commit cb407069ffe0d789dd0ad5d93b5568a66194213f Author: Mike Perry mikeperry-git@torproject.org Date: Thu Nov 21 00:18:10 2013 -0800
Add basic support for predictable sig uploading + checking. --- gitian/Makefile | 12 +++++++++ gitian/README.build | 8 ++++++ gitian/check-match.sh | 62 ++++++++++++++++++++++++++++++++++++++++++++ gitian/gpg/erinn.gpg | Bin 0 -> 17207 bytes gitian/gpg/ln5.gpg | Bin 0 -> 61902 bytes gitian/gpg/mikeperry.gpg | Bin 0 -> 7813 bytes gitian/upload-signature.sh | 32 +++++++++++++++++++++++ 7 files changed, 114 insertions(+)
diff --git a/gitian/Makefile b/gitian/Makefile index bbabc10..b781f34 100644 --- a/gitian/Makefile +++ b/gitian/Makefile @@ -14,6 +14,18 @@ build-alpha: ./mkbundle-mac.sh versions.alpha ./hash-bundles.sh versions.alpha
+sign: + torsocks ./upload-signature.sh versions + +sign-alpha: + torsocks ./upload-signature.sh versions.alpha + +match: + torsocks ./check-match.sh versions + +match-alpha: + torsocks ./check-match.sh versions.alpha + prep: ./check-prerequisites.sh torsocks ./fetch-inputs.sh ../../gitian-builder/inputs/ versions diff --git a/gitian/README.build b/gitian/README.build index 07ea652..157d948 100644 --- a/gitian/README.build +++ b/gitian/README.build @@ -11,6 +11,10 @@ QuickStart: start the build process to produce localized Linux bundles, followed by Windows bundles, followed by Mac bundles.
+ To check your build results against the official builders, run: + + $ make match + By default, the Makefile wraps input downloads in 'torsocks'. This is done to allow unofficial secret verifiers to remain secret by default. Removing the 'torsocks' from the 'prep' Makefile rule should be sufficient to avoid @@ -43,10 +47,14 @@ Detailed Explanation of Scripts: - vmclean: Remove VM base images - distclean: Remove source dependency inputs, and run clean and vmclean - all: The default. It calls clean, prep, and then build. + - sign: Signs your build output and uplodas it to people.torproject.org + - match: Checks your build output against public signed hashes To build alpha bundles, alternate targets are provided: - alpha: The equivalent to the 'all' rule for alpha packages - build-alpha: The equivalent to the 'build' rule for alpha packages - prep-alpha: The equivalent to the 'prep' rule for alpha packages + - sign-alpha: Signs your build output and uplodas it to people.torproject.org + - match-alpha: Checks your build output against public signed hashes
1. check-prerequisites.sh: This script checks if your system is capable of running Gitian, and if it is not, it tells you what you need to do.
diff --git a/gitian/check-match.sh b/gitian/check-match.sh
new file mode 100755
index 0000000..90f2025
--- /dev/null
+++ b/gitian/check-match.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+# XXX: Args?
+HOST=people.torproject.org
+BASE_DIR=public_html/builds/
+USERS="ln5 mikeperry helix gk"
+
+set -e
+set -u
+
+WRAPPER_DIR=$(dirname "$0")
+WRAPPER_DIR=$(readlink -f "$WRAPPER_DIR")
+
+if [ -z "$1" ];
+then
+ VERSIONS_FILE=$WRAPPER_DIR/versions
+else
+ VERSIONS_FILE=$1
+fi
+
+if ! [ -e $VERSIONS_FILE ]; then
+ echo >&2 "Error: $VERSIONS_FILE file does not exist"
+ exit 1
+fi
+
+. $VERSIONS_FILE
+
+VALID=""
+
+for u in $USERS
+do
+ cd $WRAPPER_DIR
+
+ # XXX: Is there a better way to store these and rename them?
+ mkdir -p $TORBROWSER_VERSION/$u
+ cd $TORBROWSER_VERSION/$u
+
+ wget https://$HOST/~$u/builds/$TORBROWSER_VERSION/sha256sums.txt || continue
+ wget https://$HOST/~$u/builds/$TORBROWSER_VERSION/sha256sums.txt.asc || continue
+
+ keyring="../../gpg/$u.gpg"
+
+ # XXX: Remove this dir
+ gpghome=$(mktemp -d)
+ GNUPGHOME="$gpghome" gpg --import "$keyring"
+ GNUPGHOME="$gpghome" gpg sha256sums.txt.asc || exit 1
+
+ diff -u ../sha256sums.txt sha256sums.txt || exit 1
+
+ VALID="$u $VALID"
+done
+
+if [ -z $VALID ];
+then
+ echo "No bundle hashes or sigs published for $TORBROWSER_VERSION."
+ echo
+ exit 1
+else
+ echo "Matching bundles exist from the following users: $VALID"
+ exit 0
+fi
+
diff --git a/gitian/gpg/erinn.gpg b/gitian/gpg/erinn.gpg
new file mode 100644
index 0000000..2adc455
Binary files /dev/null and b/gitian/gpg/erinn.gpg differ
diff --git a/gitian/gpg/ln5.gpg b/gitian/gpg/ln5.gpg
new file mode 100644
index 0000000..66a2f68
Binary files /dev/null and b/gitian/gpg/ln5.gpg differ
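Review bot: With `set -u` in effect, `if [ -z "$1" ];` aborts with an unbound-variable error when check-match.sh is run without an argument, so the fallback to `$WRAPPER_DIR/versions` is never reached; use `if [ -z "${1:-}" ];` (upload-signature.sh carries the same test under `set -u`). The loop walks `USERS="ln5 mikeperry helix gk"` but the commit only adds keyrings for erinn, ln5 and mikeperry, so a published sha256sums.txt from helix or gk reaches `gpg --import` with a missing keyring file and, under `set -e`, aborts the whole run instead of being reported — presumably helix corresponds to erinn.gpg, so either rename the keyring or adjust the list, and gk needs a keyring before being listed. `[ -z $VALID ]` is unquoted; with two or more matching users the test fails with "too many arguments" and only lands in the success branch by accident, so write `[ -z "$VALID" ]`. On a second run `wget` finds the earlier downloads present and writes `sha256sums.txt.1`, so the signature and the diff are checked against the stale copy; pass `-O sha256sums.txt` (and likewise for the .asc) or remove the files before fetching.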
diff --git a/gitian/gpg/mikeperry.gpg b/gitian/gpg/mikeperry.gpg
new file mode 100644
index 0000000..ab4acc0
Binary files /dev/null and b/gitian/gpg/mikeperry.gpg differ
diff --git a/gitian/upload-signature.sh b/gitian/upload-signature.sh
new file mode 100755
index 0000000..87bd05d
--- /dev/null
+++ b/gitian/upload-signature.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+HOST=people.torproject.org
+BASE_DIR=public_html/builds/
+
+set -u
+
+WRAPPER_DIR=$(dirname "$0")
+WRAPPER_DIR=$(readlink -f "$WRAPPER_DIR")
+
+if [ -z "$1" ];
+then
+ VERSIONS_FILE=$WRAPPER_DIR/versions
+else
+ VERSIONS_FILE=$1
+fi
+
+if ! [ -e $VERSIONS_FILE ]; then
+ echo >&2 "Error: $VERSIONS_FILE file does not exist"
+ exit 1
+fi
+
+. $VERSIONS_FILE
+
+if [ ! -f $TORBROWSER_VERSION/sha256sums.txt ];
+then
+ cd $TORBROWSER_VERSION && gpg -abs sha256sums.txt
+fi
+
+ssh $HOST "mkdir $BASE_DIR/$TORBROWSER_VERSION"
+scp $TORBROWSER_VERSION/sha256sums.txt* $HOST:$BASE_DIR/$TORBROWSER_VERSION/
+ssh $HOST "chmod 755 $BASE_DIR/$TORBROWSER_VERSION && chmod 644 $BASE_DIR/$TORBROWSER_VERSION/*"
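Review bot: The signing condition in upload-signature.sh is inverted: `if [ ! -f $TORBROWSER_VERSION/sha256sums.txt ]` runs `gpg -abs sha256sums.txt` only when the hash file is absent (where gpg has nothing to sign) and never signs an existing one, so the scp below uploads an unsigned sha256sums.txt unless an .asc already happens to exist; the test belongs on the signature, `if [ ! -f "$TORBROWSER_VERSION/sha256sums.txt.asc" ]; then`. The `cd` inside that branch also changes the working directory for the scp that follows, so run it in a subshell: `(cd "$TORBROWSER_VERSION" && gpg -abs sha256sums.txt) || exit 1`. There is no `set -e` here and neither `scp` nor the two `ssh` calls are checked, so a failed upload still ends with exit 0 and the Makefile's `sign` target reports success; append `|| exit 1` to the scp and the final chmod. `mkdir` without `-p` fails on a re-run once the remote directory exists, which is harmless today but becomes an abort the moment `set -e` is added.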