author | Yun Peng <pcloudy@google.com> | 2016-10-11 13:02:42 +0000 |
---|---|---|
committer | Yue Gan <yueg@google.com> | 2016-10-11 13:27:03 +0000 |
commit | 3d8ae22bcdf42855da3d625465611c33fe257326 (patch) | |
tree | 0cc5203d8347a54965d4476ef6bc202514842b38 | |
parent | c79570cf340e158d5025ccdb1358c4e1548d2558 (diff) |
Sign all Bazel binaries using gpg during release process
Fix https://github.com/bazelbuild/bazel/issues/1668
--
Change-Id: Ibe517744cd55ad5e32420302a081cc72da878bbe
Reviewed-on: https://bazel-review.googlesource.com/#/c/6550
MOS_MIGRATED_REVID=135787988
-rwxr-xr-x | scripts/ci/build.sh | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/scripts/ci/build.sh b/scripts/ci/build.sh
index 70e1d895b3..ad3fae4a1d 100755
--- a/scripts/ci/build.sh
+++ b/scripts/ci/build.sh
@@ -309,6 +309,11 @@ function release_to_gcs() {
 fi
 }

+function ensure_gpg_secret_key_imported() {
+ (gpg --list-secret-keys | grep "${APT_GPG_KEY_ID}" > /dev/null) || \
+ gpg --allow-secret-key-import --import "${APT_GPG_KEY_PATH}"
+}
+
 function create_apt_repository() {
 mkdir conf
 cat > conf/distributions <<EOF
@@ -342,8 +347,7 @@ EOF
 touch conf/override.stable
 touch conf/override.testing

- (gpg --list-keys | grep "${APT_GPG_KEY_ID}" > /dev/null) || \
- gpg --allow-secret-key-import --import "${APT_GPG_KEY_PATH}"
+ ensure_gpg_secret_key_imported

 local distribution="$1"
 local deb_pkg_name_jdk8="$2"
@@ -416,6 +420,7 @@ function deploy_release() {

 # A wrapper for the whole release phase:
 # Compute the SHA-256, and arrange the input
+# Sign every binary using gpg and generating .sig files
 # Deploy the release
 # Generate the email
 # Input: $1 $2 [$3 $4 [$5 $6 ...]]
@@ -430,6 +435,8 @@ function bazel_release() {
 local README=$2/README.md
 tmpdir=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXX)
 trap 'rm -fr ${tmpdir}' EXIT
+ ensure_gpg_secret_key_imported
+
 while (( $# > 1 )); do
 local platform=$1
 local folder=$2
@@ -446,6 +453,7 @@ function bazel_release() {
 fi
 mv $file $destfile
 checksum $destfile > $destfile.sha256
+ gpg --detach-sign -u "${APT_GPG_KEY_ID}" "$destfile"
 fi
 done
 done |
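Review bot: The presence check in `ensure_gpg_secret_key_imported` greps the human-readable keyring listing, so an empty or unset `APT_GPG_KEY_ID` matches every line and silently skips the import, and a short ID can also match unrelated text such as a uid. Asking gpg for the key by ID and failing on an unset variable is stricter: `gpg --list-secret-keys "${APT_GPG_KEY_ID:?}" > /dev/null 2>&1 || \` followed by `gpg --allow-secret-key-import --import "${APT_GPG_KEY_PATH:?}"`. A short header comment naming the two globals the function reads (`APT_GPG_KEY_ID`, `APT_GPG_KEY_PATH`) would also help, since both release paths now depend on it.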
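Review bot: The `ensure_gpg_secret_key_imported` call added after the `trap` imports the release signing key into whatever GnuPG home the CI account already has, so the secret key stays in that keyring after `tmpdir` is removed. If `GNUPGHOME` is not set elsewhere in the script (not visible in this hunk), consider a throwaway keyring under the temp directory before the import, for example `export GNUPGHOME="${tmpdir}/gnupg"; mkdir -m 700 "${GNUPGHOME}"`, so the existing EXIT cleanup also removes the key material. `bazel_release` starts and ends outside the hunk, so confirm that nothing later in the function expects the default keyring.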
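Review bot: The new `gpg --detach-sign` line runs without `--batch`, and its exit status is not checked in the visible lines. On an unattended release host a passphrase prompt or an already existing `.sig` can stall the job. Unless `set -e` is active (not visible here), a signing failure lets the loop go on and publish a binary with a checksum but no signature. Suggested form: `gpg --batch --yes --detach-sign -u "${APT_GPG_KEY_ID}" "$destfile" || { echo "signing ${destfile} failed" >&2; exit 1; }`. The enclosing loops in `bazel_release` start outside the hunk.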