
Commit afdd642

Sonatype release scripts
1 parent de9f81c commit afdd642

9 files changed

+188
-0
lines changed

scripts/mvnsettingsPlainText.xml.enc

224 Bytes
Binary file not shown.

scripts/private.gpg.enc

2.45 KB
Binary file not shown.
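--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE/release-script
@@ -0,0 +1,64 @@
+#!/bin/bash
+set -euo pipefail
+#------------------------------------------------------------
+VERSION=$(mvn help:evaluate -Dexpression=project.version | grep -v -e "^\\[")
+RELEASE="true"
+GPG_KEY_ENC_FILENAME="scripts/private.gpg.enc"
+RELEASE_KEY_TO_PUBLIC_SERVER="false"
+#------------------------------------------------------------
+SSL_PWD="$1"
+## encoding command used of form "echo "$var" | openssl aes-256-cbc -a -salt -pass pass:${SSL_PWD} | openssl enc -A -base64"
+SONATYPETOKEN_USER_ENC="VTJGc2RHVmtYMThXUlJTa0hRNzZOK1pReU9wanFpSVBDQ2VWQTFxWDlpZ3Boa0R4clBhd29hakgzRUxrNS9adgo="
+SONATYPETOKEN_PWD_ENC="VTJGc2RHVmtYMThOdUduSmg1MEtjRE56R3lQd2hxdVVrd1pScDNFSXpNaVNud1UwUksrakRSTTY2RVVYUDlnQwo="
+GPG_KEYID_ENC="VTJGc2RHVmtYMSs5dTVQaW9QS3RCTGhRV2hrTEx0a2FXbHVaMjVqQ05yZlc3QmR6UC9TWGRPWXVtRzFFN2FCagpqeTlJU0Z6eHpjajBlSDlHWThSd0JRPT0K="
+
+decrypt_fn(){
+echo "$1" | openssl enc -A -base64 -d | openssl aes-256-cbc -d -a -pass pass:"$SSL_PWD"
+}
+
+SONATYPETOKENUSER=$(decrypt_fn "${SONATYPETOKEN_USER_ENC}")
+export SONATYPETOKENUSER
+SONATYPETOKENPWD=$(decrypt_fn "${SONATYPETOKEN_PWD_ENC}")
+export SONATYPETOKENPWD
+GPG_KEYID=$(decrypt_fn "${GPG_KEYID_ENC}")
+export GPG_KEYID
+#------------------------------------------------------------
+openssl enc -aes-256-cbc -d -pass pass:"${SSL_PWD}" -in ${GPG_KEY_ENC_FILENAME} -out private.gpg
+gpg --fast-import private.gpg
+rm private.gpg
+
+# Following section is in case a key is provided which has not already been
+# shared to a pgp public server - and documents that process.
+# NB if script 'release_util_script_create_gpg.sh' is used to create a new key,
+# this procedure will have already been done.
+if [[ "${RELEASE_KEY_TO_PUBLIC_SERVER}" == "true" ]]
+then
+gpg --keyserver keys.openpgp.org --send-keys "${GPG_KEYID}"
+
+## wait for the key to be accessible
+while(true); do
+date
+gpg --keyserver keys.openpgp.org --recv-keys "${GPG_KEYID}" && break || sleep 20
+done
+
+echo "wait for 2 minutes to let the key be synced"
+sleep 120
+fi
+
+## encoding command is of form 'openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc' - nb 'salt'
+openssl enc -aes-256-cbc -d -pass pass:"${SSL_PWD}" -in scripts/mvnsettingsPlainText.xml.enc -out mvnsettingsPlainText.xml
+#------------------------------------------------------------
+if [[ "${RELEASE}" == "false" ]]
+then
+echo "This is a 'snapshot' release of cprover-api.jar, version ${VERSION}"
+mvn clean install -DskipTests=true -B -V
+else
+echo "this is a 'release' version of cprover-api.jar, version ${VERSION}, this will be uploaded to the maven central staging ground"
+mvn clean deploy -DskipTests=true -P sign,build-extras,stdbuild --settings mvnsettingsPlainText.xml -B -V -Dgpg.keyname="${GPG_KEYID}"
+fi
+#------------------------------------------------------------
+rm mvnsettingsPlainText.xml
+## remove key from keyring, if this was a gpg key generated on the fly - then it would be gone forever.
+gpg --delete-secret-keys "${GPG_KEYID}"
+gpg --delete-key "${GPG_KEYID}"
+#------------------------------------------------------------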
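Review bot: The decrypted private key (`-out private.gpg`, removed only after `gpg --fast-import`) and the decrypted `mvnsettingsPlainText.xml` (removed only after the `mvn` block) are cleaned up by plain `rm` calls, so under `set -e` any failure in `gpg --fast-import`, the keyserver loop or `mvn clean deploy` exits the script with the plaintext key and the credentialed settings file left in the workspace, and the imported key still in the keyring. Registering the cleanup up front, `cleanup() { rm -f -- private.gpg mvnsettingsPlainText.xml; }` followed by `trap cleanup EXIT` right after `SSL_PWD="$1"`, runs it on every exit path; the same shape is needed for `rm mvnsettingsPlainText.xml` in the drop-staging script and for `private1.gpg`/`gen-key-script` in the create-gpg script below. Separately, every `-pass pass:"${SSL_PWD}"` puts the password on the openssl command line, where it is visible to other users through `ps` and to any `set -x` trace; `-pass env:SSL_PWD` (after `export SSL_PWD`) or `-pass fd:N` keeps it off argv, and that applies to all seven scripts in this commit. `-in ${GPG_KEY_ENC_FILENAME}` is the one unquoted expansion in this file and should be `-in "${GPG_KEY_ENC_FILENAME}"` like the others.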
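--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE/drop-staging-script
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -euo pipefail
+
+SSL_PWD=$1
+openssl enc -aes-256-cbc -d -pass pass:"${SSL_PWD}" -in mvnsettingsPlainText.xml.enc -out mvnsettingsPlainText.xml
+
+mvn nexus-staging:drop -DstagingDescription="No longer required" --settings mvnsettingsPlainText.xml
+rm mvnsettingsPlainText.xml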
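Review bot: `-in mvnsettingsPlainText.xml.enc` reads the encrypted settings from the current directory, whereas the release script in this same commit reads `scripts/mvnsettingsPlainText.xml.enc` and the file committed here is `scripts/mvnsettingsPlainText.xml.enc`; if this script is run from the repository root as the release script evidently is, openssl will not find its input and `set -e` aborts before the drop. Either use the same `scripts/` path or make the working directory explicit, e.g. `cd "$(dirname "$0")/.."` before the openssl call, and state the expected invocation in a header comment such as `# usage: run from the repository root: <script> <password>`.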
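--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE/release_util_script_create_gpg.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+set -euo pipefail
+#--------------------------------------------------------------------------------
+SSL_PWD="$1"
+RELEASE_KEY_TO_PUBLIC_SERVER="true"
+#--------------------------------------------------------------------------------
+cat >gen-key-script <<EOF
+%echo Generating a basic OpenPGP key
+Key-Type: RSA
+Key-Length: 4096
+Name-Real: Peter Schrammel
+Name-Email: [email protected]
+Name-Comment:"CProver Java API"
+Expire-Date: 1y
+%no-protection
+%commit
+%echo done
+EOF
+
+## create a local keypair with given configuration
+gpg --batch --gen-key gen-key-script
+#----------------------------------
+#gpg --quick-gen-key 'Peter Schrammel <[email protected]>'
+#--------------------------------------------------------------------------------
+## get key id
+GPG_KEYID=$( gpg --list-keys --with-colons "Peter Schrammel" | grep "pub" | head -n1 | cut -d ':' -f5 )
+echo "key id is: ${GPG_KEYID}"
+
+echo "encrypted key id is:"
+GPG_KEYID_ENC=$(echo "${GPG_KEYID}" | openssl aes-256-cbc -a -salt -pass pass:"${SSL_PWD}" | openssl enc -A -base64)
+echo "${GPG_KEYID_ENC}"
+#--------------------------------------------------------------------------------
+## list keys public
+echo "------- list public keys ------------------"
+gpg --list-keys
+## list keys private
+echo "------- list private keys -----------------"
+gpg --list-secret-keys
+#--------------------------------------------------------------------------------
+if [[ "${RELEASE_KEY_TO_PUBLIC_SERVER}" == "true" ]]
+then
+#gpg --keyserver keyserver.ubuntu.com --send-keys ${GPG_KEYID}
+gpg --keyserver pgp.mit.edu --send-keys "${GPG_KEYID}"
+
+## wait for the key to be accessible
+while(true); do
+date
+#gpg --keyserver keyserver.ubuntu.com --recv-keys ${GPG_KEYID} && break || sleep 15
+gpg --keyserver pgp.mit.edu --recv-keys "${GPG_KEYID}" && break || sleep 20
+done
+fi
+#--------------------------------------------------------------------------------
+## export key
+# gpg --batch --export-secret-key ${GPG_KEYID} -a --passphrase "" > private1.gpg
+gpg --batch -a --export-secret-key "${GPG_KEYID}" > private1.gpg
+#gpg --armor --export-secret-key 'Peter Schrammel <[email protected]>'
+
+## encode key to file
+openssl enc -aes-256-cbc -pass pass:"${SSL_PWD}" -in private1.gpg -out private1.gpg.enc
+rm private1.gpg
+
+## remove generated key
+gpg --delete-secret-keys "${GPG_KEYID}"
+gpg --delete-key "${GPG_KEYID}"
+
+## cleanup local configuration
+rm gen-key-script
+#--------------------------------------------------------------------------------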
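Review bot: The key id is taken with `grep "pub" | head -n1` from `gpg --list-keys --with-colons "Peter Schrammel"`, which yields whichever matching key the user's keyring already holds rather than necessarily the one just generated, and `grep "pub"` is not anchored to the record type, so a uid or other field containing that substring would also match. Anchoring on the colon record, `GPG_KEYID=$(gpg --list-keys --with-colons "Peter Schrammel" | awk -F: '$1 == "pub" { print $5; exit }')`, fixes the match; generating into a fresh keyring, `GNUPGHOME=$(mktemp -d); export GNUPGHOME`, makes the result unambiguous and would let the closing `--delete-secret-keys`/`--delete-key` pair be replaced by removing that directory. The `while(true)` poll of pgp.mit.edu has no upper bound, so an unreachable keyserver hangs the run indefinitely; a retry counter with an error exit after a fixed number of attempts is safer. Note also that this script publishes to and polls `pgp.mit.edu` while the release script polls `keys.openpgp.org`, and as far as I know those two do not synchronise, so the release script's comment that the procedure "will have already been done" by this script may not hold for that server.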
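--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE/decrypt-file-script
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+
+SSL_PWD="$1"
+FILE="$2"
+
+openssl enc -aes-256-cbc -salt -pass pass:"${SSL_PWD}" -d -in ${FILE} -out ${FILE}.decrypted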
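Review bot: `-in ${FILE} -out ${FILE}.decrypted` leaves both expansions unquoted, so a path containing spaces or glob characters is split or expanded before openssl sees it, while the encrypt counterpart in this commit quotes `"${FILE}"`. Quote them the same way: `openssl enc -aes-256-cbc -salt -pass pass:"${SSL_PWD}" -d -in "${FILE}" -out "${FILE}.decrypted"`. A one-line header comment stating the usage, `# usage: <script> <password> <file.encrypted>`, would match the two var scripts in this commit that document themselves.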
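--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE/release_util_script_decrypt_var.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# --------------------------------------------------------------------------------
+# This script can be used to double check that an encrypted variable found in a
+# file (e.g. gpg key id) is correct (e.g. no misspellings have occurred).
+# It is the peer of 'release_util_script_encrypt_var.sh' - which is used for
+# encrypting a variable (e.g. a gpg key id).
+# --------------------------------------------------------------------------------
+set -euo pipefail
+
+SSL_PWD="$1"
+VAR_ENC="$2"
+
+echo "decrypted var is:"
+VAR=$(echo "${VAR_ENC}" | openssl enc -A -base64 -d | openssl aes-256-cbc -d -a -pass pass:"$SSL_PWD")
+echo "${VAR}"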
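Review bot: The script prints the decrypted value itself on stdout (`echo "${VAR}"`), which is its intended purpose but means the plaintext of e.g. a Sonatype token lands in any captured output or CI log if it is ever run there; that is worth stating in the header block, `# NOTE: prints the plaintext value on stdout - intended for local use only`. `echo "decrypted var is:"` runs before the decryption, so on a wrong password the label is printed and then openssl's error and the `set -e` exit follow; computing `VAR` first and printing the label and value together afterwards gives a cleaner failure.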
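--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE/encrypt-file-script
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -euo pipefail
+
+SSL_PWD="$1"
+FILE="$2"
+
+openssl enc -aes-256-cbc -salt -pass pass:"${SSL_PWD}" -in "${FILE}" -out "${FILE}".encrypted
+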
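Review bot: `openssl enc -aes-256-cbc -salt -pass pass:...` with no `-pbkdf2`/`-iter` derives the key with OpenSSL's legacy EVP_BytesToKey (MD5, a single iteration), which OpenSSL 1.1.1 and later report as "deprecated key derivation used"; the strength of SSL_PWD is then the entire security margin for the committed .enc files. Adding `-pbkdf2 -iter 100000` here and in the encrypt-var script strengthens the derivation, but the decrypt side (the release, drop-staging, decrypt-file and decrypt-var scripts) must pass the same options, and the artifacts already committed in this change would need to be re-encrypted. A comment on this line, `# key derivation options must match the decrypt scripts`, would keep the encrypt/decrypt pairs from drifting apart.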
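--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE/release_util_script_encrypt_var.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# --------------------------------------------------------------------------------
+# This script can be used to encrypt a variable (e.g. gpg key id, if a key is
+# provided by someone else)
+# NB release_util_script_create_gpg provides both the key id and also its
+# encrypted form.
+# This script is the peer of 'release_util_script_decrypt_var.sh' - which can be used to
+# double check that an encrypted variable (e.g. gpg key id) is correct (e.g. no
+# misspellings have occurred).
+# --------------------------------------------------------------------------------
+set -euo pipefail
+
+SSL_PWD="$1"
+VAR="$2"
+
+echo "encrypted var is:"
+VAR_ENC=$(echo "${VAR}" | openssl aes-256-cbc -a -salt -pass pass:"${SSL_PWD}" | openssl enc -A -base64)
+echo "${VAR_ENC}"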
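Review bot: The value to encrypt is taken from `$2`, so the plaintext secret (a Sonatype token, per the release script) is on the command line: visible to other users through `ps`, recorded in shell history, and present in any `set -x` trace. Reading it from stdin instead, `IFS= read -r -s -p 'value to encrypt: ' VAR`, avoids that for interactive use, and the same consideration applies to the password in `$1` across all seven scripts in this commit. `echo "${VAR}" |` also feeds a trailing newline into the ciphertext; `printf '%s' "${VAR}" |` encrypts exactly the value given, which the decrypt side (via `$(...)`) handles identically.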
