Merge pull request #33 from krallin/signed-binaries

Sign `tini` and `tini-static` binaries
pull/34/head
Thomas Orozco 9 years ago
commit 9451d6cf50
  1. 2
      .gitignore
  2. 15
      .travis.yml
  3. 4
      CMakeLists.txt
  4. 2
      Dockerfile
  5. 16
      README.md
  6. 21
      ci/run_build.sh
  7. 1
      ddist.sh
  8. BIN
      sign.key.enc
  9. 14
      tpl/README.md.in
  10. 11
      tpl/travis.yml.tpl

2
.gitignore vendored

@ -1 +1,3 @@
dist
sign.key
.env

@ -23,6 +23,15 @@ addons:
- python-pip
- python-virtualenv
- hardening-includes
- gnupg
env:
global:
- SIGN_BINARIES=1
- secure: "RKF9Z9gLxp6k/xITqn7ma1E9HfpYcDXuJFf4862WeH9EMnK9lDq+TWnGsQfkIlqh8h9goe7U+BvRiTibj9MiD5u7eluLo3dlwsLxPpYtyswYeLeC1wKKdT5LPGAXbRKomvBalRYMI+dDnGIM4w96mHgGGvx2zZXGkiAQhm6fJ3k="
before_install:
- openssl aes-256-cbc -K $encrypted_2893fd5649e7_key -iv $encrypted_2893fd5649e7_iv -in sign.key.enc -out sign.key -d || echo "Encrypted signing key unavailable"
script: ./ci/run_build.sh
@ -34,9 +43,11 @@ deploy:
secure: Yk90ANpSPv1iJy8QDXCPwfaSmEr/WIJ3bzhQ6X8JvZjfrwTosbh0HrUzQyeac3nyvNwj7YJRssolOFc21IBKPpCFTZqYxSkuLPU6ysG4HGHgN6YJhOMm4mG4KKJ6741q3DJendhZpalBhCEi+NcZK/PCSD97Vl4OqRjBUged0fs=
file:
- "./dist/tini"
- "./dist/tini.asc"
- "./dist/tini-static"
- "./dist/tini_0.8.4.deb"
- "./dist/tini_0.8.4.rpm"
- "./dist/tini-static.asc"
- "./dist/tini_0.9.0.deb"
- "./dist/tini_0.9.0.rpm"
on:
repo: krallin/tini
tags: true
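Review bot: The `before_install` decrypt line falls through to `echo` on failure but does not remove whatever `openssl` wrote to `sign.key`, so a failed decrypt (for example a build where the `encrypted_2893fd5649e7_*` variables are not set) may leave an empty or truncated file behind. `ci/run_build.sh` decides whether to sign purely on `-f "${SOURCE_DIR}/sign.key"`, so such a leftover would send the build into the `gpg --import` path with garbage input. Consider `... -d || { rm -f sign.key; echo "Encrypted signing key unavailable"; }`. `SIGN_BINARIES=1` is set here but none of the visible hunks read it; if it is meant to gate signing, the script should test it. The same decrypt line appears in `tpl/travis.yml.tpl`.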

@ -3,8 +3,8 @@ project (tini C)
# Config
set (tini_VERSION_MAJOR 0)
set (tini_VERSION_MINOR 8)
set (tini_VERSION_PATCH 4)
set (tini_VERSION_MINOR 9)
set (tini_VERSION_PATCH 0)
# Extract git version and dirty-ness
execute_process (

@ -1,7 +1,7 @@
FROM ubuntu:precise
RUN apt-get update \
&& apt-get install --no-install-recommends --yes build-essential git gdb valgrind cmake rpm python-dev libcap-dev python-pip python-virtualenv hardening-includes \
&& apt-get install --no-install-recommends --yes build-essential git gdb valgrind cmake rpm python-dev libcap-dev python-pip python-virtualenv hardening-includes gnupg \
&& rm -rf /var/lib/apt/lists/*
# Pre-install those here for faster local builds.

@ -37,7 +37,7 @@ In Docker, you will want to use an entrypoint so you don't have to remember
to manually invoke Tini:
# Add Tini
ENV TINI_VERSION v0.8.4
ENV TINI_VERSION v0.9.0
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
RUN chmod +x /tini
ENTRYPOINT ["/tini", "--"]
@ -56,6 +56,20 @@ Arguments for Tini itself should be passed like `-v` in the following example:
*NOTE: The binary linked above is a 64-bit dynamically-linked binary.*
### Signed binaries ###
The `tini` and `tini-static` binaries are signed using the key `0527A9B7`.
You can verify their signatures using `gpg` (which you may install using
your package manager):
ENV TINI_VERSION v0.9.0
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini.asc /tini.asc
RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 0527A9B7 \
&& gpg --verify /tini.asc
### Alpine Linux Package ###
On Alpine Linux, you can use the following command to install Tini (currently

@ -11,6 +11,9 @@ set -o nounset
: ${DIST_DIR:="${SOURCE_DIR}/dist"}
: ${BUILD_DIR:="/tmp/build"}
# GPG Configuration
: ${GPG_PASSPHRASE:=""}
# Make those paths absolute, and export them for the Python tests to consume.
export SOURCE_DIR="$(readlink -f "${SOURCE_DIR}")"
@ -44,7 +47,6 @@ pushd "${BUILD_DIR}"
make clean
make
make package
popd
# Smoke tests (actual tests need Docker to run; they don't run within the CI environment)
@ -104,3 +106,20 @@ pip install psutil python-prctl bitmap
# Run tests
python "${SOURCE_DIR}/test/run_inner_tests.py"
# If a signing key is made available, then use it to sign the binaries
if [[ -f "${SOURCE_DIR}/sign.key" ]]; then
echo "Signing binaries"
GPG_SIGN_HOMEDIR="${BUILD_DIR}/gpg-sign"
GPG_VERIFY_HOMEDIR="${BUILD_DIR}/gpg-verify"
mkdir "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}"
chmod 700 "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}"
gpg --homedir "${GPG_SIGN_HOMEDIR}" --import "${SOURCE_DIR}/sign.key"
gpg --homedir "${GPG_VERIFY_HOMEDIR}" --keyserver ha.pool.sks-keyservers.net --recv-keys 0527A9B7
for tini in "${DIST_DIR}/tini" "${DIST_DIR}/tini-static"; do
echo "${GPG_PASSPHRASE}" | gpg --homedir "${GPG_SIGN_HOMEDIR}" --passphrase-fd 0 --armor --detach-sign "${tini}"
gpg --homedir "${GPG_VERIFY_HOMEDIR}" --verify "${tini}.asc"
done
fi
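Review bot: `--recv-keys 0527A9B7` on the verify keyring identifies the signing key by its 32-bit short ID, which is not collision-resistant: a keyserver can return a different key that shares those eight hex digits, and `gpg --verify` accepts a good signature from any key in the keyring. Fetch by full fingerprint instead, e.g. `--recv-keys <FULL_40_HEX_FINGERPRINT>` (placeholder; the fingerprint is not shown on this page), and have the snippets in `README.md` and `tpl/README.md.in` do the same, since those are what users copy into their Dockerfiles. It would also be more explicit to name the signed file, `gpg --homedir "${GPG_VERIFY_HOMEDIR}" --verify "${tini}.asc" "${tini}"`, rather than relying on gpg to infer it from the `.asc` name.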

@ -22,4 +22,5 @@ docker run -it --rm \
-e BUILD_DIR=/tmp/tini-build \
-e SOURCE_DIR="${SRC}" \
-e FORCE_SUBREAPER="${FORCE_SUBREAPER}" \
-e GPG_PASSPHRASE="${GPG_PASSPHRASE}" \
"${IMG}" "${SRC}/ci/run_build.sh"
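Review bot: `-e GPG_PASSPHRASE="${GPG_PASSPHRASE}"` expands the passphrase into the `docker run` argument list, where it is visible in the host's process listing for as long as the container runs. Passing the name only, `-e GPG_PASSPHRASE \`, makes Docker copy the value from the caller's environment without putting it on the command line; `ci/run_build.sh` already defaults it to empty when unset. The `docker run` command starts above this hunk, so whether `ddist.sh` sets a default for the variable is not visible here.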

Binary file not shown.

@ -56,6 +56,20 @@ Arguments for Tini itself should be passed like `-v` in the following example:
*NOTE: The binary linked above is a 64-bit dynamically-linked binary.*
### Signed binaries ###
The `tini` and `tini-static` binaries are signed using the key `0527A9B7`.
You can verify their signatures using `gpg` (which you may install using
your package manager):
ENV TINI_VERSION v@tini_VERSION_MAJOR@.@tini_VERSION_MINOR@.@tini_VERSION_PATCH@
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini.asc /tini.asc
RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 0527A9B7 \
&& gpg --verify /tini.asc
### Alpine Linux Package ###
On Alpine Linux, you can use the following command to install Tini (currently

@ -23,6 +23,15 @@ addons:
- python-pip
- python-virtualenv
- hardening-includes
- gnupg
env:
global:
- SIGN_BINARIES=1
- secure: "RKF9Z9gLxp6k/xITqn7ma1E9HfpYcDXuJFf4862WeH9EMnK9lDq+TWnGsQfkIlqh8h9goe7U+BvRiTibj9MiD5u7eluLo3dlwsLxPpYtyswYeLeC1wKKdT5LPGAXbRKomvBalRYMI+dDnGIM4w96mHgGGvx2zZXGkiAQhm6fJ3k="
before_install:
- openssl aes-256-cbc -K $encrypted_2893fd5649e7_key -iv $encrypted_2893fd5649e7_iv -in sign.key.enc -out sign.key -d || echo "Encrypted signing key unavailable"
script: ./ci/run_build.sh
@ -34,7 +43,9 @@ deploy:
secure: Yk90ANpSPv1iJy8QDXCPwfaSmEr/WIJ3bzhQ6X8JvZjfrwTosbh0HrUzQyeac3nyvNwj7YJRssolOFc21IBKPpCFTZqYxSkuLPU6ysG4HGHgN6YJhOMm4mG4KKJ6741q3DJendhZpalBhCEi+NcZK/PCSD97Vl4OqRjBUged0fs=
file:
- "./dist/tini"
- "./dist/tini.asc"
- "./dist/tini-static"
- "./dist/tini-static.asc"
- "./dist/tini_@tini_VERSION_MAJOR@.@tini_VERSION_MINOR@.@tini_VERSION_PATCH@.deb"
- "./dist/tini_@tini_VERSION_MAJOR@.@tini_VERSION_MINOR@.@tini_VERSION_PATCH@.rpm"
on:
