mirror of
https://github.com/certbot/certbot.git
synced 2026-06-03 22:08:07 -04:00
Remove modifications to certbot-auto from the release script (#8797)
Fixes #8707. * Remove modifications to certbot-auto from the release script * Update tools/_release.sh * Delete tools/eff-pubkey.pem Co-authored-by: Brad Warren <bmw@users.noreply.github.com>
This commit is contained in:
ohemorange
GitHub
parent
e4f5aced1c
commit
32247b3c89
2 changed files with 7 additions and 74 deletions
|
|
@ -30,9 +30,6 @@ echo Releasing production version "$version"...
|
|||
nextversion="$2"
|
||||
RELEASE_BRANCH="candidate-$version"
|
||||
|
||||
if [ "$RELEASE_OPENSSL_PUBKEY" = "" ] ; then
|
||||
RELEASE_OPENSSL_PUBKEY="`realpath \`dirname $0\``/eff-pubkey.pem"
|
||||
fi
|
||||
RELEASE_GPG_KEY=${RELEASE_GPG_KEY:-A2CFB51FA275A7286234E7B24D17C995CD9775F2}
|
||||
# Needed to fix problems with git signatures and pinentry
|
||||
export GPG_TTY=$(tty)
|
||||
|
|
@ -40,14 +37,13 @@ export GPG_TTY=$(tty)
|
|||
# port for a local Python Package Index (used in testing)
|
||||
PORT=${PORT:-1234}
|
||||
|
||||
# subpackages to be released (the way developers think about them)
|
||||
SUBPKGS_IN_AUTO_NO_CERTBOT="acme certbot-apache certbot-nginx"
|
||||
SUBPKGS_NOT_IN_AUTO="certbot-dns-cloudflare certbot-dns-cloudxns certbot-dns-digitalocean certbot-dns-dnsimple certbot-dns-dnsmadeeasy certbot-dns-gehirn certbot-dns-google certbot-dns-linode certbot-dns-luadns certbot-dns-nsone certbot-dns-ovh certbot-dns-rfc2136 certbot-dns-route53 certbot-dns-sakuracloud"
|
||||
|
||||
# subpackages to be released (the way the script thinks about them)
|
||||
SUBPKGS_IN_AUTO="certbot $SUBPKGS_IN_AUTO_NO_CERTBOT"
|
||||
SUBPKGS_NO_CERTBOT="$SUBPKGS_IN_AUTO_NO_CERTBOT $SUBPKGS_NOT_IN_AUTO"
|
||||
SUBPKGS="$SUBPKGS_IN_AUTO $SUBPKGS_NOT_IN_AUTO"
|
||||
SUBPKGS_NO_CERTBOT="acme certbot-apache certbot-nginx certbot-dns-cloudflare certbot-dns-cloudxns \
|
||||
certbot-dns-digitalocean certbot-dns-dnsimple certbot-dns-dnsmadeeasy \
|
||||
certbot-dns-gehirn certbot-dns-google certbot-dns-linode certbot-dns-luadns \
|
||||
certbot-dns-nsone certbot-dns-ovh certbot-dns-rfc2136 certbot-dns-route53 \
|
||||
certbot-dns-sakuracloud"
|
||||
SUBPKGS="certbot $SUBPKGS_NO_CERTBOT"
|
||||
# certbot_compatibility_test is not packaged because:
|
||||
# - it is not meant to be used by anyone else than Certbot devs
|
||||
# - it causes problems when running pytest - the latter tries to
|
||||
|
|
@ -198,60 +194,10 @@ for module in $SUBPKGS ; do
|
|||
# use an empty configuration file rather than the one in the repo root
|
||||
pytest -c <(echo '') $module
|
||||
done
|
||||
|
||||
# pin pip hashes of the things we just built
|
||||
for pkg in $SUBPKGS_IN_AUTO ; do
|
||||
echo $pkg==$version \\
|
||||
pip hash dist."$version/$pkg"/*.{whl,gz} | grep "^--hash" | python -c 'from sys import stdin; input = stdin.read(); print(" ", input.replace("\n--hash", " \\\n --hash"), end="")'
|
||||
done > letsencrypt-auto-source/pieces/certbot-requirements.txt
|
||||
deactivate
|
||||
|
||||
# there should be one requirement specifier and two hashes for each subpackage
|
||||
expected_count=$(expr $(echo $SUBPKGS_IN_AUTO | wc -w) \* 3)
|
||||
if ! wc -l letsencrypt-auto-source/pieces/certbot-requirements.txt | grep -qE "^\s*$expected_count " ; then
|
||||
echo Unexpected pip hash output
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# ensure we have the latest built version of leauto
|
||||
letsencrypt-auto-source/build.py
|
||||
|
||||
# Now we have to sign the built version of leauto.
|
||||
SignLEAuto() {
|
||||
yubico-piv-tool -a verify-pin --sign -s 9c -i letsencrypt-auto-source/letsencrypt-auto -o letsencrypt-auto-source/letsencrypt-auto.sig
|
||||
}
|
||||
|
||||
# Loop until letsencrypt-auto is signed correctly.
|
||||
SignLEAuto || true
|
||||
while ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \
|
||||
letsencrypt-auto-source/letsencrypt-auto.sig \
|
||||
letsencrypt-auto-source/letsencrypt-auto ; do
|
||||
echo "The signature on letsencrypt-auto is not correct."
|
||||
read -p "Would you like this script to try and sign it again [Y/n]?" response
|
||||
case $response in
|
||||
[yY][eE][sS]|[yY]|"")
|
||||
SignLEAuto || true;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
# This signature is not quite as strong, but easier for people to verify out of band
|
||||
while ! gpg2 -u "$RELEASE_GPG_KEY" --detach-sign --armor --sign --digest-algo sha256 letsencrypt-auto-source/letsencrypt-auto; do
|
||||
echo "Unable to sign letsencrypt-auto using $RELEASE_KEY."
|
||||
echo "Make sure your OpenPGP card is in your computer if you are using one."
|
||||
echo "You may need to take the card out and put it back in again."
|
||||
read -p "Press enter to try signing again."
|
||||
done
|
||||
# We can't rename the openssl letsencrypt-auto.sig for compatibility reasons,
|
||||
# but we can use the right name for certbot-auto.asc from day one
|
||||
mv letsencrypt-auto-source/letsencrypt-auto.asc letsencrypt-auto-source/certbot-auto.asc
|
||||
|
||||
# copy leauto to the root, overwriting the previous release version
|
||||
cp -p letsencrypt-auto-source/letsencrypt-auto certbot-auto
|
||||
cp -p letsencrypt-auto-source/letsencrypt-auto letsencrypt-auto
|
||||
|
||||
git add certbot-auto letsencrypt-auto letsencrypt-auto-source certbot/docs/cli-help.txt
|
||||
git add certbot/docs/cli-help.txt
|
||||
while ! git commit --gpg-sign="$RELEASE_GPG_KEY" -m "Release $version"; do
|
||||
echo "Unable to sign the release commit using git."
|
||||
echo "You may have to configure git to use gpg2 by running:"
|
||||
|
|
@ -283,15 +229,11 @@ git commit -m "Add contents to certbot/CHANGELOG.md for next version"
|
|||
|
||||
echo "New root: $root"
|
||||
echo "Test commands (in the letstest repo):"
|
||||
echo 'python multitester.py auto_targets.yaml $AWS_KEY $USERNAME scripts/test_leauto_upgrades.sh --alt_pip $YOUR_PIP_REPO --branch public-beta'
|
||||
echo 'python multitester.py auto_targets.yaml $AWK_KEY $USERNAME scripts/test_letsencrypt_auto_certonly_standalone.sh --branch candidate-0.1.1'
|
||||
echo 'python multitester.py --saveinstances targets.yaml $AWS_KEY $USERNAME scripts/test_apache2.sh'
|
||||
echo "In order to upload packages run the following command:"
|
||||
echo twine upload "$root/dist.$version/*/*"
|
||||
|
||||
if [ "$RELEASE_BRANCH" = candidate-"$version" ] ; then
|
||||
SetVersion "$nextversion".dev0
|
||||
letsencrypt-auto-source/build.py
|
||||
git add letsencrypt-auto-source/letsencrypt-auto
|
||||
git commit -m "Bump version to $nextversion"
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -1,9 +0,0 @@
|
|||
-----BEGIN PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbq
|
||||
OzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18
|
||||
xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp
|
||||
9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiij
|
||||
n9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XH
|
||||
cXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+
|
||||
CQIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
Loading…
Reference in a new issue