feat: build and sign RPM packages

Passing files to Dom0 is always dangerous:

- Passing a git repository is dangerous as it can have ignored modified
  files and signature verification will pass.
- Passing an archive is troublesome for updates.
- Passing an RPM package depends on the RPM verification to be correct,
  some times it is not.
- Passing a RPM repository definition is less troublesome for the user,
  as it is a small file to verify the contents and update mechanism is
  via the package manager. Trust in RPM verification is still required.

Many improvements were made to the build scripts:

- requires-program: Single function to check if program is installed;
- spec-get: Sort project names for the usage message;
- spec-get: Only running commands that are necessary;
- spec-get: Fix empty summary when readme has copyright header;
- spec-gen: Fix grep warning of escaped symbol;
- spec-build: Sign RPM and verify signature;
- spec-build: Only lint the first SPEC for faster runtime;
- yumrepo-gen: Generate a local yum repository with signed metadata;
- qubesbuilder-gen: Generate a .qubesbuilder based on tracked projects;
- release: Build, sign and push all RPMs to repository.

Goal is to be able to build with qubes-builderv2 Qubes Executor.

For: https://github.com/ben-grande/qusal/issues/37

scripts/spec-build.sh

@@ -1,67 +1,96 @@
 #!/bin/sh
 
-## SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+## SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 ##
 ## SPDX-License-Identifier: AGPL-3.0-or-later
 
 set -eu
 
 usage(){
-  printf '%s\n' "Usage: ${0##*/} PROJECT [release]" >&2
+  echo "Usage: ${0##*/} PROJECT [PROJECT ...]" >&2
   exit 1
 }
 
+build_rpm(){
+  counter=$((counter+1))
+  project="${1}"
+  group="$(${spec_get} "${project}" group)"
+  version="$(${spec_get} "${project}" version)"
+  license_csv="$(${spec_get} "${project}" license_csv)"
+  spec="rpm_spec/${group}-${project}.spec"
+
+  "${spec_gen}" "${project}"
+
+  ## All specs have the same format, only lint the first one.
+  if test "${counter}" = "1"; then
+    rpmlint "${spec}"
+  fi
+
+  if grep -q "^BuildRequires: " "${spec}"; then
+    sudo dnf build-dep "${spec}"
+  fi
+
+  mkdir -p \
+    "${build_dir}/BUILD/${group}-${project}/LICENSES/" \
+    "${build_dir}/SOURCES/${group}-${project}/LICENSES"
+
+  cp -r "salt/${project}/"* "${build_dir}/BUILD/${group}-${project}/"
+  cp -r "salt/${project}/"* "${build_dir}/SOURCES/${group}-${project}/"
+  for license in $(echo "${license_csv}" | tr "," " "); do
+    license_dir="LICENSES"
+    if test -d "salt/${project}/LICENSES"; then
+      license_dir="salt/${project}/LICENSES"
+    fi
+    cp "${license_dir}/${license}.txt" "${build_dir}/BUILD/${group}-${project}/LICENSES/"
+  done
+
+  ## TODO: use qubes-builderv2 with mock or qubes executor
+  rpmbuild -ba -- "${spec}"
+  if test -n "${key_id}"; then
+    rpm_basename="${build_dir}/RPMS/noarch/${group}-${project}-${version}-"
+    rpm_suffix=".noarch.rpm"
+    ## TODO: target only the latest release
+    rpmsign --key-id="${key_id}" --digest-algo=sha512 --addsign \
+      -- "${rpm_basename}"*"${rpm_suffix}" </dev/null
+    gpg="$(git config --get gpg.program)" || gpg="gpg"
+    dbpath="$(mktemp -d)"
+    trap 'rm -rf -- "${dbpath}"' EXIT INT HUP QUIT ABRT
+    tmp_file="${dbpath}/${key_id}.asc"
+    "${gpg}" --export --armor "${key_id}" | tee "${tmp_file}" >/dev/null
+    rpmkeys --dbpath="${dbpath}" --import "${tmp_file}"
+    ## TODO: target only the latest relase
+    rpm --dbpath="${dbpath}" --checksig --verbose \
+      -- "${rpm_basename}"*"${rpm_suffix}"
+  fi
+}
+
 case "${1-}" in
-  ""|-*) usage;;
+  -h|--?help) usage;;
 esac
 
-release=""
-case "${2-}" in
-  release) release="1";;
-  "") ;;
-  *) usage;;
-esac
-
-command -v dnf >/dev/null ||
-  { printf "Missing program: dnf\n" >&2; exit 1; }
-command -v rpmlint >/dev/null ||
-  { printf "Missing program: rpmlint\n" >&2; exit 1; }
-## command -v rpmdev-setuptree >/dev/null ||
-##   { printf "Missing program: rpmdev-setuptree\n" >&2; exit 1; }
-command -v rpmbuild >/dev/null ||
-  { printf "Missing program: rpmbuild\n" >&2; exit 1; }
-command -v git >/dev/null ||
-  { printf "Missing program: git\n" >&2; exit 1; }
+command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; }
 cd "$(git rev-parse --show-toplevel)" || exit 1
-
-project="${1}"
-spec_gen="./scripts/spec-gen.sh"
-spec_get="./scripts/spec-get.sh"
-group="$(${spec_get} "${project}" group)"
-spec="rpm_spec/${group}-${project}.spec"
-
-"${spec_gen}" "${project}"
-rpmlint "${spec}"
-
-if grep -q "^BuildRequires: " "${spec}"; then
-  sudo dnf build-dep "${spec}"
-fi
+./scripts/requires-program.sh dnf rpmlint rpmbuild rpmsign
+build_dir="${HOME}/rpmbuild"
 
 if command -v rpmdev-setuptree >/dev/null; then
   rpmdev-setuptree
 else
-  mkdir -p ~/rpmbuild/BUILD ~/rpmbuild/BUILDROOT ~/rpmbuild/RPMS
-  mkdir -p ~/rpmbuild/SOURCES ~/rpmbuild/SPECS ~/rpmbuild/SRPMS
+  mkdir -p \
+    "${build_dir}/BUILD" "${build_dir}/BUILDROOT" "${build_dir}/RPMS" \
+    "${build_dir}/SOURCES" "${build_dir}/SPECS" "${build_dir}/SRPMS"
 fi
 
-mkdir ~/rpmbuild/BUILD/"${group}-${project}"
-mkdir ~/rpmbuild/SOURCES/"${group}-${project}"
+key_id="$(git config --get user.signingKey)" || true
+spec_gen="./scripts/spec-gen.sh"
+spec_get="./scripts/spec-get.sh"
 
-cp -r "salt/${project}"/* ~/rpmbuild/BUILD/"${group}-${project}"/
-cp -r "salt/${project}"/* ~/rpmbuild/SOURCES/"${group}-${project}"/
-
-if test -n "${release}"; then
-  rpmbuild -ba --sign "${spec}"
-else
-  rpmbuild -ba "${spec}"
+if test -z "${1-}"; then
+  # shellcheck disable=SC2046
+  set -- $(find salt/ -mindepth 1 -maxdepth 1 -type d -printf '%f\n' \
+           | sort -d | tr "\n" " ")
 fi
+counter=0
+for p in "$@"; do
+  build_rpm "${p}"
+done