github.com/opencontainers/runc@v1.2.0-rc.1.0.20240520010911-492dc558cdd6/script/release_sign.sh (about)

     1  #!/bin/bash
     2  # Copyright (C) 2017-2023 SUSE LLC.
     3  # Copyright (C) 2017-2023 Open Containers Authors
     4  #
     5  # Licensed under the Apache License, Version 2.0 (the "License");
     6  # you may not use this file except in compliance with the License.
     7  # You may obtain a copy of the License at
     8  #
     9  #   http://www.apache.org/licenses/LICENSE-2.0
    10  #
    11  # Unless required by applicable law or agreed to in writing, software
    12  # distributed under the License is distributed on an "AS IS" BASIS,
    13  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14  # See the License for the specific language governing permissions and
    15  # limitations under the License.
    16  
    17  set -Eeuo pipefail
    18  
    19  project="runc"
    20  root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
    21  
    22  # Print usage information.
    23  function usage() {
    24  	echo "usage: release_sign.sh [-S <gpg-key-id>] [-H <hashcmd>]" >&2
    25  	echo "                       [-r <release-dir>] [-v <version>]" >&2
    26  	exit 1
    27  }
    28  
    29  # Log something to stderr.
    30  function log() {
    31  	echo "[*]" "$@" >&2
    32  }
    33  
    34  # Log something to stderr and then exit with 0.
    35  function quit() {
    36  	log "$@"
    37  	exit 0
    38  }
    39  
    40  # Log something to stderr and then exit with 1.
    41  function bail() {
    42  	log "$@"
    43  	exit 1
    44  }
    45  
    46  # Conduct a sanity-check to make sure that GPG provided with the given
    47  # arguments can sign something. Inability to sign things is not a fatal error.
    48  function gpg_cansign() {
    49  	gpg "$@" --clear-sign </dev/null >/dev/null
    50  }
    51  
    52  # When creating releases we need to build static binaries, an archive of the
    53  # current commit, and generate detached signatures for both.
    54  keyid=""
    55  version=""
    56  releasedir=""
    57  hashcmd=""
    58  
    59  while getopts "H:hr:S:v:" opt; do
    60  	case "$opt" in
    61  	H)
    62  		hashcmd="$OPTARG"
    63  		;;
    64  	h)
    65  		usage
    66  		;;
    67  	r)
    68  		releasedir="$OPTARG"
    69  		;;
    70  	S)
    71  		keyid="$OPTARG"
    72  		;;
    73  	v)
    74  		version="$OPTARG"
    75  		;;
    76  	:)
    77  		echo "Missing argument: -$OPTARG" >&2
    78  		usage
    79  		;;
    80  	\?)
    81  		echo "Invalid option: -$OPTARG" >&2
    82  		usage
    83  		;;
    84  	esac
    85  done
    86  
    87  version="${version:-$(<"$root/VERSION")}"
    88  releasedir="${releasedir:-release/$version}"
    89  hashcmd="${hashcmd:-sha256sum}"
    90  
    91  log "signing $project release in '$releasedir'"
    92  log "      key: ${keyid:-DEFAULT}"
    93  log "     hash: $hashcmd"
    94  
    95  # Set up the gpgflags.
    96  gpgflags=()
    97  [[ "$keyid" ]] && gpgflags=(--default-key "$keyid")
    98  gpg_cansign "${gpgflags[@]}" || quit "Could not find suitable GPG key, skipping signing step."
    99  
   100  # Make explicit what we're doing.
   101  set -x
   102  
   103  # Check that the keyid is actually in the $project.keyring by signing a piece
   104  # of dummy text then verifying it against the list of keys in that keyring.
   105  tmp_gpgdir="$(mktemp -d --tmpdir "$project-sign-tmpkeyring.XXXXXX")"
   106  trap 'rm -r "$tmp_gpgdir"' EXIT
   107  
   108  tmp_runc_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/$project.keyring")
   109  gpg "${tmp_runc_gpgflags[@]}" --import <"$root/$project.keyring"
   110  
   111  tmp_seccomp_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/seccomp.keyring")
   112  gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x47A68FCE37C7D7024FD65E11356CE62C2B524099
   113  gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x7100AADFAE6E6E940D2E0AD655E45A5AE8CA7C8A
   114  
   115  gpg "${gpgflags[@]}" --clear-sign <<<"[This is test text used for $project release scripts. $(date --rfc-email)]" |
   116  	gpg "${tmp_runc_gpgflags[@]}" --verify || bail "Signing key ${keyid:-DEFAULT} is not in trusted $project.keyring list!"
   117  
   118  # Make sure the signer is okay with the list of keys in the keyring (once this
   119  # release is signed, distributions will trust this keyring).
   120  cat >&2 <<EOF
   121  == PLEASE VERIFY THE FOLLOWING KEYS ==
   122  
   123  The sources for this release will contain the following signing keys as
   124  "trusted", meaning that distributions may trust the keys to sign future
   125  releases. Please make sure that only authorised users' keys are listed.
   126  
   127  $(gpg "${tmp_runc_gpgflags[@]}" --list-keys)
   128  
   129  [ Press ENTER to continue. ]
   130  EOF
   131  read -r
   132  
   133  # Only needed for local signing -- change the owner since by default it's built
   134  # inside a container which means it'll have the wrong owner and permissions.
   135  [ -w "$releasedir" ] || sudo chown -R "$(id -u):$(id -g)" "$releasedir"
   136  
   137  # Sign everything.
   138  for bin in "$releasedir/$project".*; do
   139  	[[ "$(basename "$bin")" == "$project.$hashcmd" ]] && continue # skip hash
   140  	gpg "${gpgflags[@]}" --detach-sign --armor "$bin"
   141  done
   142  gpg "${gpgflags[@]}" --clear-sign --armor \
   143  	--output "$releasedir/$project.$hashcmd"{.tmp,} &&
   144  	mv "$releasedir/$project.$hashcmd"{.tmp,}
   145  
   146  # Verify that all the signatures and shasum are correct.
   147  pushd "$releasedir"
   148  
   149  # Verify project-signed detached signatures.
   150  find . -name "$project.*.asc" -print0 | xargs -0 -L1 gpg "${tmp_runc_gpgflags[@]}" --verify --
   151  
   152  # Verify shasum.
   153  "$hashcmd" -c "$project.$hashcmd"
   154  gpg "${tmp_runc_gpgflags[@]}" --verify "$project.$hashcmd"
   155  
   156  # Verify seccomp tarball.
   157  gpg "${tmp_seccomp_gpgflags[@]}" --verify libseccomp*.asc
   158  
   159  popd