5cac6013b7
In recent releases we've taken to making the actual release build (or rather, candidates for it) ahead of time so that we can do some slightly more thorough last-minute testing of the exact binaries that we're going to release to everyone. It's time I actually wrote that procedure down in the checklist, so that I remember what it is. In particular, we had the idea that we should not properly GPG-sign the release until the last moment, and use the presence of a set of full GPG signatures as a means of distinguishing the real release build from an RC that accidentally got out into the wild somehow. This checklist update formalises that too, and documents the method I used of ensuring the binaries weren't tampered with between RC building and release signing (by making a signature on just the sha512sums). I also include in this commit an extra command-line option to sign.sh to make that preliminary signature step more convenient.
#!/bin/sh

# Produce GPG signatures for a PuTTY release/snapshot directory in the
# layout delivered by Buildscr.
#
# Usage: sh sign.sh [-r] [-p] <builddir>
# e.g.   sh sign.sh putty      (probably in the build.out directory)
# or     sh sign.sh -r 0.60    (-r means use the release keys)
# or     sh sign.sh -p <dir>   (-p makes only one clearsigned copy of
#                               sha512sums, written beside <dir> as
#                               sha512sums-preliminary.gpg)

# Stop at the first failing command, so a failed gpg run ends the
# script instead of continuing with the remaining files.
set -e

# Key handed to "gpg -u". This is the default; -r replaces it.
# NOTE(review): both values in this script are 16-hex-digit key IDs,
# not full fingerprints. Pinning the full fingerprints would select
# the signing key less ambiguously - confirm against the keyring used.
keyname=EEF20295D15F7E8A

# "true" once -p has been seen.
preliminary=false

# Consume leading options; the first non-option word is left in $1
# for the rest of the script.
while [ "$#" -gt 0 ]; do
    case "$1" in
        -p) preliminary=true ;;
        -r) keyname=9DFE2648B43434E4 ;;
        -*)
            echo "Unknown option '$1'" >&2
            exit 1
            ;;
        *) break ;;
    esac
    shift
done

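# Sign one file unless its signature file is already present.
#
# Globals:   keyname (read) - key passed to "gpg -u"
# Arguments: $1 - gpg signing mode option (the callers in this script
#                 pass --detach-sign or --clearsign)
#            $2 - file to sign
#            $3 - path of the signature file to create
# Outputs:   one status line on stdout
# Returns:   0 if the signature already existed, otherwise gpg's status
sign() {
    # An existing signature is kept, so the script can be re-run after
    # it hit an error part way through. The check is existence only:
    # a file left by an earlier run is neither verified nor checked to
    # come from $keyname (for example a run without -r followed by a
    # run with -r). Report the skip explicitly instead of announcing a
    # signing operation that does not happen, and verify the published
    # signatures separately before release.
    if test -f "$3"; then
        echo "----- Skipping $2: $3 already exists (not re-signed, not verified)"
        return 0
    fi

    echo "----- Signing $2 with key '$keyname'"
    # NOTE(review): --load-extension=idea is kept unchanged from the
    # original command line; confirm the gpg in use still needs it.
    gpg --load-extension=idea "$1" -u "$keyname" -o "$3" "$2"
}
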
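# Refuse to run without a build directory. With an empty operand, cd
# is not reliably an error and may leave the script in the current
# directory, where it would go on to sign whatever matches there.
if [ -z "$1" ]; then
    echo "Usage: sh sign.sh [-r] [-p] <builddir>" >&2
    exit 1
fi

# All paths below are relative to the build directory.
cd "$1"
echo "===== Signing with key '$keyname'"

if [ "$preliminary" = true ]; then
    # Preliminary mode: one clearsigned copy of sha512sums, written
    # one level above the build directory. Per the commit message this
    # lets the release candidate binaries be checked for tampering
    # between RC building and release signing, while the absence of
    # the full signature set still marks the build as not yet released.
    sign --clearsign sha512sums ../sha512sums-preliminary.gpg
else
    # Full mode: a detached signature next to every deliverable.
    # No nullglob here: a pattern that matches nothing is passed on
    # literally, gpg is then expected to fail on the missing file, and
    # "set -e" stops the run - so an absent artefact is not silently
    # left unsigned.
    for i in putty*src.zip putty*.tar.gz \
             w32/*.exe w32/*.zip w32/*.msi \
             w64/*.exe w64/*.zip w64/*.msi \
             w32old/*.exe w32old/*.zip; do
        sign --detach-sign "$i" "$i.gpg"
    done

    # Clearsigned copies of each checksum list.
    for i in md5sums sha1sums sha256sums sha512sums; do
        sign --clearsign "$i" "$i.gpg"
    done
fi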