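#!/bin/bash
# cron job for the webserver
#
# Pulls the trigger files dropped into the sftp "airlock" and then:
#   - trigger_website : fast-forwards this checkout to github/master, but only
#     after the remote commit hash has been signed by both release keys;
#   - trigger_binaries: downloads the release files named by the trigger,
#     verifies two detached signatures on every file, aggregates the
#     signatures into <file>.asc and publishes everything to the public
#     download directory.
# Everything fetched from the airlock is treated as untrusted until its
# signature has been checked against the keyrings in "$REPODIR/gpg".
set -euxo pipefail
shopt -s nullglob

REPODIR="$(dirname "$(readlink -e "$0")")"
readonly REPODIR
readonly AIRLOCK_HOST="pubwww@uploadserver"

# Print a diagnostic on stderr and abort the run.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Per-run scratch space. A fresh mktemp directory replaces the fixed,
# predictable /tmp path that another local user could pre-create; it is
# removed on every exit path.
WORKDIR="$(mktemp -d)" || die "mktemp failed"
readonly WORKDIR
cleanup() { rm -rf -- "${WORKDIR:?}"; }
trap cleanup EXIT

date -u
mkdir "$WORKDIR/triggers"
cd "$WORKDIR/triggers"
# Quoted delimiter: nothing in this batch is meant to be expanded by bash.
# The leading '-' makes sftp ignore a failing command (a missing trigger
# file is the normal case).
sftp -oBatchMode=no -b - "$AIRLOCK_HOST" <<'EOF'
cd electrum-downloads-airlock
-get trigger_website
-rm trigger_website
-get trigger_binaries
-rm trigger_binaries
bye
EOF

# Maybe update website.
# This could also update this script itself (but only for subsequent runs!)
if [[ -f "$WORKDIR/triggers/trigger_website" ]]; then
  echo "file trigger found: trigger_website."
  cd "$REPODIR"
  git fetch github
  LOCAL_COMMIT="$(git rev-parse master)"
  REMOTE_COMMIT="$(git rev-parse github/master)"
  if [[ "$LOCAL_COMMIT" == "$REMOTE_COMMIT" ]]; then
    echo "no changes for website."
  else
    echo "found some changes for website."
    # Fetch the signatures into scratch space rather than the checkout, so
    # the repository directory is not littered with untracked .asc files.
    cd "$WORKDIR/triggers"
    sftp -oBatchMode=no -b - "$AIRLOCK_HOST" <<'EOF'
cd electrum-downloads-airlock
get website.ThomasV.asc
get website.sombernight_releasekey.asc
bye
EOF
    # Both release keys must have signed the exact commit hash we are about to
    # merge. The signed data is the hash followed by a newline, which is what
    # "git rev-parse" prints; pipefail makes a failing producer fatal too.
    printf '%s\n' "$REMOTE_COMMIT" | gpg --no-default-keyring --keyring "$REPODIR/gpg/thomasv.gpg" --verify website.ThomasV.asc -
    printf '%s\n' "$REMOTE_COMMIT" | gpg --no-default-keyring --keyring "$REPODIR/gpg/sombernight_releasekey.gpg" --verify website.sombernight_releasekey.asc -
    echo "website signature verified"
    # Update website immediately (in case the rest of the script crashes).
    # Merge the verified hash itself instead of FETCH_HEAD, so what was signed
    # is exactly what gets deployed.
    cd "$REPODIR"
    git merge --ff-only "$REMOTE_COMMIT"
  fi
else
  echo "file trigger NOT found: trigger_website."
fi

# Maybe upload binaries.
TRIGGER="$WORKDIR/triggers/trigger_binaries"
if [[ ! -f "$TRIGGER" || ! -s "$TRIGGER" ]]; then
  echo "file trigger NOT found or is empty: trigger_binaries."
else
  echo "file trigger found: trigger_binaries."
  TRIGGERVERSION="$(cat "$TRIGGER")"
  printf '%s\n' "TRIGGERVERSION: $TRIGGERVERSION"
  # The trigger content comes from the airlock and is spliced into sftp batch
  # commands and remote paths below. Accept only a plain version-like token:
  # no whitespace or newlines (would inject extra sftp commands), no '/' and
  # no leading '.' (would escape the intended remote directory).
  [[ "$TRIGGERVERSION" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] \
    || die "refusing suspicious TRIGGERVERSION: $(printf '%q' "$TRIGGERVERSION")"
  # Read binaries/etc from the airlock directory, based on TRIGGERVERSION
  BINDIR="$WORKDIR/binaries"
  mkdir "$BINDIR"
  cd "$BINDIR"
  # Unquoted delimiter on purpose: TRIGGERVERSION (validated above) must expand.
  sftp -oBatchMode=no -b - "$AIRLOCK_HOST" <<EOF
cd electrum-downloads-airlock
cd "$TRIGGERVERSION"
mget *
bye
EOF
  # verify signatures of binaries
  items=(./*)
  (( ${#items[@]} > 0 )) || die "no files downloaded for $TRIGGERVERSION"
  for item in "${items[@]}"; do
    if [[ "$item" == *.asc ]]; then
      continue # signature files are checked together with their binary below
    fi
    # All other files should be reproducible binaries; verify two sigs.
    # In case we upload any other file for whatever reason, both sigs are needed too.
    gpg --no-default-keyring --keyring "$REPODIR/gpg/thomasv.gpg" --verify "$item.ThomasV.asc" "$item"
    gpg --no-default-keyring --keyring "$REPODIR/gpg/sombernight_releasekey.gpg" --verify "$item.sombernight_releasekey.asc" "$item"
    # create aggregated signature file (only the '*' is unquoted, so a name
    # containing spaces or glob characters cannot split the pattern)
    cat "$item".*.asc > "$item.asc"
  done
  # Every *.asc about to be published must belong to a verified file: either
  # one of the two detached signatures or the aggregate created above. A stray
  # signature file would otherwise be uploaded without any check.
  for sig in ./*.asc; do
    base="${sig%.ThomasV.asc}"
    base="${base%.sombernight_releasekey.asc}"
    base="${base%.asc}"
    [[ "$base" != "$sig" && "$base" != *.asc && -f "$base" ]] \
      || die "orphan signature file: $sig"
  done
  echo "verification passed"
  # publish files
  sftp -oBatchMode=no -b - "$AIRLOCK_HOST" <<EOF
cd electrum-downloads
-mkdir "$TRIGGERVERSION"
cd "$TRIGGERVERSION"
-mput *
bye
EOF
fi
# todo: clear cloudflare cache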