Verifies release candidates for openwhisk
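#!/bin/bash
# This script will download the release candidate artifacts and verify
# they are properly signed and authentic. The script assumes you have
# curl, git, python and gpg already installed and that your gpg is trusted.
#
# Usage: $0 NAME DESCRIPTION VERSION [RC]
# Environment: DL=0 skips the artifact download, IMPORT=0 skips the key import.
# Every check prints passed/failed and the script keeps going, so read the
# whole report rather than relying on the exit status.

# the location providing the distribution
DIST=https://dist.apache.org/repos/dist/dev/incubator/openwhisk
# the artifact being released
NAME=${1?"missing artifact name e.g., openwhisk-client-js"}
# the name of the podling (to match what is in the disclaimer file)
DESCRIPTION=${2?"missing podling description e.g., 'OpenWhisk JavaScript Client Library'"}
# the version of the release artifact
V=${3?"missing version e.g., '3.19.0'"}
# the release candidate, usually 'rc1'
RC=${4:-rc1}
# set to non-zero to download the artifacts to verify, this is the default
DL=${DL:-1}
# set to non-zero to import the release keys, this is the default
IMPORT=${IMPORT:-1}
# this is the constructed name of the artifact
BASE=incubator-$NAME-$V-incubating
TGZ=$NAME-$V-incubating-sources.tar.gz
# this is a constructed name for the keys file
KEYS=$RC-$V-KEYS
# the directory under DIST holding this release candidate
RC_URL=$DIST/apache-openwhisk-$V-incubating-$RC
DISCLAIMER="Apache $DESCRIPTION is an effort undergoing incubation at The Apache Software Foundation (ASF), sponsored by the Apache Incubator. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF."
NOTICE=$(cat << END
Apache $DESCRIPTION
Copyright 2016-2019 The Apache Software Foundation
This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
END
)
# scratch space; everything below is downloaded and unpacked here
DIR=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
#DIR=/var/folders/q9/s3th42s53d34ftd5wvcypybr0000gn/T/tmp.6t9xcMV8
echo working in the following directory:
echo "$(tput setaf 6)$DIR$(tput sgr0)"

#######################################
# Download one URL into a file.
# -f turns an HTTP error (e.g. a 404 for a mistyped version or rc) into a
# curl failure instead of silently saving the error page, which would
# otherwise only surface later as a confusing checksum/signature failure.
# Arguments: $1 - URL, $2 - destination path
# Returns:   curl's status
#######################################
fetch() {
  local url=$1 out=$2
  curl -fsS "$url" -o "$out" ||
    echo " $(tput setaf 1)failed to fetch $url$(tput sgr0)" >&2
}

if [ "$DL" -ne 0 ]; then
  echo "fetching $TGZ"
  fetch "$RC_URL/$TGZ" "$DIR/$TGZ"
  echo "fetching $TGZ.asc"
  fetch "$RC_URL/$TGZ.asc" "$DIR/$TGZ.asc"
  echo "fetching $TGZ.sha512"
  fetch "$RC_URL/$TGZ.sha512" "$DIR/$TGZ.sha512"
fi
if [ "$IMPORT" -ne 0 ]; then
  echo fetching release keys
  fetch "$DIST/KEYS" "$DIR/$KEYS"
  echo import keys
  # imported keys are not certified; gpg --verify below will still report
  # a good signature for them, so establish trust in KEYS out of band
  gpg --import "$DIR/$KEYS"
fi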
function validate() { | |
if [[ $1 == $2 ]]; then | |
echo " $(tput setaf 2)passed$(tput sgr0)" | |
else | |
printf " $(tput setaf 1)failed$(tput sgr0)" | |
if [[ $3 != "" ]]; then | |
echo " ($3)" | |
else | |
printf "\n" | |
fi | |
fi | |
} | |
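# Checksum and signature are checked before anything is unpacked so that a
# tampered or corrupted archive is reported before tar touches it.
printf "computing sha512 and validating..."
EXPECTED=$(cat "$DIR/$TGZ.sha512")
# run from DIR so the file name gpg prints matches the one recorded in the
# .sha512 file; the command is kept as an array (no eval) so a DIR or TGZ
# containing quotes or spaces cannot change what is executed
cmd=(gpg --print-md SHA512 "$TGZ")
printf -v CMD '%q ' "${cmd[@]}"
SHA=$(cd "$DIR" && "${cmd[@]}")
validate "$EXPECTED" "$SHA" "cd $(printf '%q' "$DIR") && $CMD"
printf "verifying asc..."
cmd=(gpg --verify "$DIR/$TGZ.asc" "$DIR/$TGZ")
printf -v CMD '%q ' "${cmd[@]}"
# gpg exits 0 for a good signature from an imported but uncertified key (it
# only warns), so "passed" means the signature matches a key in KEYS, not that
# the key itself has been verified to belong to the release manager
"${cmd[@]}" >/dev/null 2>&1
validate $? 0 "$CMD"
echo "unpacking tar ball"
tar zxf "$DIR/$TGZ" -C "$DIR"
echo "cloning scancode"
cd "$DIR" && git clone https://github.com/apache/incubator-openwhisk-utilities.git --depth 1
printf "verifying disclaimer..."
DTXT=$(cat "$DIR/$BASE/DISCLAIMER.txt")
validate "$DISCLAIMER" "$DTXT" "cat '$DIR/$BASE/DISCLAIMER.txt'"
printf "verifying notice..."
NTXT=$(cat "$DIR/$BASE/NOTICE.txt")
validate "$NOTICE" "$NTXT" "cat '$DIR/$BASE/NOTICE.txt'"
printf "verifying license..."
# fetched over https (plain http would let a network peer substitute the
# reference text the release is compared against); -f so a failed download
# is reported here instead of as a spurious diff
curl -fsS https://www.apache.org/licenses/LICENSE-2.0 -o "$DIR/LICENSE-2.0" ||
  echo " $(tput setaf 1)failed to fetch reference license$(tput sgr0)" >&2
## this is a more forgiving license check that allows for the copyright line to be filled out
#cmd=(diff "$DIR/$BASE/LICENSE.txt" "$DIR/LICENSE-2.0" -I '^ Copyright')
cmd=(diff "$DIR/$BASE/LICENSE.txt" "$DIR/LICENSE-2.0")
printf -v CMD '%q ' "${cmd[@]}"
"${cmd[@]}" >/dev/null
validate $? 0 "$CMD"
printf "verifying sources have proper headers..."
cmd=("$DIR/incubator-openwhisk-utilities/scancode/scanCode.py" --config "$DIR/incubator-openwhisk-utilities/scancode/ASF-Release.cfg" "$DIR/$BASE")
printf -v CMD '%q ' "${cmd[@]}"
"${cmd[@]}" >/dev/null 2>&1
validate $? 0 "$CMD"
printf "scanning for binaries..."
# world-executable regular files other than shell scripts and the gradle wrapper
EXE=$(find "$DIR/$BASE" -type f ! -name "*.sh" ! -name "gradlew" ! -name "gradlew.bat" -perm -001)
validate "$EXE" "" "$EXE"
printf "scanning for archives..."
# the -o alternatives must be grouped, otherwise -type f only applies to the
# first name and the others match directories too; '*.zip' needs its glob
EXE=$(find "$DIR/$BASE" -type f \( -name "*.tar" -o -name "*.tgz" -o -name "*.gz" -o -name "*.zip" -o -name "*.jar" \))
validate "$EXE" "" "$EXE"
printf "scanning for packages..."
# grouped for the same reason: both names must be restricted to directories
EXE=$(find "$DIR/$BASE" -type d \( -name "node_modules" -o -name ".gradle" \))
validate "$EXE" "" "$EXE"
echo "$(tput setaf 6)"
echo run the following command to remove the scratch space:
echo " rm -rf '$DIR'"
echo "$(tput sgr0)"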
Example of how to use this script.