mirror of https://github.com/ben-grande/qusal.git (synced 2025-07-30 17:58:46 -04:00)
feat: build and sign RPM packages
Passing files to Dom0 is always dangerous:

- Passing a git repository is dangerous as it can have ignored modified files and signature verification will pass.
- Passing an archive is troublesome for updates.
- Passing an RPM package depends on the RPM verification to be correct, sometimes it is not.
- Passing an RPM repository definition is less troublesome for the user, as it is a small file to verify the contents and update mechanism is via the package manager. Trust in RPM verification is still required.

Many improvements were made to the build scripts:

- requires-program: Single function to check if program is installed;
- spec-get: Sort project names for the usage message;
- spec-get: Only running commands that are necessary;
- spec-get: Fix empty summary when readme has copyright header;
- spec-gen: Fix grep warning of escaped symbol;
- spec-build: Sign RPM and verify signature;
- spec-build: Only lint the first SPEC for faster runtime;
- yumrepo-gen: Generate a local yum repository with signed metadata;
- qubesbuilder-gen: Generate a .qubesbuilder based on tracked projects;
- release: Build, sign and push all RPMs to repository.

Goal is to be able to build with qubes-builderv2 Qubes Executor.

For: https://github.com/ben-grande/qusal/issues/37
parent 10200f609e
commit fc22726ee8
15 changed files with 339 additions and 115 deletions
@ -15,8 +15,8 @@ usage(){
## Get scriptlet command, else fail safe.
get_scriptlet(){
scriptlet="$1"
sed -n "/^<\!-- pkg:begin:${scriptlet} -->$/,/^<\!-- pkg:end:${scriptlet} -->$/p" "${readme}" \
| grep -v -e '^```\S*$' -e "^<\!-- " | sed "s/^sudo //" || echo "true"
sed -n "/^<\!-- pkg:begin:${scriptlet} -->$/,/^<\!-- pkg:end:${scriptlet} -->$/p" \
"${readme}" | sed '/^```.*/d;/^<\!-- pkg:/d;s/^sudo //' || echo "true"
}
get_spec(){
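Review bot: In get_scriptlet, the `|| echo "true"` fallback at the end of the pipeline only runs when the final sed exits non-zero, and sed exits 0 on empty input, so a README with no `pkg:begin:${scriptlet}` block yields empty output rather than `true` (unless pipefail is enabled outside the lines shown). Capture the pipeline output in a variable and print `true` when it is empty, so the "else fail safe" comment holds. The sed-only filter also differs from the grep stage it appears to replace: `/^```.*/d` drops any line that starts with three backticks, and `/^<\!-- pkg:/d` keeps other `<!-- ` comment lines that the pattern `^<\!-- ` would have removed, so such lines would now reach the scriptlet text; the commit message should say whether that is intended.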
@ -68,7 +68,7 @@ gen_spec(){
"${template}" | tee "${target}" >/dev/null
requires_key=""
for r in $(printf %s"${requires}" | tr " " "\n"); do
for r in $(printf %s"${requires}" | tr " " "\n" | sort -u); do
requires_key="${requires_key}\nRequires: ${group}-${r}"
done
sed -i "s/@REQUIRES@/${requires_key}/" "${target}" >/dev/null
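Review bot: `printf %s"${requires}"` in the `for r in` line places the variable inside the printf format string, so any `%` or backslash in a requirement name is interpreted as a format directive; use `printf '%s\n' "${requires}"` ahead of `tr` and `sort -u`. The resulting names are then interpolated into `sed -i "s/@REQUIRES@/${requires_key}/"`, where a `/` or `&` in a name would alter the substitution, so checking each `r` against an allowed character set before appending it would make both lines safe.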
@ -76,15 +76,19 @@ gen_spec(){
}
case "${1-}" in
""|-h|--?help) usage; exit 1;;
-h|--?help) usage; exit 1;;
esac
command -v git >/dev/null ||
{ printf "Missing program: git\n" >&2; exit 1; }
command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; }
cd "$(git rev-parse --show-toplevel)"
spec_get="./scripts/spec-get.sh"
if test -z "${1-}"; then
# shellcheck disable=SC2046
set -- $(find salt/ -mindepth 1 -maxdepth 1 -type d -printf '%f\n' \
| sort -d | tr "\n" " ")
fi
for p in "$@"; do
gen_spec "${p}"
done
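Review bot: The `-h|--?help` case pattern is a shell glob, where `?` matches exactly one character, so `--help` does not match it and falls through to `gen_spec "--help"`; write `-h|-help|--help` if the intent is an optional second dash. With the `""` alternative removed, an empty argument list is now filled by `set -- $(find salt/ ...)` under an SC2046 suppression, which word-splits and glob-expands the directory names; that is safe only while names under salt/ contain no whitespace or glob characters, so either state that assumption in a comment next to the shellcheck directive or iterate over `salt/*/` instead.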