Commit b2d4f7a3 authored by David Goulet's avatar David Goulet 🔆

build: Many changes to be more resilient and shellcheck

Signed-off-by: David Goulet's avatarDavid Goulet <>
parent 4e206965
#!/usr/bin/env bash
set -euo pipefail
T_RED=$(tput setaf 1 || true)
T_GREEN=$(tput setaf 2 || true)
T_BOLD=$(tput bold || true)
T_RESET=$(tput sgr0 || true)
# Defaults. This is needed because of the bash set restriction
function die()
echo "${T_BOLD}${T_RED}FATAL ERROR:${T_RESET} $*" 1>&2
exit 1
function runcmd()
echo "${T_BOLD}${T_GREEN}\$ $*${T_RESET}"
if ! "$@" ; then
die "command '$*' has failed"
function usage()
echo "$(basename $0) [-h] [-k <gpg-keyid>]"
echo "$(basename "$0") [-h] [-k <gpg-keyid>]"
echo " arguments:"
echo " -h: show this help text"
......@@ -30,69 +55,78 @@ done
# This directory is needed for the build script in the CI release repository
# thus why we export it. It will be the location of the generated tarball(s).
export TARBALLS_DIR="$BUILD/tarballs"
mkdir -p $TARBALLS_DIR
# Create the directory hierarchy we need.
runcmd mkdir -p $BUILD
runcmd mkdir -p $SIGS_DIRPATH
# Get in the build directory and start the process.
runcmd cd "$BUILD"
# Get the Tor CI release repository to use to build tarball(s).
git clone
cd tor-ci-release/
# Bunch of useful functions in there.
source ./
if [ ! -d "tor-ci-release" ]; then
runcmd git clone
runcmd git pull
runcmd cd tor-ci-release/
# Fetch the version artifacts so we can learn which version and which branch
# to use to build the tarballs.
runcmd curl -L -o
http_code=$(curl -L -w "%{http_code}" -o $URL)
if [ "$?" -ne 0 ] || [ "$http_code" -ne 200 ]; then
die "Failed to download latest artifacts. Was the latest build successful? See $URL"
runcmd unzip -o
# Export the directory containing the versions because the build tor script
# needs it to find the versions and git branches.
export VERSIONS_DIR="$(pwd)/artifacts/versions"
# Export these variables for the Tor CI release build script. We hijack those
# to point to what we want to use.
export VERSIONS_DIR="$BUILD/tor-ci-release/artifacts/versions"
export TARBALLS_DIR="$BUILD/tarballs"
# This must be set else our bash set restrictions do not like it.
export BUILDDIR="/"
# Create the tarball directory.
runcmd mkdir -p $TARBALLS_DIR
# That is another thing that the build script needs. The CI passes it so w
# Build all versions
# Go back to our root repository
cd $BUILD/../
runcmd cd "$BUILD/../"
# For each versions, sign the generated tarball.
for file in $VERSIONS_DIR/*
for file in "$VERSIONS_DIR"/*
# Get version from file
VERSION=$(basename $file)
VERSION=$(basename "$file")
# Tarballs signature directory
runcmd mkdir -p $SIG_DIR
runcmd mkdir -p "$SIG_DIR"
# Maybe use a specific keyid?
if [ ! -z "$KEYID" ]; then
if [ -n "$KEYID" ]; then
# Sign the tarball.
runcmd gpg -o $SIG_DIR/tmp.asc -ba $KEYID_OPT $TARBALLS_DIR/tor-$VERSION.tar.gz
runcmd gpg -o "$SIG_DIR/tmp.asc" -ba $KEYID_OPT "$TARBALLS_DIR/tor-$VERSION.tar.gz"
# Get KeyID of the signed file to identify the file.
keyid=$(gpg --list-packets $SIG_DIR/tmp.asc | grep "keyid" | awk '{print $NF}')
keyid=$(gpg --list-packets "$SIG_DIR/tmp.asc" | grep "keyid" | awk '{print $NF}')
if [ -z "$keyid" ]; then
die "Failed to extract keyID from signed file $SIG_DIR/tmp.asc. Stopping."
mv $SIG_DIR/tmp.asc $SIG_PATH
runcmd mv "$SIG_DIR/tmp.asc" "$SIG_PATH"
# Add file and "intent-to-add" so it ain't staged for commit.
runcmd git add -N $SIG_PATH
runcmd git diff $SIG_PATH
runcmd git add -N "$SIG_PATH"
runcmd git diff "$SIG_PATH"
while true; do
read -p "Commit (y/n)? " yn
read -rp "Commit (y/n)? " yn
case $yn in
[Yy]* ) break;;
[Nn]* ) exit 0;;
......@@ -101,6 +135,6 @@ do
# Add file for staging area and commit.
runcmd git add $SIG_PATH
runcmd git add "$SIG_PATH"
runcmd git commit -s -m "$keyid: Signature for tor.git $VERSION"
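Review bot: With `set -euo pipefail` at the top of the script, the `[ "$?" -ne 0 ]` test after `http_code=$(curl -L -w "%{http_code}" -o $URL)` can never observe a failure, because a non-zero curl exit aborts the script at the assignment and the `die` message about the failed artifact download is never printed. Moving the assignment into the condition keeps that message reachable: `if ! http_code=$(curl -L -w "%{http_code}" -o ... "$URL") || [ "$http_code" -ne 200 ]; then` (this also quotes `$URL`, which the commit leaves unquoted while quoting the other expansions). The `keyid=$(gpg --list-packets "$SIG_DIR/tmp.asc" | grep "keyid" | awk '{print $NF}')` line appears to have the same problem: when grep matches nothing, pipefail fails the assignment and the script exits before the `[ -z "$keyid" ]` check and its `die` can run. Appending `|| true` inside that substitution would let the explicit check decide. Parts of the curl command are elided on this page, so this rests on the visible text only.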