Merge pull request #33 from krallin/signed-binaries

Sign `tini` and `tini-static` binaries
2016-01-26 22:08:24 -05:00 · 2016-01-26 22:08:24 -05:00 · 9451d6cf50
parent 428d960140 2c2bb517b0
commit 9451d6cf50
10 changed files with 79 additions and 7 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,3 @@
 dist
+sign.key
+.env
--- a/.travis.yml
+++ b/.travis.yml
@ -23,6 +23,15 @@ addons:
    - python-pip
    - python-virtualenv
    - hardening-includes
+    - gnupg
+
+env:
+  global:
+    - SIGN_BINARIES=1
+    - secure: "RKF9Z9gLxp6k/xITqn7ma1E9HfpYcDXuJFf4862WeH9EMnK9lDq+TWnGsQfkIlqh8h9goe7U+BvRiTibj9MiD5u7eluLo3dlwsLxPpYtyswYeLeC1wKKdT5LPGAXbRKomvBalRYMI+dDnGIM4w96mHgGGvx2zZXGkiAQhm6fJ3k="
+
+before_install:
+  - openssl aes-256-cbc -K $encrypted_2893fd5649e7_key -iv $encrypted_2893fd5649e7_iv -in sign.key.enc -out sign.key -d || echo "Encrypted signing key unavailable"

 script: ./ci/run_build.sh

@ -34,9 +43,11 @@ deploy:
    secure: Yk90ANpSPv1iJy8QDXCPwfaSmEr/WIJ3bzhQ6X8JvZjfrwTosbh0HrUzQyeac3nyvNwj7YJRssolOFc21IBKPpCFTZqYxSkuLPU6ysG4HGHgN6YJhOMm4mG4KKJ6741q3DJendhZpalBhCEi+NcZK/PCSD97Vl4OqRjBUged0fs=
  file:
    - "./dist/tini"
+    - "./dist/tini.asc"
    - "./dist/tini-static"
-    - "./dist/tini_0.8.4.deb"
-    - "./dist/tini_0.8.4.rpm"
+    - "./dist/tini-static.asc"
+    - "./dist/tini_0.9.0.deb"
+    - "./dist/tini_0.9.0.rpm"
  on:
    repo: krallin/tini
    tags: true
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -3,8 +3,8 @@ project (tini C)

 # Config
 set (tini_VERSION_MAJOR 0)
-set (tini_VERSION_MINOR 8)
-set (tini_VERSION_PATCH 4)
+set (tini_VERSION_MINOR 9)
+set (tini_VERSION_PATCH 0)

 # Extract git version and dirty-ness
 execute_process (
--- a/2
+++ b/2
@ -1,7 +1,7 @@
 FROM ubuntu:precise

 RUN apt-get update \
- && apt-get install --no-install-recommends --yes build-essential git gdb valgrind cmake rpm python-dev libcap-dev python-pip python-virtualenv hardening-includes \
+ && apt-get install --no-install-recommends --yes build-essential git gdb valgrind cmake rpm python-dev libcap-dev python-pip python-virtualenv hardening-includes gnupg \
 && rm -rf /var/lib/apt/lists/*

 # Pre-install those here for faster local builds.
--- a/README.md
+++ b/README.md
@ -37,7 +37,7 @@ In Docker, you will want to use an entrypoint so you don't have to remember
 to manually invoke Tini:

    # Add Tini
-    ENV TINI_VERSION v0.8.4
+    ENV TINI_VERSION v0.9.0
    ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
    RUN chmod +x /tini
    ENTRYPOINT ["/tini", "--"]
@ -56,6 +56,20 @@ Arguments for Tini itself should be passed like `-v` in the following example:
 *NOTE: The binary linked above is a 64-bit dynamically-linked binary.*


+### Signed binaries ###
+
+The `tini` and `tini-static` binaries are signed using the key `0527A9B7`.
+
+You can verify their signatures using `gpg` (which you may install using
+your package manager):
+
+    ENV TINI_VERSION v0.9.0
+    ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
+    ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini.asc /tini.asc
+    RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 0527A9B7 \
+     && gpg --verify /tini.asc
+
+
 ### Alpine Linux Package ###

 On Alpine Linux, you can use the following command to install Tini (currently
--- a/ci/run_build.sh
+++ b/ci/run_build.sh
@ -11,6 +11,9 @@ set -o nounset
 : ${DIST_DIR:="${SOURCE_DIR}/dist"}
 : ${BUILD_DIR:="/tmp/build"}

+# GPG Configuration
+: ${GPG_PASSPHRASE:=""}
+

 # Make those paths absolute, and export them for the Python tests to consume.
 export SOURCE_DIR="$(readlink -f "${SOURCE_DIR}")"
@ -44,7 +47,6 @@ pushd "${BUILD_DIR}"
 make clean
 make
 make package
-
 popd

 # Smoke tests (actual tests need Docker to run; they don't run within the CI environment)
@ -104,3 +106,20 @@ pip install psutil python-prctl bitmap

 # Run tests
 python "${SOURCE_DIR}/test/run_inner_tests.py"
+
+# If a signing key is made available, then use it to sign the binaries
+if [[ -f "${SOURCE_DIR}/sign.key" ]]; then
+  echo "Signing binaries"
+  GPG_SIGN_HOMEDIR="${BUILD_DIR}/gpg-sign"
+  GPG_VERIFY_HOMEDIR="${BUILD_DIR}/gpg-verify"
+  mkdir "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}"
+  chmod 700 "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}"
+
+  gpg --homedir "${GPG_SIGN_HOMEDIR}" --import "${SOURCE_DIR}/sign.key"
+  gpg --homedir "${GPG_VERIFY_HOMEDIR}" --keyserver ha.pool.sks-keyservers.net --recv-keys 0527A9B7
+
+  for tini in "${DIST_DIR}/tini" "${DIST_DIR}/tini-static"; do
+    echo "${GPG_PASSPHRASE}" | gpg --homedir "${GPG_SIGN_HOMEDIR}" --passphrase-fd 0 --armor --detach-sign "${tini}"
+    gpg --homedir "${GPG_VERIFY_HOMEDIR}" --verify "${tini}.asc"
+  done
+fi
--- a/ddist.sh
+++ b/ddist.sh
@ -22,4 +22,5 @@ docker run -it --rm \
  -e BUILD_DIR=/tmp/tini-build \
  -e SOURCE_DIR="${SRC}" \
  -e FORCE_SUBREAPER="${FORCE_SUBREAPER}" \
+  -e GPG_PASSPHRASE="${GPG_PASSPHRASE}" \
  "${IMG}" "${SRC}/ci/run_build.sh"
--- a/sign.key.enc
+++ b/sign.key.enc
--- a/tpl/README.md.in
+++ b/tpl/README.md.in
@ -56,6 +56,20 @@ Arguments for Tini itself should be passed like `-v` in the following example:
 *NOTE: The binary linked above is a 64-bit dynamically-linked binary.*


+### Signed binaries ###
+
+The `tini` and `tini-static` binaries are signed using the key `0527A9B7`.
+
+You can verify their signatures using `gpg` (which you may install using
+your package manager):
+
+    ENV TINI_VERSION v@tini_VERSION_MAJOR@.@tini_VERSION_MINOR@.@tini_VERSION_PATCH@
+    ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
+    ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini.asc /tini.asc
+    RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 0527A9B7 \
+     && gpg --verify /tini.asc
+
+
 ### Alpine Linux Package ###

 On Alpine Linux, you can use the following command to install Tini (currently
--- a/tpl/travis.yml.tpl
+++ b/tpl/travis.yml.tpl
@ -23,6 +23,15 @@ addons:
    - python-pip
    - python-virtualenv
    - hardening-includes
+    - gnupg
+
+env:
+  global:
+    - SIGN_BINARIES=1
+    - secure: "RKF9Z9gLxp6k/xITqn7ma1E9HfpYcDXuJFf4862WeH9EMnK9lDq+TWnGsQfkIlqh8h9goe7U+BvRiTibj9MiD5u7eluLo3dlwsLxPpYtyswYeLeC1wKKdT5LPGAXbRKomvBalRYMI+dDnGIM4w96mHgGGvx2zZXGkiAQhm6fJ3k="
+
+before_install:
+  - openssl aes-256-cbc -K $encrypted_2893fd5649e7_key -iv $encrypted_2893fd5649e7_iv -in sign.key.enc -out sign.key -d || echo "Encrypted signing key unavailable"

 script: ./ci/run_build.sh

@ -34,7 +43,9 @@ deploy:
    secure: Yk90ANpSPv1iJy8QDXCPwfaSmEr/WIJ3bzhQ6X8JvZjfrwTosbh0HrUzQyeac3nyvNwj7YJRssolOFc21IBKPpCFTZqYxSkuLPU6ysG4HGHgN6YJhOMm4mG4KKJ6741q3DJendhZpalBhCEi+NcZK/PCSD97Vl4OqRjBUged0fs=
  file:
    - "./dist/tini"
+    - "./dist/tini.asc"
    - "./dist/tini-static"
+    - "./dist/tini-static.asc"
    - "./dist/tini_@tini_VERSION_MAJOR@.@tini_VERSION_MINOR@.@tini_VERSION_PATCH@.deb"
    - "./dist/tini_@tini_VERSION_MAJOR@.@tini_VERSION_MINOR@.@tini_VERSION_PATCH@.rpm"
  on: