houshengbo closed pull request #39: Validate the secret key URL: https://github.com/apache/incubator-openwhisk-release/pull/39
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic): diff --git a/tools/sign_artifacts.sh b/tools/sign_artifacts.sh index 8695d11..a4b0992 100755 --- a/tools/sign_artifacts.sh +++ b/tools/sign_artifacts.sh @@ -40,6 +40,7 @@ for artifact in *.tar.gz; do # The option --passphrase-fd does not work on Mac. `gpg --yes --armor --output ${artifact}.asc --detach-sig ${artifact}` elif [ $sysOS == "Linux" ];then + echo "started to sign it" `echo $passphrase | gpg -c -q --passphrase-fd 0 --yes --armor --output ${artifact}.asc --detach-sig ${artifact}` fi done diff --git a/tools/travis/import_pgp_key.sh b/tools/travis/import_pgp_key.sh index 2998758..01e64e5 100755 --- a/tools/travis/import_pgp_key.sh +++ b/tools/travis/import_pgp_key.sh @@ -13,3 +13,5 @@ gpg --import $PARENTDIR/key_pub.gpg echo "Load the private key." gpg --allow-secret-key-import --import $PARENTDIR/key_sec.gpg + +gpg --list-keys diff --git a/tools/util.sh b/tools/util.sh index 36ddc8b..17720c6 100755 --- a/tools/util.sh +++ b/tools/util.sh @@ -12,9 +12,6 @@ function json_by_key() { function import_key_verify_signature() { key_url=$1 - dir=$2 - cd $dir - echo "Importing PGP keys" curl $key_url | gpg --import && \ echo "[?] GPG keys imported" \ diff --git a/tools/verify_local_artifacts.sh b/tools/verify_local_artifacts.sh index 3a83484..78a94d7 100755 --- a/tools/verify_local_artifacts.sh +++ b/tools/verify_local_artifacts.sh @@ -7,7 +7,6 @@ echo "Verify the local artifacts with the KEYS" SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)" source "$SCRIPTDIR/load_config.sh" $1 $2 $3 -mkdir -p $OPENWHISK_SVN cd $OPENWHISK_SVN/$REMOTE_PATH -import_key_verify_signature $STAGE_URL/KEYS $OPENWHISK_SVN/$REMOTE_PATH +import_key_verify_signature $STAGE_URL/KEYS diff --git a/tools/verify_remote_artifacts.sh b/tools/verify_remote_artifacts.sh index ad4f330..0d50d24 100755 --- a/tools/verify_remote_artifacts.sh +++ b/tools/verify_remote_artifacts.sh @@ -7,7 +7,8 @@ echo "Verify the remote artifacts with the KEYS" SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)" source "$SCRIPTDIR/load_config.sh" $1 $2 $3 -mkdir -p $OPENWHISK_SVN +rm -rf $OPENWHISK_SVN +mkdir -p $OPENWHISK_SVN/$REMOTE_PATH cd $OPENWHISK_SVN # Remove the local folder, because we are about to download the artifacts from the staging folder. @@ -15,7 +16,6 @@ rm -rf $REMOTE_PATH # Check out the artifacts. svn co $CURRENT_VERSION_URL $REMOTE_PATH - cd $REMOTE_PATH -import_key_verify_signature $STAGE_URL/KEYS $OPENWHISK_SVN/$REMOTE_PATH +import_key_verify_signature $STAGE_URL/KEYS ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services