[PATCH util/modular] Add gpg signing to release.sh

Stephen Kitt skitt at debian.org
Sun Jun 1 06:13:13 PDT 2014


On Sat, 31 May 2014 16:49:56 -0700, Alan Coopersmith
<alan.coopersmith at oracle.com> wrote:
> On 05/20/14 01:49 PM, Stephen Kitt wrote:
> > Peter Hutterer suggested I send this here; it's a patch to add gpg
> > signing to release.sh, both for the git tag and the generated tarballs.
> >
> > This version tries to use gpg unconditionally, it might be more useful
> > with a parameter to switch the behaviour...
> 
> Thanks for doing this - we keep talking about it, but never got the changes
> made.

You're welcome! I noticed the announcement emails were being properly
gpg-signed, but not the tarballs.

> I'd modified my copy locally to add -m to the git tag flags a couple months
> ago, and that seems to have worked fine for me for the few releases I've
> done since then.
> 
> The only problem I see with this patch for me is that on the systems I use
> (Solaris 12.0 & 11.x development branches) GnuPG 2.x is installed as gpg2,
> not gpg, so would appreciate having some way to override the exact path.
> 
> So I dropped my patch, applied yours, and tweaked it to allow setting the
> GPG path, and it seemed to work fine for the xcursorgen release I just
> pushed, so there are now xcursorgen-1.0.6.tar.bz2.sig &
> xcursorgen-1.0.6.tar.gz.sig files the script uploaded alongside the
> released tarballs.

Excellent!

> The one issue I did see is that I made a mistake on the first run (forgot to
> push the version changing commit first), so the script aborted and re-ran,
> and after re-running make distcheck to create new tarballs, I was then
> prompted:
> 
> File `xcursorgen-1.0.6.tar.gz.sig' exists. Overwrite? (y/N) y
> File `xcursorgen-1.0.6.tar.bz2.sig' exists. Overwrite? (y/N) y
> 
> Should those files be automatically deleted after rebuilding the tarballs?

I think so, otherwise we risk uploading invalid signatures...

> I've attached my modified form of your patch for further review/discussion.

And I'm attaching an updated version which includes your modifications and
deletes the signatures if any before re-generating them.

I don't know what the X.org release signing policy is, I haven't found
anything in the wiki; the patch as-is works fine if people just use their
default key for signing, but if role keys are planned then it might be worth
adding an option to specify the key id to use. Perhaps that can come later;
it seems to me that the benefit of getting signed releases (which can then be
automatically checked, as is done in Debian) outweighs the benefit of key id
selection.

Regards,

Stephen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-gpg-signing-to-release.sh.patch
Type: text/x-patch
Size: 2290 bytes
Desc: not available
URL: <http://lists.x.org/archives/xorg-devel/attachments/20140601/787fd8a8/attachment.bin>
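As an added illustration of the points raised in this thread (this is my own sketch, not the patch attached to the message): a POSIX sh signing step that takes the gpg binary from a GPG variable so systems with gpg2 can override it, honours an optional GPG_KEY for a role key, deletes any .sig left behind by an aborted run instead of letting gpg prompt, and verifies each signature before anything is uploaded. The function name and both variables are assumptions.

```shell
#!/bin/sh
# Added example, not the release.sh patch itself.
# Assumed variables: GPG (path to the gpg binary, e.g. gpg2), GPG_KEY
# (optional key id passed as --local-user).
GPG="${GPG:-gpg}"

# sign_tarballs DIR NAME-VERSION
# Removes stale signatures for NAME-VERSION, then produces a detached
# NAME-VERSION.tar.*.sig for every tarball found in DIR.  Returns non-zero
# if no tarball exists or any signature cannot be produced or verified.
sign_tarballs() {
    dir=$1
    base=$2
    key_opt=""
    [ -n "${GPG_KEY:-}" ] && key_opt="--local-user $GPG_KEY"

    # A .sig left by an earlier, aborted run was made over a tarball that
    # has since been rebuilt; it would not verify, so drop it up front.
    rm -f "$dir/$base".tar.*.sig

    found=0
    for tarball in "$dir/$base".tar.*; do
        [ -f "$tarball" ] || continue
        found=1
        # --batch: never interact; the .sig is gone, so no overwrite prompt.
        $GPG --batch $key_opt --detach-sign \
            --output "$tarball.sig" "$tarball" || return 1
        # Check the freshly written signature before it can be uploaded.
        $GPG --batch --verify "$tarball.sig" "$tarball" || return 1
    done
    [ "$found" -eq 1 ]
}
```

In a real release run, export GPG=gpg2 (or leave it unset) and optionally GPG_KEY before calling the function on the distcheck output directory.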