#!/bin/bash
# Script to create a software update that will be deployed to CryptoFaxPA
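set -euo pipefail

echo "Checking working copy..."
# The checkout must be pristine.
# git runs as a standalone assignment on purpose: inside an `if` condition
# `set -e` is suspended, so a failing `git status` (for example when run outside
# a repository) would be treated as a clean tree and the release would go ahead.
output=$(git status --porcelain)
if [ -n "$output" ]; then
  echo "release.sh must be run only a pristine checkout."
  echo
  echo "Unexpected contents:"
  git status --porcelain
  exit 1
fi

# Modules must be pristine. Exit if not:
# `go mod verify` returns non-zero when a downloaded dependency no longer
# matches its recorded hash, and `set -e` then aborts the release.
go mod verify >/dev/null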
# Build the binaries
# Both are cross-compiled for linux/arm (GOARM=7) and written straight into the
# overlay tree, which is the directory packaged later in this script.
# -ldflags="-s -w" drops the symbol table and debug information.
out_dir="$(pwd)/overlay/home/pi"
GOOS=linux GOARCH=arm GOARM=7 go build -ldflags="-s -w" -o "${out_dir}/client" "./client"
GOOS=linux GOARCH=arm GOARM=7 packr build -ldflags="-s -w" -o "${out_dir}/wificonf" "./wificonf"
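# Version metadata of the commit being released
VHASH=$(git log --pretty=format:'%h' -n1)   # abbreviated commit hash
VDATE=$(git log --pretty=format:'%ci' -n1)  # committer date, reused as the archive mtime

# Keyring holding the keys allowed to sign a release.
# MUST use explicitly-relative path: gpg looks up a keyring name without a
# slash in its own home directory instead of the current directory.
KEYRING="./overlay/home/pi/trusted.gpg"
ASSET_SWFAX="firmware.swfax"
GHAPI="https://api.github.com/repos/rasky/cryptofaxpa"

# Temporary files
# Normalise the directory first: TMPDIR is commonly set without a trailing
# slash, and concatenating it directly with the file name would then produce a
# sibling path (e.g. /var/tmprelease.sh.XXXX) outside the temp directory.
tmp_base=${TMPDIR:-/tmp}
tmp_base=${tmp_base%/}
tmp_template="${tmp_base}/$(basename "$0").XXXXXXXXXXXX"
TMP_SWFAX=$(mktemp "$tmp_template")
TMP_CURL=$(mktemp "$tmp_template")
# Remove both files on every exit path; TMP_CURL holds API responses.
trap 'rm -f "$TMP_SWFAX" "$TMP_CURL"' EXIT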
# Package release
echo "Creating release..."
# macOS gets gtar, everything else plain tar -- presumably because the
# --mode/--mtime/--owner/--group options below are GNU tar options (confirm).
if [[ "$(uname -s)" == Darwin* ]]; then
  TAR=gtar
else
  TAR=tar
fi

# Fixed mode, mtime (commit date) and owner/group keep the archive metadata
# independent of the machine doing the build. The tarball is piped straight
# into gpg, so only the signed form is ever written to disk.
tar_args=(
  --mode=a+rw --mtime="$VDATE" --owner=0 --group=0
  -C overlay --exclude=.KEEPME -cz .
)
"$TAR" "${tar_args[@]}" | gpg --quiet --sign > "$TMP_SWFAX"

# Verify the release was signed with a trusted key: only the keyring shipped in
# the overlay is consulted (--no-default-keyring) and no key is fetched from a
# keyserver (--no-auto-key-retrieve), so a signature from a key the devices do
# not carry is rejected here, before anything is uploaded.
verify_cmd=(
  gpg --no-default-keyring --no-auto-key-retrieve
  --keyring "$KEYRING" --verify "$TMP_SWFAX"
)
if ! "${verify_cmd[@]}"; then
  echo
  echo "FATAL: Cannot gpg-sign the release with a key which is not trusted"
  echo "(not present in $KEYRING)"
  exit 1
fi
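# Latest GitHub release ID
# `jq -r .id` prints the literal string "null" when the response carries no id
# (for example an API error object), which an empty-string test does not catch.
# Map a missing id to nothing and require a plain number, since the value is
# interpolated into the URLs of the authenticated requests that follow.
RELID=$(curl -s "$GHAPI/releases/latest" | jq -r '.id // empty')
if [[ ! "$RELID" =~ ^[0-9]+$ ]]; then
  echo "No release found on GitHub in the cryptofax repo (?)"
  exit 1
fi

# See if there's already a firmware there; a non-empty ASSETID is what the
# later deletion step acts on. The asset name is passed to jq with --arg
# instead of being spliced into the filter text.
ASSETID=$(curl -s "$GHAPI/releases/$RELID/assets" \
  | jq -r --arg name "$ASSET_SWFAX" '.[] | select(.name == $name) | .id')
if [[ -n "$ASSETID" && ! "$ASSETID" =~ ^[0-9]+$ ]]; then
  echo "Unexpected asset id returned by GitHub: $ASSETID"
  exit 1
fi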
# Upload the release to GitHub
# Credentials are prompted for interactively and live only in shell variables.
# NOTE(review): GitHub's REST API has moved from username/password basic auth
# to tokens -- confirm this login flow is still accepted.
# NOTE(review): `read` without IFS= trims leading/trailing whitespace from the
# entered values.
printf '%s' "Enter your GitHub username: "
read -r GH_USERNAME
printf '%s' "Enter your GitHub password: "
read -r -s GH_PASSWORD   # -s: do not echo the password to the terminal
echo                     # finish the line left open by the silent read
printf '%s' "Enter your GitHub 2FA OTP: "
read -r GH_2FA
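# Delete the firmware asset already attached to the release, if there is one.
if [ "$ASSETID" != "" ]; then
  echo "Removing previous asset from GitHub..."
  # Hand the credentials to curl as a config read from stdin (--config -)
  # instead of -u/-H arguments, so the password and OTP do not appear in the
  # process list. printf is a shell builtin, so they never reach any argv.
  # Backslashes and double quotes are escaped because the values are written
  # as quoted curl config strings.
  cfg_user="$GH_USERNAME:$GH_PASSWORD"
  cfg_user=${cfg_user//\\/\\\\}
  cfg_user=${cfg_user//\"/\\\"}
  cfg_otp=${GH_2FA//\\/\\\\}
  cfg_otp=${cfg_otp//\"/\\\"}
  HTTP_RES=$(printf 'user = "%s"\nheader = "X-GitHub-OTP: %s"\n' "$cfg_user" "$cfg_otp" \
    | curl -s -XDELETE \
        --config - \
        --write-out "%{http_code}" \
        -o "$TMP_CURL" \
        "$GHAPI/releases/assets/$ASSETID")
  unset cfg_user cfg_otp
  # Any status outside 2xx is a failure; show the API's response body.
  if [ "${HTTP_RES::1}" != "2" ]; then
    echo "Deletion failed: HTTP code = $HTTP_RES"
    cat "$TMP_CURL"
    exit 1
  fi
fi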
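echo "Uploading release asset to GitHub..."
# Credentials go to curl as a config read from stdin (--config -) instead of
# -u/-H arguments, so the password and OTP do not appear in the process list.
# Backslashes and double quotes are escaped because the values are written as
# quoted curl config strings. The payload itself is read from the signed temp
# file, so stdin is free for the config.
cfg_user="$GH_USERNAME:$GH_PASSWORD"
cfg_user=${cfg_user//\\/\\\\}
cfg_user=${cfg_user//\"/\\\"}
cfg_otp=${GH_2FA//\\/\\\\}
cfg_otp=${cfg_otp//\"/\\\"}
# VHASH is an abbreviated commit hash, so it is placed in the label unencoded.
HTTP_RES=$(printf 'user = "%s"\nheader = "X-GitHub-OTP: %s"\n' "$cfg_user" "$cfg_otp" \
  | curl -# -XPOST -H "Content-Type:application/octet-stream" \
      --config - \
      --data-binary "@$TMP_SWFAX" \
      --write-out "%{http_code}" \
      -o "$TMP_CURL" \
      "https://uploads.github.com/repos/rasky/cryptofaxpa/releases/$RELID/assets?name=$ASSET_SWFAX&label=Firmware%20built%20at%20$VHASH")
unset cfg_user cfg_otp
# Any status outside 2xx is a failure; show the API's response body.
if [ "${HTTP_RES::1}" != "2" ]; then
  echo "Upload failed: HTTP code = $HTTP_RES"
  cat "$TMP_CURL"
  exit 1
fi
echo "Release uploaded successfully"
echo "See the release here: https://github.com/rasky/cryptofaxpa/releases/latest"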