Sign `tini` and `tini-static` binaries

The GPG signing subkey and passphrase are respectively provided through
a Travis encrypted file and a Travis encrypted environment variable.

Signing is only done if there is a signing key present when the build is
complete (so as not to fail when e.g. building a PR that doesn't have
encrypted files available).
pull/33/head
Thomas Orozco 9 years ago
parent 428d960140
commit 44b5675f0e
  1. 2
      .gitignore
  2. 11
      .travis.yml
  3. 2
      Dockerfile
  4. 21
      ci/run_build.sh
  5. 1
      ddist.sh
  6. BIN
      sign.key.enc
  7. 11
      tpl/travis.yml.tpl

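--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 dist
+sign.key
+.env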

@ -23,6 +23,15 @@ addons:
- python-pip - python-pip
- python-virtualenv - python-virtualenv
- hardening-includes - hardening-includes
- gnupg
env:
global:
- SIGN_BINARIES=1
- secure: "RKF9Z9gLxp6k/xITqn7ma1E9HfpYcDXuJFf4862WeH9EMnK9lDq+TWnGsQfkIlqh8h9goe7U+BvRiTibj9MiD5u7eluLo3dlwsLxPpYtyswYeLeC1wKKdT5LPGAXbRKomvBalRYMI+dDnGIM4w96mHgGGvx2zZXGkiAQhm6fJ3k="
before_install:
- openssl aes-256-cbc -K $encrypted_2893fd5649e7_key -iv $encrypted_2893fd5649e7_iv -in sign.key.enc -out sign.key -d || echo "Encrypted signing key unavailable"
script: ./ci/run_build.sh script: ./ci/run_build.sh
@ -34,7 +43,9 @@ deploy:
secure: Yk90ANpSPv1iJy8QDXCPwfaSmEr/WIJ3bzhQ6X8JvZjfrwTosbh0HrUzQyeac3nyvNwj7YJRssolOFc21IBKPpCFTZqYxSkuLPU6ysG4HGHgN6YJhOMm4mG4KKJ6741q3DJendhZpalBhCEi+NcZK/PCSD97Vl4OqRjBUged0fs= secure: Yk90ANpSPv1iJy8QDXCPwfaSmEr/WIJ3bzhQ6X8JvZjfrwTosbh0HrUzQyeac3nyvNwj7YJRssolOFc21IBKPpCFTZqYxSkuLPU6ysG4HGHgN6YJhOMm4mG4KKJ6741q3DJendhZpalBhCEi+NcZK/PCSD97Vl4OqRjBUged0fs=
file: file:
- "./dist/tini" - "./dist/tini"
- "./dist/tini.asc"
- "./dist/tini-static" - "./dist/tini-static"
- "./dist/tini-static.asc"
- "./dist/tini_0.8.4.deb" - "./dist/tini_0.8.4.deb"
- "./dist/tini_0.8.4.rpm" - "./dist/tini_0.8.4.rpm"
on: on:
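Review bot: A failed decryption in `before_install` can leave an empty or partial `sign.key` behind, because openssl appears to open the output file before it validates the key material, and `ci/run_build.sh` gates signing solely on that file existing, so a PR build without the encrypted variables would then try to sign with junk and fail instead of skipping. Clear the artifact in the fallback branch: `... -out sign.key -d || { rm -f sign.key; echo "Encrypted signing key unavailable"; }`. `SIGN_BINARIES=1` in `env.global` is not read by anything this commit adds; either drop it or make the build script honour it so the flag and the file check do not drift apart. The same two hunks appear in `tpl/travis.yml.tpl`, the template this file is generated from, and should receive the same fix.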

@ -1,7 +1,7 @@
FROM ubuntu:precise FROM ubuntu:precise
RUN apt-get update \ RUN apt-get update \
&& apt-get install --no-install-recommends --yes build-essential git gdb valgrind cmake rpm python-dev libcap-dev python-pip python-virtualenv hardening-includes \ && apt-get install --no-install-recommends --yes build-essential git gdb valgrind cmake rpm python-dev libcap-dev python-pip python-virtualenv hardening-includes gnupg \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
# Pre-install those here for faster local builds. # Pre-install those here for faster local builds.

@ -11,6 +11,9 @@ set -o nounset
: ${DIST_DIR:="${SOURCE_DIR}/dist"} : ${DIST_DIR:="${SOURCE_DIR}/dist"}
: ${BUILD_DIR:="/tmp/build"} : ${BUILD_DIR:="/tmp/build"}
# GPG Configuration
: ${GPG_PASSPHRASE:=""}
# Make those paths absolute, and export them for the Python tests to consume. # Make those paths absolute, and export them for the Python tests to consume.
export SOURCE_DIR="$(readlink -f "${SOURCE_DIR}")" export SOURCE_DIR="$(readlink -f "${SOURCE_DIR}")"
@ -44,7 +47,6 @@ pushd "${BUILD_DIR}"
make clean make clean
make make
make package make package
popd popd
# Smoke tests (actual tests need Docker to run; they don't run within the CI environment) # Smoke tests (actual tests need Docker to run; they don't run within the CI environment)
@ -104,3 +106,20 @@ pip install psutil python-prctl bitmap
# Run tests # Run tests
python "${SOURCE_DIR}/test/run_inner_tests.py" python "${SOURCE_DIR}/test/run_inner_tests.py"
# If a signing key is made available, then use it to sign the binaries
if [[ -f "${SOURCE_DIR}/sign.key" ]]; then
echo "Signing binaries"
GPG_SIGN_HOMEDIR="${BUILD_DIR}/gpg-sign"
GPG_VERIFY_HOMEDIR="${BUILD_DIR}/gpg-verify"
mkdir "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}"
chmod 700 "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}"
gpg --homedir "${GPG_SIGN_HOMEDIR}" --import "${SOURCE_DIR}/sign.key"
gpg --homedir "${GPG_VERIFY_HOMEDIR}" --keyserver ha.pool.sks-keyservers.net --recv-keys 0527A9B7
for tini in "${DIST_DIR}/tini" "${DIST_DIR}/tini-static"; do
echo "${GPG_PASSPHRASE}" | gpg --homedir "${GPG_SIGN_HOMEDIR}" --passphrase-fd 0 --armor --detach-sign "${tini}"
gpg --homedir "${GPG_VERIFY_HOMEDIR}" --verify "${tini}.asc"
done
fi
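Review bot: The verification key is fetched by the 32-bit short ID `0527A9B7`, which is cheap to collide, so the keyserver may return an unrelated key and the check either fails spuriously or stops meaning "signed by the published tini key"; pin the full fingerprint instead, e.g. `gpg --homedir "${GPG_VERIFY_HOMEDIR}" --keyserver ha.pool.sks-keyservers.net --recv-keys "<FULL_FINGERPRINT>"` followed by `gpg --homedir "${GPG_VERIFY_HOMEDIR}" --with-colons --fingerprint | grep -q "^fpr:.*:<FULL_FINGERPRINT>:$"` (placeholder for the key's actual 40-hex fingerprint). This also makes the build depend on a reachable network keyserver; if that is acceptable, a short comment saying so next to the `--recv-keys` line would help the next maintainer. `mkdir "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}"` fails on a rerun when `BUILD_DIR` persists, so `mkdir -p` is safer here, and passing `--batch` to the signing call ensures gpg never blocks on an interactive passphrase prompt if the piped passphrase is rejected.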

@ -22,4 +22,5 @@ docker run -it --rm \
-e BUILD_DIR=/tmp/tini-build \ -e BUILD_DIR=/tmp/tini-build \
-e SOURCE_DIR="${SRC}" \ -e SOURCE_DIR="${SRC}" \
-e FORCE_SUBREAPER="${FORCE_SUBREAPER}" \ -e FORCE_SUBREAPER="${FORCE_SUBREAPER}" \
-e GPG_PASSPHRASE="${GPG_PASSPHRASE}" \
"${IMG}" "${SRC}/ci/run_build.sh" "${IMG}" "${SRC}/ci/run_build.sh"
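Review bot: `-e GPG_PASSPHRASE="${GPG_PASSPHRASE}"` puts the passphrase on the `docker run` command line, where it is visible to any local user listing processes on the host for the life of the invocation. Docker accepts a bare `-e GPG_PASSPHRASE` and copies the value from the invoking environment, so the line can become `-e GPG_PASSPHRASE \` with no change in behaviour inside the container. If ddist.sh runs with `set -u` (not visible in this hunk), the current expansion would also abort when the variable is unset, whereas the bare form simply leaves it unset in the container. The enclosing `docker run` command starts before this hunk.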

Binary file not shown.

@ -23,6 +23,15 @@ addons:
- python-pip - python-pip
- python-virtualenv - python-virtualenv
- hardening-includes - hardening-includes
- gnupg
env:
global:
- SIGN_BINARIES=1
- secure: "RKF9Z9gLxp6k/xITqn7ma1E9HfpYcDXuJFf4862WeH9EMnK9lDq+TWnGsQfkIlqh8h9goe7U+BvRiTibj9MiD5u7eluLo3dlwsLxPpYtyswYeLeC1wKKdT5LPGAXbRKomvBalRYMI+dDnGIM4w96mHgGGvx2zZXGkiAQhm6fJ3k="
before_install:
- openssl aes-256-cbc -K $encrypted_2893fd5649e7_key -iv $encrypted_2893fd5649e7_iv -in sign.key.enc -out sign.key -d || echo "Encrypted signing key unavailable"
script: ./ci/run_build.sh script: ./ci/run_build.sh
@ -34,7 +43,9 @@ deploy:
secure: Yk90ANpSPv1iJy8QDXCPwfaSmEr/WIJ3bzhQ6X8JvZjfrwTosbh0HrUzQyeac3nyvNwj7YJRssolOFc21IBKPpCFTZqYxSkuLPU6ysG4HGHgN6YJhOMm4mG4KKJ6741q3DJendhZpalBhCEi+NcZK/PCSD97Vl4OqRjBUged0fs= secure: Yk90ANpSPv1iJy8QDXCPwfaSmEr/WIJ3bzhQ6X8JvZjfrwTosbh0HrUzQyeac3nyvNwj7YJRssolOFc21IBKPpCFTZqYxSkuLPU6ysG4HGHgN6YJhOMm4mG4KKJ6741q3DJendhZpalBhCEi+NcZK/PCSD97Vl4OqRjBUged0fs=
file: file:
- "./dist/tini" - "./dist/tini"
- "./dist/tini.asc"
- "./dist/tini-static" - "./dist/tini-static"
- "./dist/tini-static.asc"
- "./dist/tini_@tini_VERSION_MAJOR@.@tini_VERSION_MINOR@.@tini_VERSION_PATCH@.deb" - "./dist/tini_@tini_VERSION_MAJOR@.@tini_VERSION_MINOR@.@tini_VERSION_PATCH@.deb"
- "./dist/tini_@tini_VERSION_MAJOR@.@tini_VERSION_MINOR@.@tini_VERSION_PATCH@.rpm" - "./dist/tini_@tini_VERSION_MAJOR@.@tini_VERSION_MINOR@.@tini_VERSION_PATCH@.rpm"
on: on:
