gitian: Use the new bitcoin-detached-sigs git repo for OSX signatures

Rather than fetching a signature.tar.gz from somewhere on the net, instruct
Gitian to use a signature from a tag in the bitcoin-detached-sigs repository
which corresponds to the tag of the release being built.

This changes detached-sig-apply.sh to take a dirname rather than a tarball as
an argument, though detached-sig-create.sh still outputs a tarball for
convenience.
This commit is contained in:
Cory Fields 2015-06-10 13:59:41 -04:00
parent eba2f061a0
commit c110575a92
4 changed files with 11 additions and 11 deletions

View file

@ -8,10 +8,11 @@ packages:
- "libc6:i386" - "libc6:i386"
- "faketime" - "faketime"
reference_datetime: "2015-06-01 00:00:00" reference_datetime: "2015-06-01 00:00:00"
remotes: [] remotes:
- "url": "https://github.com/bitcoin/bitcoin-detached-sigs.git"
"dir": "signature"
files: files:
- "bitcoin-osx-unsigned.tar.gz" - "bitcoin-osx-unsigned.tar.gz"
- "signature.tar.gz"
script: | script: |
WRAP_DIR=$HOME/wrapped WRAP_DIR=$HOME/wrapped
mkdir -p ${WRAP_DIR} mkdir -p ${WRAP_DIR}
@ -32,6 +33,6 @@ script: |
SIGNED=bitcoin-osx-signed.dmg SIGNED=bitcoin-osx-signed.dmg
tar -xf ${UNSIGNED} tar -xf ${UNSIGNED}
./detached-sig-apply.sh ${UNSIGNED} signature.tar.gz ./detached-sig-apply.sh ${UNSIGNED} signature/osx
${WRAP_DIR}/genisoimage -no-cache-inodes -D -l -probe -V "Bitcoin-Core" -no-pad -r -apple -o uncompressed.dmg signed-app ${WRAP_DIR}/genisoimage -no-cache-inodes -D -l -probe -V "Bitcoin-Core" -no-pad -r -apple -o uncompressed.dmg signed-app
${WRAP_DIR}/dmg dmg uncompressed.dmg ${OUTDIR}/${SIGNED} ${WRAP_DIR}/dmg dmg uncompressed.dmg ${OUTDIR}/${SIGNED}

View file

@ -20,7 +20,7 @@ fi
rm -rf ${TEMPDIR} && mkdir -p ${TEMPDIR} rm -rf ${TEMPDIR} && mkdir -p ${TEMPDIR}
tar -C ${TEMPDIR} -xf ${UNSIGNED} tar -C ${TEMPDIR} -xf ${UNSIGNED}
tar -C ${TEMPDIR} -xf ${SIGNATURE} cp -rf "${SIGNATURE}"/* ${TEMPDIR}
if [ -z "${PAGESTUFF}" ]; then if [ -z "${PAGESTUFF}" ]; then
PAGESTUFF=${TEMPDIR}/pagestuff PAGESTUFF=${TEMPDIR}/pagestuff

View file

@ -7,6 +7,7 @@ CODESIGN=codesign
TEMPDIR=sign.temp TEMPDIR=sign.temp
TEMPLIST=${TEMPDIR}/signatures.txt TEMPLIST=${TEMPDIR}/signatures.txt
OUT=signature.tar.gz OUT=signature.tar.gz
OUTROOT=osx
if [ ! -n "$1" ]; then if [ ! -n "$1" ]; then
echo "usage: $0 <codesign args>" echo "usage: $0 <codesign args>"
@ -23,7 +24,7 @@ grep -v CodeResources < "${TEMPLIST}" | while read i; do
TARGETFILE="${BUNDLE}/`echo "${i}" | sed "s|.*${BUNDLE}/||"`" TARGETFILE="${BUNDLE}/`echo "${i}" | sed "s|.*${BUNDLE}/||"`"
SIZE=`pagestuff "$i" -p | tail -2 | grep size | sed 's/[^0-9]*//g'` SIZE=`pagestuff "$i" -p | tail -2 | grep size | sed 's/[^0-9]*//g'`
OFFSET=`pagestuff "$i" -p | tail -2 | grep offset | sed 's/[^0-9]*//g'` OFFSET=`pagestuff "$i" -p | tail -2 | grep offset | sed 's/[^0-9]*//g'`
SIGNFILE="${TEMPDIR}/${TARGETFILE}.sign" SIGNFILE="${TEMPDIR}/${OUTROOT}/${TARGETFILE}.sign"
DIRNAME="`dirname "${SIGNFILE}"`" DIRNAME="`dirname "${SIGNFILE}"`"
mkdir -p "${DIRNAME}" mkdir -p "${DIRNAME}"
echo "Adding detached signature for: ${TARGETFILE}. Size: ${SIZE}. Offset: ${OFFSET}" echo "Adding detached signature for: ${TARGETFILE}. Size: ${SIZE}. Offset: ${OFFSET}"
@ -32,7 +33,7 @@ done
grep CodeResources < "${TEMPLIST}" | while read i; do grep CodeResources < "${TEMPLIST}" | while read i; do
TARGETFILE="${BUNDLE}/`echo "${i}" | sed "s|.*${BUNDLE}/||"`" TARGETFILE="${BUNDLE}/`echo "${i}" | sed "s|.*${BUNDLE}/||"`"
RESOURCE="${TEMPDIR}/${TARGETFILE}" RESOURCE="${TEMPDIR}/${OUTROOT}/${TARGETFILE}"
DIRNAME="`dirname "${RESOURCE}"`" DIRNAME="`dirname "${RESOURCE}"`"
mkdir -p "${DIRNAME}" mkdir -p "${DIRNAME}"
echo "Adding resource for: "${TARGETFILE}"" echo "Adding resource for: "${TARGETFILE}""

View file

@ -92,15 +92,13 @@ Commit your signature to gitian.sigs:
popd popd
Wait for OSX detached signature: Wait for OSX detached signature:
Once the OSX build has 3 matching signatures, Gavin will sign it with the apple App-Store key. Once the OSX build has 3 matching signatures, it will be signed with the Apple App-Store key.
He will then upload a detached signature to be combined with the unsigned app to create a signed binary. A detached signature will then be committed to the bitcoin-detached-sigs repository, which can be combined with the unsigned app to create a signed binary.
Create the signed OSX binary: Create the signed OSX binary:
pushd ./gitian-builder pushd ./gitian-builder
# Fetch the signature as instructed by Gavin ./bin/gbuild -i --commit signature=v${VERSION} ../bitcoin/contrib/gitian-descriptors/gitian-osx-signer.yml
cp signature.tar.gz inputs/
./bin/gbuild -i ../bitcoin/contrib/gitian-descriptors/gitian-osx-signer.yml
./bin/gsign --signer $SIGNER --release ${VERSION}-osx-signed --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-osx-signer.yml ./bin/gsign --signer $SIGNER --release ${VERSION}-osx-signed --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-osx-signer.yml
mv build/out/bitcoin-osx-signed.dmg ../bitcoin-${VERSION}-osx.dmg mv build/out/bitcoin-osx-signed.dmg ../bitcoin-${VERSION}-osx.dmg
popd popd