248 lines
9.8 KiB
Bash
Executable File
248 lines
9.8 KiB
Bash
Executable File
#!/bin/bash -ex
|
|
|
|
[ -f ".publisher-defaults-deb" ] && source .publisher-defaults-deb
|
|
source $(dirname $(readlink -e $0))/functions/publish-functions.sh
|
|
source $(dirname $(readlink -e $0))/functions/locking.sh
|
|
|
|
main() {
|
|
local SIGN_STRING=""
|
|
if check-sigul "$SIGKEYID" "$SIGUL_USER" "$SIGUL_ADMIN_PASSWD" ; then
|
|
USE_SIGUL="true"
|
|
SIGN_STRING="true"
|
|
else
|
|
check-gpg && SIGN_STRING="true"
|
|
fi
|
|
|
|
## Download sources from worker
|
|
[ -d $TMP_DIR ] && rm -rf $TMP_DIR
|
|
mkdir -p $TMP_DIR
|
|
rsync -avPzt \
|
|
-e "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ${SSH_OPTS}" \
|
|
${SSH_USER}${BUILD_HOST}:${PKG_PATH}/ ${TMP_DIR}/ || error "Can't download packages"
|
|
|
|
## Resign source package
|
|
## FixMe: disabled for discussion: does it really need to sign
|
|
#[ -n "${SIGN_STRING}" ] && \
|
|
# for _dscfile in $(find ${TMP_DIR} -name "*.dsc") ; do
|
|
# debsign -pgpg --re-sign -k${SIGKEYID} ${_dscfile}
|
|
# done
|
|
|
|
# Create all repositories
|
|
|
|
# Paths
|
|
if [ -n "${CUSTOM_REPO_ID}" ] ; then
|
|
unset LP_BUG
|
|
REQUEST_NUM=${CUSTOM_REPO_ID}
|
|
fi
|
|
local URL_PREFIX=""
|
|
if [ "${GERRIT_CHANGE_STATUS}" = "NEW" ] ; then
|
|
REPO_BASE_PATH=${REPO_BASE_PATH}/${REPO_REQUEST_PATH_PREFIX}
|
|
URL_PREFIX=${REPO_REQUEST_PATH_PREFIX}
|
|
if [ -n "${LP_BUG}" ] ; then
|
|
REPO_BASE_PATH=${REPO_BASE_PATH}${LP_BUG}
|
|
URL_PREFIX=${URL_PREFIX}${LP_BUG}/
|
|
else
|
|
REPO_BASE_PATH=${REPO_BASE_PATH}${REQUEST_NUM}
|
|
URL_PREFIX=${URL_PREFIX}${REQUEST_NUM}/
|
|
fi
|
|
fi
|
|
|
|
# Repos
|
|
DEB_UPDATES_DIST_NAME=${DEB_UPDATES_DIST_NAME:-$EB_DIST_NAME}
|
|
DEB_PROPOSED_DIST_NAME=${DEB_PROPOSED_DIST_NAME:-$DEB_DIST_NAME}
|
|
DEB_SECURITY_DIST_NAME=${DEB_SECURITY_DIST_NAME:-$DEB_DIST_NAME}
|
|
DEB_HOLDBACK_DIST_NAME=${DEB_HOLDBACK_DIST_NAME:-$DEB_DIST_NAME}
|
|
DEB_HOTFIX_DIST_NAME=${DEB_HOTFIX_DIST_NAME:-hotfix}
|
|
DEB_UPDATES_COMPONENT=${DEB_UPDATES_COMPONENT:-$DEB_COMPONENT}
|
|
DEB_PROPOSED_COMPONENT=${DEB_PROPOSED_COMPONENT:-$DEB_COMPONENT}
|
|
DEB_SECURITY_COMPONENT=${DEB_SECURITY_COMPONENT:-$DEB_COMPONENT}
|
|
DEB_HOLDBACK_COMPONENT=${DEB_HOLDBACK_COMPONENT:-$DEB_COMPONENT}
|
|
DEB_HOTFIX_COMPONENT=${DEB_HOTFIX_COMPONENT:-$DEB_COMPONENT}
|
|
|
|
local LOCAL_REPO_PATH=${REPO_BASE_PATH}/${DEB_REPO_PATH}
|
|
local DBDIR="+b/db"
|
|
local CONFIGDIR="${LOCAL_REPO_PATH}/conf"
|
|
local DISTDIR="${LOCAL_REPO_PATH}/public/dists/"
|
|
local OUTDIR="+b/public/"
|
|
if [ ! -d "${CONFIGDIR}" ] ; then
|
|
mkdir -p ${CONFIGDIR}
|
|
job_lock ${CONFIGDIR}.lock wait 3600
|
|
for dist_name in ${DEB_DIST_NAME} ${DEB_PROPOSED_DIST_NAME} \
|
|
${DEB_UPDATES_DIST_NAME} ${DEB_SECURITY_DIST_NAME} \
|
|
${DEB_HOLDBACK_DIST_NAME} ${DEB_HOTFIX_DIST_NAME} ; do
|
|
cat >> ${CONFIGDIR}/distributions <<- EOF
|
|
Origin: ${ORIGIN}
|
|
Label: ${DEB_DIST_NAME}
|
|
Suite: ${dist_name}
|
|
Codename: ${dist_name}
|
|
Version: ${PRODUCT_VERSION}
|
|
Architectures: amd64 i386 source
|
|
Components: main restricted
|
|
UDebComponents: main restricted
|
|
Contents: . .gz .bz2
|
|
|
|
EOF
|
|
|
|
reprepro --basedir ${LOCAL_REPO_PATH} --dbdir ${DBDIR} \
|
|
--outdir ${OUTDIR} --distdir ${DISTDIR} --confdir ${CONFIGDIR} \
|
|
export ${dist_name}
|
|
# Fix Codename field
|
|
local release_file="${DISTDIR}/${dist_name}/Release"
|
|
sed "s|^Codename:.*$|Codename: ${DEB_DIST_NAME}|" \
|
|
-i ${release_file}
|
|
rm -f ${release_file}.gpg
|
|
# ReSign Release file
|
|
[ -n "${SIGN_STRING}" ] \
|
|
&& gpg --sign --local-user ${SIGKEYID} -ba \
|
|
-o ${release_file}.gpg ${release_file}
|
|
done
|
|
job_lock ${CONFIGDIR}.lock unset
|
|
fi
|
|
|
|
DEB_BASE_DIST_NAME=${DEB_DIST_NAME}
|
|
|
|
if [ "${IS_UPDATES}" = 'true' ] ; then
|
|
DEB_DIST_NAME=${DEB_PROPOSED_DIST_NAME}
|
|
DEB_COMPONENT=${DEB_PROPOSED_COMPONENT}
|
|
fi
|
|
if [ "${IS_HOLDBACK}" = 'true' ] ; then
|
|
DEB_DIST_NAME=${DEB_HOLDBACK_DIST_NAME}
|
|
DEB_COMPONENT=${DEB_HOLDBACK_COMPONENT}
|
|
fi
|
|
if [ "${IS_SECURITY}" = 'true' ] ; then
|
|
DEB_DIST_NAME=${DEB_SECURITY_DIST_NAME}
|
|
DEB_COMPONENT=${DEB_SECURITY_COMPONENT}
|
|
fi
|
|
if [ "${IS_HOTFIX}" = 'true' ] ; then
|
|
DEB_DIST_NAME=${DEB_HOTFIX_DIST_NAME}
|
|
DEB_COMPONENT=${DEB_HOTFIX_COMPONENT}
|
|
fi
|
|
|
|
[ -z "${DEB_COMPONENT}" ] && local DEB_COMPONENT=main
|
|
[ "${IS_RESTRICTED}" = 'true' ] && DEB_COMPONENT=restricted
|
|
|
|
local LOCAL_REPO_PATH=${REPO_BASE_PATH}/${DEB_REPO_PATH}
|
|
local CONFIGDIR="${LOCAL_REPO_PATH}/conf"
|
|
local DBDIR="+b/db"
|
|
local DISTDIR="${LOCAL_REPO_PATH}/public/dists/"
|
|
local OUTDIR="${LOCAL_REPO_PATH}/public/"
|
|
local REPREPRO_OPTS="--verbose --basedir ${LOCAL_REPO_PATH} --dbdir ${DBDIR} \
|
|
--outdir ${OUTDIR} --distdir ${DISTDIR} --confdir ${CONFIGDIR}"
|
|
local REPREPRO_COMP_OPTS="${REPREPRO_OPTS} --component ${DEB_COMPONENT}"
|
|
|
|
# Parse incoming files
|
|
local BINDEBLIST=""
|
|
local BINDEBNAMES=""
|
|
local BINUDEBLIST=""
|
|
local BINSRCLIST=""
|
|
for binary in ${TMP_DIR}/* ; do
|
|
case ${binary##*.} in
|
|
deb) BINDEBLIST="${BINDEBLIST} ${binary}"
|
|
BINDEBNAMES="${BINDEBNAMES} ${binary##*/}"
|
|
;;
|
|
udeb) BINUDEBLIST="${BINUDEBLIST} ${binary}" ;;
|
|
dsc) BINSRCLIST="${binary}" ;;
|
|
esac
|
|
done
|
|
|
|
job_lock ${CONFIGDIR}.lock wait 3600
|
|
|
|
local SRC_NAME=$(awk '/^Source:/ {print $2}' ${BINSRCLIST})
|
|
local NEW_VERSION=$(awk '/^Version:/ {print $2}' ${BINSRCLIST} | head -n 1)
|
|
local OLD_VERSION=$(reprepro ${REPREPRO_OPTS} --list-format '${version}\n' \
|
|
listfilter ${DEB_DIST_NAME} "Package (==${SRC_NAME})" | sort -u | head -n 1)
|
|
[ "${OLD_VERSION}" == "" ] && OLD_VERSION=none
|
|
|
|
# Remove existing packages for requests-on-review and downgrades
|
|
# TODO: Get rid of removing. Just increase version properly
|
|
if [ "${GERRIT_CHANGE_STATUS}" = "NEW" -o "$IS_DOWNGRADE" == "true" ] ; then
|
|
reprepro ${REPREPRO_OPTS} removesrc ${DEB_DIST_NAME} ${SRC_NAME} ${OLD_VERSION} || :
|
|
fi
|
|
# Add .deb binaries
|
|
if [ "${BINDEBLIST}" != "" ]; then
|
|
reprepro ${REPREPRO_COMP_OPTS} includedeb ${DEB_DIST_NAME} ${BINDEBLIST} \
|
|
|| error "Can't include packages"
|
|
fi
|
|
# Add .udeb binaries
|
|
if [ "${BINUDEBLIST}" != "" ]; then
|
|
reprepro ${REPREPRO_COMP_OPTS} includeudeb ${DEB_DIST_NAME} ${BINUDEBLIST} \
|
|
|| error "Can't include packages"
|
|
fi
|
|
|
|
# Replace sources
|
|
# TODO: Get rid of replacing. Just increase version properly
|
|
if [ "${BINSRCLIST}" != "" ]; then
|
|
for dist_name in ${DEB_BASE_DIST_NAME} ${DEB_PROPOSED_DIST_NAME} \
|
|
${DEB_UPDATES_DIST_NAME} ${DEB_SECURITY_DIST_NAME} \
|
|
${DEB_HOLDBACK_DIST_NAME} ; do
|
|
reprepro ${REPREPRO_COMP_OPTS} --architecture source \
|
|
remove ${dist_name} ${SRC_NAME} || :
|
|
# Fix Codename field and resign Release file if necessary
|
|
local _release_file=${DISTDIR}/${dist_name}/Release
|
|
local _inrelease_file=${DISTDIR}/${dist_name}/InRelease
|
|
if ! gpg --verify "${_release_file}.gpg" "$_release_file" &>/dev/null ; then
|
|
sed "s|^Codename:.*$|Codename: ${DEB_BASE_DIST_NAME}|" -i "$_release_file"
|
|
if [ "$USE_SIGUL" = "true" ] ; then
|
|
retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_USER" sign-data --armor -o "${_release_file}.gpg" "$SIGKEYID" "$_release_file"
|
|
retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_USER" sign-text -o "$_inrelease_file" "$SIGKEYID" "$_release_file"
|
|
else
|
|
gpg --sign --local-user "$SIGKEYID" -ba -o "${_release_file}.gpg" "$_release_file"
|
|
gpg --sign --local-user "$SIGKEYID" --clearsign -o "$_inrelease_file" "$_release_file"
|
|
fi
|
|
fi
|
|
done
|
|
reprepro ${REPREPRO_COMP_OPTS} includedsc ${DEB_DIST_NAME} ${BINSRCLIST} \
|
|
|| error "Can't include packages"
|
|
fi
|
|
# Cleanup files from previous version
|
|
[ "${OLD_VERSION}" != "${NEW_VERSION}" ] \
|
|
&& reprepro ${REPREPRO_OPTS} removesrc ${DEB_DIST_NAME} ${SRC_NAME} ${OLD_VERSION}
|
|
|
|
# Fix Codename field
|
|
local release_file="${DISTDIR}/${DEB_DIST_NAME}/Release"
|
|
local inrelease_file="${DISTDIR}/${DEB_DIST_NAME}/InRelease"
|
|
sed "s|^Codename:.*$|Codename: ${DEB_BASE_DIST_NAME}|" -i ${release_file}
|
|
|
|
# Resign Release file
|
|
rm -f "${release_file}.gpg" "$inrelease_file"
|
|
local pub_key_file="${LOCAL_REPO_PATH}/public/archive-${PROJECT_NAME}${PROJECT_VERSION}.key"
|
|
if [ -n "${SIGN_STRING}" ] ; then
|
|
[ ! -f "${pub_key_file}" ] && touch ${pub_key_file}
|
|
if [ "${USE_SIGUL}" = "true" ] ; then
|
|
retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_USER" sign-data --armor -o "${release_file}.gpg" "${SIGKEYID}" "${release_file}"
|
|
retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_USER" sign-text -o "$inrelease_file" "$SIGKEYID" "$release_file"
|
|
retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_ADMIN" get-public-key "${SIGKEYID}" > "${pub_key_file}.tmp"
|
|
else
|
|
gpg --sign --local-user "$SIGKEYID" -ba -o "${release_file}.gpg" "$release_file"
|
|
gpg --sign --local-user "$SIGKEYID" --clearsign -o "$inrelease_file" "$release_file"
|
|
gpg -o "${pub_key_file}.tmp" --armor --export "$SIGKEYID"
|
|
fi
|
|
if diff -q ${pub_key_file} ${pub_key_file}.tmp &>/dev/null ; then
|
|
rm ${pub_key_file}.tmp
|
|
else
|
|
mv ${pub_key_file}.tmp ${pub_key_file}
|
|
fi
|
|
else
|
|
rm -f ${pub_key_file}
|
|
fi
|
|
|
|
sync-repo ${OUTDIR} ${DEB_REPO_PATH} ${REPO_REQUEST_PATH_PREFIX} ${REQUEST_NUM} ${LP_BUG}
|
|
job_lock ${CONFIGDIR}.lock unset
|
|
|
|
rm -f ${WRK_DIR}/deb.publish.setenvfile
|
|
cat > ${WRK_DIR}/deb.publish.setenvfile<<-EOF
|
|
DEB_PUBLISH_SUCCEEDED=true
|
|
DEB_DISTRO=${DIST}
|
|
DEB_REPO_URL="http://${REMOTE_REPO_HOST}/${URL_PREFIX}${DEB_REPO_PATH} ${DEB_DIST_NAME} ${DEB_COMPONENT}"
|
|
DEB_PACKAGENAME=${SRC_NAME}
|
|
DEB_VERSION=${NEW_VERSION}
|
|
DEB_BINARIES=$(cat ${BINSRCLIST} | grep ^Binary | sed 's|^Binary:||; s| ||g')
|
|
DEB_CHANGE_REVISION=${GERRIT_PATCHSET_REVISION}
|
|
LP_BUG=${LP_BUG}
|
|
EOF
|
|
}
|
|
|
|
main "$@"
|
|
|
|
exit 0
|