Sonatype release scripts

peterschrammel · peterschrammel · commit afdd64283df7 · 2020-12-22T14:49:16.000+01:00
diff --git a/scripts/mvnsettingsPlainText.xml.enc b/scripts/mvnsettingsPlainText.xml.enc
diff --git a/scripts/private.gpg.enc b/scripts/private.gpg.enc
diff --git a/scripts/release_util_script__deploy_to_maven_central.sh b/scripts/release_util_script__deploy_to_maven_central.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+set -euo pipefail
+#------------------------------------------------------------
+VERSION=$(mvn help:evaluate -Dexpression=project.version | grep -v -e "^\\[")
+RELEASE="true"
+GPG_KEY_ENC_FILENAME="scripts/private.gpg.enc"
+RELEASE_KEY_TO_PUBLIC_SERVER="false"
+#------------------------------------------------------------
+SSL_PWD="$1"
+## encoding command used of form "echo "$var" | openssl aes-256-cbc -a -salt -pass pass:${SSL_PWD} | openssl enc -A -base64"
+SONATYPETOKEN_USER_ENC="VTJGc2RHVmtYMThXUlJTa0hRNzZOK1pReU9wanFpSVBDQ2VWQTFxWDlpZ3Boa0R4clBhd29hakgzRUxrNS9adgo="
+SONATYPETOKEN_PWD_ENC="VTJGc2RHVmtYMThOdUduSmg1MEtjRE56R3lQd2hxdVVrd1pScDNFSXpNaVNud1UwUksrakRSTTY2RVVYUDlnQwo="
+GPG_KEYID_ENC="VTJGc2RHVmtYMSs5dTVQaW9QS3RCTGhRV2hrTEx0a2FXbHVaMjVqQ05yZlc3QmR6UC9TWGRPWXVtRzFFN2FCagpqeTlJU0Z6eHpjajBlSDlHWThSd0JRPT0K="
+
+decrypt_fn(){
+    echo "$1" | openssl enc -A -base64 -d | openssl aes-256-cbc -d -a -pass pass:"$SSL_PWD"
+}
+
+SONATYPETOKENUSER=$(decrypt_fn "${SONATYPETOKEN_USER_ENC}")
+export SONATYPETOKENUSER
+SONATYPETOKENPWD=$(decrypt_fn "${SONATYPETOKEN_PWD_ENC}")
+export SONATYPETOKENPWD
+GPG_KEYID=$(decrypt_fn "${GPG_KEYID_ENC}")
+export GPG_KEYID
+#------------------------------------------------------------
+openssl enc -aes-256-cbc -d -pass pass:"${SSL_PWD}" -in ${GPG_KEY_ENC_FILENAME} -out private.gpg
+gpg --fast-import private.gpg
+rm private.gpg
+
+# Following section is in case a key is provided which has not already been
+# shared to a pgp public server - and documents that process.
+# NB if script 'release_util_script_create_gpg.sh' is used to create a new key,
+# this procedure will have already been done.
+if [[ "${RELEASE_KEY_TO_PUBLIC_SERVER}" == "true" ]]
+then
+    gpg --keyserver keys.openpgp.org --send-keys "${GPG_KEYID}"
+
+    ## wait for the key to be accessible
+    while(true); do
+        date
+        gpg --keyserver keys.openpgp.org --recv-keys "${GPG_KEYID}" && break || sleep 20
+    done
+
+    echo "wait for 2 minutes to let the key be synced"
+    sleep 120
+fi
+
+## encoding command is of form 'openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc' - nb 'salt'
+openssl enc -aes-256-cbc -d -pass pass:"${SSL_PWD}" -in scripts/mvnsettingsPlainText.xml.enc -out mvnsettingsPlainText.xml
+#------------------------------------------------------------
+if [[ "${RELEASE}" == "false" ]]
+then
+    echo "This is a 'snapshot' release of cprover-api.jar, version ${VERSION}"
+    mvn clean install -DskipTests=true -B -V
+else
+    echo "this is a 'release' version of cprover-api.jar, version ${VERSION}, this will be uploaded to the maven central staging ground"
+    mvn clean deploy -DskipTests=true -P sign,build-extras,stdbuild --settings mvnsettingsPlainText.xml -B -V -Dgpg.keyname="${GPG_KEYID}"
+fi
+#------------------------------------------------------------
+rm mvnsettingsPlainText.xml
+## remove key from keyring, if this was a gpg key generated on the fly - then it would be gone forever.
+gpg --delete-secret-keys "${GPG_KEYID}"
+gpg --delete-key "${GPG_KEYID}"
+#------------------------------------------------------------
diff --git a/scripts/release_util_script__deploy_to_maven_central_remove_staged_artifact.sh b/scripts/release_util_script__deploy_to_maven_central_remove_staged_artifact.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -euo pipefail
+
+SSL_PWD=$1
+openssl enc -aes-256-cbc -d -pass pass:"${SSL_PWD}" -in mvnsettingsPlainText.xml.enc -out mvnsettingsPlainText.xml
+
+mvn nexus-staging:drop -DstagingDescription="No longer required" --settings mvnsettingsPlainText.xml
+rm mvnsettingsPlainText.xml
diff --git a/scripts/release_util_script_create_gpg.sh b/scripts/release_util_script_create_gpg.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+set -euo pipefail
+#--------------------------------------------------------------------------------
+SSL_PWD="$1"
+RELEASE_KEY_TO_PUBLIC_SERVER="true"
+#--------------------------------------------------------------------------------
+cat >gen-key-script <<EOF
+      %echo Generating a basic OpenPGP key
+      Key-Type: RSA
+      Key-Length: 4096
+      Name-Real: Peter Schrammel
+      Name-Email: peter.schrammel@diffblue.com
+      Name-Comment:"CProver Java API" 
+      Expire-Date: 1y
+      %no-protection
+      %commit
+      %echo done
+EOF
+
+## create a local keypair with given configuration
+gpg --batch --gen-key gen-key-script
+#----------------------------------
+#gpg --quick-gen-key 'Peter Schrammel <peter.schrammel@diffblue.com>'
+#--------------------------------------------------------------------------------
+## get key id
+GPG_KEYID=$( gpg --list-keys --with-colons "Peter Schrammel" | grep "pub" | head -n1 | cut -d ':' -f5 )
+echo "key id is: ${GPG_KEYID}"
+
+echo "encrypted key id is:"
+GPG_KEYID_ENC=$(echo "${GPG_KEYID}" | openssl aes-256-cbc -a -salt -pass pass:"${SSL_PWD}" | openssl enc -A -base64)
+echo "${GPG_KEYID_ENC}"
+#--------------------------------------------------------------------------------
+## list keys public
+echo "------- list public keys ------------------"
+gpg --list-keys
+## list keys private
+echo "------- list private keys -----------------"
+gpg --list-secret-keys
+#--------------------------------------------------------------------------------
+if [[ "${RELEASE_KEY_TO_PUBLIC_SERVER}" == "true" ]]
+then
+    #gpg --keyserver keyserver.ubuntu.com --send-keys ${GPG_KEYID}
+    gpg --keyserver pgp.mit.edu --send-keys "${GPG_KEYID}"
+
+    ## wait for the key to be accessible
+    while(true); do
+        date
+        #gpg --keyserver keyserver.ubuntu.com --recv-keys ${GPG_KEYID} && break || sleep 15
+        gpg --keyserver pgp.mit.edu --recv-keys "${GPG_KEYID}" && break || sleep 20
+    done
+fi
+#--------------------------------------------------------------------------------
+## export key
+# gpg --batch --export-secret-key ${GPG_KEYID} -a --passphrase "" > private1.gpg
+gpg --batch -a --export-secret-key "${GPG_KEYID}" > private1.gpg
+#gpg --armor --export-secret-key 'Peter Schrammel <peter.schrammel@diffblue.com>'
+
+## encode key to file
+openssl enc -aes-256-cbc -pass pass:"${SSL_PWD}" -in private1.gpg -out private1.gpg.enc
+rm private1.gpg
+
+## remove generated key
+gpg --delete-secret-keys "${GPG_KEYID}"
+gpg --delete-key "${GPG_KEYID}"
+
+## cleanup local configuration
+rm gen-key-script
+#--------------------------------------------------------------------------------
diff --git a/scripts/release_util_script_decrypt_file.sh b/scripts/release_util_script_decrypt_file.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+
+SSL_PWD="$1"
+FILE="$2"
+
+openssl enc -aes-256-cbc -salt -pass pass:"${SSL_PWD}" -d -in ${FILE} -out ${FILE}.decrypted
diff --git a/scripts/release_util_script_decrypt_var.sh b/scripts/release_util_script_decrypt_var.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# --------------------------------------------------------------------------------
+# This script can be used to double check that an encrypted variable found in a
+# file (e.g. gpg key id) is correct (e.g. no misspellings have occurred).
+# It is the peer of 'release_util_script_encrypt_var.sh' - which is used for
+# encrypting a variable (e.g. a gpg key id).
+# --------------------------------------------------------------------------------
+set -euo pipefail
+
+SSL_PWD="$1"
+VAR_ENC="$2"
+
+echo "decrypted var is:"
+VAR=$(echo "${VAR_ENC}" | openssl enc -A -base64 -d | openssl aes-256-cbc -d -a -pass pass:"$SSL_PWD")
+echo "${VAR}"
diff --git a/scripts/release_util_script_encrypt_file.sh b/scripts/release_util_script_encrypt_file.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -euo pipefail
+
+SSL_PWD="$1"
+FILE="$2"
+
+openssl enc -aes-256-cbc -salt -pass pass:"${SSL_PWD}" -in "${FILE}" -out "${FILE}".encrypted
+
diff --git a/scripts/release_util_script_encrypt_var.sh b/scripts/release_util_script_encrypt_var.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# --------------------------------------------------------------------------------
+# This script can be used to encrypt a variable (e.g. gpg key id, if a key is
+# provided by someone else)
+# NB release_util_script_create_gpg provides both the key id and also its
+# encrypted form.
+# This script is the peer of 'release_util_script_decrypt_var.sh' - which can be used to
+# double check that an encrypted variable (e.g. gpg key id) is correct (e.g. no
+# misspellings have occurred).
+# --------------------------------------------------------------------------------
+set -euo pipefail
+
+SSL_PWD="$1"
+VAR="$2"
+
+echo "encrypted var is:"
+VAR_ENC=$(echo "${VAR}" | openssl aes-256-cbc -a -salt -pass pass:"${SSL_PWD}" | openssl enc -A -base64)
+echo "${VAR_ENC}"
