Posted to commits@solr.apache.org by ho...@apache.org on 2022/05/18 16:02:27 UTC
[solr] branch main updated: Use full gpg fingerprint when building official dockerfile (#866)
This is an automated email from the ASF dual-hosted git repository.
houston pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/main by this push:
new 814ec57c41c Use full gpg fingerprint when building official dockerfile (#866)
814ec57c41c is described below
commit 814ec57c41c5fa013ad7654ff49029c287b23b30
Author: Houston Putman <ho...@apache.org>
AuthorDate: Wed May 18 12:02:22 2022 -0400
Use full gpg fingerprint when building official dockerfile (#866)
---
dev-tools/scripts/README.md | 34 ++++++++++++++++++++------------
dev-tools/scripts/buildAndPushRelease.py | 6 +++---
dev-tools/scripts/releaseWizard.py | 19 ++++++++++--------
dev-tools/scripts/releaseWizard.yaml | 2 +-
4 files changed, 36 insertions(+), 25 deletions(-)
diff --git a/dev-tools/scripts/README.md b/dev-tools/scripts/README.md
index 77d0da6543d..a4588fd819e 100644
--- a/dev-tools/scripts/README.md
+++ b/dev-tools/scripts/README.md
@@ -72,25 +72,33 @@ of the other tools in this folder.
### buildAndPushRelease.py
- usage: buildAndPushRelease.py [-h] [--no-prepare] [--local-keys PATH]
- [--push-local PATH] [--sign KEYID]
- [--rc-num NUM] [--root PATH] [--logfile PATH]
+ usage: buildAndPushRelease.py [-h] [--no-prepare] [--local-keys PATH] [--push-local PATH] [--sign FINGERPRINT]
+ [--sign-method-gradle] [--gpg-pass-noprompt] [--gpg-home PATH] [--rc-num NUM]
+ [--root PATH] [--logfile PATH] [--dev-mode]
Utility to build, push, and test a release.
optional arguments:
- -h, --help show this help message and exit
- --no-prepare Use the already built release in the provided checkout
- --local-keys PATH Uses local KEYS file to validate presence of RM's gpg key
- --push-local PATH Push the release to the local path
- --sign KEYID Sign the release with the given gpg key
- --rc-num NUM Release Candidate number. Default: 1
- --root PATH Root of Git working tree for solr. Default: "."
- (the current directory)
- --logfile PATH Specify log file path (default /tmp/release.log)
+ -h, --help show this help message and exit
+ --no-prepare Use the already built release in the provided checkout
+ --local-keys PATH Uses local KEYS file to validate presence of RM's gpg key
+ --push-local PATH Push the release to the local path
+ --sign FINGERPRINT Sign the release with the given gpg key. This must be the full GPG fingerprint, not just the
+ last 8 characters.
+ --sign-method-gradle Use Gradle built-in GPG signing instead of gpg command for signing artifacts. This may require
+ --gpg-secring argument if your keychain cannot be resolved automatically.
+ --gpg-pass-noprompt Do not prompt for gpg passphrase. For the default gnupg method, this means your gpg-agent needs
+ a non-TTY pin-entry program. For gradle signing method, passphrase must be provided in
+ gradle.properties or by env.var/sysprop. See ./gradlew helpPublishing for more info
+ --gpg-home PATH Path to gpg home containing your secring.gpg Optional, will use $HOME/.gnupg/secring.gpg by
+ default
+ --rc-num NUM Release Candidate number. Default: 1
+ --root PATH Root of Git working tree for solr. Default: "." (the current directory)
+ --logfile PATH Specify log file path (default /tmp/release.log)
+ --dev-mode Enable development mode, which disables some strict checks
Example usage for a Release Manager:
- python3 -u dev-tools/scripts/buildAndPushRelease.py --push-local /tmp/releases/6.0.1 --sign 6E68DA61 --rc-num 1
+ python3 -u dev-tools/scripts/buildAndPushRelease.py --push-local /tmp/releases/6.0.1 --sign 3782CBB60147010B330523DD26FBCC7836BF353A --rc-num 1
### addVersion.py
diff --git a/dev-tools/scripts/buildAndPushRelease.py b/dev-tools/scripts/buildAndPushRelease.py
index 98437f8c332..a7275490ce5 100755
--- a/dev-tools/scripts/buildAndPushRelease.py
+++ b/dev-tools/scripts/buildAndPushRelease.py
@@ -241,7 +241,7 @@ def read_version(path): # pylint: disable=unused-argument
def parse_config():
epilogue = textwrap.dedent('''
Example usage for a Release Manager:
- python3 -u dev-tools/scripts/buildAndPushRelease.py --push-local /tmp/releases/6.0.1 --sign 6E68DA61 --rc-num 1
+ python3 -u dev-tools/scripts/buildAndPushRelease.py --push-local /tmp/releases/6.0.1 --sign 3782CBB60147010B330523DD26FBCC7836BF353A --rc-num 1
''')
description = 'Utility to build, push, and test a release.'
parser = argparse.ArgumentParser(description=description, epilog=epilogue,
@@ -252,8 +252,8 @@ def parse_config():
help='Uses local KEYS file to validate presence of RM\'s gpg key')
parser.add_argument('--push-local', metavar='PATH',
help='Push the release to the local path')
- parser.add_argument('--sign', metavar='KEYID',
- help='Sign the release with the given gpg key')
+ parser.add_argument('--sign', metavar='FINGERPRINT',
+ help='Sign the release with the given gpg key. This must be the full GPG fingerprint, not just the last 8 characters.')
parser.add_argument('--sign-method-gradle', dest='sign_method_gradle', default=False, action='store_true',
help='Use Gradle built-in GPG signing instead of gpg command for signing artifacts. '
' This may require --gpg-secring argument if your keychain cannot be resolved automatically.')
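Review bot: The new `--sign` help text says the value "must be the full GPG fingerprint", but nothing in this hunk enforces it, so argparse will still accept an 8-character key ID and pass it on to signing. Short key IDs are not unique, so the requirement is worth checking at parse time rather than only documenting it. After parsing, I would reject any value that does not match `[0-9A-Fa-f]{40}`, for example with `parser.error('--sign must be the full 40-character GPG fingerprint')`. parse_config continues outside the hunk, so a later check may already exist there.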
diff --git a/dev-tools/scripts/releaseWizard.py b/dev-tools/scripts/releaseWizard.py
index 7361c767238..a6b91eff95f 100755
--- a/dev-tools/scripts/releaseWizard.py
+++ b/dev-tools/scripts/releaseWizard.py
@@ -1133,21 +1133,23 @@ def configure_pgp(gpg_todo):
if keyid_linenum:
keyid_line = lines[keyid_linenum]
assert keyid_line.startswith('LDAP PGP key: ')
- gpg_id = keyid_line[14:].replace(" ", "")[-8:]
+ gpg_fingerprint = keyid_line[14:].replace(" ", "")
+ gpg_id = gpg_fingerprint[-8:]
print("Found gpg key id %s on file at Apache (%s)" % (gpg_id, key_url))
else:
print(textwrap.dedent("""\
Could not find your GPG key from Apache servers.
Please make sure you have registered your key ID in
id.apache.org, see links for more info."""))
- gpg_id = str(input("Enter your key ID manually, 8 last characters (ENTER=skip): "))
- if gpg_id.strip() == '':
+ gpg_fingerprint = str(input("Enter your key fingerprint manually, all 40 characters (ENTER=skip): "))
+ if gpg_fingerprint.strip() == '':
return False
- elif len(gpg_id) != 8:
- print("gpg id must be the last 8 characters of your key id")
- gpg_id = gpg_id.upper()
+ elif len(gpg_fingerprint) != 40:
+ print("gpg fingerprint must be 40 characters long, do not just input the last 8")
+ gpg_fingerprint = gpg_fingerprint.upper()
+ gpg_id = gpg_fingerprint[-8:]
try:
- res = run("gpg --list-secret-keys %s" % gpg_id)
+ res = run("gpg --list-secret-keys %s" % gpg_fingerprint)
print("Found key %s on your private gpg keychain" % gpg_id)
# Check rsa and key length >= 4096
match = re.search(r'^sec +((rsa|dsa)(\d{4})) ', res)
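Review bot: The manual-entry branch of configure_pgp only prints a message when `len(gpg_fingerprint) != 40`; nothing visible returns or re-prompts, so a malformed value appears to flow on into `run("gpg --list-secret-keys %s" % gpg_fingerprint)` and, in the later hunk, `gpg --check-signatures`. The length test also runs on the raw input, so a fingerprint pasted in gpg's space-grouped form trips the message even though the LDAP branch strips spaces, while 40 characters of non-hex text pass. Because the string is interpolated into a command line (how `run` executes it is outside this page), I would normalise it and accept only 40 hex digits before any gpg call, and apply the same check to the value parsed from `key_url`. configure_pgp starts and ends outside the hunk, and the page has lost indentation, so the nesting of the `.upper()` line is inferred.

```python
gpg_fingerprint = str(input("Enter your key fingerprint manually, all 40 characters (ENTER=skip): "))
# Normalise the space-grouped form gpg prints, then accept only a full fingerprint.
gpg_fingerprint = gpg_fingerprint.replace(" ", "").upper()
if gpg_fingerprint == '':
    return False
if not re.fullmatch(r'[0-9A-F]{40}', gpg_fingerprint):
    print("gpg fingerprint must be 40 hexadecimal characters, do not just input the last 8")
    return False
gpg_id = gpg_fingerprint[-8:]
# … unchanged: try / run("gpg --list-secret-keys %s" % gpg_fingerprint) …
```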
@@ -1185,7 +1187,7 @@ def configure_pgp(gpg_todo):
need to fix this, then try again"""))
return False
try:
- lines = run("gpg --check-signatures %s" % gpg_id).splitlines()
+ lines = run("gpg --check-signatures %s" % gpg_fingerprint).splitlines()
sigs = 0
apache_sigs = 0
for line in lines:
@@ -1227,6 +1229,7 @@ def configure_pgp(gpg_todo):
gpg_state['apache_id'] = id
gpg_state['gpg_key'] = gpg_id
+ gpg_state['gpg_fingerprint'] = gpg_fingerprint
print(textwrap.dedent("""\
You can choose between signing the release with the gpg program or with
diff --git a/dev-tools/scripts/releaseWizard.yaml b/dev-tools/scripts/releaseWizard.yaml
index b7238f6abab..3999a8ca2c9 100644
--- a/dev-tools/scripts/releaseWizard.yaml
+++ b/dev-tools/scripts/releaseWizard.yaml
@@ -734,7 +734,7 @@ groups:
cmd: git pull --ff-only
tee: true
- !Command
- cmd: python3 -u dev-tools/scripts/buildAndPushRelease.py {{ local_keys }} --logfile {{ logfile }} --push-local "{{ dist_file_path }}" --rc-num {{ rc_number }} --sign {{ gpg_key | default("<gpg_key_id>", True) }}{% if gpg.use_gradle %} --sign-method-gradle{% endif %}{% if not gpg.prompt_pass %} --gpg-pass-noprompt{% endif %}
+ cmd: python3 -u dev-tools/scripts/buildAndPushRelease.py {{ local_keys }} --logfile {{ logfile }} --push-local "{{ dist_file_path }}" --rc-num {{ rc_number }} --sign {{ gpg.gpg_fingerprint | default("<gpg_fingerprint>", True) }}{% if gpg.use_gradle %} --sign-method-gradle{% endif %}{% if not gpg.prompt_pass %} --gpg-pass-noprompt{% endif %}
comment: "Using {% if gpg.use_gradle %}gradle{% else %}gpg command{% endif %} for signing.{% if gpg.prompt_pass %} Remember to type your GPG pass-phrase at the prompt!{% endif %}"
logfile: build_rc.log
tee: true
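Review bot: The `--sign {{ gpg.gpg_fingerprint | default("<gpg_fingerprint>", True) }}` argument is rendered unquoted, unlike `--push-local "{{ dist_file_path }}"` in the same command. If the wizard state has no `gpg_fingerprint` (for instance state saved before this change; the persistence code is not shown, so this is an assumption), the placeholder `<gpg_fingerprint>` ends up in the command and a shell would treat the angle brackets as redirections rather than as an argument. Quoting the value, `--sign "{{ gpg.gpg_fingerprint | default("<gpg_fingerprint>", True) }}"`, would let buildAndPushRelease.py receive the placeholder literally and fail on it visibly.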