Chiebot-Mirror
/
tini
mirror of https://github.com/krallin/tini.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

Sign `tini` and `tini-static` binaries

Browse Source 
The GPG signing subkey and passphrase are respectively provided through
a Travis encrypted file and a Travis encrypted environment variable.

Signing is only done if there is a signing key present when the build is
complete (so as to not fail when e.g. building a PR that doesn't have
encrypted files available).
pull/33/head
Thomas Orozco 9 years ago
parent 428d960140
commit 44b5675f0e
7 changed files with 46 additions and 2 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      .gitignore
  2. 11
      .travis.yml
  3. 2
      Dockerfile
  4. 21
      ci/run_build.sh
  5. 1
      ddist.sh
  6. BIN
      sign.key.enc
  7. 11
      tpl/travis.yml.tpl

2
.gitignore vendored
Unescape View File

@ -1 +1,3 @@
dist
sign.key
.env

11
.travis.yml
Unescape View File

@ -23,6 +23,15 @@ addons:
- python-pip
- python-virtualenv
- hardening-includes
- gnupg
env:
global:
- SIGN_BINARIES=1
- secure: "RKF9Z9gLxp6k/xITqn7ma1E9HfpYcDXuJFf4862WeH9EMnK9lDq+TWnGsQfkIlqh8h9goe7U+BvRiTibj9MiD5u7eluLo3dlwsLxPpYtyswYeLeC1wKKdT5LPGAXbRKomvBalRYMI+dDnGIM4w96mHgGGvx2zZXGkiAQhm6fJ3k="
before_install:
- openssl aes-256-cbc -K $encrypted_2893fd5649e7_key -iv $encrypted_2893fd5649e7_iv -in sign.key.enc -out sign.key -d || echo "Encrypted signing key unavailable"
script: ./ci/run_build.sh
@ -34,7 +43,9 @@ deploy:
secure: Yk90ANpSPv1iJy8QDXCPwfaSmEr/WIJ3bzhQ6X8JvZjfrwTosbh0HrUzQyeac3nyvNwj7YJRssolOFc21IBKPpCFTZqYxSkuLPU6ysG4HGHgN6YJhOMm4mG4KKJ6741q3DJendhZpalBhCEi+NcZK/PCSD97Vl4OqRjBUged0fs=
file:
- "./dist/tini"
- "./dist/tini.asc"
- "./dist/tini-static"
- "./dist/tini-static.asc"
- "./dist/tini_0.8.4.deb"
- "./dist/tini_0.8.4.rpm"
on:

2
Dockerfile
Unescape View File

@ -1,7 +1,7 @@
FROM ubuntu:precise
RUN apt-get update \
&& apt-get install --no-install-recommends --yes build-essential git gdb valgrind cmake rpm python-dev libcap-dev python-pip python-virtualenv hardening-includes \
&& apt-get install --no-install-recommends --yes build-essential git gdb valgrind cmake rpm python-dev libcap-dev python-pip python-virtualenv hardening-includes gnupg \
&& rm -rf /var/lib/apt/lists/*
# Pre-install those here for faster local builds.

21
ci/run_build.sh
Unescape View File

@ -11,6 +11,9 @@ set -o nounset
: ${DIST_DIR:="${SOURCE_DIR}/dist"}
: ${BUILD_DIR:="/tmp/build"}
# GPG Configuration
: ${GPG_PASSPHRASE:=""}
# Make those paths absolute, and export them for the Python tests to consume.
export SOURCE_DIR="$(readlink -f "${SOURCE_DIR}")"
@ -44,7 +47,6 @@ pushd "${BUILD_DIR}"
make clean
make
make package
popd
# Smoke tests (actual tests need Docker to run; they don't run within the CI environment)
@ -104,3 +106,20 @@ pip install psutil python-prctl bitmap
# Run tests
python "${SOURCE_DIR}/test/run_inner_tests.py"
# If a signing key is made available, then use it to sign the binaries
if [[ -f "${SOURCE_DIR}/sign.key" ]]; then
echo "Signing binaries"
GPG_SIGN_HOMEDIR="${BUILD_DIR}/gpg-sign"
GPG_VERIFY_HOMEDIR="${BUILD_DIR}/gpg-verify"
mkdir "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}"
chmod 700 "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}"
gpg --homedir "${GPG_SIGN_HOMEDIR}" --import "${SOURCE_DIR}/sign.key"
gpg --homedir "${GPG_VERIFY_HOMEDIR}" --keyserver ha.pool.sks-keyservers.net --recv-keys 0527A9B7
for tini in "${DIST_DIR}/tini" "${DIST_DIR}/tini-static"; do
echo "${GPG_PASSPHRASE}" | gpg --homedir "${GPG_SIGN_HOMEDIR}" --passphrase-fd 0 --armor --detach-sign "${tini}"
gpg --homedir "${GPG_VERIFY_HOMEDIR}" --verify "${tini}.asc"
done
fi

1
ddist.sh
Unescape View File

@ -22,4 +22,5 @@ docker run -it --rm \
-e BUILD_DIR=/tmp/tini-build \
-e SOURCE_DIR="${SRC}" \
-e FORCE_SUBREAPER="${FORCE_SUBREAPER}" \
-e GPG_PASSPHRASE="${GPG_PASSPHRASE}" \
"${IMG}" "${SRC}/ci/run_build.sh"

BIN
sign.key.enc
View File

Binary file not shown.

11
tpl/travis.yml.tpl
Unescape View File

@ -23,6 +23,15 @@ addons:
- python-pip
- python-virtualenv
- hardening-includes
- gnupg
env:
global:
- SIGN_BINARIES=1
- secure: "RKF9Z9gLxp6k/xITqn7ma1E9HfpYcDXuJFf4862WeH9EMnK9lDq+TWnGsQfkIlqh8h9goe7U+BvRiTibj9MiD5u7eluLo3dlwsLxPpYtyswYeLeC1wKKdT5LPGAXbRKomvBalRYMI+dDnGIM4w96mHgGGvx2zZXGkiAQhm6fJ3k="
before_install:
- openssl aes-256-cbc -K $encrypted_2893fd5649e7_key -iv $encrypted_2893fd5649e7_iv -in sign.key.enc -out sign.key -d || echo "Encrypted signing key unavailable"
script: ./ci/run_build.sh
@ -34,7 +43,9 @@ deploy:
secure: Yk90ANpSPv1iJy8QDXCPwfaSmEr/WIJ3bzhQ6X8JvZjfrwTosbh0HrUzQyeac3nyvNwj7YJRssolOFc21IBKPpCFTZqYxSkuLPU6ysG4HGHgN6YJhOMm4mG4KKJ6741q3DJendhZpalBhCEi+NcZK/PCSD97Vl4OqRjBUged0fs=
file:
- "./dist/tini"
- "./dist/tini.asc"
- "./dist/tini-static"
- "./dist/tini-static.asc"
- "./dist/tini_@tini_VERSION_MAJOR@.@tini_VERSION_MINOR@.@tini_VERSION_PATCH@.deb"
- "./dist/tini_@tini_VERSION_MAJOR@.@tini_VERSION_MINOR@.@tini_VERSION_PATCH@.rpm"
on:

Write Preview
Loading…
Cancel
Save