diff --git a/Documentation/conf.py b/Documentation/conf.py
index d7dd257725..3aa90f2073 100644
--- a/Documentation/conf.py
+++ b/Documentation/conf.py
@@ -19,7 +19,11 @@
 import pathlib
 import subprocess
+import urllib.parse
+import docutils.nodes
+import docutils.parsers.rst
+import docutils.parsers.rst.directives
 # -- Project information -----------------------------------------------------
@@ -225,6 +229,25 @@ def generate_doxygen(app):
         '.markdown': 'markdown',
     })
+class NewIssueDirective(docutils.parsers.rst.Directive):
+    has_content = True
+    optional_arguments = float('inf')
+    option_spec = {
+        'url': docutils.parsers.rst.directives.uri,
+    }
+
+    def run(self):
+        url = self.options.get('url', 'https://github.com/gramineproject/gramine/issues/new')
+        qs = urllib.parse.urlencode([
+            ('title', ' '.join(self.arguments)),
+            ('body', '\n'.join(self.content.data)),
+        ])
+        refuri = f'{url}?{qs}'
+        para = docutils.nodes.paragraph()
+        para += docutils.nodes.reference('', refuri, refuri=refuri)
+        return [para]
+
 def setup(app):
     app.add_css_file('css/gramine.css')
     app.connect('builder-inited', generate_doxygen)
+    app.add_directive('new-issue', NewIssueDirective)
diff --git a/Documentation/devel/DCO/index.rst b/Documentation/devel/DCO/index.rst
index 023eff9474..0d5dad6500 100644
--- a/Documentation/devel/DCO/index.rst
+++ b/Documentation/devel/DCO/index.rst
@@ -1 +1,6 @@
 .. include:: ../../../DCO
+
+.. note::
+
+   For cryptographical “code signing”, as opposed to “signing off” your
+   commits, please refer to :ref:`code-signing`.
diff --git a/Documentation/devel/code-signing-and-releasing.rst b/Documentation/devel/code-signing-and-releasing.rst
new file mode 100644
index 0000000000..c261cae2b5
--- /dev/null
+++ b/Documentation/devel/code-signing-and-releasing.rst
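Review bot: NewIssueDirective in the second conf.py hunk has no docstring, so its contract — the directive arguments become the issue title, the directive content becomes the body, and `:url:` swaps the GitHub new-issue endpoint for another form — can only be recovered by reading run(). I would add a class docstring such as `"""Render a link that pre-fills a GitHub issue/release form: the arguments form the title, the content the body; :url: selects the target form (default: gramine's issues/new). The :url: validator (directives.uri) constrains neither scheme nor host, which is acceptable for in-tree docs."""`. Two style points: docutils documents `optional_arguments` as an integer, so `optional_arguments = 1` with `final_argument_whitespace = True` and `self.arguments[0]` expresses "the rest of the line is the title" without `float('inf')`, and `'\n'.join(self.content)` works on the StringList directly, so `.data` is unnecessary. The rendered link text is the full encoded URL, which for the release checklist is several hundred characters wide; if that is not intended, pass a short label as the reference's text instead of `refuri`.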
@@ -0,0 +1,240 @@ +Code signing and release manual +=============================== + +.. _code-signing: + +Code signing +------------ + +.. note:: + + “Code signing” is not to be confused with “signing off” your commits. + + “Signing off” is (in our project) a |~| legal device for a |~| sort of + signature by which you assert that you are holding copyrights to the code + you're submitting (or your're authorized by copyright holder to submit the + code). “Signing off” is done by writing ``Signed-off-by:`` line to the + commit message (maybe using :command:`git commit -s`) and does not carry + a |~| separate cryptographic signature. For details, please read + :doc:`DCO/index`, and keep in mind that in other projects meaning of the + ``Signed-off-by:`` line might be different. + + “Code signing” refers to the process of cryptographically signing your + contributions (commits and tags), so other people are able to mathematically + prove that the contribution came from the holder of a |~| particular + cryptographic key. It has no legal meaning. It can be done using + :command:`git commit -S` or by configuring :program:`git` (see below). + +Generating key +^^^^^^^^^^^^^^ + +First, you need to generate your own key pair using :program:`gpg`. The key +needs to be "sign only"! Otherwise, if you also add encrypt capability, people +will add your key to their :abbr:`MUA (Mail User Agent)`\ s and will encrypt +e-mail messages to you using code signing key. This is not desired, the key +generated for the purpose of code signing should not be used in any other +context (e.g. e-mail or signing code in other projects). + +In user ID, please write your name and comment saying that the key is meant for +code signing in this project. + +The key needs to be RSA (at least 3072 to match overall security level in SGX) +or Curve25519. 25519 keys are preferred, because they are smaller and faster to +use. 
In some versions of :program:`gpg` you need to use ``--full-gen-key +--expert`` to be able to choose ECC keys. + +.. code-block:: none + + % gpg --full-gen-key --expert + gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc. + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + Please select what kind of key you want: + (1) RSA and RSA (default) + (2) DSA and Elgamal + (3) DSA (sign only) + (4) RSA (sign only) + (7) DSA (set your own capabilities) + (8) RSA (set your own capabilities) + (9) ECC and ECC + (10) ECC (sign only) + (11) ECC (set your own capabilities) + (13) Existing key + (14) Existing key from card + Your selection? 10 + Please select which elliptic curve you want: + (1) Curve 25519 + (3) NIST P-256 + (4) NIST P-384 + (5) NIST P-521 + (6) Brainpool P-256 + (7) Brainpool P-384 + (8) Brainpool P-512 + (9) secp256k1 + Your selection? 1 + Please specify how long the key should be valid. + 0 = key does not expire + = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years + Key is valid for? (0) + Key does not expire at all + Is this correct? (y/N) y + + GnuPG needs to construct a user ID to identify your key. + + Real name: Wojciech Porczyk + Email address: woju@invisiblethingslab.com + Comment: Gramine code signing key + You selected this USER-ID: + "Wojciech Porczyk (Gramine code signing key) " + + Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o + We need to generate a lot of random bytes. It is a good idea to perform + some other action (type on the keyboard, move the mouse, utilize the + disks) during the prime generation; this gives the random number + generator a better chance to gain enough entropy. 
+ gpg: /home/user/.gnupg/trustdb.gpg: trustdb created + gpg: key 044D9664E7A77E16 marked as ultimately trusted + gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created + gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/9C4D27D9157EF771A4283926044D9664E7A77E16.rev' + public and secret key created and signed. + + pub ed25519 2024-02-22 [SC] + 9C4D27D9157EF771A4283926044D9664E7A77E16 + uid Wojciech Porczyk (Gramine code signing key) + +.. yes, this is actual log from generating my own key! + +Submitting key to GitHub +^^^^^^^^^^^^^^^^^^^^^^^^ + +https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account#adding-a-gpg-key + +Setting up git +^^^^^^^^^^^^^^ + +*(Substitute key ID for your own key. The following example matches key ID from +the example generation listing.)* + +.. code-block:: sh + + git config --global commit.gpgsign true + git config --global user.signingkey 9C4D27D9157EF771A4283926044D9664E7A77E16 + +If you are using Split GPG feature of Qubes OS +(https://www.qubes-os.org/doc/split-gpg/#using-git-with-split-gpg): + +.. code-block:: sh + + git config --global gpg.program qubes-gpg-client-wrapper + +and remember to set ``QUBES_GPG_DOMAIN`` environment variable in your shell +config file. + +Release process +--------------- + +Create new checklist issue (fill all ```` before submitting): + +.. 
new-issue:: Release checklist + + - [ ] create release PRs (@) + - gramine: # + - gramine-scaffolding: # + - contrib: # + - [ ] draft release notes (@) + - [ ] draft blogpost (@) + - [ ] draft #community announcement (@) + - [ ] update installation instructions (if a distro was released since last release) (@) + + iterate (update version, build and upload unstable packages) + + final stretch: + - [ ] get QA signoff (@) + - [ ] approve PRs (@) + - [ ] update version to final and push commits (@) + - [ ] build final packages (@) + - [ ] upload packages to release notes (@) + - [ ] push tag (@) + - [ ] switch release notes to pushed tag (@) + - [ ] merge PR (@) + - [ ] publish packages (@) + - [ ] publish docker image (@) + - [ ] publish release notes (@) + - [ ] publish blogpost (@) + - [ ] publish on #community (@) + +Draft release notes: + +.. new-issue:: v + :url: https://github.com/gramineproject/gramine/releases/new + + # Important changes + + This change log covers the changes since + [the last release](https://github.com/gramineproject/gramine/releases/tag/). + + ### Breaking changes + + - + + + + ### Security fixes + + - + + ### New features + + - + + ### Performance improvements + + - + + ### Bugfixes, stability and refactoring + + - + + ### Miscellaneous + + - + + + + # Installation instructions + + + + +Create a PR +^^^^^^^^^^^ + +.. code-block:: sh + + git checkout -b /release- + scripts/release.sh ~rc1 + git push -u origin /release- + firefox https://github.com/gramineproject/gramine/pull/new//release- + +Then set the PR on reviewable.io to be reviewed commit-by-commit. + +Update version in the PR +^^^^^^^^^^^^^^^^^^^^^^^^ + +.. code-block:: sh + + git reset --hard HEAD~ + scripts/release.sh X.Y~rcN + git push --force + +Create a tag +^^^^^^^^^^^^ + +.. code-block:: sh + + git tag -m "Gramine " v HEAD~ + git push v diff --git a/Documentation/index.rst b/Documentation/index.rst index 7c977d8e8d..40ceffcf37 100644 --- a/Documentation/index.rst 
+++ b/Documentation/index.rst
@@ -217,6 +217,7 @@ Indices and tables
   devel/setup
   devel/coding-style
   devel/howto-doc
+  devel/code-signing-and-releasing
   devel/charter
   devel/DCO/index
@@ -227,6 +228,7 @@ Indices and tables
   devel/features
   management-team
+  verify-sig
   gramine-users
   sgx-intro
   glossary
diff --git a/Documentation/installation.rst b/Documentation/installation.rst
index ea91982398..09da591f29 100644
--- a/Documentation/installation.rst
+++ b/Documentation/installation.rst
@@ -25,6 +25,9 @@ option on a dedicated page.
 Install Gramine packages
 ------------------------
+For instructions how to verify cryptographic signatures, please see
+:ref:`verifying-cryptographic-signatures`.
+
 Debian 12
 ^^^^^^^^^
diff --git a/Documentation/verify-sig.rst b/Documentation/verify-sig.rst
new file mode 100644
index 0000000000..e77422f29d
--- /dev/null
+++ b/Documentation/verify-sig.rst
@@ -0,0 +1,262 @@ +.. highlight:: none + +.. _verifying-cryptographic-signatures: + +Verifying cryptographic signatures +================================== + +Verifying packages +------------------ + +APT repositories (for Debian and Ubuntu) are signed with the following GPG key:: + + pub ed25519 2021-02-17 [SC] + EA3C2D624681AC968521587A5EE1171912234070 + uid Gramine Project signing key (2021) + uid Graphene Library OS signing key (2021) + +RPM packages (for RHEL derivatives) are signed with the following key:: + + pub rsa4096 2021-10-29 [SC] + F3FFBE5FC0477DB46E4851E737B04F03659B87AF + uid Gramine Project signing key, RPM (2021) + +Verification of the signatures for the packages happens automatically during +repository metadata update or package installation process, and skipping this +verification needs to be done intentionally. :ref:`Package installation +instructions ` describe downloading those keys and +copying them to system's directory, but if you want to trust the key long-term, +you should download this key only once, verify it and keep local, trusted copy +yourself (for example by checking in the file into version control system). For +each reinstall, you should then copy the key from your local store (for example, +in ``Dockerfile`` you should ``COPY`` it, not ``RUN wget -O ...``). + +Verifying releases (git tags) and commits +----------------------------------------- + +Releases of Gramine are marked with `signed tags +`__ by Wojtek +Porczyk:: + + pub ed25519 2024-02-22 [SC] + 9C4D27D9157EF771A4283926044D9664E7A77E16 + uid Wojciech Porczyk (Gramine code signing key) + +(woju's first name is „Wojciech” /ˈvɔj.t͡ɕɛx/; „Wojtek” /ˈvɔj.tɛk/ is a |~| +pronounceable diminutive). + +The key is available in ``keys/`` subdirectory of the main project's tree. + +To verify a |~| tag, you need to import this key into your local trust store: + +.. 
code-block:: sh + + git clone https://github.com/gramineproject/gramine.git + gpg --import gramine/keys/woju.asc + +Then check the key fingerprint. After ensuring the key is correct, you can mark +it as trusted. + +Trusting the key directly +^^^^^^^^^^^^^^^^^^^^^^^^^ + +If you don't have your own PGP key pair, you can mark the key as ultimately +trusted:: + + % gpg --edit-key 9C4D27D9157EF771A4283926044D9664E7A77E16 + gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc. + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + + pub ed25519/044D9664E7A77E16 + created: 2024-02-22 expires: never usage: SC + trust: full validity: unknown + [ unknown] (1). Wojciech Porczyk (Gramine code signing key) + + gpg> trust + pub ed25519/044D9664E7A77E16 + created: 2024-02-22 expires: never usage: SC + trust: full validity: unknown + [ unknown] (1). Wojciech Porczyk (Gramine code signing key) + + Please decide how far you trust this user to correctly verify other users' keys + (by looking at passports, checking fingerprints from different sources, etc.) + + 1 = I don't know or won't say + 2 = I do NOT trust + 3 = I trust marginally + 4 = I trust fully + 5 = I trust ultimately + m = back to the main menu + + Your decision? 5 + Do you really want to set this key to ultimate trust? (y/N) y + + pub ed25519/044D9664E7A77E16 + created: 2024-02-22 expires: never usage: SC + trust: ultimate validity: unknown + [ unknown] (1). Wojciech Porczyk (Gramine code signing key) + Please note that the shown key validity is not necessarily correct + unless you restart the program. + + gpg> save + Key not changed so no update needed. + +Note it needs to be ``5 = I trust ultimately``, not even ``4 = I trust fully``. +The description of the difference between those options is beyond the scope of +this document. + +.. 
"beyond the scope" in this context is a politically-correct understatement + +Trusting the key using local private key +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +If you happen to have your own PGP key pair, you can choose to sign the key with +local signature. This is the procedure supported by GPG tool, because it fits +“web of trust” model:: + + % gpg --edit-key 9C4D27D9157EF771A4283926044D9664E7A77E16 + gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc. + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + + pub ed25519/044D9664E7A77E16 + created: 2024-02-22 expires: never usage: SC + trust: unknown validity: unknown + [ unknown] (1). Wojciech Porczyk (Gramine code signing key) + + gpg> ltnrsign + + pub ed25519/044D9664E7A77E16 + created: 2024-02-22 expires: never usage: SC + trust: unknown validity: unknown + Primary key fingerprint: 9C4D 27D9 157E F771 A428 3926 044D 9664 E7A7 7E16 + + Wojciech Porczyk (Gramine code signing key) + + Please decide how far you trust this user to correctly verify other users' keys + (by looking at passports, checking fingerprints from different sources, etc.) + + 1 = I trust marginally + 2 = I trust fully + + Your selection? 2 + + Please enter the depth of this trust signature. + A depth greater than 1 allows the key you are signing to make + trust signatures on your behalf. + + Your selection? 1 + + Please enter a domain to restrict this signature, or enter for none. + + Your selection? + + Are you sure that you want to sign this key with your + key "TEST DO NOT USE" (0000000000000000) + + The signature will be marked as non-exportable. + + The signature will be marked as non-revocable. + + Really sign? 
(y/N) y + + gpg> save + % gpg -k 9C4D27D9157EF771A4283926044D9664E7A77E16 + gpg: checking the trustdb + gpg: marginals needed: 3 completes needed: 1 trust model: pgp + gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u + gpg: depth: 1 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 1f, 0u + pub ed25519 2024-02-22 [SC] + 9C4D27D9157EF771A4283926044D9664E7A77E16 + uid [ full ] Wojciech Porczyk (Gramine code signing key) + +.. no, I don't have "0000000000000000" key + +If you know what you're doing, you can use another signing command in place of +``ltnrsign``. + +Trusting the key directly (from scripts) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. code-block:: sh + + echo 9C4D27D9157EF771A4283926044D9664E7A77E16:6: | gpg --import-ownertrust + +Note this option is not very well documented. + +Verifying tags +^^^^^^^^^^^^^^ + +Use either :command:`git tag --verify ` or :command:`git verify-tag ` +to verify tags:: + + % git tag --verify v1.6.2 + object a971e30f3430b4b8079ec42f5d035ced68130bdc + type commit + tag v1.6.2 + tagger Wojtek Porczyk 1710237857 +0100 + + Gramine 1.6.2 + gpg: Signature made Tue 12 Mar 2024 11:04:18 AM CET + gpg: using EDDSA key 9C4D27D9157EF771A4283926044D9664E7A77E16 + gpg: Good signature from "Wojciech Porczyk (Gramine code signing key) " [full] + +:: + + % git verify-tag v1.6.2 + gpg: Signature made Tue 12 Mar 2024 11:04:18 AM CET + gpg: using EDDSA key 9C4D27D9157EF771A4283926044D9664E7A77E16 + gpg: Good signature from "Wojciech Porczyk (Gramine code signing key) " [full] + +If you fail to mark the key as trusted, you will see instead:: + + % git tag --verify v1.6.2 + object a971e30f3430b4b8079ec42f5d035ced68130bdc + type commit + tag v1.6.2 + tagger Wojtek Porczyk 1710237857 +0100 + + Gramine 1.6.2 + gpg: Signature made Tue 12 Mar 2024 11:04:18 AM CET + gpg: using EDDSA key 9C4D27D9157EF771A4283926044D9664E7A77E16 + gpg: checking the trustdb + gpg: no ultimately trusted keys found + gpg: Good signature from "Wojciech Porczyk 
(Gramine code signing key) " [unknown] + gpg: WARNING: This key is not certified with a trusted signature! + gpg: There is no indication that the signature belongs to the owner. + Primary key fingerprint: 9C4D 27D9 157E F771 A428 3926 044D 9664 E7A7 7E16 + +Which is **NOT a successful verification**, because the key might be +different. Anyone can generate a |~| key with some first and last name, so +unless you check the fingerprint every single time, you should not trust this +verification with the warning. + +Verifying commits +^^^^^^^^^^^^^^^^^ + +You can use ``--show-signature`` option to ``git log`` command, or ``git +verify-commit`` standalone command:: + + % git log v1.6.2 --show-signature + commit a971e30f3430b4b8079ec42f5d035ced68130bdc (tag: v1.6.2) + gpg: Signature made Tue 12 Mar 2024 09:34:37 AM CET + gpg: using EDDSA key 9C4D27D9157EF771A4283926044D9664E7A77E16 + gpg: Good signature from "Wojciech Porczyk (Gramine code signing key) " [ultimate] + Author: Wojtek Porczyk + Date: Mon Mar 11 10:26:34 2024 +0100 + + Bump version to 1.6.2 + + Signed-off-by: Wojtek Porczyk + + [...] + +:: + + % git verify-commit a971e30f3430b4b8079ec42f5d035ced68130bdc + gpg: Signature made Tue 12 Mar 2024 09:34:37 AM CET + gpg: using EDDSA key 9C4D27D9157EF771A4283926044D9664E7A77E16 + gpg: Good signature from "Wojciech Porczyk (Gramine code signing key) " [ultimate] diff --git a/keys/RPM-GPG-KEY-gramine-2021 b/keys/RPM-GPG-KEY-gramine-2021 new file mode 100644 index 0000000000..6459cd51fe --- /dev/null +++ b/keys/RPM-GPG-KEY-gramine-2021 
@@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGF8MKYBEACiozI1ojI7kWOZbVA8tr2lqQzS7cqhqOLxo/+EoajnvYJtCzFb +JwaHczIWLm5bc5FfGWuE0HlqHK2vUi4gkRVrySFJHePnE7dIub1XBGlMTPi95vQj +Y0+jgZjW/Fyqf5Wqh1gSgGZQ/6xYdxpJdsHry7SdvTaQvx+rXbDOj34LQZgHwZet +pwHw8PhKu6RHE4fvL86M6ZWMlnjOQLYUcL2NxSeqFC2TBz2EIm3YtOe196XjuS7n +z3FFRKFsHO4S52VCez8x76e7Aa6rShLNcppIiY7mw9/MXK13t2yiQzW5R0dFYn2o +rsPboeURBc4y9x5Rn59jHFK/ENf52/3nngRe0y/6ZHsl80maX3rEJb3Bv0V4h99h +pyEdqSHIbpNtnFkwpRh9gnkfPCr1rMi32nb5QKkJtjchkSlYbI5wZOCPVwM3SFO2 +vaC+pcD+y9lnlNmYlnK+CB2a4NDAasjhH6rxVPH4T/cpNyoQcFyHJXHpnwjrU6Z2 +q8DKB0Ot7k0fTeclgXOlgi/JVVWUxzQlExhF1pCM7EBhaXEd+XykTAdrV4Fye3qV +hX4vJS28+zZC2cJ+7m20t/aPgDh0m4eVTvwnUHIlv7w8fWoGB2YPlj1qsjM1YVr6 +ZhqEKIWaRzPx4W4gUT0hCh94pPFfzYGxWKpxysfeXRLJLmMPEFC1braS8QARAQAB +tCdHcmFtaW5lIFByb2plY3Qgc2lnbmluZyBrZXksIFJQTSAoMjAyMSmJAk4EEwEK +ADgWIQTz/75fwEd9tG5IUec3sE8DZZuHrwUCYXwwpgIbAwULCQgHAgYVCgkICwIE +FgIDAQIeAQIXgAAKCRA3sE8DZZuHr2+9D/9dUXjNiF56E/h6tZ3EA/GQ3qoL0yTf +kflBaj6jrjLqGugfU3G6GU8YmTe0k5mU15Tfz1Cy0M44XfL1ZGxgyh6VkFC1BZya +hSEeA1F6q/kMzfh+QgKJPSCzv+08UrLeQzDhGOxjHCeuw09ZuXYA+CQxxAvAhmmn +7gjIShtT2agZgWWR1t1z2dxOlLd9c1BKoZWBiBWdNqe7/SeNR9hWerBXmImwGRns +GUCPmjf8UCEf3qnu3z9tDEhtNBVQZfoYngEvFe3gQ33qtAT2XqJfyF6S+KiZeew3 +xHxCKwutB4V+4yZfJI1vbECuq31z2ehpRt3Qtf6d+WBUyvcQQS9WCZa3Zd7jwehV +y+Hn+Rq8+p9eIVGM5IIFhrwpk5Ol6LnLAFLEqsBG8GUfqgEb2Nhbem/JXrrQDWpH +1mqKTwCaq+tyT3X2zG20x+hXZrRaa3hdsIh6itz9BSIDgTbhg849Mt7Gdl67ZYyL +E+BiY1BCScK+ho7Jhrs/dd1VvwlvUvnDEtDMEYiFwwOKxt06OvECswqgRS2I0yiI +lktL6e8tGWJ3ChA88YqIoMlxeGVJjsHujhCxf/go5uywjKU/bOa3BvK1dl4Iqrjs +oNgK/8ma+WaqqBvV5xxQMcAbG5DbBS62yTP7wIo7avC2ysnZ2bvCqPBBOFUALHpo +8Hj+IGSdNBvohA== +=YGIm +-----END PGP PUBLIC KEY BLOCK----- diff --git a/keys/gramine-2021.gpg b/keys/gramine-2021.gpg new file mode 100644 index 0000000000..9b81cc06c8 Binary files /dev/null and b/keys/gramine-2021.gpg differ diff --git a/keys/woju.asc b/keys/woju.asc new file mode 100644 index 0000000000..815daef795 --- /dev/null +++ b/keys/woju.asc 
@@ -0,0 +1,10 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mDMEZddGHBYJKwYBBAHaRw8BAQdABw5QYoz7eYxTsxB3/p4ZHCUHljSlrv4Te356 +5DdLoFW0SVdvamNpZWNoIFBvcmN6eWsgKEdyYW1pbmUgY29kZSBzaWduaW5nIGtl +eSkgPHdvanVAaW52aXNpYmxldGhpbmdzbGFiLmNvbT6IkAQTFggAOBYhBJxNJ9kV +fvdxpCg5JgRNlmTnp34WBQJl10YcAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA +AAoJEARNlmTnp34WOo0BANYd2MskFoXouU9Xmy28gtdYCiTwwDvoTs2yqbtLGiVd +AQD1BurfwLT5MPfATJfhJig2UHDipVYk5a800hl50PTzAw== +=tp66 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/scripts/release.sh b/scripts/release.sh new file mode 100755 index 0000000000..9f34aa8be6 --- /dev/null +++ b/scripts/release.sh 
@@ -0,0 +1,101 @@ +#!/bin/sh +# SPDX-License-Identifier: LGPL-3.0-or-later +# Copyright (C) 2024 Wojtek Porczyk + +set -e + +: ${D:="bookworm bullseye jammy focal"} + +bump() { + v="$1" + test -n "$v" + + find . -name meson.build \( -path \*/subprojects/\* -o -print \) \ + | while read meson_build + do + printf 'patching %s\n' "$meson_build" >&2 + sed -i -e "s/^\(\s*version: '\).*\(',\)$/\1$v\2/" "$meson_build" + git add "$meson_build" + done + + echo patching debian/changelog >&2 + d="$D" + case "$v" in + *~UNRELEASED) + d=UNRELEASED ;; + *~*) + d=$(printf %s "$d" | sed 's/\&2 + sed -i -e "s/^\(Version: \).*$/\1$v/" gramine.spec + git add gramine.spec + fi + + if test -w packaging/alpine/APKBUILD + then + echo patching packaging/alpine/APKBUILD >&2 + sed -i -e "s/^\(_real_pkgver=\).*$/\1$v/" packaging/alpine/APKBUILD + git add packaging/alpine/APKBUILD + fi + + # python version spec forbids ~, it needs after last number "rcN" (without + # a dot) or ".postN" (with a dot): + # https://packaging.python.org/en/latest/specifications/version-specifiers/ + v_py=$(printf %s "$v" | sed -e 's/post~UNRELEASED/.post0/g' -e 's/~//g') + + if test -w pyproject.toml + then + echo patching pyproject.toml >&2 + sed -i -e "s/^\(version\s*=\).*$/version = \"$v_py\"/" pyproject.toml + git add pyproject.toml + fi + + if test -w graminescaffolding/__init__.py + then + echo patching graminescaffolding/__init__.py >&2 + sed -i -e "s/^\(__version__\s*=\).*$/__version__ = \"$v_py\"/" \ + graminescaffolding/__init__.py + git add graminescaffolding/__init__.py + fi +} + +commit() { + v="$1" + test -n "$v" + shift + + git commit --signoff --message "Bump version to $v" "$@" +} + + +if test -z "$1" +then + echo usage: "$0" VERSION >&2 + exit 2 +fi +V="$1" +VP="${1%~*}"post~UNRELEASED + +cd "$(git rev-parse --show-toplevel)" + +bump "$V" + +# to fix a mistake: +# git reset --hard HEAD~ +# release.sh X.Y +case "$(git log -n1 --format=%s)" in +"Bump "*) commit "$V" --amend ;; +*) commit "$V" ;; 
+esac + +bump "$VP" +commit "$VP"
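Review bot: The `case "$(git log -n1 --format=%s)" in "Bump "*)` guard near the end of the script amends HEAD whenever its subject merely starts with "Bump ", so running the script on top of an unrelated commit such as a "Bump submodule ..." would silently rewrite that commit; match the exact subject the script itself writes, `"Bump version to "*) commit "$V" --amend ;;`. `commit` also runs `git commit` with no pathspec, so anything the operator had staged before invoking the script is folded into the version-bump commit — a `git diff --cached --quiet || { echo 'index not clean' >&2; exit 1; }` before the first `bump` would catch that. The bump commits are signed only when `commit.gpgsign` is set in the operator's config, as the accompanying manual instructs; passing `--gpg-sign` explicitly in `commit` would make release commits signed regardless of that setting. Minor: `read meson_build` in bump should be `read -r`, and `: ${D:=...}` should quote its expansion.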