blob: 89a16c118570aed3d440ea2bb4cefed95f93d166 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
|
#!/usr/bin/env bash
# # Setup instructions before this script will work
#
# * Follow the instructions in ../README.md
# * Import and trust the GPG keys of everyone who the build server should trust code from
# * Set up an entry in `~/.ssh/config` for app-build-linux
# * Add the build servers public ssh key to the upload account on app-build-linux
#
# ## Windows
#
# * Add signtool.exe to your PATH: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
# * Put the comodo.pfx certificate in the same folder as this script
# * Create sign.bat in the same folder as this script, with the content:
# signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /d "Mullvad VPN" /du https://github.com/mullvad/mullvadvpn-app#readme /f comodo.pfx /p <PASSWORD TO comodo.pfx> "%1"
set -eu
shopt -s nullglob
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
BUILD_DIR="$SCRIPT_DIR/mullvadvpn-app"
LAST_BUILT_DIR="$SCRIPT_DIR/last-built"
UPLOAD_DIR="/home/upload/upload"
BRANCHES_TO_BUILD=("origin/master")
case "$(uname -s)" in
Darwin*)
if [[ -z ${CSC_KEY_PASSWORD-} ]]; then
read -sp "CSC_KEY_PASSWORD = " CSC_KEY_PASSWORD
echo ""
export CSC_KEY_PASSWORD
fi
;;
MINGW*|MSYS_NT*)
if [[ -z ${CERT_PASSPHRASE-} ]]; then
read -sp "CERT_PASSPHRASE = " CERT_PASSPHRASE
echo ""
export CERT_PASSPHRASE
fi
;;
esac
# Uploads whatever matches the first argument to the Linux build server
upload_sftp() {
echo "Uploading Mullvad VPN installers to app-build-linux:upload/"
sftp app-build-linux <<EOF
cd upload
put $1
bye
EOF
}
# Sign the Windows app. We try multiple times because it can randomly fail to
# contact the timestamp server.
# signtool must be called via a bat file, I cant make it work any other way :(
sign_win() {
echo "Signing Windows Mullvad VPN installer"
echo 'signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /d "Mullvad VPN" /du https://github.com/mullvad/mullvadvpn-app#readme /f "%1" /p "%2" "%3"' > "$SCRIPT_DIR/sign.bat"
for _ in {0..3}; do
sleep 1
$SCRIPT_DIR/sign.bat $SCRIPT_DIR/comodo.pfx "$CERT_PASSPHRASE" dist/MullvadVPN-*.exe && return 0
done
return 1
}
upload() {
current_hash=$1
for f in MullvadVPN-*.{deb,rpm,exe,pkg}; do
sha256sum "$f" > "$f.sha256"
case "$(uname -s)" in
# Linux is both the build and upload server. Just move directly to target dir
Linux*)
mv "$f" "$f.sha256" "$UPLOAD_DIR/"
;;
# Other platforms need to transfer their artifacts to the Linux build machine.
Darwin*|MINGW*|MSYS_NT*)
upload_sftp "$f" || return 1
upload_sftp "$f.sha256" || return 1
;;
esac
done
}
build_ref() {
ref=$1
tag_or_branch=$2
ref_filename="${ref/\//_}"
last_built_hash="$(cat $LAST_BUILT_DIR/$ref_filename || echo "N/A")"
current_hash="$(git rev-parse $ref)"
if [ "$last_built_hash" == "$current_hash" ]; then
# Same commit as last time this ref was built, not building
return 0
fi
echo ""
echo "[#] $ref: $last_built_hash->$current_hash, building new packages."
if [ "$tag_or_branch" == "tag" ] && ! git verify-tag $ref; then
echo "!!!"
echo "[#] $ref is a tag, but it failed GPG verification!"
echo "!!!"
sleep 60
return 0
elif [ "$tag_or_branch" == "branch" ] && ! git verify-commit $current_hash; then
echo "!!!"
echo "[#] $ref is a branch, but it failed GPG verification!"
echo "!!!"
sleep 60
return 0
fi
# Clean our working dir and check out the code we want to build
rm -r dist/ 2&>/dev/null || true
git reset --hard
git checkout $ref
git submodule update
git clean -df
# Make sure we have the latest Rust toolchain before the build
rustup update
./build.sh || return 0
case "$(uname -s)" in
MINGW*|MSYS_NT*)
sign_win || return 0
echo "Packaging all PDB files..."
find ./windows/ -iname "*.pdb" | tar -cJf $SCRIPT_DIR/pdb/$current_hash.tar.xz -T -
;;
esac
(cd dist/ && upload $current_hash) || return 0
echo "$current_hash" > "$LAST_BUILT_DIR/$ref_filename"
echo "Successfully finished build at $(date)"
}
cd "$BUILD_DIR"
while true; do
# Delete all tags. So when fetching we only get the ones existing on the remote
git tag | xargs git tag -d > /dev/null
git fetch --prune --tags 2> /dev/null || continue
tags=( $(git tag) )
for tag in "${tags[@]}"; do
build_ref $tag tag
done
for branch in "${BRANCHES_TO_BUILD[@]}"; do
build_ref $branch branch
done
sleep 240
done
|
