1#!/bin/bash
2# Copyright (C) 2017-2023 SUSE LLC.
3# Copyright (C) 2017-2023 Open Containers Authors
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9# http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16
17set -Eeuo pipefail
18
19project="runc"
20root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
21
22# Print usage information.
23function usage() {
24 echo "usage: release_sign.sh [-S <gpg-key-id>] [-H <hashcmd>]" >&2
25 echo " [-r <release-dir>] [-v <version>]" >&2
26 exit 1
27}
28
29# Log something to stderr.
30function log() {
31 echo "[*]" "$@" >&2
32}
33
34# Log something to stderr and then exit with 0.
35function quit() {
36 log "$@"
37 exit 0
38}
39
40# Log something to stderr and then exit with 1.
41function bail() {
42 log "$@"
43 exit 1
44}
45
46# Conduct a sanity-check to make sure that GPG provided with the given
47# arguments can sign something. Inability to sign things is not a fatal error.
48function gpg_cansign() {
49 gpg "$@" --clear-sign </dev/null >/dev/null
50}
51
52# When creating releases we need to build static binaries, an archive of the
53# current commit, and generate detached signatures for both.
54keyid=""
55version=""
56releasedir=""
57hashcmd=""
58
59while getopts "H:hr:S:v:" opt; do
60 case "$opt" in
61 H)
62 hashcmd="$OPTARG"
63 ;;
64 h)
65 usage
66 ;;
67 r)
68 releasedir="$OPTARG"
69 ;;
70 S)
71 keyid="$OPTARG"
72 ;;
73 v)
74 version="$OPTARG"
75 ;;
76 :)
77 echo "Missing argument: -$OPTARG" >&2
78 usage
79 ;;
80 \?)
81 echo "Invalid option: -$OPTARG" >&2
82 usage
83 ;;
84 esac
85done
86
87version="${version:-$(<"$root/VERSION")}"
88releasedir="${releasedir:-release/$version}"
89hashcmd="${hashcmd:-sha256sum}"
90
91log "signing $project release in '$releasedir'"
92log " key: ${keyid:-DEFAULT}"
93log " hash: $hashcmd"
94
95# Set up the gpgflags.
96gpgflags=()
97[[ "$keyid" ]] && gpgflags=(--default-key "$keyid")
98gpg_cansign "${gpgflags[@]}" || quit "Could not find suitable GPG key, skipping signing step."
99
100# Make explicit what we're doing.
101set -x
102
103# Check that the keyid is actually in the $project.keyring by signing a piece
104# of dummy text then verifying it against the list of keys in that keyring.
105tmp_gpgdir="$(mktemp -d --tmpdir "$project-sign-tmpkeyring.XXXXXX")"
106trap 'rm -r "$tmp_gpgdir"' EXIT
107
108tmp_runc_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/$project.keyring")
109gpg "${tmp_runc_gpgflags[@]}" --import <"$root/$project.keyring"
110
111tmp_seccomp_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/seccomp.keyring")
112gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x47A68FCE37C7D7024FD65E11356CE62C2B524099
113gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x7100AADFAE6E6E940D2E0AD655E45A5AE8CA7C8A
114
115gpg "${gpgflags[@]}" --clear-sign <<<"[This is test text used for $project release scripts. $(date --rfc-email)]" |
116 gpg "${tmp_runc_gpgflags[@]}" --verify || bail "Signing key ${keyid:-DEFAULT} is not in trusted $project.keyring list!"
117
118# Make sure the signer is okay with the list of keys in the keyring (once this
119# release is signed, distributions will trust this keyring).
120cat >&2 <<EOF
121== PLEASE VERIFY THE FOLLOWING KEYS ==
122
123The sources for this release will contain the following signing keys as
124"trusted", meaning that distributions may trust the keys to sign future
125releases. Please make sure that only authorised users' keys are listed.
126
127$(gpg "${tmp_runc_gpgflags[@]}" --list-keys)
128
129[ Press ENTER to continue. ]
130EOF
131read -r
132
133# Only needed for local signing -- change the owner since by default it's built
134# inside a container which means it'll have the wrong owner and permissions.
135[ -w "$releasedir" ] || sudo chown -R "$(id -u):$(id -g)" "$releasedir"
136
137# Sign everything.
138for bin in "$releasedir/$project".*; do
139 [[ "$(basename "$bin")" == "$project.$hashcmd" ]] && continue # skip hash
140 gpg "${gpgflags[@]}" --detach-sign --armor "$bin"
141done
142gpg "${gpgflags[@]}" --clear-sign --armor \
143 --output "$releasedir/$project.$hashcmd"{.tmp,} &&
144 mv "$releasedir/$project.$hashcmd"{.tmp,}
145
146# Verify that all the signatures and shasum are correct.
147pushd "$releasedir"
148
149# Verify project-signed detached signatures.
150find . -name "$project.*.asc" -print0 | xargs -0 -L1 gpg "${tmp_runc_gpgflags[@]}" --verify --
151
152# Verify shasum.
153"$hashcmd" -c "$project.$hashcmd"
154gpg "${tmp_runc_gpgflags[@]}" --verify "$project.$hashcmd"
155
156# Verify seccomp tarball.
157gpg "${tmp_seccomp_gpgflags[@]}" --verify libseccomp*.asc
158
159popd
View as plain text