Browse Source

Verify PGP signatures on tarballs when deploying

pull/2974/head
Richard van der Hoff 6 years ago
parent
commit
d1fbbf90c0
  1. 35
      scripts/deploy.py
  2. 6
      scripts/redeploy.py

35
scripts/deploy.py

@ -10,8 +10,16 @@ from __future__ import print_function
import argparse
import os
import os.path
import subprocess
import sys
import tarfile
import urllib
try:
# python3
from urllib.request import urlretrieve
except ImportError:
# python2
from urllib import urlretrieve
class DeployException(Exception):
pass
@ -56,6 +64,7 @@ class Deployer:
self.bundles_path = None
self.should_clean = False
self.config_location = None
self.verify_signature = True
def deploy(self, tarball, extract_path):
"""Download a tarball if necessary, and unpack it
@ -65,9 +74,15 @@ class Deployer:
"""
print("Deploying %s to %s" % (tarball, extract_path))
name_str = os.path.basename(tarball).replace(".tar.gz", "")
extracted_dir = os.path.join(extract_path, name_str)
if os.path.exists(extracted_dir):
raise DeployException('Cannot unpack %s: %s already exists' % (
tarball, extracted_dir))
downloaded = False
if tarball.startswith("http://") or tarball.startswith("https://"):
tarball = self.download_file(tarball)
tarball = self.download_and_verify(tarball)
print("Downloaded file: %s" % tarball)
downloaded = True
@ -78,8 +93,6 @@ class Deployer:
if self.should_clean and downloaded:
os.remove(tarball)
name_str = os.path.basename(tarball).replace(".tar.gz", "")
extracted_dir = os.path.join(extract_path, name_str)
print ("Extracted into: %s" % extracted_dir)
if self.config_location:
@ -101,12 +114,24 @@ class Deployer:
)
return extracted_dir
def download_and_verify(self, url):
tarball = self.download_file(url)
if self.verify_signature:
sigfile = self.download_file(url + ".asc")
subprocess.check_call(["gpg", "--verify", sigfile, tarball])
return tarball
def download_file(self, url):
if not os.path.isdir(self.packages_path):
os.mkdir(self.packages_path)
local_filename = os.path.join(self.packages_path,
url.split('/')[-1])
urllib.urlretrieve(url, local_filename)
sys.stdout.write("Downloading %s -> %s..." % (url, local_filename))
sys.stdout.flush()
urlretrieve(url, local_filename)
print ("Done")
return local_filename
if __name__ == "__main__":

6
scripts/redeploy.py

@ -214,6 +214,12 @@ if __name__ == "__main__":
deployer.should_clean = args.clean
deployer.config_location = args.config
# we don't pgp-sign jenkins artifacts; instead we rely on HTTPS access to
# the jenkins server (and the jenkins server not being compromised and/or
# github not serving it compromised source). If that's not good enough for
# you, don't use riot.im/develop.
deployer.verify_signature = False
if args.tarball_uri is not None:
build_dir = os.path.join(arg_extract_path, "test-%i" % (time.time()))
deploy_tarball(args.tarball_uri, build_dir)

Loading…
Cancel
Save