Added release verification script

Also implemented shasum verification and gpg signature verification
This commit is contained in:
Matt Keeler 2018-06-26 11:33:26 -04:00
parent 50f43fe247
commit 9651b9a1f9
3 changed files with 197 additions and 14 deletions

View File

@ -301,7 +301,6 @@ function check_release_one {
ret=1
fi
done
popd > /dev/null
for fname in "${expected_files[@]}"
do
@ -309,6 +308,24 @@ function check_release_one {
ret=1
done
if test $ret -eq 0
then
if ! shasum -c -s "${CONSUL_PKG_NAME}_${2}_SHA256SUMS"
then
err "ERROR: Failed SHA-256 hash verification"
shasum -c "${CONSUL_PKG_NAME}_${2}_SHA256SUMS"
ret=1
fi
fi
if test $ret -eq 0 && is_set "${3}"
then
if ! gpg --verify "${CONSUL_PKG_NAME}_${2}_SHA256SUMS.sig" "${CONSUL_PKG_NAME}_${2}_SHA256SUMS" > /dev/null 2>&1
then
err "ERROR: Failed GPG verification of SHA256SUMS signature"
ret=1
fi
fi
if test $ret -eq 0
then
@ -319,6 +336,8 @@ function check_release_one {
done
fi
popd > /dev/null
return $ret
}
@ -455,6 +474,7 @@ function build_release {
err "ERROR: Failed to build the ui"
return 1
fi
status "UI Built with Version: $(ui_version "${sdir}/pkg/web_ui/v2/index.html")"
status_stage "==> Building Static Assets for version ${vers}"
build_assetfs "${sdir}" "${GO_BUILD_TAG}"

View File

@ -251,6 +251,47 @@ function confirm_consul_info {
done
fi
if test "${ret}" -eq 0
then
local tfile="$(mktemp) -t "${CONSUL_PKG_NAME}_")"
if ! curl -o "${tfile}" "http://localhost:8500/ui/"
then
err "ERROR: Failed to curl http://localhost:8500/ui/"
return 1
fi
local ui_vers=$(ui_version "${tfile}")
if test $? -ne 0
then
err "ERROR: Failed to determine the ui version from the index.html file"
return 1
fi
status "UI Version: ${ui_vers}"
echo ""
local answer=""
while true
do
case "${answer}" in
[yY]* )
status "Consul UI Version Accepted"
break
;;
[nN]* )
err "Consul UI Version Rejected"
return 1
break
;;
* )
read -p "Is this Consul UI Version correct? [y/n]: " answer
;;
esac
done
fi
status "Requesting Consul to leave the cluster / shutdown"
"${consul_exe}" leave
wait ${consul_pid} > /dev/null 2>&1
@ -262,6 +303,49 @@ function extract_consul {
extract_consul_local "$1" "$2"
}
function verify_release_build {
# Arguments:
# $1 - Path to top level Consul source
# $2 - expected version (optional - will parse if empty)
#
# Returns:
# 0 - success
# * - failure
if ! test -d "$1"
then
err "ERROR: '$1' is not a directory. publish_release must be called with the path to the top level source as the first argument'"
return 1
fi
local sdir="$1"
local vers="$(get_version ${sdir} true false)"
if test -n "$2"
then
vers="$2"
fi
if test -z "${vers}"
then
err "Please specify a version (couldn't parse one from the source)."
return 1
fi
status_stage "==> Verifying release files"
check_release "${sdir}/pkg/dist" "${vers}" true || return 1
status_stage "==> Extracting Consul version for local system"
local consul_exe=$(extract_consul "${sdir}/pkg/dist" "${vers}") || return 1
# make sure to remove the temp file
trap "rm '${consul_exe}'" EXIT
status_stage "==> Confirming Consul Version"
confirm_consul_version "${consul_exe}" || return 1
status_stage "==> Confirming Consul Agent Info"
confirm_consul_info "${consul_exe}" || return 1
}
function publish_release {
# Arguments:
@ -300,19 +384,7 @@ function publish_release {
return 1
fi
status_stage "==> Verifying release files"
check_release "${sdir}/pkg/dist" "${vers}" true || return 1
status_stage "==> Extracting Consul version for local system"
local consul_exe=$(extract_consul "${sdir}/pkg/dist" "${vers}") || return 1
# make sure to remove the temp file
trap "rm '${consul_exe}'" EXIT
status_stage "==> Confirming Consul Version"
confirm_consul_version "${consul_exe}" || return 1
status_stage "==> Confirming Consul Agent Info"
confirm_consul_info "${consul_exe}" || return 1
verify_release_build "$1" "${vers}" || return 1
status_stage "==> Confirming Git is clean"
is_git_clean "$1" true || return 1

View File

@ -0,0 +1,91 @@
#!/bin/bash
SCRIPT_NAME="$(basename ${BASH_SOURCE[0]})"
pushd $(dirname ${BASH_SOURCE[0]}) > /dev/null
SCRIPT_DIR=$(pwd)
pushd ../.. > /dev/null
SOURCE_DIR=$(pwd)
popd > /dev/null
pushd ../functions > /dev/null
FN_DIR=$(pwd)
popd > /dev/null
popd > /dev/null
source "${SCRIPT_DIR}/functions.sh"
function usage {
cat <<-EOF
Usage: ${SCRIPT_NAME} [<options ...>]
Description:
This script will verify a Consul release build. It will check for prebuilt
files, verify shasums and gpg signatures as well as run some commands
and prompt for manual verification where required.
Options:
-s | --source DIR Path to source to build.
Defaults to "${SOURCE_DIR}"
-h | --help Print this help text.
EOF
}
function err_usage {
err "$1"
err ""
err "$(usage)"
}
function main {
declare sdir="${SOURCE_DIR}"
declare vers="$(parse_version true false)"
while test $# -gt 0
do
case "$1" in
-h | --help )
usage
return 0
;;
-s | --source )
if test -z "$2"
then
err_usage "ERROR: option -s/--source requires an argument"
return 1
fi
if ! test -d "$2"
then
err_usage "ERROR: '$2' is not a directory and not suitable for the value of -s/--source"
return 1
fi
sdir="$2"
shift 2
;;
-v | --version )
if test -z "$2"
then
err_usage "ERROR: option -v/--version requires an argument"
return 1
fi
vers="$2"
shift 2
;;
*)
err_usage "ERROR: Unknown argument: '$1'"
return 1
;;
esac
done
status_stage "=> Starting release verification for version: ${version}"
verify_release_build "${sdir}" "${vers}" || return 1
return 0
}
main "$@"
exit $?