feat: build and sign RPM packages

Passing files to Dom0 is always dangerous:

- Passing a git repository is dangerous as it can have ignored modified
  files and signature verification will pass.
- Passing an archive is troublesome for updates.
- Passing an RPM package depends on the RPM verification to be correct,
  some times it is not.
- Passing a RPM repository definition is less troublesome for the user,
  as it is a small file to verify the contents and update mechanism is
  via the package manager. Trust in RPM verification is still required.

Many improvements were made to the build scripts:

- requires-program: Single function to check if program is installed;
- spec-get: Sort project names for the usage message;
- spec-get: Only running commands that are necessary;
- spec-get: Fix empty summary when readme has copyright header;
- spec-gen: Fix grep warning of escaped symbol;
- spec-build: Sign RPM and verify signature;
- spec-build: Only lint the first SPEC for faster runtime;
- yumrepo-gen: Generate a local yum repository with signed metadata;
- qubesbuilder-gen: Generate a .qubesbuilder based on tracked projects;
- release: Build, sign and push all RPMs to repository.

Goal is to be able to build with qubes-builderv2 Qubes Executor.

For: https://github.com/ben-grande/qusal/issues/37
This commit is contained in:
Ben Grande 2024-06-12 14:44:04 +02:00
parent 10200f609e
commit fc22726ee8
No known key found for this signature in database
GPG key ID: 00C64E14F51F9E56
15 changed files with 339 additions and 115 deletions

View file

@ -8,7 +8,8 @@
set -eu
usage(){
names="$(find salt/ -maxdepth 1 -type d | cut -d "/" -f2 | tr "\n" " ")"
names="$(find salt/ -mindepth 1 -maxdepth 1 -type d -printf '%f\n' \
| sort -d | tr "\n" " ")"
echo "Usage: ${0##*/} <NAME> <KEY>"
echo "Example: ${0##*/} qubes-builder description"
echo "Names: ${names}"
@ -28,29 +29,34 @@ block_max_chars(){
keys="name branch group file_roots requires vendor url version project project_dir changelog readme license_csv license description summary saltfiles"
name=""
key=""
case "${1-}" in
"") usage; exit 1;;
-h|--?help) usage; exit 0;;
*) name="${1}"; shift;;
esac
case "${2-}" in
case "${1-}" in
"") usage; exit 1;;
*) key="${1}"; shift;;
esac
if test -z "${key##* }"; then
echo "Key is emtpy: ${key}" >&2
exit 1
fi
command -v reuse >/dev/null ||
{ printf "Missing program: reuse\n" >&2; exit 1; }
command -v git >/dev/null ||
{ printf "Missing program: git\n" >&2; exit 1; }
command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; }
cd "$(git rev-parse --show-toplevel)" || exit 1
./scripts/requires-program.sh reuse
if test "${key}" = "branch"; then
branch="$(git branch --show-current)"
fi
name="${1}"
key="${2}"
branch="$(git branch --show-current)"
group="qusal"
block_max_chars group "${group}" 70
file_roots="/srv/salt/${group}"
vendor="Benjamin Grande"
url="https://github.com/ben-grande/qusal"
version="1.0"
@ -68,51 +74,53 @@ if ! test -f "${readme}"; then
exit 1
fi
license_csv="$(reuse --root "${project_dir}" lint |
awk -F ':' '/^* Used licenses:/{print $2}' | tr -d " ")"
license="$(echo "$license_csv" | sed "s/,/ AND /g")"
#license="$(reuse --root "${project_dir}" lint |
# awk -F ':' '/^* Used licenses:/{print $2}' | sed "s|, | AND |g")"
## The problem with %autochangelog is that it will print logs of all projects
## and we separate a project per directory.
## The disadvantage of the changelog below is that it doesn't differentiate
## commits per package release.
changelog="$(TZ=UTC0 git log -n 50 --format=format:"* %cd %an <%ae> - %h%n- %s%n%n" --date=format:"%a %b %d %Y" -- "${project_dir}" | sed -re "s/^- +- */- /;/^$/d")"
#block_max_chars license "${license}" 70
description="$(sed -n '/^## Description/,/^## /p' "${readme}" |
sed '1d;$d' | sed "1{/^$/d}")"
summary="$(sed -n '3p' "${readme}")"
block_max_chars summary "${summary}" 70
saltfiles="$(find "${project_dir}" -maxdepth 1 -name "*.sls")"
# shellcheck disable=SC2086
if test -n "${saltfiles}"; then
requires="$(sed -n '/^include:$/,/^\s*$/p' ${saltfiles} | sed "/^\s*- \./d;/{/d" | grep "^\s*- " | cut -d "." -f1 | sort -u | sed "s/- //")"
if grep -qrn "{%-\? from \('\|\"\)utils" ${saltfiles}; then
if test -n "${requires}"; then
requires="${requires} utils"
else
requires="utils"
fi
fi
else
requires=""
if test "${key}" = "license" || test "${key}" = "license_csv"; then
license_csv="$(reuse --root "${project_dir}" lint |
awk -F ':' '/^* Used licenses:/{print $2}' | tr -d " ")"
license="$(echo "${license_csv}" | sed "s/,/ AND /g")"
fi
requires_valid=""
for r in $(printf %s"${requires}" | tr " " "\n"); do
if ! test -d "salt/${r}"; then
continue
fi
requires_valid="${requires_valid} ${r}"
done
requires="${requires_valid}"
unset requires_valid
if test -z "${key}" || test "$(echo "${key}" | sed "s/ //g")" = ""; then
echo "Key has no value: ${key}" >&2
exit 1
## The macro %autochangelog prints logs of all projects and we separate a
## project per directory. The disadvantage of the changelog below is it
# #doesn't differentiate commits per version and release, but per commit id.
if test "${key}" = "changelog"; then
changelog="$(TZ=UTC0 git log -n 50 --format=format:"* %cd %an <%ae> - %h%n- %s%n%n" --date=format:"%a %b %d %Y" -- "${project_dir}" | sed -re "s/^- +- */- /;/^$/d")"
fi
if test "${key}" = "description"; then
description="$(sed -n '/^## Description/,/^## /p' "${readme}" |
sed '1d;$d' | sed "1{/^$/d}")"
fi
if test "${key}" = "summary"; then
summary="$(sed -n "/^# ${name}$/,/^## Table of Contents$/{/./!d;/^#/d;p}" "${readme}")"
block_max_chars summary "${summary}" 70
fi
if test "${key}" = "saltfiles" || test "${key}" = "requires"; then
saltfiles="$(find "${project_dir}" -maxdepth 1 -name "*.sls")"
# shellcheck disable=SC2086
if test -n "${saltfiles}"; then
requires="$(sed -n '/^include:$/,/^\s*$/p' ${saltfiles} | sed "/^\s*- \./d;/{/d" | grep "^\s*- " | cut -d "." -f1 | sort -u | sed "s/- //")"
if grep -qrn "{%-\? from \('\|\"\)utils" ${saltfiles}; then
if test -n "${requires}"; then
requires="${requires} utils"
else
requires="utils"
fi
fi
else
requires=""
fi
requires_valid=""
for r in $(printf %s"${requires}" | tr " " "\n"); do
if ! test -d "salt/${r}"; then
continue
fi
requires_valid="${requires_valid} ${r}"
done
requires="${requires_valid}"
unset requires_valid
fi
case "${key}" in