-rwxr-xr-xdesktop/scripts/release/4-make-release81
-rwxr-xr-xdesktop/scripts/release/5-update-and-publish-metadata84
-rwxr-xr-xdesktop/scripts/release/download-release-artifacts57
3 files changed, 144 insertions, 78 deletions
diff --git a/desktop/scripts/release/4-make-release b/desktop/scripts/release/4-make-release
index aa713966ff..71f52a2acd 100755
--- a/desktop/scripts/release/4-make-release
+++ b/desktop/scripts/release/4-make-release
@@ -2,21 +2,16 @@
# This script downloads the build artifacts along with the signatures, verifies the signatures and
# creates a GitHub draft release. This should be run after `3-verify-build`.
-# This will also publish new version metadata
set -eu
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cd "$SCRIPT_DIR"
-if [ $# -lt 3 ]; then
+if [ $# -ne 1 ]; then
echo "Please provide the following arguments:"
echo " $(basename "$0") \\"
- echo " <product version> \\"
- echo " <build server SSH destination> \\"
- echo " <metadata server SSH destination>"
- echo ""
- echo "Note that the metadata server SSH destination is part of the rsync command executed on the build server and will be checked against the SSH config of build@\$buildserver_host."
+ echo " <product version>"
exit 1
fi
@@ -31,80 +26,12 @@ if ! gh auth status > /dev/null; then
fi
PRODUCT_VERSION=$1
-BUILDSERVER_HOST=$2
-CDN_HOST=$3
ARTIFACT_DIR="./artifacts"
-URL_BASE="https://releases.mullvad.net/desktop/releases"
rm -rf $ARTIFACT_DIR
mkdir -p $ARTIFACT_DIR
-function download_and_verify {
- # Find GnuPG command to use. Prefer gpg2
- gpg_cmd=$(command -v gpg2 || command -v gpg)
-
- for ext in .exe _arm64.exe _x64.exe _amd64.deb _arm64.deb _x86_64.rpm _aarch64.rpm .pkg; do
- pkg_filename="MullvadVPN-${PRODUCT_VERSION}${ext}"
- pkg_path="$ARTIFACT_DIR/$pkg_filename"
- url="$URL_BASE/$PRODUCT_VERSION/$pkg_filename"
- echo ">>> Downloading $pkg_filename - $url"
- curl -o "$pkg_path" --progress-bar --fail "$url"
- curl -o "$pkg_path.asc" --progress-bar --fail "$url.asc"
-
- echo ""
- echo ">>> Verifying integrity of $pkg_filename"
- if ! $gpg_cmd --verify "$pkg_path.asc" "$pkg_path"; then
- echo ""
- echo "!!! INTEGRITY CHECKING FAILED !!!"
- rm "$pkg_path" "$pkg_path.asc"
- exit 1
- fi
- echo ""
- echo "GOOD SIGNATURE FOR $pkg_filename"
- echo ""
- done
-}
-
-function publish_metadata {
- local platforms
- platforms=(windows macos linux)
- local signed_dir="signed/"
-
- rm -rf currently_published/
-
- echo ">>> Fetching current version metadata"
- meta pull --assume-yes "${platforms[@]}"
- echo ""
-
- echo ">>> Backing up released data"
- cp -r $signed_dir currently_published/
- echo ""
-
- echo ">>> Replacing work/ directory with latest published data"
- cp -rf signed/ work/
- echo ""
-
- echo ">>> Adding new release $$PRODUCT_VERSION (rollout = 1)"
- meta add-release "$PRODUCT_VERSION" "${platforms[@]}"
- echo ""
-
- echo ">>> Signing $PRODUCT_VERSION metadata"
- meta sign "${platforms[@]}"
- echo ""
-
- echo ">>> Verifying signed metadata"
- meta verify "${platforms[@]}"
- echo ""
-
- echo ">>> New metadata including $$PRODUCT_VERSION"
- git --no-pager diff --no-index -- currently_published/ $signed_dir || true
- echo ""
-
- read -rp "Press enter to upload if the diff looks good "
- ./publish-metadata-to-api $signed_dir "$BUILDSERVER_HOST" "$CDN_HOST"
-}
-
function publish_release {
echo ">>> Downloading changelog"
local changelog_path
@@ -158,7 +85,5 @@ function publish_release {
echo "The above URL contains the text \"untagged\", but don't worry it is tagged properly and everything will look correct once it's published."
}
-download_and_verify
-# TODO: Uncomment before releasing installer downloader
-# publish_metadata
+./download-release-artifacts "$PRODUCT_VERSION"
publish_release
diff --git a/desktop/scripts/release/5-update-and-publish-metadata b/desktop/scripts/release/5-update-and-publish-metadata
new file mode 100755
index 0000000000..b9bf9915ab
--- /dev/null
+++ b/desktop/scripts/release/5-update-and-publish-metadata
@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+
+# This script downloads the build artifacts along with the signatures, verifies the signatures and
+# publishes new version metadata to Mullvads API. This should be run after `4-make-release`.
+
+set -eu
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+cd "$SCRIPT_DIR"
+
+if [ $# -ne 3 ]; then
+ echo "Please provide the following arguments:"
+ echo " $(basename "$0") \\"
+ echo " <product version> \\"
+ echo " <build server SSH destination> \\"
+ echo " <metadata server SSH destination>"
+ echo ""
+ echo "Note that the metadata server SSH destination is part of the rsync command executed on the build server and will be checked against the SSH config of build@\$buildserver_host."
+ exit 1
+fi
+
+# Duplicated from /scripts/utils/gh-ready-check
+if ! command -v gh > /dev/null; then
+ echo "gh (GitHub CLI) is required to run this script"
+ exit 1
+fi
+if ! gh auth status > /dev/null; then
+ echo "Authentication through gh (GitHub CLI) is required to run this script"
+ exit 1
+fi
+
+PRODUCT_VERSION=$1
+BUILDSERVER_HOST=$2
+METADATA_SERVER_HOST=$3
+
+ARTIFACT_DIR="./artifacts"
+
+function publish_metadata {
+ local platforms
+ platforms=(windows macos linux)
+ local signed_dir="signed/"
+
+ rm -rf currently_published/
+
+ echo ">>> Fetching current version metadata"
+ meta pull --assume-yes "${platforms[@]}"
+ echo ""
+
+ echo ">>> Backing up released data"
+ cp -r $signed_dir currently_published/
+ echo ""
+
+ echo ">>> Replacing work/ directory with latest published data"
+ cp -rf signed/ work/
+ echo ""
+
+ echo ">>> Adding new release $PRODUCT_VERSION (rollout = 1)"
+ meta add-release "$PRODUCT_VERSION" "${platforms[@]}" 1
+ echo ""
+
+ echo ">>> Signing $PRODUCT_VERSION metadata"
+ meta sign "${platforms[@]}"
+ echo ""
+
+ echo ">>> Verifying signed metadata"
+ meta verify "${platforms[@]}"
+ echo ""
+
+ echo ">>> New metadata including $$PRODUCT_VERSION"
+ git --no-pager diff --no-index -- currently_published/ $signed_dir || true
+ echo ""
+
+ read -rp "Press enter to upload if the diff looks good "
+ ./publish-metadata-to-api $signed_dir "$BUILDSERVER_HOST" "$METADATA_SERVER_HOST"
+}
+
+function remove_release_artifacts {
+ echo ">>> Cleaning up $ARTIFACT_DIR"
+ rm -r "$ARTIFACT_DIR"
+}
+
+./download-release-artifacts "$PRODUCT_VERSION"
+publish_metadata
+remove_release_artifacts
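Review bot: The banner `echo ">>> New metadata including $$PRODUCT_VERSION"` in `publish_metadata` still uses `$$`, which expands to the shell's PID followed by the literal text `PRODUCT_VERSION`. The operator therefore sees a number rather than the version immediately before being asked to approve the upload. The "Adding new release" line was corrected in this new file but this one was carried over unchanged; it should read `echo ">>> New metadata including $PRODUCT_VERSION"`. Separately, nothing in the visible script calls `gh`, so the copied `gh auth status` precondition looks unnecessary here unless `./publish-metadata-to-api` depends on it, which this diff does not show.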
diff --git a/desktop/scripts/release/download-release-artifacts b/desktop/scripts/release/download-release-artifacts
new file mode 100755
index 0000000000..b6444cbd66
--- /dev/null
+++ b/desktop/scripts/release/download-release-artifacts
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+# This script downloads the build artifacts along with the signatures, and verifies them.
+
+set -eu
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+cd "$SCRIPT_DIR"
+
+if [ $# -ne 1 ]; then
+ echo "Please provide the following arguments:"
+ echo " $(basename "$0") \\"
+ echo " <product version>"
+ exit 1
+fi
+
+PRODUCT_VERSION=$1
+
+ARTIFACT_DIR="./artifacts"
+URL_BASE="https://releases.mullvad.net/desktop/releases"
+
+mkdir -p $ARTIFACT_DIR
+
+# Find GnuPG command to use. Prefer gpg2
+gpg_cmd=$(command -v gpg2 || command -v gpg)
+
+for ext in .exe _arm64.exe _x64.exe _amd64.deb _arm64.deb _x86_64.rpm _aarch64.rpm .pkg; do
+ pkg_filename="MullvadVPN-${PRODUCT_VERSION}${ext}"
+ pkg_path="$ARTIFACT_DIR/$pkg_filename"
+ url="$URL_BASE/$PRODUCT_VERSION/$pkg_filename"
+
+ if [ -f "$pkg_path" ]; then
+ echo ">>> Using existing file: $pkg_filename"
+ else
+ echo ">>> Downloading $pkg_filename - $url"
+ curl -o "$pkg_path" --progress-bar --fail "$url"
+ fi
+
+ if [ -f "$pkg_path.asc" ]; then
+ echo ">>> Using existing file: $pkg_filename.asc"
+ else
+ echo ">>> Downloading $pkg_filename.asc - $url.asc"
+ curl -o "$pkg_path.asc" --progress-bar --fail "$url.asc"
+ fi
+
+ echo ""
+ echo ">>> Verifying integrity of $pkg_filename"
+ if ! $gpg_cmd --verify "$pkg_path.asc" "$pkg_path"; then
+ echo ""
+ echo "!!! INTEGRITY CHECKING FAILED !!!"
+ rm "$pkg_path" "$pkg_path.asc"
+ exit 1
+ fi
+ echo ""
+ echo "GOOD SIGNATURE FOR $pkg_filename"
+ echo ""
+done
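Review bot: The check `$gpg_cmd --verify "$pkg_path.asc" "$pkg_path"` succeeds for a good signature from any public key in the operator's default keyring, so a pass does not by itself show that the artifact was signed by the release key. Because this script now gates both the GitHub release and the metadata publication, I would pin the signer, for example with `gpgv --keyring "$RELEASE_KEYRING" "$pkg_path.asc" "$pkg_path"`, where `RELEASE_KEYRING` is a placeholder for a keyring file holding only the code-signing key. Also, under `set -e` the assignment `gpg_cmd=$(command -v gpg2 || command -v gpg)` exits without any message when neither binary is installed; appending `|| { echo "gpg is required" >&2; exit 1; }` would make that failure readable.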