From f61af53a70b3abd15717f341f07b58091eb4a988 Mon Sep 17 00:00:00 2001 From: Eugene Burkov Date: Tue, 10 Sep 2024 15:32:31 +0300 Subject: [PATCH] all: sign windows --- Makefile | 4 +++ bamboo-specs/release.yaml | 13 ++++++++ bamboo-specs/test.yaml | 21 ++++++++++++- scripts/make/build-release.sh | 58 +++++++++++++++++++++++++++-------- 4 files changed, 83 insertions(+), 13 deletions(-) diff --git a/Makefile b/Makefile index 3bb721fc0c9..6501e375871 100644 --- a/Makefile +++ b/Makefile @@ -23,6 +23,7 @@ VERBOSE.MACRO = $${VERBOSE:-0} CHANNEL = development CLIENT_DIR = client COMMIT = $$( git rev-parse --short HEAD ) +DEPLOY_SCRIPT_PATH = not/a/real/path DIST_DIR = dist GOAMD64 = v1 GOPROXY = https://proxy.golang.org|direct @@ -37,6 +38,7 @@ NPM_INSTALL_FLAGS = $(NPM_FLAGS) --quiet --no-progress --ignore-engines\ --ignore-optional --ignore-platform --ignore-scripts RACE = 0 SIGN = 1 +SIGNER_API_KEY = not-a-real-key VERSION = v0.0.0 YARN = yarn @@ -60,6 +62,7 @@ BUILD_RELEASE_DEPS_1 = go-deps ENV = env\ CHANNEL='$(CHANNEL)'\ COMMIT='$(COMMIT)'\ + DEPLOY_SCRIPT_PATH='$(DEPLOY_SCRIPT_PATH)' \ DIST_DIR='$(DIST_DIR)'\ GO="$(GO.MACRO)"\ GOAMD64='$(GOAMD64)'\ @@ -72,6 +75,7 @@ ENV = env\ PATH="$${PWD}/bin:$$( "$(GO.MACRO)" env GOPATH )/bin:$${PATH}"\ RACE='$(RACE)'\ SIGN='$(SIGN)'\ + SIGNER_API_KEY='$(SIGNER_API_KEY)' \ NEXTAPI='$(NEXTAPI)'\ VERBOSE="$(VERBOSE.MACRO)"\ VERSION="$(VERSION)"\ diff --git a/bamboo-specs/release.yaml b/bamboo-specs/release.yaml index d6432c274c1..ff153baab8e 100644 --- a/bamboo-specs/release.yaml +++ b/bamboo-specs/release.yaml @@ -89,6 +89,11 @@ 'other': 'clean-working-dir': true 'tasks': + - 'checkout': + 'repository': 'bamboo-deploy-publisher' + # The paths are always relative to the working directory. + 'path': 'bamboo-deploy-publisher' + 'force-clean-build': true - 'checkout': 'force-clean-build': true - 'script': @@ -99,6 +104,12 @@ set -e -f -u -x + # Follow the working repository path. + cd "${bamboo.name}" + + # Explicitly checkout the revision that we need. + git checkout "${bamboo.repository.revision.number}" + # Run the build with the specified channel. echo "${bamboo.gpgSecretKeyPart1}${bamboo.gpgSecretKeyPart2}"\ | awk '{ gsub(/\\n/, "\n"); print; }'\ @@ -107,6 +118,8 @@ make\ CHANNEL=${bamboo.channel}\ GPG_KEY_PASSPHRASE=${bamboo.gpgPassword}\ + DEPLOY_SCRIPT_PATH="../bamboo-deploy-publisher/deploy.sh"\ + SIGNER_API_KEY="${bamboo.adguardDnsClientWinSignerSecretApiKey}"\ FRONTEND_PREBUILT=1\ PARALLELISM=1\ VERBOSE=2\ diff --git a/bamboo-specs/test.yaml b/bamboo-specs/test.yaml index 29a8bae55f3..565289e9aaa 100644 --- a/bamboo-specs/test.yaml +++ b/bamboo-specs/test.yaml @@ -143,6 +143,11 @@ 'other': 'clean-working-dir': true 'tasks': + - 'checkout': + 'repository': 'bamboo-deploy-publisher' + # The paths are always relative to the working directory. + 'path': 'bamboo-deploy-publisher' + 'force-clean-build': true - 'checkout': 'force-clean-build': true - 'script': @@ -153,13 +158,27 @@ set -e -f -u -x + # Follow the working repository path. + cd "${bamboo.name}" + + # Explicitly checkout the revision that we need. + git checkout "${bamboo.repository.revision.number}" + + # Run the build with the specified channel. + echo "${bamboo.gpgSecretKeyPart1}${bamboo.gpgSecretKeyPart2}"\ + | awk '{ gsub(/\\n/, "\n"); print; }'\ + | gpg --import --batch --yes + make\ ARCH="amd64"\ CHANNEL=${bamboo.channel}\ + GPG_KEY_PASSPHRASE=${bamboo.gpgPassword}\ + DEPLOY_SCRIPT_PATH="../bamboo-deploy-publisher/deploy.sh"\ + SIGNER_API_KEY="${bamboo.adguardDnsClientWinSignerSecretApiKey}"\ FRONTEND_PREBUILT=1\ OS="windows darwin linux"\ PARALLELISM=1\ - SIGN=0\ + SIGN=1\ VERBOSE=2\ build-release 'requirements': diff --git a/scripts/make/build-release.sh b/scripts/make/build-release.sh index 3bc8caf5a62..93e77bec21b 100644 --- a/scripts/make/build-release.sh +++ b/scripts/make/build-release.sh @@ -83,11 +83,15 @@ if [ "$sign" -eq '1' ] then gpg_key_passphrase="${GPG_KEY_PASSPHRASE:?please set GPG_KEY_PASSPHRASE or unset SIGN}" gpg_key="${GPG_KEY:?please set GPG_KEY or unset SIGN}" + signer_api_key="${SIGNER_API_KEY:?please set SIGNER_API_KEY or unset SIGN}" + deploy_script_path="${DEPLOY_SCRIPT_PATH:?please set DEPLOY_SCRIPT_PATH or unset SIGN}" else gpg_key_passphrase='' gpg_key='' + signer_api_key='' + deploy_script_path='' fi -readonly gpg_key_passphrase gpg_key +readonly gpg_key_passphrase gpg_key signer_api_key deploy_script_path # The default distribution files directory is dist. dist="${DIST_DIR:-dist}" @@ -149,6 +153,46 @@ windows amd64 - - windows arm64 - -" readonly platforms +# Function sign signs the specified build as intended by the target operating +# system. +sign() { + # Only sign if needed. + if [ "$sign" -ne '1' ] + then + return + fi + + # Get the arguments. Here and below, use the "sign_" prefix for all + # variables local to function sign. + sign_os="$1" + sign_bin_path="$2" + + if [ "$sign_os" != 'windows' ] + then + gpg\ + --default-key "$gpg_key"\ + --detach-sig\ + --passphrase "$gpg_key_passphrase"\ + --pinentry-mode loopback\ + -q\ + "$sign_bin_path"\ + ; + + return + fi + + signed_bin_path="${sign_bin_path}.signed" + + env\ + INPUT_FILE="$sign_bin_path"\ + OUTPUT_FILE="$signed_bin_path"\ + SIGNER_API_KEY="$signer_api_key"\ + "$deploy_script_path" sign-executable\ + ; + + mv "$signed_bin_path" "$sign_bin_path" +} + # Function build builds the release for one platform. It builds a binary and an # archive. build() { @@ -189,17 +233,7 @@ build() { log "$build_output" - if [ "$sign" -eq '1' ] - then - gpg\ - --default-key "$gpg_key"\ - --detach-sig\ - --passphrase "$gpg_key_passphrase"\ - --pinentry-mode loopback\ - -q\ - "$build_output"\ - ; - fi + sign "$os" "$build_output" # Prepare the build directory for archiving. cp ./CHANGELOG.md ./LICENSE.txt ./README.md "$build_dir"