tools: filter release keys to reduce interactivity
PR-URL: nodejs#55950
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
aduh95 authored and nodejs-github-bot committed Dec 4, 2024
1 parent cca666d commit d1f8d01
Showing 1 changed file with 26 additions and 8 deletions.
34 changes: 26 additions & 8 deletions tools/release.sh
@@ -15,15 +15,25 @@ webuser=dist
promotablecmd=dist-promotable
promotecmd=dist-promote
signcmd=dist-sign
allPGPKeys=""
customsshkey="" # let ssh and scp use default key
readmePath="README.md"
signversion=""
cloudflare_bucket="r2:dist-prod"

while getopts ":i:s:" option; do
while getopts ":i:r:s:a" option; do
case "${option}" in
a)
# With -a, local keys are not filtered based on the one listed in the README
# useful if you want to sign with a subkey.
allPGPKeys="true"
;;
i)
customsshkey="-i ${OPTARG}"
;;
r)
readmePath="${OPTARG}"
;;
s)
signversion="${OPTARG}"
;;
@@ -44,7 +54,16 @@ shift $((OPTIND-1))

echo "# Selecting GPG key ..."

gpgkey=$(gpg --list-secret-keys --keyid-format SHORT | awk -F'( +|/)' '/^(sec|ssb)/{print $3}')

if [ -z "$allPGPKeys" ]; then
gpgkey="$(awk '{
if ($1 == "gpg" && $2 == "--keyserver" && $4 == "--recv-keys" && (1 == 2'"$(
gpg --list-secret-keys | awk -F' = ' '/^ +Key fingerprint/{ gsub(/ /,"",$2); print " || $5 == \"" $2 "\"" }' || true
)"')) { print substr($5, 33) }
}' "$readmePath")"
else
gpgkey=$(gpg --list-secret-keys --keyid-format SHORT | awk -F'( +|/)' '/^(sec|ssb)/{print $3}')
fi
keycount=$(echo "$gpgkey" | wc -w)

if [ "$keycount" -eq 0 ]; then
@@ -68,13 +87,12 @@ elif [ "$keycount" -ne 1 ]; then
gpgkey=$(echo "$gpgkey" | sed -n "${keynum}p")
fi

gpgfing=$(gpg --keyid-format 0xLONG --fingerprint "$gpgkey" | grep 'Key fingerprint =' | awk -F' = ' '{print $2}' | tr -d ' ')

grep -q "$gpgfing" README.md || (\
echo 'Error: this GPG key fingerprint is not listed in ./README.md' && \
exit 1 \
)
gpgfing=$(gpg --keyid-format 0xLONG --fingerprint "$gpgkey" | awk -F' = ' '/^ +Key fingerprint/{gsub(/ /,"",$2);print $2}')

grep -q "$gpgfing" "$readmePath" || {
echo "Error: this GPG key fingerprint is not listed in $readmePath"
exit 1
}

echo "Using GPG key: $gpgkey"
echo " Fingerprint: $gpgfing"
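Review bot: The fingerprint check in the last hunk fails open, because `grep -q "$gpgfing" "$readmePath"` succeeds on any non-empty README when `$gpgfing` is empty, which happens if gpg exits with an error or prints no line matching `/^ +Key fingerprint/`. I would guard it and match literally: `[ -n "$gpgfing" ] || { echo 'Error: could not read the GPG key fingerprint'; exit 1; }` followed by `grep -qF -- "$gpgfing" "$readmePath" || {`. Separately, `substr($5, 33)` in the second hunk reduces each README fingerprint to its last 8 hex digits, so the later `gpg --fingerprint "$gpgkey"` lookup could return more than one key if the keyring holds two keys sharing a short ID, and a multi-line pattern passes grep when any one line matches; keeping the full fingerprint for the lookup would presumably avoid that, though how `$gpgkey` is used for signing is outside the visible hunks.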