update release process to incorporate binary signing
This commit is contained in:
parent
ee5e0315d2
commit
e3c0022a8e
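--- /dev/null
+++ b/scripts/codesign_example.sh
@@ -0,0 +1,150 @@
+#! /usr/bin/env bash
+set -euo pipefail
+
+# first makes some assertions about the environment and set some shared
+# variables before starting the script.
+if ! command -v jq > /dev/null 2>&1; then
+echo "This script requires jq to work properly."
+exit 1
+fi
+
+PRODUCT_NAME="${PRODUCT_NAME:-""}"
+if [ -z "$PRODUCT_NAME" ]; then
+echo "Missing required product name: ${PRODUCT_NAME}"
+exit 1
+fi
+
+TARGET_ZIP="${TARGET_ZIP:-""}"
+if [ -z "$TARGET_ZIP" ]; then
+echo "Missing required target path"
+exit 1
+fi
+
+# Artifactory configuration
+ARTIFACTORY_ENDPOINT="${ARTIFACTORY_ENDPOINT:-"https://artifactory.hashicorp.engineering/artifactory"}"
+ARTIFACTORY_INPUT_REPO="${ARTIFACTORY_INPUT_REPO:-"hc-signing-input"}"
+ARTIFACTORY_OUTPUT_REPO="${ARTIFACTORY_OUTPUT_REPO:-"hc-signing-output"}"
+
+ARTIFACTORY_TOKEN="${ARTIFACTORY_TOKEN:-""}"
+ARTIFACTORY_USER="${ARTIFACTORY_USER:-""}"
+
+if [[ -z "$ARTIFACTORY_TOKEN" || -z "$ARTIFACTORY_USER" ]]; then
+echo "Missing required Artifactory credentials"
+exit 1
+fi
+
+# Create the sign/notarize ID "SN_ID"
+if command -v uuidgen > /dev/null 2>&1; then
+uuid="$(uuidgen)"
+elif [ -f /proc/sys/kernel/random/uuid ]; then
+uuid="$(cat /proc/sys/kernel/random/uuid)"
+else
+echo "This script needs some way to generate a uuid."
+exit 1
+fi
+SN_ID="$uuid"
+
+# CircleCI configuration
+CIRCLE_ENDPOINT="${CIRCLE_ENDPOINT:-"https://circleci.com/api/v2"}"
+CIRCLE_PROJECT="${CIRCLE_PROJECT:-"project/github/hashicorp/circle-codesign"}"
+
+CIRCLE_TOKEN="${CIRCLE_TOKEN:-""}"
+if [ -z "$CIRCLE_TOKEN" ]; then
+echo "Missing required CircleCI credentials"
+exit 1
+fi
+
+# Next, upload an unsigned zip file to the Artifactory at
+# https://artifactory.hashicorp.engineering/artifactory/hc-signing-input/{PRODUCT}/{ID}.zip
+echo "Uploading unsigned zip to ${ARTIFACTORY_ENDPOINT}/${ARTIFACTORY_INPUT_REPO}/${PRODUCT_NAME}/${SN_ID}.zip"
+
+curl --show-error --silent --fail \
+--user "${ARTIFACTORY_USER}:${ARTIFACTORY_TOKEN}" \
+--request PUT \
+"${ARTIFACTORY_ENDPOINT}/${ARTIFACTORY_INPUT_REPO}/${PRODUCT_NAME}/${SN_ID}.zip" \
+--upload-file "$TARGET_ZIP" > /dev/null
+
+# Next, start the CircleCI Pipeline, then wait for a Workflow
+# to start.
+echo "Executing CircleCI job"
+
+res="$(curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \
+--request POST \
+--header 'Content-Type: application/json' \
+--header 'Accept: application/json' \
+--data "{ \"branch\": \"master\" ,\"parameters\": { \"PRODUCT\": \"${PRODUCT_NAME}\", \"PKG_NAME\": \"${SN_ID}.zip\" } }" \
+"${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline")"
+pipeline_id="$(echo "$res" | jq -r '.id')"
+echo "CircleCI Pipeline $pipeline_id started"
+
+echo -n "Retrieving CircleCI Workflow ID"
+# 24 * 5 seconds = 2 minutes
+counter=12
+workflow_id=""
+# wait until a Workflow ID is found
+until [ "$workflow_id" != "" ]; do
+echo -n "."
+workflow_id=$(curl --silent --fail --user "${CIRCLE_TOKEN}:" \
+--request GET \
+--header 'Accept: application/json' \
+"${CIRCLE_ENDPOINT}/pipeline/${pipeline_id}/workflow" \
+| jq -r '.items[].id'
+)
+if [ "$counter" -eq "0" ]; then
+echo "Tried too many times, but Pipeline ${pipeline_id} still has no Workflows"
+exit 1
+fi
+counter=$((counter - 1))
+sleep 5
+done
+echo ""
+
+echo "CircleCI Workflow $workflow_id started"
+
+# Next, wait for the Workflow to reach a terminal state, then fails if it isn't
+# "success"
+echo -n "Waiting for CircleCI Workflow ID: ${workflow_id}"
+# 360 * 5 seconds = 30 minutes
+counter=360
+finished="not_run"
+# wait for one of the terminal states: ["success", "failed", "error", "canceled"]
+until [[ "$finished" == "success" || "$finished" == "failed" || "$finished" == "error" || "$finished" == "canceled" ]]; do
+echo -n "."
+finished=$(curl --silent --fail --user "${CIRCLE_TOKEN}:" \
+--header 'Accept: application/json' \
+"${CIRCLE_ENDPOINT}/workflow/${workflow_id}" \
+| jq -r '.status'
+)
+if [ "$counter" -eq "0" ]; then
+echo "Tried too many times, but workflow is still in state ${finished}"
+exit 1
+fi
+counter=$((counter - 1))
+sleep 5
+done
+echo ""
+
+if [ "$finished" != "success" ]; then
+echo "Workflow ID ${workflow_id} ${finished}"
+exit 1
+fi
+
+# Next, download the signed zip from Artifactory at
+# https://artifactory.hashicorp.engineering/artifactory/hc-signing-output/{PRODUCT}/{ID}.zip
+echo "Retrieving signed zip from ${ARTIFACTORY_ENDPOINT}/${ARTIFACTORY_OUTPUT_REPO}/${PRODUCT_NAME}/${SN_ID}.zip"
+
+curl --show-error --silent --fail --user "${ARTIFACTORY_USER}:${ARTIFACTORY_TOKEN}" \
+--request GET \
+"${ARTIFACTORY_ENDPOINT}/${ARTIFACTORY_OUTPUT_REPO}/${PRODUCT_NAME}/${SN_ID}.zip" \
+--output "signed_${SN_ID}.zip"
+
+signed_checksum=$(
+curl --silent --show-error --fail --user "${ARTIFACTORY_USER}:${ARTIFACTORY_TOKEN}" \
+--head \
+"${ARTIFACTORY_ENDPOINT}/${ARTIFACTORY_OUTPUT_REPO}/${PRODUCT_NAME}/${SN_ID}.zip" \
+| grep -i "x-checksum-sha256" | awk 'gsub("[\r\n]", "", $2) {print $2;}'
+)
+
+echo "${signed_checksum} signed_${SN_ID}.zip" | gsha256sum -c
+
+mv "signed_${SN_ID}.zip" "$TARGET_ZIP"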
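Review bot: `PRODUCT_NAME` and `SN_ID` are spliced into the CircleCI pipeline request as a raw string at `--data "{ \"branch\": \"master\" ,\"parameters\": { \"PRODUCT\": \"${PRODUCT_NAME}\", ...`, so a product name containing a quote or brace produces malformed or unintended JSON (and it also lands unencoded in the Artifactory URL path); since `jq` is already a hard requirement, build the body with `jq -n --arg product "$PRODUCT_NAME" --arg pkg "${SN_ID}.zip" '{branch:"master",parameters:{PRODUCT:$product,PKG_NAME:$pkg}}'`. The Artifactory and CircleCI tokens are passed with `--user` on every curl invocation, which exposes them in the process table and in any `set -x` trace of a release run; feeding them to curl as a config read from stdin keeps them out of argv (sketch below). The `gsha256sum -c` step only proves the download matches the checksum Artifactory itself reports for the same path with the same credentials, so the comment should say so rather than read as signature verification, e.g. `# Integrity check against Artifactory's own checksum header; this does not verify the code signature.` `gsha256sum` is not among the up-front tool assertions, so on a Linux runner (which the `/proc/sys/kernel/random/uuid` branch anticipates) the script fails only after the signing workflow has completed; check for it next to `jq`, or fall back to `sha256sum` when `gsha256sum` is absent. The `# 24 * 5 seconds = 2 minutes` comment disagrees with `counter=12`.
```shell
# … unchanged: environment assertions, SN_ID, CircleCI configuration …

# Keep the Artifactory/CircleCI secrets out of argv (visible to `ps` and to
# any `set -x` trace) by handing them to curl as a config read from stdin.
artifactory_curl() {
  curl --show-error --silent --fail --config - "$@" <<EOF
user = "${ARTIFACTORY_USER}:${ARTIFACTORY_TOKEN}"
EOF
}
circle_curl() {
  curl --show-error --silent --fail --config - "$@" <<EOF
user = "${CIRCLE_TOKEN}:"
EOF
}

# … unchanged: upload, now `artifactory_curl --request PUT "$url" --upload-file "$TARGET_ZIP"` …

# Build the pipeline body with jq so PRODUCT_NAME/SN_ID are JSON-encoded
# rather than interpolated into a string.
body="$(jq -n --arg product "$PRODUCT_NAME" --arg pkg "${SN_ID}.zip" \
  '{branch: "master", parameters: {PRODUCT: $product, PKG_NAME: $pkg}}')"
res="$(circle_curl --request POST \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --data "$body" \
  "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline")"

# … unchanged: workflow polling, download, checksum check, mv …
```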
@ -49,7 +49,7 @@ if [ -z $NOSIGN ]; then
|
|||
fi
|
||||
|
||||
./scripts/sign.sh
|
||||
# hc-releases upload $DIR/pkg/dist/
|
||||
# hc-releases publish
|
||||
hc-releases upload $DIR/pkg/dist/
|
||||
hc-releases publish
|
||||
|
||||
exit 0
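Review bot: The exit status of `./scripts/sign.sh` is not checked before `hc-releases upload $DIR/pkg/dist/` runs, and the sign.sh added in this same commit has no `set -e` and ends with an unconditional `exit 0`, so a failed signing step still publishes whatever is in `pkg/dist/`; whether this script itself runs under `set -e` is not visible in the hunk, so gate the publish explicitly: `./scripts/sign.sh || { echo "signing failed; not publishing" >&2; exit 1; }`. The commented-out `# hc-releases upload $DIR/pkg/dist/` and `# hc-releases publish` lines duplicate the live calls directly below them and should be dropped rather than kept as dead text. `$DIR/pkg/dist/` is unquoted; use `hc-releases upload "$DIR/pkg/dist/"`. The enclosing `if [ -z $NOSIGN ]` block starts before this hunk.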
|
||||
|
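--- /dev/null
+++ b/scripts/sign.sh
@@ -0,0 +1,31 @@
+
+#!/usr/bin/env bash
+
+# This script uploads the Darwin builds to artifactory, then triggers the
+# circle ci job that signs them.
+
+# ARTIFACTORY_USER="sa-circle-codesign"
+# export PRODUCT_NAME="packer"
+# export ARTIFACTORY_TOKEN=$ARTIFACTORY_TOKEN
+
+# Get the parent directory of where this script is.
+SOURCE="${BASH_SOURCE[0]}"
+while [ -h "$SOURCE" ] ; do SOURCE="$(readlink "$SOURCE")"; done
+DIR="$( cd -P "$( dirname "$SOURCE" )/.." && pwd )"
+# Change into that dir because we expect that
+cd $DIR
+
+BIN_UUIDS=()
+BUILD_NUMBERS=()
+for DARWIN_BIN in $(find ./pkg/dist/*darwin_*.zip); do
+echo "signing $DARWIN_BIN"
+export ARTIFACTORY_USER="sa-circle-codesign"
+export PRODUCT_NAME="packer"
+export ARTIFACTORY_TOKEN=$ARTIFACTORY_TOKEN
+export TARGET_ZIP=$DARWIN_BIN
+
+echo $TARGET_ZIP
+./scripts/codesign_example.sh
+done
+
+exit 0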
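Review bot: A failure of `./scripts/codesign_example.sh` for any Darwin zip is silently ignored: the script has no `set -e`, the loop body never checks the call's status, and the file ends with an unconditional `exit 0`, so the release script calling it sees success and an unsigned binary can be published. The file also appears to begin with a blank line ahead of `#!/usr/bin/env bash` (confirm in the raw file), in which case a direct `./scripts/sign.sh` invocation is not guaranteed to run under bash even though the script relies on `BASH_SOURCE` and arrays; the shebang must be line 1. `for DARWIN_BIN in $(find ./pkg/dist/*darwin_*.zip)` word-splits a `find` over an already-expanded glob; iterate the glob directly under `shopt -s nullglob` so paths with spaces and an empty dist directory behave sanely. `export ARTIFACTORY_TOKEN=$ARTIFACTORY_TOKEN` re-exports a value that must already be present; make that requirement explicit with `: "${ARTIFACTORY_TOKEN:?ARTIFACTORY_TOKEN must be set}"` so a missing secret fails here rather than inside the child, and drop the unused `BIN_UUIDS` / `BUILD_NUMBERS` arrays. Sketch:
```shell
#!/usr/bin/env bash
set -euo pipefail

# … unchanged: header comment, DIR resolution …
cd "$DIR"

# The token must come from the caller's environment; fail early if absent.
: "${ARTIFACTORY_TOKEN:?ARTIFACTORY_TOKEN must be set}"
export ARTIFACTORY_TOKEN

shopt -s nullglob
for darwin_bin in ./pkg/dist/*darwin_*.zip; do
  echo "signing $darwin_bin"
  # Scope the child's configuration to this invocation; abort on the first failure.
  ARTIFACTORY_USER="sa-circle-codesign" \
  PRODUCT_NAME="packer" \
  TARGET_ZIP="$darwin_bin" \
    ./scripts/codesign_example.sh || { echo "signing $darwin_bin failed" >&2; exit 1; }
done
```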
|