forked from apache/brpc
-
Notifications
You must be signed in to change notification settings - Fork 0
/
apache-package-validator.sh
executable file
·94 lines (76 loc) · 3 KB
/
apache-package-validator.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
#!/usr/bin/env bash
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
set -e
g_package_link=${1}
g_package_keys=${2:-https://downloads.apache.org/brpc/KEYS}
g_valid_package_link=' '
g_valid_package_name=' '
g_valid_package_checksum=' '
g_valid_package_sig=' '
g_valid_package_content=' '
g_valid_package_license=' '
g_valid_package_binary=' '
summary() {
cat <<EOF
- [${g_valid_package_link}] the links of the package are valid;
- [${g_valid_package_checksum}] the checksum of the package is valid;
- [${g_valid_package_sig}] the signature of the package is valid;
- [${g_valid_package_content}] RELEASE_VERSION in the source code matches the current release;
- [${g_valid_package_license}] LICENSE and NOTICE are not absent, note that we use CI based on Skywalking-eyes to check the license;
- [${g_valid_package_binary}] no compiled archives bundled in the source archive.
EOF
}
on_exit() {
summary
}
validate_package() {
local ver=$(echo ${g_package_link%/} | rev | cut -d'/' -f1 | rev)
local package_name="apache-brpc-${ver}-src.tar.gz"
for suffix in "" ".asc" ".sha512"; do
wget --quiet -c "${g_package_link%/}/${package_name}${suffix}"
done
g_valid_package_link='x'
sha512sum --status -c ${package_name}.sha512 \
&& g_valid_package_checksum='x'
# Import keys published by the author,
# and verify the package is signed by the author.
# No need to trust the public keys.
wget --quiet ${g_package_keys} -O - | gpg --import \
&& gpg --verify ${package_name}.asc \
&& g_valid_package_sig='x'
tar -xf ${package_name}
(
pushd ${package_name%.tar.gz} > /dev/null 2>&1
[[ -f RELEASE_VERSION ]] \
&& [[ $(cat RELEASE_VERSION) = "${ver}" ]] \
&& grep BRPC_VERSION CMakeLists.txt | grep -q ${ver}
) && g_valid_package_content='x'
(
pushd ${package_name%.tar.gz} > /dev/null 2>&1
[[ -f LICENSE && -f NOTICE ]]
) && g_valid_package_license='x'
local has_unexpected_binary=
for i in $(find ${package_name%.tar.gz} -type f); do
file ${i} | grep -v 'GIF\|JPEG\|PNG\|SVG\|PowerPoint\|Git\|JSON\|PEM\|empty\|text' && has_unexpected_binary=1
done
[[ -z "${has_unexpected_binary}" ]] && g_valid_package_binary='x'
}
trap on_exit EXIT
validate_package