authorDaniel Mueller <deso@posteo.net>2018-12-24 21:02:17 -0800
committerDaniel Mueller <deso@posteo.net>2018-12-24 21:02:17 -0800
commit21a68c0cdd6237313a4cfad2de108b3785b75b49 (patch)
tree3738fac72993856d46cfd4077e34ba1519211f58
parentba506bfa085064b9be3e262806d2f5f4ca522aee (diff)
Add recipe for signing Github release source code
Upon creation of a release on Github, the platform publishes the source code. It is good practice to sign this source code, but it obviously should be verified first. The procedure is not quite as trivial as it should be and tedious to do manually. To aid the process, this change adds a Makefile recipe that contains the core logic and guides the user through the steps that are necessary.
-rw-r--r--nitrocli/Makefile37
1 files changed, 37 insertions, 0 deletions
diff --git a/nitrocli/Makefile b/nitrocli/Makefile
index d87a09a..e7f7da5 100644
--- a/nitrocli/Makefile
+++ b/nitrocli/Makefile
@@ -17,6 +17,8 @@
# * along with this program. If not, see <http://www.gnu.org/licenses/>. *
# ***************************************************************************/
+SHELL := bash
+
PS2PDF ?= ps2pdf
NITROCLI_MAN := doc/nitrocli.1
@@ -31,3 +33,38 @@ $(NITROCLI_PDF): $(NITROCLI_MAN)
@which $(PS2PDF) &> /dev/null || \
(echo "$(PS2PDF) command not found, unable to generate documentation"; false)
@man --local-file --troff $(<) | $(PS2PDF) - $(@)
+
+KEY ?= 0x952DD6F8F34D8B8E
+
+.PHONY: sign
+sign:
+ @test -n "$(REL)" || \
+ (echo "Please set REL environment variable to the release to verify (e.g., '0.2.1')."; false)
+ @mkdir -p pkg/
+ wget --quiet "https://github.com/d-e-s-o/nitrocli/archive/v$(REL).zip" \
+ -O "pkg/nitrocli-$(REL).zip"
+ @set -euo pipefail && DIR1=$$(mktemp -d) && DIR2=$$(mktemp -d) && \
+ unzip -q pkg/nitrocli-$(REL).zip -d $${DIR1} && \
+ git -C $$(git rev-parse --show-toplevel) archive --prefix=nitrocli-$(REL)/ v$(REL) | \
+ tar -x -C $${DIR2} && \
+ diff -u -r $${DIR1} $${DIR2} && \
+ echo "Github zip archive verified successfully" && \
+ (rm -r $${DIR1} && rm -r $${DIR2})
+ wget --quiet "https://github.com/d-e-s-o/nitrocli/archive/v$(REL).tar.gz" \
+ -O "pkg/nitrocli-$(REL).tar.gz"
+ @set -euo pipefail && DIR1=$$(mktemp -d) && DIR2=$$(mktemp -d) && \
+ tar -xz -C $${DIR1} -f pkg/nitrocli-$(REL).tar.gz && \
+ git -C $$(git rev-parse --show-toplevel) archive --prefix=nitrocli-$(REL)/ v$(REL) | \
+ tar -x -C $${DIR2} && \
+ diff -u -r $${DIR1} $${DIR2} && \
+ echo "Github tarball verified successfully" && \
+ (rm -r $${DIR1} && rm -r $${DIR2})
+ @cd pkg && sha256sum nitrocli-$(REL).tar.gz nitrocli-$(REL).zip > nitrocli-$(REL).sha256.DIGEST
+ @gpg --sign --armor --detach-sign --default-key=$(KEY) --yes \
+ --output pkg/nitrocli-$(REL).sha256.DIGEST.sig pkg/nitrocli-$(REL).sha256.DIGEST
+ @gpg --verify pkg/nitrocli-$(REL).sha256.DIGEST.sig
+ @cd pkg && sha256sum --check < nitrocli-$(REL).sha256.DIGEST
+ @echo "All checks successful. Please attach"
+ @echo " pkg/nitrocli-$(REL).sha256.DIGEST"
+ @echo " pkg/nitrocli-$(REL).sha256.DIGEST.sig"
+ @echo "to https://github.com/d-e-s-o/nitrocli/releases/tag/v$(REL)"
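Review bot: Both `diff -u -r $${DIR1} $${DIR2}` checks compare file contents only, so a downloaded archive that differs from the `v$(REL)` tree in permission bits, or in a symlink whose target happens to have matching content, would still pass and then be signed. GNU diff follows symlinks unless `--no-dereference` is given, so adding that flag to both diff lines covers the symlink case; permission bits would need a separate comparison, and the zip may not carry them faithfully. The reference side is whatever the local tag `v$(REL)` points at and nothing in the recipe checks it; if release tags are signed, a `git verify-tag v$(REL)` line before the first `wget` would anchor the comparison. The temporary directories are also left behind whenever a step fails, because the `rm -r` calls sit at the end of the `&&` chain.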