mirror of
https://github.com/ben-grande/qusal.git
synced 2025-07-31 18:28:42 -04:00
feat: build and sign RPM packages
Passing files to Dom0 is always dangerous: - Passing a git repository is dangerous as it can have ignored modified files and signature verification will pass. - Passing an archive is troublesome for updates. - Passing an RPM package depends on the RPM verification to be correct, some times it is not. - Passing a RPM repository definition is less troublesome for the user, as it is a small file to verify the contents and update mechanism is via the package manager. Trust in RPM verification is still required. Many improvements were made to the build scripts: - requires-program: Single function to check if program is installed; - spec-get: Sort project names for the usage message; - spec-get: Only running commands that are necessary; - spec-get: Fix empty summary when readme has copyright header; - spec-gen: Fix grep warning of escaped symbol; - spec-build: Sign RPM and verify signature; - spec-build: Only lint the first SPEC for faster runtime; - yumrepo-gen: Generate a local yum repository with signed metadata; - qubesbuilder-gen: Generate a .qubesbuilder based on tracked projects; - release: Build, sign and push all RPMs to repository. Goal is to be able to build with qubes-builderv2 Qubes Executor. For: https://github.com/ben-grande/qusal/issues/37
This commit is contained in:
parent
10200f609e
commit
fc22726ee8
15 changed files with 339 additions and 115 deletions
|
@ -8,7 +8,8 @@
|
|||
set -eu
|
||||
|
||||
usage(){
|
||||
names="$(find salt/ -maxdepth 1 -type d | cut -d "/" -f2 | tr "\n" " ")"
|
||||
names="$(find salt/ -mindepth 1 -maxdepth 1 -type d -printf '%f\n' \
|
||||
| sort -d | tr "\n" " ")"
|
||||
echo "Usage: ${0##*/} <NAME> <KEY>"
|
||||
echo "Example: ${0##*/} qubes-builder description"
|
||||
echo "Names: ${names}"
|
||||
|
@ -28,29 +29,34 @@ block_max_chars(){
|
|||
|
||||
keys="name branch group file_roots requires vendor url version project project_dir changelog readme license_csv license description summary saltfiles"
|
||||
|
||||
name=""
|
||||
key=""
|
||||
case "${1-}" in
|
||||
"") usage; exit 1;;
|
||||
-h|--?help) usage; exit 0;;
|
||||
*) name="${1}"; shift;;
|
||||
esac
|
||||
case "${2-}" in
|
||||
case "${1-}" in
|
||||
"") usage; exit 1;;
|
||||
*) key="${1}"; shift;;
|
||||
esac
|
||||
if test -z "${key##* }"; then
|
||||
echo "Key is emtpy: ${key}" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
command -v reuse >/dev/null ||
|
||||
{ printf "Missing program: reuse\n" >&2; exit 1; }
|
||||
command -v git >/dev/null ||
|
||||
{ printf "Missing program: git\n" >&2; exit 1; }
|
||||
command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; }
|
||||
cd "$(git rev-parse --show-toplevel)" || exit 1
|
||||
./scripts/requires-program.sh reuse
|
||||
|
||||
if test "${key}" = "branch"; then
|
||||
branch="$(git branch --show-current)"
|
||||
fi
|
||||
|
||||
name="${1}"
|
||||
key="${2}"
|
||||
branch="$(git branch --show-current)"
|
||||
group="qusal"
|
||||
block_max_chars group "${group}" 70
|
||||
|
||||
file_roots="/srv/salt/${group}"
|
||||
vendor="Benjamin Grande"
|
||||
|
||||
url="https://github.com/ben-grande/qusal"
|
||||
version="1.0"
|
||||
|
||||
|
@ -68,51 +74,53 @@ if ! test -f "${readme}"; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
license_csv="$(reuse --root "${project_dir}" lint |
|
||||
awk -F ':' '/^* Used licenses:/{print $2}' | tr -d " ")"
|
||||
license="$(echo "$license_csv" | sed "s/,/ AND /g")"
|
||||
#license="$(reuse --root "${project_dir}" lint |
|
||||
# awk -F ':' '/^* Used licenses:/{print $2}' | sed "s|, | AND |g")"
|
||||
|
||||
## The problem with %autochangelog is that it will print logs of all projects
|
||||
## and we separate a project per directory.
|
||||
## The disadvantage of the changelog below is that it doesn't differentiate
|
||||
## commits per package release.
|
||||
changelog="$(TZ=UTC0 git log -n 50 --format=format:"* %cd %an <%ae> - %h%n- %s%n%n" --date=format:"%a %b %d %Y" -- "${project_dir}" | sed -re "s/^- +- */- /;/^$/d")"
|
||||
|
||||
#block_max_chars license "${license}" 70
|
||||
description="$(sed -n '/^## Description/,/^## /p' "${readme}" |
|
||||
sed '1d;$d' | sed "1{/^$/d}")"
|
||||
summary="$(sed -n '3p' "${readme}")"
|
||||
block_max_chars summary "${summary}" 70
|
||||
|
||||
saltfiles="$(find "${project_dir}" -maxdepth 1 -name "*.sls")"
|
||||
# shellcheck disable=SC2086
|
||||
if test -n "${saltfiles}"; then
|
||||
requires="$(sed -n '/^include:$/,/^\s*$/p' ${saltfiles} | sed "/^\s*- \./d;/{/d" | grep "^\s*- " | cut -d "." -f1 | sort -u | sed "s/- //")"
|
||||
if grep -qrn "{%-\? from \('\|\"\)utils" ${saltfiles}; then
|
||||
if test -n "${requires}"; then
|
||||
requires="${requires} utils"
|
||||
else
|
||||
requires="utils"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
requires=""
|
||||
if test "${key}" = "license" || test "${key}" = "license_csv"; then
|
||||
license_csv="$(reuse --root "${project_dir}" lint |
|
||||
awk -F ':' '/^* Used licenses:/{print $2}' | tr -d " ")"
|
||||
license="$(echo "${license_csv}" | sed "s/,/ AND /g")"
|
||||
fi
|
||||
requires_valid=""
|
||||
for r in $(printf %s"${requires}" | tr " " "\n"); do
|
||||
if ! test -d "salt/${r}"; then
|
||||
continue
|
||||
fi
|
||||
requires_valid="${requires_valid} ${r}"
|
||||
done
|
||||
requires="${requires_valid}"
|
||||
unset requires_valid
|
||||
|
||||
if test -z "${key}" || test "$(echo "${key}" | sed "s/ //g")" = ""; then
|
||||
echo "Key has no value: ${key}" >&2
|
||||
exit 1
|
||||
## The macro %autochangelog prints logs of all projects and we separate a
|
||||
## project per directory. The disadvantage of the changelog below is it
|
||||
# #doesn't differentiate commits per version and release, but per commit id.
|
||||
if test "${key}" = "changelog"; then
|
||||
changelog="$(TZ=UTC0 git log -n 50 --format=format:"* %cd %an <%ae> - %h%n- %s%n%n" --date=format:"%a %b %d %Y" -- "${project_dir}" | sed -re "s/^- +- */- /;/^$/d")"
|
||||
fi
|
||||
|
||||
if test "${key}" = "description"; then
|
||||
description="$(sed -n '/^## Description/,/^## /p' "${readme}" |
|
||||
sed '1d;$d' | sed "1{/^$/d}")"
|
||||
fi
|
||||
|
||||
if test "${key}" = "summary"; then
|
||||
summary="$(sed -n "/^# ${name}$/,/^## Table of Contents$/{/./!d;/^#/d;p}" "${readme}")"
|
||||
block_max_chars summary "${summary}" 70
|
||||
fi
|
||||
|
||||
if test "${key}" = "saltfiles" || test "${key}" = "requires"; then
|
||||
saltfiles="$(find "${project_dir}" -maxdepth 1 -name "*.sls")"
|
||||
# shellcheck disable=SC2086
|
||||
if test -n "${saltfiles}"; then
|
||||
requires="$(sed -n '/^include:$/,/^\s*$/p' ${saltfiles} | sed "/^\s*- \./d;/{/d" | grep "^\s*- " | cut -d "." -f1 | sort -u | sed "s/- //")"
|
||||
if grep -qrn "{%-\? from \('\|\"\)utils" ${saltfiles}; then
|
||||
if test -n "${requires}"; then
|
||||
requires="${requires} utils"
|
||||
else
|
||||
requires="utils"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
requires=""
|
||||
fi
|
||||
requires_valid=""
|
||||
for r in $(printf %s"${requires}" | tr " " "\n"); do
|
||||
if ! test -d "salt/${r}"; then
|
||||
continue
|
||||
fi
|
||||
requires_valid="${requires_valid} ${r}"
|
||||
done
|
||||
requires="${requires_valid}"
|
||||
unset requires_valid
|
||||
fi
|
||||
|
||||
case "${key}" in
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue