Posted to issues@openwhisk.apache.org by GitBox <gi...@apache.org> on 2018/02/12 21:12:29 UTC

[GitHub] csantanapr closed pull request #33: Add the support to verify the artifacts with the key

csantanapr closed pull request #33: Add the support to verify the artifacts with the key
URL: https://github.com/apache/incubator-openwhisk-release/pull/33
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/tools/clean_remote_stage_artifacts.sh b/tools/clean_remote_stage_artifacts.sh
new file mode 100755
index 0000000..0577f7a
--- /dev/null
+++ b/tools/clean_remote_stage_artifacts.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Clean the remote artifacts in staging directory"
+
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
+source "$SCRIPTDIR/util.sh"
+
+CONFIG=$(read_file $SCRIPTDIR/config.json)
+version_key="version"
+version_major=$(json_by_key "$CONFIG" ${version_key}.major)
+version_minor=$(json_by_key "$CONFIG" ${version_key}.minor)
+
+version=$version_major-$version_minor
+REMOTE_PATH="openwhisk-$version"
+STAGE_URL=$(json_by_key "$CONFIG" "stage_url")
+CURRENT_VERSION_URL="$STAGE_URL/${REMOTE_PATH}/"
+CREDENTIALS=""
+
+SVN_USERNAME=$1
+SVN_PASSWORD=$2
+
+if [ ! -z "$SVN_USERNAME" ] && [ ! -z "$SVN_PASSWORD" ];then
+    CREDENTIALS="--username $SVN_USERNAME --password $SVN_PASSWORD --non-interactive"
+fi
+
+if [[ `wget -S --spider $CURRENT_VERSION_URL  2>&1 | grep 'HTTP/1.1 200 OK'` ]]; then
+    svn delete $CURRENT_VERSION_URL -m "Removing Apache OpenWhisk release ${version} from staging." $CREDENTIALS
+fi
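Review bot: The `svn delete` on the line above expands `$CREDENTIALS` unquoted, so a password containing whitespace or glob characters is split into extra arguments and the `--password` value is silently truncated; the same string-built credential appears in load_config.sh (the block ending at `CREDENTIALS="--username ..."`). Build it as an array instead: `CREDENTIALS=(--username "$SVN_USERNAME" --password "$SVN_PASSWORD" --non-interactive)` and `svn delete "$CURRENT_VERSION_URL" -m "Removing Apache OpenWhisk release ${version} from staging." "${CREDENTIALS[@]}"`. Note that `--password` on argv is readable by other processes on the build host via `ps` and would appear in any `set -x` trace, so it is worth moving to svn's credential store or a stdin-based option where the installed svn supports one.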
diff --git a/tools/install_dependencies.sh b/tools/install_dependencies.sh
index f48e33f..ca365bc 100755
--- a/tools/install_dependencies.sh
+++ b/tools/install_dependencies.sh
@@ -7,7 +7,6 @@ if [ $sysOS == "Darwin" ];then
 	echo "This is MacOS."
 	brew install jq
 	brew install gpg
-	brew install md5sha1sum
 elif [ $sysOS == "Linux" ];then
 	echo "This is Linux."
     if [ -f /etc/lsb-release -o -d /etc/lsb-release.d ]; then
diff --git a/tools/key_pub.gpg b/tools/key_pub.gpg
new file mode 100644
index 0000000..febbeaf
--- /dev/null
+++ b/tools/key_pub.gpg
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFqB+RMBEACeKz2rzESI9Hch8ZUEY2mrTsCumXsFn8YAUkiuMN4g6Q5PvoRU
+k0tkD0wdQDg9Tqd5DlOaJMFaP25rvchR7OCgygf5DaKW4IsUh7FN5uID94ozwNvD
+oznyl5OTwzCB8jdRz5pMTRNx989yi0z0kMhIqXULQeCBWMdbv6wVcRlGmwWO6T42
+b2hi8gPZJjP++577WjGZWTV/NgOLyFPRYIn7phjBLkCfD15fGVzy+icXCxeunTgK
+T0qxD/r+6iTtxyWMkLQxLByZWxRUJCdt03oQVVwrL7SJHdKYvU5ElOUr1J4/axN+
+x43+Z5kz06ZZghewzdCMvnwf3IaEdJmrksY1U3wije1wXGKs7f9Y+eS+E9tVDuI/
+yLrhFs1/A6uNtuvfSqvHzaWWNUUl4/YP8VgPttaWKBBNw/EL2i3di9RQAfTMqRsk
+JBx2bLORu/MjAnH3nBztw3MHI6ll4u2xb03k1iW9Uc+lh76V63DcykVlhL0renCR
+ccZ3cGGi9vrfZ8pQHcPTLxK/l++QRUzewHEUM2nPOSW9DRe1jR128DhTr4p5yaKF
+z5vvtjU+GP+cZFM8HkY1RLrNA2/a4G/gHGQqdPybomSeq7hC0GtX6U5ESHeOqyH1
+hDblT7nldvyw1nb52+yzYjuhiJo/TB/F/7teAmHyDmOIot6EEAx+Onh6/wARAQAB
+tDxWaW5jZW50IEhvdSAoUmVsZWFzZSBtYW5hZ2VyIG9mIE9wZW5XaGlzaykgPHNo
+b3VAdXMuaWJtLmNvbT6JAk4EEwEIADgWIQT2AFplgI3xoq7hv/aeJ0HSiuatCgUC
+WoH5EwIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCeJ0HSiuatClniD/99
+FDXY/Ju8i7+wmnpQpJof+242KhJEumttKn/SRkU79zCrsV3jT+z9Il8CbpPYyPVl
+BZPcHYs+1goky3yVJm+tDATtxXYmyeLvU+LcmZA2ftufWaakJti6uAt6gl/CvrPN
+Xdu44hcISCZs4b725A3InfGQbBGEppJfa0PxQ8Yx5yktNTom/DuzuaII70DoIffe
+rFIs0Bge4m9RDQ21VLxZGyg5l8xhc/viXzASisCiXGpXnRMiwcXwRgUd11VHsTQ+
+iueFBxkfk7O1whobs232iUy2Db42/OtL39fn8HRlkfhV6fzUieX0Z7lcc+hpzLMc
+HP/1LGxH5I+LnTN0iZpgZzDiv8HS7toQ3DzMDyMDypskKyrQty+Z0FOLuGFOY06y
+rbE6yc9doQBhTugVYQznia+v0G8rrwQwPVsKZnBmEzo1GT16jzGpse2NfPOMpbLk
+WJ3a1SNb8mtGS+XFFGQ/y9QNquBFD5kLjptSDdVbNexyxZ6SDpQFzulByonGDpqe
+Xez7Ho9kklOb3/1sH918zw6SlWWIhf4HOmZeYyucS6bIGBFnu+r+3wzSvhmJ2IlX
+53rX4F/n4PYfS5TEa5rmjxzy+sww1nEdo+/sYF3KiPysLn5h/Y9VtzSh1dsh1mV0
+O/9Ulqw3TsDrGa2k7Kx2PVHVx3KYMvpvskyP51U2EA==
+=/f4p
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tools/key_sec.gpg.enc b/tools/key_sec.gpg.enc
new file mode 100644
index 0000000..7761b7f
Binary files /dev/null and b/tools/key_sec.gpg.enc differ
diff --git a/tools/export_pgp_key.sh b/tools/load_config.sh
similarity index 63%
rename from tools/export_pgp_key.sh
rename to tools/load_config.sh
index 8eafcac..0d6b2a3 100755
--- a/tools/export_pgp_key.sh
+++ b/tools/load_config.sh
@@ -1,27 +1,31 @@
 #!/usr/bin/env bash
 
-set -e
+WORK_DIR=${1:-"$HOME"}
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
 
-echo "Export the PGP key."
+SVN_USERNAME=$2
+SVN_PASSWORD=$3
+CREDENTIALS=""
+
+if [ ! -z "$SVN_USERNAME" ] && [ ! -z "$SVN_PASSWORD" ];then
+    CREDENTIALS="--username $SVN_USERNAME --password $SVN_PASSWORD --non-interactive"
+fi
 
-WORK_DIR=${1:-"$HOME"}
-PGP_EMAIL=${2:-"shou@us.ibm.com"}
 OPENWHISK_SOURCE_DIR="$WORK_DIR/openwhisk_sources"
 OPENWHISK_SVN="$OPENWHISK_SOURCE_DIR/openwhisk"
 
-SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
 source "$SCRIPTDIR/util.sh"
 
 CONFIG=$(read_file $SCRIPTDIR/config.json)
 repos=$(echo $(json_by_key "$CONFIG" "RepoList") | sed 's/[][]//g')
+STAGE_URL=$(json_by_key "$CONFIG" "stage_url")
+
 version_key="version"
 version_major=$(json_by_key "$CONFIG" ${version_key}.major)
 version_minor=$(json_by_key "$CONFIG" ${version_key}.minor)
 
 version=$version_major-$version_minor
-CURRENT_VERSION_DIR="$OPENWHISK_SVN/openwhisk-$version"
+REMOTE_PATH="openwhisk-$version"
 
-cd $CURRENT_VERSION_DIR
-
-# Output the public key into the file KEYS to be uploaded into the staging directory.
-gpg --yes --output KEYS --armor --export $PGP_EMAIL
+CURRENT_VERSION_URL="$STAGE_URL/${REMOTE_PATH}/"
+CURRENT_VERSION_DIR="$OPENWHISK_SVN/openwhisk-$version"
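Review bot: The `gpg --yes --output KEYS --armor --export` step removed from this file is not reintroduced anywhere visible in this PR, yet the new verify_local_artifacts.sh and verify_remote_artifacts.sh still fetch `$STAGE_URL/KEYS`; confirm KEYS is still produced and uploaded by another script, otherwise verification will fail to import any key. Separately, this file is now only ever `source`d, so `SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"` resolves against the calling script's `$0`, which works only while every caller lives in the same directory; `SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"` makes it independent of the caller's location.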
diff --git a/tools/package_source_code.sh b/tools/package_source_code.sh
index fa1c136..76829e7 100755
--- a/tools/package_source_code.sh
+++ b/tools/package_source_code.sh
@@ -4,34 +4,8 @@ set -e
 
 echo "Package the artifacts."
 
-SVN_USERNAME=$2
-SVN_PASSWORD=$3
-CREDENTIALS=""
-
-if [ ! -z "$SVN_USERNAME" ] && [ ! -z "$SVN_PASSWORD" ];then
-    CREDENTIALS="--username $SVN_USERNAME --password $SVN_PASSWORD --non-interactive"
-fi
-
-WORK_DIR=${1:-"$HOME"}
-
-OPENWHISK_SOURCE_DIR="$WORK_DIR/openwhisk_sources"
-OPENWHISK_SVN="$OPENWHISK_SOURCE_DIR/openwhisk"
-
 SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
-source "$SCRIPTDIR/util.sh"
-
-CONFIG=$(read_file $SCRIPTDIR/config.json)
-repos=$(echo $(json_by_key "$CONFIG" "RepoList") | sed 's/[][]//g')
-version_key="version"
-version_major=$(json_by_key "$CONFIG" ${version_key}.major)
-version_minor=$(json_by_key "$CONFIG" ${version_key}.minor)
-
-version=$version_major-$version_minor
-CURRENT_VERSION_DIR="$OPENWHISK_SVN/openwhisk-$version"
-echo $version
-
-STAGE_URL=$(json_by_key "$CONFIG" "stage_url")
-echo $STAGE_URL
+source "$SCRIPTDIR/load_config.sh" $1 $2 $3
 
 # Create a subversion directory for openwhisk to stage all the packages
 rm -rf $OPENWHISK_SVN
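Review bot: `source "$SCRIPTDIR/load_config.sh" $1 $2 $3` passes the positional parameters unquoted, so an empty `$2` shifts the password into `$2` of the sourced file and a password containing spaces is split across several parameters before load_config.sh ever sees it; write `source "$SCRIPTDIR/load_config.sh" "$1" "$2" "$3"` (or simply `"$@"`). The same call appears in verify_local_artifacts.sh and verify_remote_artifacts.sh. The rest of this script, including the `rm -rf $OPENWHISK_SVN` that now relies on a variable defined in the sourced file, continues outside the hunk.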
diff --git a/tools/sign_artifacts.sh b/tools/sign_artifacts.sh
index 288985a..8695d11 100755
--- a/tools/sign_artifacts.sh
+++ b/tools/sign_artifacts.sh
@@ -31,10 +31,11 @@ if [ $sysOS == "Darwin" ];then
 fi
 
 cd $CURRENT_VERSION_DIR
-
+echo "Sign the artifacts with the private key."
 for artifact in *.tar.gz; do
     gpg --print-md MD5 ${artifact} > ${artifact}.md5
     gpg --print-md SHA512 ${artifact} > ${artifact}.sha512
+
     if [ $sysOS == "Darwin" ];then
         # The option --passphrase-fd does not work on Mac.
         `gpg --yes --armor --output ${artifact}.asc --detach-sig ${artifact}`
diff --git a/tools/travis/import_pgp_key.sh b/tools/travis/import_pgp_key.sh
new file mode 100755
index 0000000..fca5112
--- /dev/null
+++ b/tools/travis/import_pgp_key.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Import the PGP key."
+
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
+
+# Load the public key located in the repo of openwhisk release.
+echo "Load the public key."
+gpg --import $SCRIPTDIR/key_pub.gpg
+
+echo "Load the private key."
+gpg --allow-secret-key-import --import $SCRIPTDIR/key_sec.gpg
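Review bot: Both `gpg --import` lines look for the key files under `$SCRIPTDIR`, which is tools/travis/, but this PR adds the public key as tools/key_pub.gpg and the Travis script decrypts the private key to `$PARENTDIR/key_sec.gpg` (tools/), so with `set -e` the script will abort on the first import unless the files are also copied into tools/travis/. Resolve the parent directory explicitly, and since the decrypted private key is only needed until it is in the keyring, remove the file once imported (presumably nothing else reads it; confirm against sign_artifacts.sh).
```shell
SCRIPTDIR="$(cd "$(dirname "$0")"/ && pwd)"
PARENTDIR="$(dirname "$SCRIPTDIR")"
# … unchanged: echo lines …
gpg --import "$PARENTDIR/key_pub.gpg"
gpg --allow-secret-key-import --import "$PARENTDIR/key_sec.gpg"
rm -f -- "$PARENTDIR/key_sec.gpg"
```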
diff --git a/tools/travis/package_source_code.sh b/tools/travis/package_source_code.sh
index e09b021..e14244e 100755
--- a/tools/travis/package_source_code.sh
+++ b/tools/travis/package_source_code.sh
@@ -19,10 +19,10 @@ if [ "$TRAVIS_EVENT_TYPE" == "push" ] ; then
 fi
 
 "$PARENTDIR/package_source_code.sh" $WORK_DIR $SVN_USERNAME $SVN_PASSWORD
-"$PARENTDIR/generate_pgp_key.sh"
-"$PARENTDIR/export_pgp_key.sh" $WORK_DIR
-"$PARENTDIR/sign_artifacts.sh" $WORK_DIR
 
 if [ "$TRAVIS_EVENT_TYPE" == "push" ] ; then
+    openssl aes-256-cbc -K $encrypted_2030e681f34a_key -iv $encrypted_2030e681f34a_iv -in $PARENTDIR/key_sec.gpg.enc -out $PARENTDIR/key_sec.gpg -d
+    "$SCRIPTDIR/import_pgp_key.sh"
+    "$PARENTDIR/sign_artifacts.sh" $WORK_DIR
     "$PARENTDIR/upload_artifacts.sh" $WORK_DIR $SVN_USERNAME $SVN_PASSWORD
 fi
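Review bot: The decrypted private key written to `$PARENTDIR/key_sec.gpg` is never removed, so it remains in the checkout for the rest of the build (and in any artifact or cache that captures the working tree) after signing is done; add `rm -f -- "$PARENTDIR/key_sec.gpg"` after the sign step, or register it in a `trap ... EXIT` so it is cleaned up even when signing fails. The `-K $encrypted_2030e681f34a_key -iv $encrypted_2030e681f34a_iv` values are also passed on argv, where they are visible to other processes on the host via `ps`; openssl's `-pass env:` form or a key file keeps them out of the process table. Whether this file runs under `set -e` is not visible in the hunk; if it does not, a failed decrypt is followed by an import of a missing file.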
diff --git a/tools/util.sh b/tools/util.sh
index 7654c40..36ddc8b 100755
--- a/tools/util.sh
+++ b/tools/util.sh
@@ -9,3 +9,40 @@ function json_by_key() {
     key=$2
     echo $input | jq ''.$key'' | sed -e 's/^"//' -e 's/"$//'
 }
+
+function import_key_verify_signature() {
+    key_url=$1
+    dir=$2
+    cd $dir
+
+    echo "Importing PGP keys"
+    curl $key_url | gpg --import && \
+    echo "[?] GPG keys imported" \
+      || { echo "[x] Failed to import GPG keys"; exit 1; }
+
+    echo "Checking signatures and hashes of artifacts"
+    for artifact in $(find * -type f \( -name '*.tar.gz' \) ); do
+        # Check md5
+        artifactMD5=$(gpg --print-md MD5 ${artifact})
+        artifactMD5File=$(cat ${artifact}.md5)
+        if [ "$artifactMD5" == "$artifactMD5File" ];then
+            echo "[?] MD5 verified for $artifact"
+        else
+            echo "[x] Unmatched MD5 for $artifact."; exit 1;
+        fi
+
+        # Check sha512
+        artifactSha512=$(gpg --print-md SHA512 ${artifact})
+        artifactSha512File=$(cat ${artifact}.sha512)
+        if [ "$artifactSha512" == "$artifactSha512File" ];then
+            echo "[?] SHA512 verified for $artifact"
+        else
+            echo "[x] Unmatched SHA512 for $artifact."; exit 1;
+        fi
+
+        # Verify the signatures
+        gpg --verify ${artifact}.asc ${artifact} && \
+        echo "[?] Signatures verified for $artifact" \
+          || { echo "[x] Invalid signature for $artifact."; exit 1; }
+    done
+}
\ No newline at end of file
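Review bot: `gpg --verify ${artifact}.asc ${artifact}` succeeds for a signature from any key in the keyring, and the keyring was just populated from `$key_url`, which both callers set to `$STAGE_URL/KEYS` — the same staging location as the artifacts being checked — so a replaced staging tree can ship its own KEYS file and still verify. Pin the signer rather than accepting any imported key: e.g. `gpg --status-fd 1 --verify "${artifact}.asc" "${artifact}" | grep -q "^\[GNUPG:\] VALIDSIG <EXPECTED_FINGERPRINT> "` with the fingerprint taken from the key committed as tools/key_pub.gpg or from config.json (placeholder shown). `curl $key_url` also runs without `-f`, so an HTTP error body is piped into `gpg --import`; `curl -fsSL -- "$key_url"` makes the fetch itself fail loudly. `cd $dir` has no error check and the `exit 1` calls terminate the sourcing script, which is presumably intended for a verify step but worth stating in a header comment.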
diff --git a/tools/verify_local_artifacts.sh b/tools/verify_local_artifacts.sh
new file mode 100755
index 0000000..3a83484
--- /dev/null
+++ b/tools/verify_local_artifacts.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Verify the local artifacts with the KEYS"
+
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
+source "$SCRIPTDIR/load_config.sh" $1 $2 $3
+
+mkdir -p $OPENWHISK_SVN
+cd $OPENWHISK_SVN/$REMOTE_PATH
+
+import_key_verify_signature $STAGE_URL/KEYS $OPENWHISK_SVN/$REMOTE_PATH
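Review bot: `cd $OPENWHISK_SVN/$REMOTE_PATH` duplicates the `cd $dir` that import_key_verify_signature performs on its second argument, and `mkdir -p $OPENWHISK_SVN` only creates the parent, so when the release directory has not been packaged yet the script dies on the `cd` with a bare shell error. Replace the two lines with an explicit check that names the problem: `[ -d "$OPENWHISK_SVN/$REMOTE_PATH" ] || { echo "No local artifacts in $OPENWHISK_SVN/$REMOTE_PATH" >&2; exit 1; }`, and quote the arguments to the function call: `import_key_verify_signature "$STAGE_URL/KEYS" "$OPENWHISK_SVN/$REMOTE_PATH"`.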
diff --git a/tools/verify_remote_artifacts.sh b/tools/verify_remote_artifacts.sh
new file mode 100755
index 0000000..ad4f330
--- /dev/null
+++ b/tools/verify_remote_artifacts.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Verify the remote artifacts with the KEYS"
+
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
+source "$SCRIPTDIR/load_config.sh" $1 $2 $3
+
+mkdir -p $OPENWHISK_SVN
+cd $OPENWHISK_SVN
+
+# Remove the local folder, because we are about to download the artifacts from the staging folder.
+rm -rf $REMOTE_PATH
+
+# Check out the artifacts.
+svn co $CURRENT_VERSION_URL $REMOTE_PATH
+
+cd $REMOTE_PATH
+
+import_key_verify_signature $STAGE_URL/KEYS $OPENWHISK_SVN/$REMOTE_PATH
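Review bot: `svn co $CURRENT_VERSION_URL $REMOTE_PATH` runs without `--non-interactive`, so in CI any certificate or authentication prompt will hang the job rather than fail it; load_config.sh computes `$CREDENTIALS` for this script but it is unused here, and at minimum `svn co --non-interactive "$CURRENT_VERSION_URL" "$REMOTE_PATH"` should be used. The preceding `rm -rf $REMOTE_PATH` is unquoted and unguarded; `rm -rf -- "${REMOTE_PATH:?}"` aborts instead of expanding to `rm -rf` on the current directory if the version keys are ever missing from config.json. Quote the final call as well: `import_key_verify_signature "$STAGE_URL/KEYS" "$OPENWHISK_SVN/$REMOTE_PATH"`.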


 
