incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lecharny <elecha...@gmail.com>
Subject Re: Mad signing and checksumming (Was: [VOTE] Release DeltaSpike 0.1-incubating)
Date Wed, 08 Feb 2012 12:15:37 GMT
On 2/8/12 11:41 AM, Jukka Zitting wrote:
> Hi,
>
> On Wed, Feb 8, 2012 at 3:06 AM, sebb<sebbaz@gmail.com>  wrote:
>> On 8 February 2012 01:44, Niall Pemberton<niall.pemberton@gmail.com>  wrote:
>>> A small but annoying nit: you've gone mad signing and creating
>> AFAIK, this is a known bug with Nexus and/or Maven.
> I know the problem with .asc.md5 and .asc.sha1 [1], but not the one
> with .asc.asc and .asc.asc.*. Is this a new generic issue, or just
> something specific to the DeltaSpike build?
We don't use anymore the Maven plugin to sign the package because of 
this problem (asc.asc etc)

Here is a shell script we use instead for Apache Directory, and you have 
to run it manually :

#!/bin/sh
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.

echo "PGP Key ID: "
read DEFAULT_KEY

echo "PGP Key Password: "
stty -echo
read PASSWORD
stty echo
echo ""

for FILE in $(find . -maxdepth 1 -not '(' -name "sign.sh" -or -name ".*" 
-or -name "*.md5" -or -name "*.sha1" -or -name "*.asc" ')' -and -type f) 
; do
     if [ -f "$FILE.asc" ]; then
         echo "Skipping: $FILE"
         continue
     fi

     echo "Signing: $FILE ... "

     # MD5
     if [ ! -f "$FILE.md5" ];
     then
         openssl md5 < "$FILE" | cut "-d " -f2 > "$FILE.md5"
         echo "  - Generated '$FILE.md5'"
     else
         echo "  - Skipped '$FILE.md5' (file already existing)"
     fi

     # SHA1
     if [ ! -f "$FILE.sha1" ];
     then
         gpg --default-key "$DEFAULT_KEY" --print-md SHA1 "$FILE" > 
"$FILE".sha1
         echo "  - Generated '$FILE.sha1'"
     else
         echo "  - Skipped '$FILE.sha1' (file already existing)"
     fi

     # ASC
     if [ ! -f "$FILE.asc" ];
     then
         echo "$PASSWORD" | gpg --default-key "$DEFAULT_KEY" 
--detach-sign --armor --no-tty --yes --passphrase-fd 0 "$FILE"
         echo "  - Generated '$FILE.asc'"
     else
         echo "  - Skipped '$FILE.asc' (file already existing)"
     fi
done


In Apache Directory Studio, we also use this script, but it's called 
from maven :

<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-antrun-plugin</artifactId>
<executions>
<execution>
<id>unzip-copy-files</id>
<phase>process-resources</phase>
<configuration>
<tasks>
<unzip dest="${project.build.directory}">
<fileset dir="${project.build.directory}" 
includes="ApacheDirectoryStudio-*.zip"/>
</unzip>
<copy 
file="${project.build.directory}/ApacheDirectoryStudio-macosx-x86-dmg-${version}/ApacheDirectoryStudio-macosx-x86-${version}.dmg"

todir="${release-dir}" />
<copy 
file="${project.build.directory}/ApacheDirectoryStudio-macosx-x86_64-dmg-${version}/ApacheDirectoryStudio-macosx-x86_64-${version}.dmg"

todir="${release-dir}" />
<copy 
file="${project.build.directory}/ApacheDirectoryStudio-win32-x86-exe-${version}/ApacheDirectoryStudio-win32-x86-${version}.exe"

todir="${release-dir}" />
<copy 
file="${project.build.directory}/ApacheDirectoryStudio-win32-x86_64-exe-${version}/ApacheDirectoryStudio-win32-x86_64-${version}.exe"

todir="${release-dir}" />
<copy todir="${release-dir}/updatesite">
<fileset 
dir="${project.build.directory}/ApacheDirectoryStudio-updatesite-${version}"/>
</copy>
<copy file="src/main/resources/sign.sh" todir="${release-dir}">
<filterset>
<filter token="gpg.keyname" value="${gpg.keyname}" />
<filter token="gpg.passphrase" value="${gpg.passphrase}" />
</filterset>
</copy>
</tasks>
</configuration>
<goals>
<goal>run</goal>
</goals>
</execution>


Ok, I can understand if it makes you puke...

I *wish* the bug is fixed in maven... All in all, it's *just* 4 years 
this issue is opened...


-- 
Regards,
Cordialement,
Emmanuel L├ęcharny
www.iktek.com


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message