From 93f5217d81990b7e1622427993be9e8561b5b4ac Mon Sep 17 00:00:00 2001
From: Antoine du Hamel
Date: Wed, 27 Nov 2024 20:16:10 +0000
Subject: [PATCH] tools: filter release keys to reduce interactivity
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
PR-URL: https://github.com/nodejs/node/pull/55950
Reviewed-By: James M Snell
Reviewed-By: Yagiz Nizipli
Reviewed-By: Rafael Gonzaga
Reviewed-By: Juan José Arboleda
---
 tools/release.sh | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)
diff --git a/tools/release.sh b/tools/release.sh
index fca6e30a6308f2..a40035cb7427fc 100755
--- a/tools/release.sh
+++ b/tools/release.sh
@@ -15,15 +15,25 @@ webuser=dist
 promotablecmd=dist-promotable
 promotecmd=dist-promote
 signcmd=dist-sign
+allPGPKeys=""
 customsshkey="" # let ssh and scp use default key
+readmePath="README.md"
 signversion=""
 cloudflare_bucket="r2:dist-prod"
-while getopts ":i:s:" option; do
+while getopts ":i:r:s:a" option; do
 case "${option}" in
+ a)
+ # With -a, local keys are not filtered based on the one listed in the README
+ # useful if you want to sign with a subkey.
+ allPGPKeys="true"
+ ;;
 i)
 customsshkey="-i ${OPTARG}"
 ;;
+ r)
+ readmePath="${OPTARG}"
+ ;;
 s)
 signversion="${OPTARG}"
 ;;
@@ -44,7 +54,16 @@ shift $((OPTIND-1))
 echo "# Selecting GPG key ..."
-gpgkey=$(gpg --list-secret-keys --keyid-format SHORT | awk -F'( +|/)' '/^(sec|ssb)/{print $3}')
+
+if [ -z "$allPGPKeys" ]; then
+ gpgkey="$(awk '{
+ if ($1 == "gpg" && $2 == "--keyserver" && $4 == "--recv-keys" && (1 == 2'"$(
+ gpg --list-secret-keys | awk -F' = ' '/^ +Key fingerprint/{ gsub(/ /,"",$2); print " || $5 == \"" $2 "\"" }' || true
+ )"')) { print substr($5, 33) }
+ }' "$readmePath")"
+else
+ gpgkey=$(gpg --list-secret-keys --keyid-format SHORT | awk -F'( +|/)' '/^(sec|ssb)/{print $3}')
+fi
 keycount=$(echo "$gpgkey" | wc -w)
 if [ "$keycount" -eq 0 ]; then
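Review bot: The `r)` arm stores whatever path is given in `readmePath` without checking it, yet that file becomes the list the signing key is validated against further down. A mistyped or unreadable path would then most likely surface only as an empty key selection or as a "not listed" error, which hides the real cause. A check after the option loop, such as `[ -r "$readmePath" ] || { echo "Error: cannot read $readmePath" >&2; exit 1; }`, would fail early and name the file. The `case` statement and the loop close outside this hunk, and the usage text is not visible here, so confirm it documents `-a` and `-r`.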
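Review bot: The README filter matches on the full fingerprint, but `substr($5, 33)` then cuts it down to the last 8 hex digits, so the value passed on in `gpgkey` is a 32-bit short key ID again. Short IDs are not unique, and a second key in the local keyring with the same short ID would make the later `gpg --fingerprint "$gpgkey"` lookup ambiguous; printing the whole field with `print $5` keeps the selection bound to the fingerprint that was matched, assuming the rest of the script accepts a fingerprint where it now takes a short ID. Separately, the inner `gpg --list-secret-keys` is parsed by its human-readable `Key fingerprint` label, which can vary with locale and gpg configuration; `gpg --list-secret-keys --with-colons` and its `fpr` records would be a stable source.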
@@ -68,13 +87,12 @@ elif [ "$keycount" -ne 1 ]; then
 gpgkey=$(echo "$gpgkey" | sed -n "${keynum}p")
 fi
-gpgfing=$(gpg --keyid-format 0xLONG --fingerprint "$gpgkey" | grep 'Key fingerprint =' | awk -F' = ' '{print $2}' | tr -d ' ')
-
-grep -q "$gpgfing" README.md || (\
- echo 'Error: this GPG key fingerprint is not listed in ./README.md' && \
- exit 1 \
-)
+gpgfing=$(gpg --keyid-format 0xLONG --fingerprint "$gpgkey" | awk -F' = ' '/^ +Key fingerprint/{gsub(/ /,"",$2);print $2}')
+grep -q "$gpgfing" "$readmePath" || {
+ echo "Error: this GPG key fingerprint is not listed in $readmePath"
+ exit 1
+}
 echo "Using GPG key: $gpgkey"
 echo " Fingerprint: $gpgfing"
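Review bot: When the awk expression finds no `Key fingerprint` line, `gpgfing` is empty and `grep -q "" "$readmePath"` matches every line, so the README check passes without comparing anything. The extraction depends on gpg's human-readable label, so an empty result is plausible under another locale or output format. Guarding the value and matching it as a fixed string closes that gap: `if [ -z "$gpgfing" ] || ! grep -qF -- "$gpgfing" "$readmePath"; then`, followed by the existing error lines and `fi`. If the lookup returns several fingerprints, grep treats each line as an alternative pattern, so a multi-line `gpgfing` is also worth rejecting.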