author | Daniel Mueller <deso@posteo.net> | 2018-12-24 21:02:17 -0800 |
---|---|---|
committer | Daniel Mueller <deso@posteo.net> | 2018-12-24 21:02:17 -0800 |
commit | 21a68c0cdd6237313a4cfad2de108b3785b75b49 (patch) | |
tree | 3738fac72993856d46cfd4077e34ba1519211f58 | |
parent | ba506bfa085064b9be3e262806d2f5f4ca522aee (diff) | |
download | nitrocli-21a68c0cdd6237313a4cfad2de108b3785b75b49.tar.gz nitrocli-21a68c0cdd6237313a4cfad2de108b3785b75b49.tar.bz2 |
Add recipe for signing Github release source code
Upon creation of a release on Github, the platform publishes the source
code. It is good practice to sign this source code, but it obviously
should be verified first. The procedure is not quite as trivial as it
should be and tedious to do manually.
To aid the process, this change adds a Makefile recipe that contains the
core logic and guides the user through the steps that are necessary.
-rw-r--r-- | nitrocli/Makefile | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/nitrocli/Makefile b/nitrocli/Makefile
index d87a09a..e7f7da5 100644
--- a/nitrocli/Makefile
+++ b/nitrocli/Makefile
@@ -17,6 +17,8 @@
 # * along with this program. If not, see <http://www.gnu.org/licenses/>. *
 # ***************************************************************************/
+SHELL := bash
+
 PS2PDF ?= ps2pdf
 NITROCLI_MAN := doc/nitrocli.1
@@ -31,3 +33,38 @@ $(NITROCLI_PDF): $(NITROCLI_MAN)
 @which $(PS2PDF) &> /dev/null || \
 (echo "$(PS2PDF) command not found, unable to generate documentation"; false)
 @man --local-file --troff $(<) | $(PS2PDF) - $(@)
+
+KEY ?= 0x952DD6F8F34D8B8E
+
+.PHONY: sign
+sign:
+ @test -n "$(REL)" || \
+ (echo "Please set REL environment variable to the release to verify (e.g., '0.2.1')."; false)
+ @mkdir -p pkg/
+ wget --quiet "https://github.com/d-e-s-o/nitrocli/archive/v$(REL).zip" \
+ -O "pkg/nitrocli-$(REL).zip"
+ @set -euo pipefail && DIR1=$$(mktemp -d) && DIR2=$$(mktemp -d) && \
+ unzip -q pkg/nitrocli-$(REL).zip -d $${DIR1} && \
+ git -C $$(git rev-parse --show-toplevel) archive --prefix=nitrocli-$(REL)/ v$(REL) | \
+ tar -x -C $${DIR2} && \
+ diff -u -r $${DIR1} $${DIR2} && \
+ echo "Github zip archive verified successfully" && \
+ (rm -r $${DIR1} && rm -r $${DIR2})
+ wget --quiet "https://github.com/d-e-s-o/nitrocli/archive/v$(REL).tar.gz" \
+ -O "pkg/nitrocli-$(REL).tar.gz"
+ @set -euo pipefail && DIR1=$$(mktemp -d) && DIR2=$$(mktemp -d) && \
+ tar -xz -C $${DIR1} -f pkg/nitrocli-$(REL).tar.gz && \
+ git -C $$(git rev-parse --show-toplevel) archive --prefix=nitrocli-$(REL)/ v$(REL) | \
+ tar -x -C $${DIR2} && \
+ diff -u -r $${DIR1} $${DIR2} && \
+ echo "Github tarball verified successfully" && \
+ (rm -r $${DIR1} && rm -r $${DIR2})
+ @cd pkg && sha256sum nitrocli-$(REL).tar.gz nitrocli-$(REL).zip > nitrocli-$(REL).sha256.DIGEST
+ @gpg --sign --armor --detach-sign --default-key=$(KEY) --yes \
+ --output pkg/nitrocli-$(REL).sha256.DIGEST.sig pkg/nitrocli-$(REL).sha256.DIGEST
+ @gpg --verify pkg/nitrocli-$(REL).sha256.DIGEST.sig
+ @cd pkg && sha256sum --check < nitrocli-$(REL).sha256.DIGEST
+ @echo "All checks successful. Please attach"
+ @echo " pkg/nitrocli-$(REL).sha256.DIGEST"
+ @echo " pkg/nitrocli-$(REL).sha256.DIGEST.sig"
+ @echo "to https://github.com/d-e-s-o/nitrocli/releases/tag/v$(REL)" |
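Review bot: The `sign` recipe treats the local tag `v$(REL)` as ground truth when it compares both downloads against `git archive`, but nothing in the hunk checks that tag itself, so a tag fetched from the same remote would make the comparison circular. If release tags are signed (not visible here), a `@git verify-tag v$(REL)` line ahead of the first `wget` would anchor the check; otherwise a comment above `sign:` should state that the tag must have been created locally. `diff -u -r` compares names and contents only, so a changed file mode in a published archive would still pass. The final `gpg --verify` is given only the signature and relies on gpg deriving the data file name; naming both is more explicit: `@gpg --verify pkg/nitrocli-$(REL).sha256.DIGEST.sig pkg/nitrocli-$(REL).sha256.DIGEST`.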