From 966c08d9869b026901318e4b0bac0221524eb8f5 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Thu, 21 Nov 2024 22:48:46 +0100 Subject: [PATCH 1/3] tools: filter release keys to reduce interactivity --- tools/release.sh | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/tools/release.sh b/tools/release.sh index fca6e30a6308f2..519f2968a3adea 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -15,15 +15,25 @@ webuser=dist promotablecmd=dist-promotable promotecmd=dist-promote signcmd=dist-sign +allPGPKeys="" customsshkey="" # let ssh and scp use default key +readmePath="README.md" signversion="" cloudflare_bucket="r2:dist-prod" -while getopts ":i:s:" option; do +while getopts ":i:r:s:a" option; do case "${option}" in + a) + # With -a, local keys are not filtered based on the one listed in the README + # useful if you want to sign with a subkey. + allPGPKeys="true" + ;; i) customsshkey="-i ${OPTARG}" ;; + r) + readmePath="${OPTARG}" + ;; s) signversion="${OPTARG}" ;; @@ -44,7 +54,16 @@ shift $((OPTIND-1)) echo "# Selecting GPG key ..." -gpgkey=$(gpg --list-secret-keys --keyid-format SHORT | awk -F'( +|/)' '/^(sec|ssb)/{print $3}') + +if [ -z "$allPGPKeys" ]; then + gpgkey="$(awk '{ + if ($1 == "gpg" && $2 == "--keyserver" && $4 == "--recv-keys" && (1 == 2'"$( + gpg --list-secret-keys | grep 'Key fingerprint =' | awk -F' = ' '{ print " || $5 == \"" $2 "\"" }' | tr -d ' ' + )"')) { print substr($5, 33) } + }' "$readmePath")" +else + gpgkey=$(gpg --list-secret-keys --keyid-format SHORT | awk -F'( +|/)' '/^(sec|ssb)/{print $3}') +fi keycount=$(echo "$gpgkey" | wc -w) if [ "$keycount" -eq 0 ]; then 
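Review bot: `-r` accepts any path and nothing in the option-parsing hunk checks it, so a mistyped path only shows up later as an awk or grep error followed by a misleading key-selection failure. A guard right after the `getopts` loop, such as `[ -r "$readmePath" ] || { echo "Error: cannot read $readmePath" >&2; exit 1; }`, would make the failure explicit. Because this file is the allow-list of trusted release-key fingerprints, the `r)` arm also deserves a comment saying so, e.g. `# Path to the README whose listed fingerprints define which keys may sign`. The usage text printed for unknown options is outside the hunk, so whether it mentions `-a` and `-r` cannot be confirmed from here.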
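Review bot: In the `[ -z "$allPGPKeys" ]` branch the awk program is assembled by pasting text scraped from `gpg --list-secret-keys` into awk source, so the filter depends on gpg's human-readable `Key fingerprint =` label. That label is translated by locale and, as far as I know, is not printed by every GnuPG version or configuration without `--fingerprint`; when it is missing the condition collapses to `1 == 2` and no key is offered. Reading `fpr` records from `--with-colons` and handing the fingerprints to awk as input data, as sketched below, removes both the parsing dependency and the code splicing. The sketch is untested against the project's keyrings. The `@@ -58,7 +58,7 @@` hunks in patches 2/3 and 3/3 keep the same construction, and `substr($5, 33)` still reduces the match to an 8-hex-digit key ID, which is not unique and is only re-checked by the README test further down.
```shell
if [ -z "$allPGPKeys" ]; then
  # Primary-key fingerprints of local secret keys, one per line, taken from
  # gpg's machine-readable output (first fpr record after each sec record).
  localfprs="$(gpg --list-secret-keys --with-colons |
    awk -F: '$1 == "sec" { primary = 1; next } $1 == "fpr" && primary { print $10; primary = 0 }')"
  # Keep README "gpg --keyserver <host> --recv-keys <fpr>" entries whose
  # fingerprint belongs to a local key; fingerprints are read as data (stdin),
  # not spliced into the awk program text.
  gpgkey="$(printf '%s\n' "$localfprs" | awk '
    NR == FNR { if ($0 != "") have[$0] = 1; next }
    $1 == "gpg" && $2 == "--keyserver" && $4 == "--recv-keys" && ($5 in have) { print substr($5, 33) }
  ' - "$readmePath")"
else
  # … unchanged: -a branch listing all sec/ssb short key IDs …
fi
```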
@@ -70,11 +89,10 @@ fi gpgfing=$(gpg --keyid-format 0xLONG --fingerprint "$gpgkey" | grep 'Key fingerprint =' | awk -F' = ' '{print $2}' | tr -d ' ') -grep -q "$gpgfing" README.md || (\ - echo 'Error: this GPG key fingerprint is not listed in ./README.md' && \ - exit 1 \ -) - +grep -q "$gpgfing" "$readmePath" || { + echo "Error: this GPG key fingerprint is not listed in $readmePath" + exit 1 +} echo "Using GPG key: $gpgkey" echo " Fingerprint: $gpgfing" From b5cd6f5988d882bc039db398924871012226bfff Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Thu, 21 Nov 2024 23:53:54 +0100 Subject: [PATCH 2/3] fixup! tools: filter release keys to reduce interactivity --- tools/release.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/release.sh b/tools/release.sh index 519f2968a3adea..8cbf7d6dd71aba 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -58,7 +58,7 @@ echo "# Selecting GPG key ..." if [ -z "$allPGPKeys" ]; then gpgkey="$(awk '{ if ($1 == "gpg" && $2 == "--keyserver" && $4 == "--recv-keys" && (1 == 2'"$( - gpg --list-secret-keys | grep 'Key fingerprint =' | awk -F' = ' '{ print " || $5 == \"" $2 "\"" }' | tr -d ' ' + gpg --list-secret-keys | awk -F' = ' '/^ +Key fingerprint/{ print " || $5 == \"" $2 "\"" }' | tr -d ' ' || true )"')) { print substr($5, 33) } }' "$readmePath")" else From 42ea297733bd2eaf5baaeeead55c2cebc40492fd Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Thu, 21 Nov 2024 23:57:55 +0100 Subject: [PATCH 3/3] fixup! tools: filter release keys to reduce interactivity --- tools/release.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/release.sh b/tools/release.sh index 8cbf7d6dd71aba..a40035cb7427fc 100755 --- a/tools/release.sh +++ b/tools/release.sh 
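Review bot: `grep -q "$gpgfing" "$readmePath"` passes vacuously when `$gpgfing` is empty, because an empty pattern matches every line, so a failed fingerprint extraction would let an unlisted key through the allow-list check. The value is also treated as a regular expression, and if the short ID in `$gpgkey` ever resolved to more than one key, the multi-line result would act as several patterns of which one match suffices. Suggested guard: `[ -n "$gpgfing" ] && grep -qF -- "$gpgfing" "$readmePath" || {`, with the error `echo` redirected to stderr. The `@@ -87,7 +87,7 @@` hunk in patch 3/3 rewrites the `gpgfing=` pipeline but, as far as it is visible, leaves this check as it is. The script's `set -e`/`pipefail` settings are outside the hunk, so whether an empty result is caught earlier cannot be confirmed here.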
@@ -58,7 +58,7 @@ echo "# Selecting GPG key ..." if [ -z "$allPGPKeys" ]; then gpgkey="$(awk '{ if ($1 == "gpg" && $2 == "--keyserver" && $4 == "--recv-keys" && (1 == 2'"$( - gpg --list-secret-keys | awk -F' = ' '/^ +Key fingerprint/{ print " || $5 == \"" $2 "\"" }' | tr -d ' ' || true + gpg --list-secret-keys | awk -F' = ' '/^ +Key fingerprint/{ gsub(/ /,"",$2); print " || $5 == \"" $2 "\"" }' || true )"')) { print substr($5, 33) } }' "$readmePath")" else @@ -87,7 +87,7 @@ elif [ "$keycount" -ne 1 ]; then gpgkey=$(echo "$gpgkey" | sed -n "${keynum}p") fi -gpgfing=$(gpg --keyid-format 0xLONG --fingerprint "$gpgkey" | grep 'Key fingerprint =' | awk -F' = ' '{print $2}' | tr -d ' ') +gpgfing=$(gpg --keyid-format 0xLONG --fingerprint "$gpgkey" | awk -F' = ' '/^ +Key fingerprint/{gsub(/ /,"",$2);print $2}') grep -q "$gpgfing" "$readmePath" || { echo "Error: this GPG key fingerprint is not listed in $readmePath"