fix: use detached signature for release

feat: sign released binaries
Fix panic when peer is not yet associated
2023-11-21 12:21:42 +01:00 · 2023-10-19 15:44:01 +02:00 · 2023-09-04 21:08:46 -06:00 · 2022-09-16 14:47:40 +02:00 · 2022-09-12 18:22:49 +02:00
6 changed files with 47 additions and 22 deletions
--- a/.env.dist
+++ b/.env.dist
@ -0,0 +1,2 @@
+GPG_SIGNING_KEY=
+ARCH_TARGETS='amd64 arm arm64 386'
--- a/.gitignore
+++ b/.gitignore
@ -3,4 +3,7 @@
 /bin
 /testdata
 /release
-/out
+/out
+/.mktools
+/tools
+/.env
--- a/13
+++ b/13
@ -25,19 +25,6 @@ pipeline {
                }
            }
        }
-        stage('Release') {
-            steps {
-                script {
-                    sh 'make tidy'
-                    sh 'ARCH_TARGETS="amd64 arm arm64 mipsle" make release'
-
-                    def attachments = sh(returnStdout: true, script: 'find release -maxdepth 1 -type f').split(' ')
-                    gitea.release('forge-jenkins', 'Cadoles', 'go-http-peering', [
-                        'attachments': attachments
-                    ])
-                }
-            }
-        }
    }

    post {
--- a/33
+++ b/33
@ -1,3 +1,5 @@
+SHELL := /bin/bash
+
 test:
 	go clean -testcache
 	go test -cover -v ./...
@ -5,8 +7,11 @@ test:
 watch:
 	go run -mod=readonly github.com/cortesi/modd/cmd/modd@latest

-release:
-	script/release
+release: tidy .env
+	( set -o allexport && source .env && set +o allexport && script/release )
+
+.env:
+	cp .env.dist .env

 tidy:
 	go mod tidy
@ -17,4 +22,26 @@ lint:
 bin/keygen:
 	CGO_ENABLED=0 go build -o bin/keygen ./cmd/keygen

-.PHONY: test lint doc sequence-diagram bin/keygen release
+.PHONY: test lint doc sequence-diagram bin/keygen release
+
+gitea-release: .mktools tools/gitea-release/bin/gitea-release.sh release
+	GITEA_RELEASE_PROJECT="go-http-peering" \
+		GITEA_RELEASE_ORG="Cadoles" \
+		GITEA_RELEASE_BASE_URL="https://forge.cadoles.com" \
+		GITEA_RELEASE_VERSION="$(MKT_PROJECT_VERSION)" \
+		GITEA_RELEASE_NAME="$(MKT_PROJECT_VERSION)" \
+		GITEA_RELEASE_COMMITISH_TARGET="$(GIT_VERSION)" \
+		GITEA_RELEASE_IS_DRAFT="false" \
+		GITEA_RELEASE_BODY="" \
+		GITEA_RELEASE_ATTACHMENTS="$$(find release -type f -name '*.tar.gz')" \
+		tools/gitea-release/bin/gitea-release.sh
+
+.PHONY: mktools
+mktools:
+	rm -rf .mktools
+	curl -k -q https://forge.cadoles.com/Cadoles/mktools/raw/branch/master/install.sh | $(SHELL)
+
+.mktools:
+	$(MAKE) mktools
+
+-include .mktools/*.mk
--- a/script/release
+++ b/script/release
@ -5,6 +5,8 @@ set -eo pipefail
 OS_TARGETS=(linux)
 ARCH_TARGETS=${ARCH_TARGETS:-amd64 mipsle}

+export GOMIPS=softfloat
+
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

 function build {
@ -29,10 +31,16 @@ function build {
    -o "$destdir/$name" \
    "$srcdir"

-  if [ ! -z "$(which upx)" ]; then
+  # Disable UPX compression for MIPS archs
+  # See https://github.com/upx/upx/issues/339
+  if [ ! -z "$(which upx)" ] && [[ ! "$arch" =~ "mips" ]]; then
    upx --best "$destdir/$name"
  fi

+  if [ ! -z "${GPG_SIGNING_KEY}" ]; then
+    echo "signing '$destdir/$name' with gpg key '$GPG_SIGNING_KEY'..."
+    gpg --sign --default-key "${GPG_SIGNING_KEY}" --detach-sign --output "$destdir/$name.sig" "$destdir/$name"
+  fi
 }

 function copy {
--- a/server/middleware.go
+++ b/server/middleware.go
@ -8,14 +8,13 @@ import (
 	"errors"
 	"io"
 	"io/ioutil"
+	"net/http"
 	"time"

 	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"

 	peering "forge.cadoles.com/Cadoles/go-http-peering"
 	jwt "github.com/dgrijalva/jwt-go"
-
-	"net/http"
 )

 const (
@ -38,7 +37,6 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)

 	middleware := func(next http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
-
 			serverToken := r.Header.Get(ServerTokenHeader)
 			if serverToken == "" {
 				sendError(w, http.StatusUnauthorized)
@ -77,6 +75,7 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 						return
 					}
 					sendError(w, http.StatusUnauthorized)
+					return
 				case ErrPeerRejected:
 					if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
 						logger.Printf("[ERROR] %s", err)
@ -115,7 +114,6 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 			r.Body = ioutil.NopCloser(bytes.NewBuffer(body))

 			next.ServeHTTP(w, r)
-
 		}
 		return http.HandlerFunc(fn)
 	}
Author	SHA1	Message	Date
William Petit	ced46bf6eb	fix: use detached signature for release Some checks reported warnings Cadoles/go-http-peering/pipeline/head This commit is unstable Details	2023-11-21 12:21:42 +01:00
William Petit	cf8f026574	feat: sign released binaries Some checks reported warnings Cadoles/go-http-peering/pipeline/head This commit is unstable Details	2023-10-19 15:44:01 +02:00
William Petit	891cfa7540	Fix panic when peer is not yet associated Some checks reported warnings Cadoles/go-http-peering/pipeline/head This commit is unstable Details	2023-09-04 21:08:46 -06:00
William Petit	d38f0be312	Use GOMIPS=softfloat by default and do not use UPX on mips targeted binaries Some checks reported warnings Cadoles/go-http-peering/pipeline/head This commit is unstable Details	2022-09-16 14:47:40 +02:00
wpetit	5be381d2b7	Disable upx compression for mips arch Some checks reported warnings Cadoles/go-http-peering/pipeline/head This commit is unstable Details	2022-09-12 18:22:49 +02:00