN_USERNAME=$2 -SVN_PASSWORD=$3 -CREDENTIALS="" - -if [ ! -z "$SVN_USERNAME" ] && [ ! -z "$SVN_PASSWORD" ];then - CREDENTIALS="--username $SVN_USERNAME --password $SVN_PASSWORD --non-interactive" -fi - -WORK_DIR=${1:-"$HOME"} - -OPENWHISK_SOURCE_DIR="$WORK_DIR/openwhisk_sources" -OPENWHISK_SVN="$OPENWHISK_SOURCE_DIR/openwhisk" - SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)" -source "$SCRIPTDIR/util.sh" - -CONFIG=$(read_file $SCRIPTDIR/config.json) -repos=$(echo $(json_by_key "$CONFIG" "RepoList") | sed 's/[][]//g') -version_key="version" -version_major=$(json_by_key "$CONFIG" ${version_key}.major) -version_minor=$(json_by_key "$CONFIG" ${version_key}.minor) - -version=$version_major-$version_minor -CURRENT_VERSION_DIR="$OPENWHISK_SVN/openwhisk-$version" -echo $version - -STAGE_URL=$(json_by_key "$CONFIG" "stage_url") -echo $STAGE_URL +source "$SCRIPTDIR/load_config.sh" $1 $2 $3 # Create a subversion directory for openwhisk to stage all the packages rm -rf $OPENWHISK_SVN diff --git a/tools/sign_artifacts.sh b/tools/sign_artifacts.sh index 288985a..8695d11 100755 --- a/tools/sign_artifacts.sh +++ b/tools/sign_artifacts.sh @@ -31,10 +31,11 @@ if [ $sysOS == "Darwin" ];then fi cd $CURRENT_VERSION_DIR - +echo "Sign the artifacts with the private key." for artifact in *.tar.gz; do gpg --print-md MD5 ${artifact} > ${artifact}.md5 gpg --print-md SHA512 ${artifact} > ${artifact}.sha512 + if [ $sysOS == "Darwin" ];then # The option --passphrase-fd does not work on Mac. `gpg --yes --armor --output ${artifact}.asc --detach-sig ${artifact}` diff --git a/tools/travis/import_pgp_key.sh b/tools/travis/import_pgp_key.sh new file mode 100755 index 0000000..fca5112 --- /dev/null +++ b/tools/travis/import_pgp_key.sh 
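Review bot: `source "$SCRIPTDIR/load_config.sh" $1 $2 $3` passes the positional parameters unquoted, so a caller that supplies an empty first argument together with credentials sees `$1` vanish and the SVN username is taken as WORK_DIR inside load_config.sh. Quoting them, `source "$SCRIPTDIR/load_config.sh" "$1" "$2" "$3"`, keeps the positions stable and lets the `${1:-"$HOME"}` default in load_config.sh do its job. The new tools/verify_local_artifacts.sh and tools/verify_remote_artifacts.sh source load_config.sh the same way and need the same quoting.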
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Import the PGP key."
+
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
+
+# Load the public key located in the repo of openwhisk release.
+echo "Load the public key."
+gpg --import $SCRIPTDIR/key_pub.gpg
+
+echo "Load the private key."
+gpg --allow-secret-key-import --import $SCRIPTDIR/key_sec.gpg
diff --git a/tools/travis/package_source_code.sh b/tools/travis/package_source_code.sh
index e09b021..e14244e 100755
--- a/tools/travis/package_source_code.sh
+++ b/tools/travis/package_source_code.sh
@@ -19,10 +19,10 @@ if [ "$TRAVIS_EVENT_TYPE" == "push" ] ; then fi "$PARENTDIR/package_source_code.sh" $WORK_DIR $SVN_USERNAME $SVN_PASSWORD -"$PARENTDIR/generate_pgp_key.sh" -"$PARENTDIR/export_pgp_key.sh" $WORK_DIR -"$PARENTDIR/sign_artifacts.sh" $WORK_DIR if [ "$TRAVIS_EVENT_TYPE" == "push" ] ; then + openssl aes-256-cbc -K $encrypted_2030e681f34a_key -iv $encrypted_2030e681f34a_iv -in $PARENTDIR/key_sec.gpg.enc -out $PARENTDIR/key_sec.gpg -d + "$SCRIPTDIR/import_pgp_key.sh" + "$PARENTDIR/sign_artifacts.sh" $WORK_DIR "$PARENTDIR/upload_artifacts.sh" $WORK_DIR $SVN_USERNAME $SVN_PASSWORD fi
diff --git a/tools/util.sh b/tools/util.sh
index 7654c40..36ddc8b 100755
--- a/tools/util.sh
+++ b/tools/util.sh
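Review bot: `gpg --import $SCRIPTDIR/key_pub.gpg` and `gpg --allow-secret-key-import --import $SCRIPTDIR/key_sec.gpg` resolve SCRIPTDIR to tools/travis/, but the diffstat adds key_pub.gpg under tools/, and the caller in tools/travis/package_source_code.sh writes the decrypted secret key to `$PARENTDIR/key_sec.gpg`, which from its other uses appears to be tools/ as well (PARENTDIR is defined outside the hunk). If that reading is right, both imports fail under `set -e` and nothing gets signed. Deriving the key directory from the parent, e.g. `KEYDIR="$(cd "$SCRIPTDIR/.." && pwd)"` and importing `$KEYDIR/key_pub.gpg` and `$KEYDIR/key_sec.gpg`, would match where the files actually live.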
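Review bot: The `openssl aes-256-cbc ... -out $PARENTDIR/key_sec.gpg -d` line leaves the decrypted release-signing private key on disk for the rest of the job, and import_pgp_key.sh only copies it into the keyring; nothing removes it afterwards, so it survives into every later step and into any cached directory or uploaded artifact. Add `rm -f "$PARENTDIR/key_sec.gpg"` directly after the `"$SCRIPTDIR/import_pgp_key.sh"` call (`shred -u` where available), and consider importing into a temporary `GNUPGHOME` that is deleted when signing finishes so the key does not persist in the default keyring either. The surrounding `if` blocks begin outside the hunk.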
@@ -9,3 +9,40 @@ function json_by_key() { key=$2 echo $input | jq ''.$key'' | sed -e 's/^"//' -e 's/"$//' }
+
+function import_key_verify_signature() {
+ key_url=$1
+ dir=$2
+ cd $dir
+
+ echo "Importing PGP keys"
+ curl $key_url | gpg --import && \
+ echo "[✓] GPG keys imported" \
+ || { echo "[x] Failed to import GPG keys"; exit 1; }
+
+ echo "Checking signatures and hashes of artifacts"
+ for artifact in $(find * -type f \( -name '*.tar.gz' \) ); do
+ # Check md5
+ artifactMD5=$(gpg --print-md MD5 ${artifact})
+ artifactMD5File=$(cat ${artifact}.md5)
+ if [ "$artifactMD5" == "$artifactMD5File" ];then
+ echo "[✓] MD5 verified for $artifact"
+ else
+ echo "[x] Unmatched MD5 for $artifact."; exit 1;
+ fi
+
+ # Check sha512
+ artifactSha512=$(gpg --print-md SHA512 ${artifact})
+ artifactSha512File=$(cat ${artifact}.sha512)
+ if [ "$artifactSha512" == "$artifactSha512File" ];then
+ echo "[✓] SHA512 verified for $artifact"
+ else
+ echo "[x] Unmatched SHA512 for $artifact."; exit 1;
+ fi
+
+ # Verify the signatures
+ gpg --verify ${artifact}.asc ${artifact} && \
+ echo "[✓] Signatures verified for $artifact" \
+ || { echo "[x] Invalid signature for $artifact."; exit 1; }
+ done
+}
\ No newline at end of file
diff --git a/tools/verify_local_artifacts.sh b/tools/verify_local_artifacts.sh
new file mode 100755
index 0000000..3a83484
--- /dev/null
+++ b/tools/verify_local_artifacts.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Verify the local artifacts with the KEYS"
+
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
+source "$SCRIPTDIR/load_config.sh" $1 $2 $3
+
+mkdir -p $OPENWHISK_SVN
+cd $OPENWHISK_SVN/$REMOTE_PATH
+
+import_key_verify_signature $STAGE_URL/KEYS $OPENWHISK_SVN/$REMOTE_PATH
diff --git a/tools/verify_remote_artifacts.sh b/tools/verify_remote_artifacts.sh
new file mode 100755
index 0000000..ad4f330
--- /dev/null
+++ b/tools/verify_remote_artifacts.sh
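Review bot: `gpg --verify ${artifact}.asc ${artifact}` returns 0 for a good signature from any key that was just imported, and the key comes from `curl $key_url | gpg --import`, i.e. the same staging server that serves the artifacts and .asc files, so a consistently replaced artifact, signature and KEYS set passes every check in import_key_verify_signature; nothing pins the expected signing key. Check the status output and compare the fingerprint instead, e.g. `gpg --status-fd 1 --verify ${artifact}.asc ${artifact} | grep -q "VALIDSIG <EXPECTED_FPR>"` with `<EXPECTED_FPR>` being the fingerprint of the release key committed as tools/key_pub.gpg, or accept the expected fingerprint as a third parameter. Two smaller points: `curl $key_url` should run with `-fsS` so an HTTP error page is not piped into gpg, and the function needs a header comment stating its arguments (`$1` URL of the KEYS file, `$2` directory holding the artifacts) and that it calls `exit 1`, which terminates the script that sourced util.sh, on the first mismatch. The .md5 and .sha512 files sit beside the artifacts, so those comparisons detect corruption only, not tampering.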
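Review bot: The local check takes its trust anchor from the remote staging server (`import_key_verify_signature $STAGE_URL/KEYS $OPENWHISK_SVN/$REMOTE_PATH`), so unless KEYS is already published it fails at the import step, and when it does run it is not checking the locally signed artifacts against a local key at all. The public key this commit adds in tools/key_pub.gpg is the natural input here; since import_key_verify_signature only accepts a URL, either let it take a local file as well or have this script run `gpg --import "$SCRIPTDIR/key_pub.gpg"` itself and skip the download. The `cd $OPENWHISK_SVN/$REMOTE_PATH` is also redundant, as the function performs its own `cd $dir`.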
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Verify the remote artifacts with the KEYS"
+
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
+source "$SCRIPTDIR/load_config.sh" $1 $2 $3
+
+mkdir -p $OPENWHISK_SVN
+cd $OPENWHISK_SVN
+
+# Remove the local folder, because we are about to download the artifacts from the staging folder.
+rm -rf $REMOTE_PATH
+
+# Check out the artifacts.
+svn co $CURRENT_VERSION_URL $REMOTE_PATH
+
+cd $REMOTE_PATH
+
+import_key_verify_signature $STAGE_URL/KEYS $OPENWHISK_SVN/$REMOTE_PATH
-- To stop receiving notification emails like this one, please contact csantan...@apache.org.
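Review bot: Every path expansion in this script is unquoted, `mkdir -p $OPENWHISK_SVN`, `cd $OPENWHISK_SVN`, `rm -rf $REMOTE_PATH` and `svn co $CURRENT_VERSION_URL $REMOTE_PATH`, while OPENWHISK_SVN is derived from the caller-supplied WORK_DIR (defaulting to `$HOME`) and REMOTE_PATH from values read out of config.json; a value containing whitespace splits into several words, and the `rm -rf` then acts on the wrong names. Quoting them, `cd "$OPENWHISK_SVN"`, `rm -rf -- "$REMOTE_PATH"` and `svn co "$CURRENT_VERSION_URL" "$REMOTE_PATH"`, costs nothing, and the same applies to tools/verify_local_artifacts.sh and tools/clean_remote_stage_artifacts.sh in this commit.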