From bf78476feca3a6a45e2db19659c98142e90e2a45 Mon Sep 17 00:00:00 2001 From: Jarek Kowalski Date: Fri, 16 Apr 2021 08:17:13 -0700 Subject: [PATCH] ci: refactored credentials handling (#987) This strengthens credential handling after our signing keys may have been leaked in the [codecov.io breach](https://about.codecov.io/security-update/) * pass only minimal credentials to each build step to avoid exposing sensitive tokens to tools that don't need them (like code coverage) * removed encrypted credential files and replaced with environment-based * allow full ci/cd including publishing artifacts from forks * regenerated all passwords, tokens and service accounts * do not install Google Cloud SDK on GHA - it's already there * moved RPM signing to 'Stage And Publish Artifacts' phase * generated new GPG signing key See https://kopia.discourse.group/t/important-impact-of-codecov-io-security-issue-on-kopia-build-pipeline/377 --- .github/workflows/make.yml | 159 +++++++++--------- .github/workflows/provider-tests.yml | 45 +++++ Makefile | 100 ++++------- kopia.gpg.enc | Bin 2544 -> 0 bytes site/content/docs/Installation/_index.md | 4 +- site/content/signing-key | 53 +++--- .../gcs/test_service_account.json.enc | Bin 2320 -> 0 bytes tests/credentials/sftp/id_kopia.enc | Bin 1856 -> 0 bytes tests/credentials/sftp/known_hosts.enc | Bin 208 -> 0 bytes tools/apt-publish.sh | 11 +- tools/boto.enc | 2 - tools/homebrew-publish.sh | 8 +- tools/rpm-publish.sh | 6 +- tools/scoop-publish.sh | 8 +- tools/tools.mk | 19 ++- 15 files changed, 213 insertions(+), 202 deletions(-) delete mode 100644 kopia.gpg.enc delete mode 100644 tests/credentials/gcs/test_service_account.json.enc delete mode 100644 tests/credentials/sftp/id_kopia.enc delete mode 100644 tests/credentials/sftp/known_hosts.enc delete mode 100644 tools/boto.enc diff --git a/.github/workflows/make.yml b/.github/workflows/make.yml index ed68e800d..d409378e7 100644 --- a/.github/workflows/make.yml 
+++ b/.github/workflows/make.yml 
@@ -11,86 +11,18 @@ on: # run on Mondays at 8AM - cron: '0 8 * * 1' env: + # environment variables shared between build steps + # do not include sensitive credentials and tokens here, instead pass them + # directly to tools that need them to limit the blast radius in case one of them + # becomes compromised and leaks credentials to external sites. # required by Makefile UNIX_SHELL_ON_WINDOWS: true - - # PUBLISH_BINARIES=true publishes the binaries to github - PUBLISH_BINARIES: ${{ secrets.PUBLISH_BINARIES }} - + # set to true if Publish Artifacts should run + PUBLISH_ARTIFACTS: ${{ secrets.PUBLISH_ARTIFACTS }} # where to publish releases for non-tagged commits NON_TAG_RELEASE_REPO: ${{ secrets.NON_TAG_RELEASE_REPO }} - - # encrypt various secrets stored as files - CREDENTIAL_ENCRYPTION_KEY: ${{ secrets.CREDENTIAL_ENCRYPTION_KEY }} - CREDENTIAL_ENCRYPTION_IV: ${{ secrets.CREDENTIAL_ENCRYPTION_IV }} - - # Apple ID and app-specific password for notarizaton - APPLEID: ${{ secrets.APPLEID }} - APPLEIDPASS: ${{ secrets.APPLEIDPASS }} - KOPIA_UI_NOTARIZE: ${{ secrets.KOPIA_UI_NOTARIZE }} - - # tool to install Windows signing certificate - WINDOWS_SIGNING_TOOLS_URL: ${{ secrets.WINDOWS_SIGNING_TOOLS_URL }} - WINDOWS_SIGN_USER: ${{ secrets.WINDOWS_SIGN_USER }} - WINDOWS_SIGN_AUTH: ${{ secrets.WINDOWS_SIGN_AUTH }} - WINDOWS_CERT_SHA1: ${{ secrets.WINDOWS_CERT_SHA1 }} - WINDOWS_SIGN_TOOL: ${{ secrets.WINDOWS_SIGN_TOOL }} - - # macOS signing certificate (base64-encoded), used by Electron Builder - CSC_LINK: ${{ secrets.CSC_LINK }} - CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }} - MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }} - - # used to publish docker images - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} - - # used in Azure tests - KOPIA_AZURE_TEST_CONTAINER: ${{ secrets.KOPIA_AZURE_TEST_CONTAINER }} - KOPIA_AZURE_TEST_STORAGE_ACCOUNT: ${{ secrets.KOPIA_AZURE_TEST_STORAGE_ACCOUNT }} - 
KOPIA_AZURE_TEST_STORAGE_KEY: ${{ secrets.KOPIA_AZURE_TEST_STORAGE_KEY }} - - # used in B2 tests - KOPIA_B2_TEST_BUCKET: ${{ secrets.KOPIA_B2_TEST_BUCKET }} - KOPIA_B2_TEST_KEY: ${{ secrets.KOPIA_B2_TEST_KEY }} - KOPIA_B2_TEST_KEY_ID: ${{ secrets.KOPIA_B2_TEST_KEY_ID }} - - # used in GCS tests - KOPIA_GCS_CREDENTIALS_FILE: ${{ secrets.KOPIA_GCS_CREDENTIALS_FILE }} - KOPIA_GCS_TEST_BUCKET: ${{ secrets.KOPIA_GCS_TEST_BUCKET }} - - # used in S3 tests - KOPIA_S3_TEST_ENDPOINT: ${{ secrets.KOPIA_S3_TEST_ENDPOINT }} - KOPIA_S3_TEST_ACCESS_KEY_ID: ${{ secrets.KOPIA_S3_TEST_ACCESS_KEY_ID }} - KOPIA_S3_TEST_SECRET_ACCESS_KEY: ${{ secrets.KOPIA_S3_TEST_SECRET_ACCESS_KEY }} - KOPIA_S3_TEST_BUCKET: ${{ secrets.KOPIA_S3_TEST_BUCKET }} - KOPIA_S3_TEST_REGION: ${{ secrets.KOPIA_S3_TEST_REGION }} - KOPIA_S3_TEST_STS_ACCESS_KEY_ID: ${{ secrets.KOPIA_S3_TEST_STS_ACCESS_KEY_ID }} - KOPIA_S3_TEST_STS_SECRET_ACCESS_KEY: ${{ secrets.KOPIA_S3_TEST_STS_SECRET_ACCESS_KEY }} - KOPIA_S3_TEST_SESSION_TOKEN: ${{ secrets.KOPIA_S3_TEST_SESSION_TOKEN }} - - KOPIA_S3_CREDS: ${{ secrets.KOPIA_S3_CREDS }} - KOPIA_S3_WASABI_CREDS: ${{ secrets.KOPIA_S3_WASABI_CREDS }} - KOPIA_S3_WASABI_VERSIONED_CREDS: ${{ secrets.KOPIA_S3_WASABI_VERSIONED_CREDS }} - - # used in rclone tests - KOPIA_RCLONE_EMBEDDED_CONFIG_B64: ${{ secrets.KOPIA_RCLONE_EMBEDDED_CONFIG_B64 }} - - # used in SFTP tests - KOPIA_SFTP_TEST_HOST: ${{ secrets.KOPIA_SFTP_TEST_HOST }} - KOPIA_SFTP_TEST_PORT: ${{ secrets.KOPIA_SFTP_TEST_PORT }} - KOPIA_SFTP_TEST_USER: ${{ secrets.KOPIA_SFTP_TEST_USER }} - KOPIA_SFTP_TEST_PATH: ${{ secrets.KOPIA_SFTP_TEST_PATH }} - KOPIA_SFTP_KEYFILE: ${{ secrets.KOPIA_SFTP_KEYFILE }} - KOPIA_SFTP_KNOWN_HOSTS_FILE: ${{ secrets.KOPIA_SFTP_KNOWN_HOSTS_FILE }} - - # used in WebDAV tests - KOPIA_WEBDAV_TEST_URL: ${{ secrets.KOPIA_WEBDAV_TEST_URL }} - KOPIA_WEBDAV_TEST_USERNAME: ${{ secrets.KOPIA_WEBDAV_TEST_USERNAME }} - KOPIA_WEBDAV_TEST_PASSWORD: ${{ secrets.KOPIA_WEBDAV_TEST_PASSWORD }} - - # Code Coverage token - 
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + # RPM and APT packages GCS bucket/hostname. + PACKAGES_HOST: ${{ secrets.PACKAGES_HOST }} jobs: build: strategy: 
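Review bot: `NON_TAG_RELEASE_REPO` and `PACKAGES_HOST` are still read from `secrets` in the workflow-level `env:`, so every step of every job receives them, including the coverage upload, which is the exposure the new comment warns against. Both look like publish-only inputs, so they could move to the `env:` of the "Stage And Publish Artifacts" steps that call the publish targets. Separately, no hunk in this patch reads `PUBLISH_ARTIFACTS` (the publish job's `if:` tests only `github.event_name`), so either wire it into that condition or drop it. If it is kept, a comment such as `# PUBLISH_ARTIFACTS: read by <consumer>; publishing is skipped unless "true"` would say where it takes effect.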
@@ -125,16 +57,54 @@ jobs: fetch-depth: 0 - name: Setup run: make -j4 ci-setup + - name: Build HTML + # build HTML separately without passing any sensitive credentials to the build + # since it involves a bunch of NPM scripts. + run: make html-ui + - name: Install macOS certificates + # install signing tools and credentials for macOS and Windows outside of main + # build process. + run: make macos-certificates + env: + # macOS signing certificate (base64-encoded), used by Electron Builder + CSC_LINK: ${{ secrets.CSC_LINK }} + CSC_KEYCHAIN: ${{ secrets.CSC_KEYCHAIN }} + CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }} + MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }} + if: ${{ contains(matrix.os, 'macos') }} + - name: Install Windows signing tools + # install signing tools and credentials for macOS and Windows outside of main + # build process. + run: make windows-signing-tools + env: + # tool to install Windows signing certificate + WINDOWS_SIGNING_TOOLS_URL: ${{ secrets.WINDOWS_SIGNING_TOOLS_URL }} + WINDOWS_SIGN_TOOL: ${{ secrets.WINDOWS_SIGN_TOOL }} + if: ${{ contains(matrix.os, 'windows') }} - name: Build run: make ci-build + env: + # Apple ID and app-specific password for notarizaton, used by Electron Builder + APPLEID: ${{ secrets.APPLEID }} + APPLEIDPASS: ${{ secrets.APPLEIDPASS }} + KOPIA_UI_NOTARIZE: ${{ secrets.KOPIA_UI_NOTARIZE }} + + # tool to install Windows signing certificate + WINDOWS_SIGN_USER: ${{ secrets.WINDOWS_SIGN_USER }} + WINDOWS_SIGN_AUTH: ${{ secrets.WINDOWS_SIGN_AUTH }} + WINDOWS_CERT_SHA1: ${{ secrets.WINDOWS_CERT_SHA1 }} + WINDOWS_SIGN_TOOL: ${{ secrets.WINDOWS_SIGN_TOOL }} + + # macOS signing certificate (base64-encoded), used by Electron Builder + MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }} - name: Tests run: make ci-tests continue-on-error: ${{ github.event_name != 'pull_request' }} - name: Integration Tests run: make -j2 ci-integration-tests continue-on-error: ${{ github.event_name != 'pull_request' 
}} - - name: Publish - run: make ci-publish + - name: Publish Coverage Results + run: make ci-publish-coverage - name: Upload Kopia Artifacts uses: actions/upload-artifact@v2 with: @@ -168,7 +138,7 @@ jobs: name: Stage And Publish Artifacts runs-on: ubuntu-latest needs: build - if: ${{ github.event_name != 'pull_request' }} + if: github.event_name != 'pull_request' steps: - uses: actions/checkout@v2 - name: Set up QEMU @@ -187,15 +157,38 @@ jobs: path: dist_binaries - name: Display structure of downloaded files run: ls -lR dist/ dist_binaries/ - - name: Install CI Credentials - run: make -j4 ci-credentials + - name: Install GPG Key + run: make ci-gpg-key + env: + GPG_KEYRING: ${{secrets.GPG_KEYRING}} - name: Stage Release run: make stage-release - name: Push Github Release run: make push-github-release env: GITHUB_TOKEN: ${{secrets.GH_TOKEN}} - - name: Publish Other Packages - run: make publish-packages + - name: Install GCS Credentials + run: make ci-gcs-creds + env: + GCS_CREDENTIALS: ${{secrets.GCS_CREDENTIALS}} + - name: Publish APT + # this needs GCS credentials and GPG keys installed before. + run: make publish-apt + - name: Publish RPM + # this needs GCS credentials and GPG keys installed before. + run: make publish-rpm + - name: Publish Homebrew + # this only pushes to a GitHub repository. + run: make publish-homebrew env: GITHUB_TOKEN: ${{secrets.GH_TOKEN}} + - name: Publish Scoop + # this only pushes to a GitHub repository. + run: make publish-scoop + env: + GITHUB_TOKEN: ${{secrets.GH_TOKEN}} + - name: Publish Docker + run: make publish-docker + env: + DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} + DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} diff --git a/.github/workflows/provider-tests.yml b/.github/workflows/provider-tests.yml index 7299ae511..22c0cd35e 100644 --- a/.github/workflows/provider-tests.yml +++ b/.github/workflows/provider-tests.yml 
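Review bot: The `env:` block added to the "Build" step has no OS condition, so every matrix leg receives every signing secret: the Linux and Windows legs get `APPLEIDPASS`, and the Linux and macOS legs get `WINDOWS_SIGN_AUTH`. The two install steps above it are already gated with `contains(matrix.os, ...)`, and the same gating can be applied per value, for example `APPLEIDPASS: ${{ contains(matrix.os, 'macos') && secrets.APPLEIDPASS || '' }}` and `WINDOWS_SIGN_AUTH: ${{ contains(matrix.os, 'windows') && secrets.WINDOWS_SIGN_AUTH || '' }}`. The job header and matrix definition are outside this hunk, so the exact `matrix.os` values should be checked against them.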
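Review bot: Step-level `env:` scoping does not cover what "Install GPG Key" and "Install GCS Credentials" leave behind: the imported signing key and the activated service account stay on the runner for the rest of the job. The "Publish Homebrew", "Publish Scoop" and "Publish Docker" steps, and every script they call, can therefore still use them even though their own `env:` lists only a GitHub or Docker Hub token. Either run those three publishers in a separate job, or add a cleanup step right after "Publish RPM", e.g. `run: gcloud auth revoke --all && rm -rf ~/.gnupg`. The steps list begins outside this hunk.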
@@ -16,3 +16,48 @@ jobs: fetch-depth: 0 - name: Provider Tests run: make provider-tests + env: + # used in Azure tests + KOPIA_AZURE_TEST_CONTAINER: ${{ secrets.KOPIA_AZURE_TEST_CONTAINER }} + KOPIA_AZURE_TEST_STORAGE_ACCOUNT: ${{ secrets.KOPIA_AZURE_TEST_STORAGE_ACCOUNT }} + KOPIA_AZURE_TEST_STORAGE_KEY: ${{ secrets.KOPIA_AZURE_TEST_STORAGE_KEY }} + + # used in B2 tests + KOPIA_B2_TEST_BUCKET: ${{ secrets.KOPIA_B2_TEST_BUCKET }} + KOPIA_B2_TEST_KEY: ${{ secrets.KOPIA_B2_TEST_KEY }} + KOPIA_B2_TEST_KEY_ID: ${{ secrets.KOPIA_B2_TEST_KEY_ID }} + + # used in GCS tests + KOPIA_GCS_CREDENTIALS_FILE: ${{ secrets.KOPIA_GCS_CREDENTIALS_FILE }} + KOPIA_GCS_TEST_BUCKET: ${{ secrets.KOPIA_GCS_TEST_BUCKET }} + + # used in S3 tests + KOPIA_S3_TEST_ENDPOINT: ${{ secrets.KOPIA_S3_TEST_ENDPOINT }} + KOPIA_S3_TEST_ACCESS_KEY_ID: ${{ secrets.KOPIA_S3_TEST_ACCESS_KEY_ID }} + KOPIA_S3_TEST_SECRET_ACCESS_KEY: ${{ secrets.KOPIA_S3_TEST_SECRET_ACCESS_KEY }} + KOPIA_S3_TEST_BUCKET: ${{ secrets.KOPIA_S3_TEST_BUCKET }} + KOPIA_S3_TEST_REGION: ${{ secrets.KOPIA_S3_TEST_REGION }} + KOPIA_S3_TEST_STS_ACCESS_KEY_ID: ${{ secrets.KOPIA_S3_TEST_STS_ACCESS_KEY_ID }} + KOPIA_S3_TEST_STS_SECRET_ACCESS_KEY: ${{ secrets.KOPIA_S3_TEST_STS_SECRET_ACCESS_KEY }} + KOPIA_S3_TEST_SESSION_TOKEN: ${{ secrets.KOPIA_S3_TEST_SESSION_TOKEN }} + + KOPIA_S3_CREDS: ${{ secrets.KOPIA_S3_CREDS }} + KOPIA_S3_WASABI_CREDS: ${{ secrets.KOPIA_S3_WASABI_CREDS }} + KOPIA_S3_WASABI_VERSIONED_CREDS: ${{ secrets.KOPIA_S3_WASABI_VERSIONED_CREDS }} + + # used in rclone tests + KOPIA_RCLONE_EMBEDDED_CONFIG_B64: ${{ secrets.KOPIA_RCLONE_EMBEDDED_CONFIG_B64 }} + + # used in SFTP tests + KOPIA_SFTP_TEST_HOST: ${{ secrets.KOPIA_SFTP_TEST_HOST }} + KOPIA_SFTP_TEST_PORT: ${{ secrets.KOPIA_SFTP_TEST_PORT }} + KOPIA_SFTP_TEST_USER: ${{ secrets.KOPIA_SFTP_TEST_USER }} + KOPIA_SFTP_TEST_PATH: ${{ secrets.KOPIA_SFTP_TEST_PATH }} + KOPIA_SFTP_KEYFILE: ${{ secrets.KOPIA_SFTP_KEYFILE }} + KOPIA_SFTP_KNOWN_HOSTS_FILE: ${{ 
secrets.KOPIA_SFTP_KNOWN_HOSTS_FILE }} + + # used in WebDAV tests + KOPIA_WEBDAV_TEST_URL: ${{ secrets.KOPIA_WEBDAV_TEST_URL }} + KOPIA_WEBDAV_TEST_USERNAME: ${{ secrets.KOPIA_WEBDAV_TEST_USERNAME }} + KOPIA_WEBDAV_TEST_PASSWORD: ${{ secrets.KOPIA_WEBDAV_TEST_PASSWORD }} + diff --git a/Makefile b/Makefile index 88fb3c926..6ed86c0e7 100644 --- a/Makefile +++ b/Makefile @@ -74,7 +74,7 @@ endif htmlui-node-modules: $(npm) make -C htmlui deps -ci-setup: ci-credentials go-modules all-tools htmlui-node-modules app-node-modules +ci-setup: go-modules all-tools htmlui-node-modules app-node-modules ifeq ($(CI),true) -git checkout go.mod go.sum endif @@ -102,7 +102,6 @@ htmlui/build/index.html: html-ui # on macOS build and sign AMD64, ARM64 and Universal binary and *.tar.gz files for them dist/kopia_darwin_universal/kopia dist/kopia_darwin_amd64/kopia dist/kopia_darwin_arm6/kopia: htmlui/build/index.html $(all_go_sources) - $(MAKE) signing-tools GOARCH=arm64 go build $(KOPIA_BUILD_FLAGS) -o dist/kopia_darwin_arm64/kopia -tags embedhtml GOARCH=amd64 go build $(KOPIA_BUILD_FLAGS) -o dist/kopia_darwin_amd64/kopia -tags embedhtml mkdir -p dist/kopia_darwin_universal @@ -118,7 +117,6 @@ endif # on Windows build and sign AMD64 and *.zip file dist/kopia_windows_amd64/kopia.exe: htmlui/build/index.html $(all_go_sources) - $(MAKE) signing-tools GOOS=windows GOARCH=amd64 go build $(KOPIA_BUILD_FLAGS) -o dist/kopia_windows_amd64/kopia.exe -tags embedhtml ifneq ($(WINDOWS_SIGN_TOOL),) tools/.tools/signtool.exe sign //sha1 $(WINDOWS_CERT_SHA1) //fd sha256 //tr "http://timestamp.digicert.com" //v dist/kopia_windows_amd64/kopia.exe 
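Review bot: The single "Provider Tests" step now carries the credentials for Azure, B2, GCS, S3, rclone, SFTP and WebDAV together, so each provider's test code and its dependencies run with every other provider's keys in the environment. That is the broad exposure the make.yml change removes elsewhere. Splitting the step per provider (a matrix leg or a separate step each, with only that provider's `env:` entries) would keep the same scoping here; it would need per-provider make targets, which this patch does not show. The workflow's `on:` trigger is outside the hunk, so which events receive these secrets cannot be confirmed from here.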
@@ -154,22 +152,14 @@ ci-tests: lint vet test-with-coverage ci-integration-tests: integration-tests robustness-tool-tests $(MAKE) stress-test -ci-publish: -ifeq ($(GOOS)/$(GOARCH),linux/amd64) - $(MAKE) create-long-term-repository - $(MAKE) publish-coverage-results -endif - -publish-coverage-results: +ci-publish-coverage: +ifeq ($(GOOS)/$(GOARCH)/$(IS_PULL_REQUEST),linux/amd64/false) -bash -c "bash <(curl -s https://codecov.io/bash) -f coverage.txt" +endif # goreleaser - builds packages for all platforms when on linux/amd64, # but don't publish here, we'll upload to GitHub separately. -GORELEASER_OPTIONS=--rm-dist --parallelism=6 --skip-publish - -ifneq ($(PUBLISH_BINARIES)/$(IS_PULL_REQUEST)/$(GOOS)/$(GOARCH),true/false/linux/amd64) - GORELEASER_OPTIONS+=--skip-sign -endif +GORELEASER_OPTIONS=--rm-dist --parallelism=6 --skip-publish --skip-sign ifeq ($(CI_TAG),) GORELEASER_OPTIONS+=--snapshot 
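Review bot: `ci-publish-coverage` still runs `bash <(curl -s https://codecov.io/bash)`, so whatever that URL serves at build time is executed with no integrity check, which is the delivery path of the incident this commit responds to. Moving secrets out of the shared `env:` limits what such a script can read, but it still runs inside the checked-out workspace. Download to a file and verify it against a checksum pinned in the repository before running it: `curl -fsS -o codecov.sh https://codecov.io/bash`, then `echo "<PINNED_SHA256>  codecov.sh" | sha256sum -c -`, then `bash codecov.sh -f coverage.txt`. The leading `-` on the recipe line should stay on the upload only, so that a checksum mismatch fails the target instead of being ignored.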
@@ -274,62 +264,36 @@ official-release: goreturns: find . -name '*.go' | xargs goreturns -w --local github.com/kopia/kopia -# see if we have access to credentials encryption key -ifeq ($(CREDENTIAL_ENCRYPTION_KEY),) - -ci-credentials: - @echo CI credentials not available. - ci-gpg-key: - @echo Not installing GPG keys. - +ifneq ($(GPG_KEYRING),) + @echo "$(GPG_KEYRING)" | base64 -d | gpg --import else - -ci-gpg-key: -ifneq ($(GOOS),windows) - openssl aes-256-cbc -K "$(CREDENTIAL_ENCRYPTION_KEY)" -iv "$(CREDENTIAL_ENCRYPTION_IV)" -in kopia.gpg.enc -out /tmp/kopia.gpg -d - gpg --import /tmp/kopia.gpg + @echo No GPG keyring endif -ci-credentials: ci-gpg-key - -ifneq ($(GOOS),windows) - @echo Installing GPG key... - openssl aes-256-cbc -K "$(CREDENTIAL_ENCRYPTION_KEY)" -iv "$(CREDENTIAL_ENCRYPTION_IV)" -in kopia.gpg.enc -out /tmp/kopia.gpg -d - gpg --import /tmp/kopia.gpg - openssl aes-256-cbc -K "$(CREDENTIAL_ENCRYPTION_KEY)" -iv "$(CREDENTIAL_ENCRYPTION_IV)" -in tests/credentials/gcs/test_service_account.json.enc -out repo/blob/gcs/test_service_account.json -d - openssl aes-256-cbc -K "$(CREDENTIAL_ENCRYPTION_KEY)" -iv "$(CREDENTIAL_ENCRYPTION_IV)" -in tests/credentials/sftp/id_kopia.enc -out repo/blob/sftp/id_kopia -d - openssl aes-256-cbc -K "$(CREDENTIAL_ENCRYPTION_KEY)" -iv "$(CREDENTIAL_ENCRYPTION_IV)" -in tests/credentials/sftp/known_hosts.enc -out repo/blob/sftp/known_hosts -d - openssl aes-256-cbc -K "$(CREDENTIAL_ENCRYPTION_KEY)" -iv "$(CREDENTIAL_ENCRYPTION_IV)" -in tools/boto.enc -out tools/.boto -d - -ifeq ($(GOARCH),amd64) - $(MAKE) install-google-cloud-sdk-if-not-present - $(HOME)/google-cloud-sdk/bin/gcloud auth activate-service-account --key-file repo/blob/gcs/test_service_account.json +ci-gcs-creds: +ifneq ($(GCS_CREDENTIALS),) + @echo $(GCS_CREDENTIALS) | base64 -d | gzip -d | gcloud auth activate-service-account --key-file=/dev/stdin +else + @echo No GPG credentials. endif -endif - -endif - -install-google-cloud-sdk-if-not-present: - if [ ! 
-d $(HOME)/google-cloud-sdk ]; then $(retry) $(MAKE) install-google-cloud-sdk; fi - -install-google-cloud-sdk: - -rm -rf $(HOME)/google-cloud-sdk - echo Installing Google Cloud SDK... - curl -s https://sdk.cloud.google.com | CLOUDSDK_CORE_DISABLE_PROMPTS=1 bash 2>/dev/null >/dev/null - echo Finished Installing Google Cloud SDK. RELEASE_STAGING_DIR=$(CURDIR)/.release stage-release: rm -rf $(RELEASE_STAGING_DIR) mkdir -p $(RELEASE_STAGING_DIR) + + # copy all dist files to a staging directory find dist -type f -exec cp -v {} $(RELEASE_STAGING_DIR) \; + + # sign RPMs + find $(RELEASE_STAGING_DIR) -type f -name '*.rpm' -exec rpm --define "%_gpg_name Kopia Builder" --addsign {} \; + + # regenerate checksums file and sign it (cd $(RELEASE_STAGING_DIR) && sha256sum * > checksums.txt) cat $(RELEASE_STAGING_DIR)/checksums.txt -ifneq ($(CREDENTIAL_ENCRYPTION_KEY),) gpg --output $(RELEASE_STAGING_DIR)/checksums.txt.sig --detach-sig $(RELEASE_STAGING_DIR)/checksums.txt -endif ifeq ($(IS_PULL_REQUEST),false) ifneq ($(CI_TAG),) @@ -347,7 +311,7 @@ endif endif endif -push-github-release: $(github_release) +push-github-release: ifneq ($(GH_RELEASE_REPO),) @echo Creating Github Release $(GH_RELEASE_NAME) in $(GH_RELEASE_REPO) with flags $(GH_RELEASE_FLAGS) gh --repo $(GH_RELEASE_REPO) release view $(GH_RELEASE_NAME) || gh --repo $(GH_RELEASE_REPO) release create $(GH_RELEASE_FLAGS) $(GH_RELEASE_NAME) 
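Review bot: In `ci-gpg-key` and `ci-gcs-creds` the secret is expanded by make (`$(GPG_KEYRING)`, `$(GCS_CREDENTIALS)`) into the recipe text, so the full value becomes part of the `sh -c` command line, and in `ci-gcs-creds` it is also unquoted. Let the shell read the variable from its environment instead: `@echo "$$GCS_CREDENTIALS" | base64 -d | gzip -d | gcloud auth activate-service-account --key-file=/dev/stdin`, and likewise `@echo "$$GPG_KEYRING" | base64 -d | gpg --import`. The `docker login` line in the later `publish-docker` hunk expands `$(DOCKERHUB_TOKEN)` the same way. The fallback message in `ci-gcs-creds` should read `@echo No GCS credentials.`. Also note that `stage-release` now runs `rpm --addsign` and `gpg --detach-sig` unconditionally while `ci-gpg-key` succeeds silently without a keyring, so a missing key only surfaces at the signing step.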
@@ -374,16 +338,24 @@ create-long-term-repository: endif -publish-packages: -ifeq ($(REPO_OWNER)/$(GOOS)/$(GOARCH)/$(IS_PULL_REQUEST),kopia/linux/amd64/false) - $(CURDIR)/tools/apt-publish.sh $(CURDIR)/dist - $(CURDIR)/tools/rpm-publish.sh $(CURDIR)/dist - $(CURDIR)/tools/homebrew-publish.sh $(CURDIR)/dist $(KOPIA_VERSION_NO_PREFIX) - $(CURDIR)/tools/scoop-publish.sh $(CURDIR)/dist $(KOPIA_VERSION_NO_PREFIX) +publish-apt: + $(CURDIR)/tools/apt-publish.sh $(RELEASE_STAGING_DIR) + +publish-rpm: + $(CURDIR)/tools/rpm-publish.sh $(RELEASE_STAGING_DIR) + +publish-homebrew: + $(CURDIR)/tools/homebrew-publish.sh $(RELEASE_STAGING_DIR) $(KOPIA_VERSION_NO_PREFIX) + +publish-scoop: + $(CURDIR)/tools/scoop-publish.sh $(RELEASE_STAGING_DIR) $(KOPIA_VERSION_NO_PREFIX) + +publish-docker: +ifneq ($(DOCKERHUB_TOKEN),) @echo $(DOCKERHUB_TOKEN) | docker login --username $(DOCKERHUB_USERNAME) --password-stdin $(CURDIR)/tools/docker-publish.sh $(CURDIR)/dist_binaries else - @echo Not pushing packages on pull request builds. + @echo DOCKERHUB_TOKEN is not set. endif PERF_BENCHMARK_INSTANCE=kopia-perf 
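Review bot: The removed `publish-packages` target refused to run unless `IS_PULL_REQUEST` was `false`, but the five targets that replace it have no such guard, so the only protection against publishing from a pull-request build is the job-level `if:` in the workflow. Keeping a Makefile-level check costs little and still holds if the targets are invoked from another workflow or by hand, e.g. wrap each recipe in `ifeq ($(IS_PULL_REQUEST),false)` with an `else` branch that echoes why it was skipped. `publish-docker` currently checks only that `DOCKERHUB_TOKEN` is non-empty.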
diff --git a/kopia.gpg.enc b/kopia.gpg.enc deleted file mode 100644 index 34e83c14fee8044b29a8fa5ea2ee1ca12ef990fd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2544 zcmVApl+=1 zopO<|>{sY7UQQZUvDJcWd7 z)fvo%(*F~GsD~dcM;{}@gyHQ_n&UtyiMY1mZQqJ>JkARzRWx;H|3(WN?RD8mOuE}% z?0R39Qv26t0%5Z6F2aIC9xkRyjuc{Wfa7rq8t5;Whr*C_XnIsn$E&@s)i-sm?F-S( z2_qr|)t0BP!b`K;-oJdQNE%-f%^0jKlAsSA{F{+gKZ%YT=xk;JeH-fLh^Z=iyIov_ zlg4{q@}d=?1&17GzvuVL5enhVRGh1uv7x25j`sfvf56O$Bjh)sKSBgtu-a@OHGtcw zg5(rt8o5ig-(&<|&u(ovup{k>GmsE9dB?|B743}y+KgQM6rnk!P6JsS)=L?&x5nvM zOtE0}*iEoP0N+A1Iw`KWCz>ciZm=z=m`rf0N<5fqmhdOQJCPOF;|ve#6N^BfIfBA{ zxV>As92FAoq~Q==kvf448^N8H=Nw=662hl~ak@Neo zTPY_UJNn=h<>|(f2*a;DaRXy5o{b~XGv`@^sM`DntS30)KI$YYMkkCSV{U&i!Z2O5 zn#GBn#!`Y#Qa9fmILYhQeD9{mcT$In&*Lc-XMCbRa8NX*1%d!FHiY$o zEUOm2JC^sXn=modHfLV6%?+2^!R=f#BaFMqDLx8GbM&aRKy~@A+YJtWuOvJN)zhni z20{#J@O0$bHDvkvFP+Vb#|hn*^hDz}pi1gg1az6jH3tX0ed|jDICK4DWF<$l<94S1 z5fa$ORsrLn0=aj>gkc+Q`+J+3(h{?_5U3U4c!FTBh$U_?eRnynXuh9|Kz_HNuChQ0 z6m}*cn2wkVncW@Vr2|n9J!EF8LuDK|K+sq&c-Ha6~`z)bkXX-$BLrdpofx8>xST|{l?vDlQT#f z&Cu>I>qL*4svD4>3(Dj4Rt@T@1@?cf`MTmnYw^KJOr3c%aM1YkuE!Vj1IBjGzkSC9 z6s`Nk*effU-TtT^rp->0Jt=QlUs9~_A-ogo<~q4{{(Y+#C^z^BRP9mwb!pFjYqQC# zi=ij#WiY|ifXK4Jk%(5}n6%E%C`ta12^oPJEM+O&O zCnB>0>TzO$b6@yXYrEg~Nf8JOP(kt#3D1>j2LeD28JX~r42!}n9`!PpL z)bV2^l7Hw*Aj%c)&ZXV{#F?Hzi~rN07-nx2V&u{in{Mv8fcL>k0Nf)}c4cO!%2F6; zxJk41C~5aoiv(y{?-yesM)e&o3?8IHlCtlgfBcFep;(%}QaUy~3u-paW%n<9e@_Dz zfddE6QoOdwA#cP2mBJxi%vZIgydovs zEJFAmI2tz&5{TrMB+1m)=*=^>xpSv)#a0CFLe4zuCuLeu&9a8TvcL{%|1F$z%&q&; zA?uo)|5lb}#fL*$)D{SRm^@VVz+H^G=e}UduMeg{2!xV4K6mU@v86Zxn+|#ay723w2;&llxaGomGzz96O6}Vp#U_tC)G2!ahn8_*?C!&vii8 zdK`2%C9(eP^iEy7!3p?pyq|GBk8&^T5VSTjob6rs955`>kaK(67nXm$2K-nWC zf9q{+WR46v>pi&{=W42PfkdH=&u)p!?VX=T@4jTR9BXvjaISWqI%OXUD8`8eNKbK4 z;BoaX-72mnpT-Tr3XViGF(~1KO0k+rU0jPdN-`GIm{}GT)^3@!TRhte99$P+aN<@H z3dcjhcxo2+e%kLcrCI#D;WEO%I2iWug&XQ$@|!HqRJ(b#|J%;9K4wtsbK%VozG58h z^QxbAqS6(hL-XO6(l#VCgZsr_(tlHpA}VMrXfnuI*7O^~Rz))i`{~KtDw@KA2Hi1g 
zveLrzV*)>w9JiILi~*3@o(daP!NOR7^LP!3R7`lZ95v-G(4@P7bTWPrFD}el(R!bm zz<=!AQV`9qx11^H0LV-~Idirw^L1gvvFQ(7!ObJ4$;{j%PJ-ChmiIp06k~s}h5IA9 zbRT{~TFAie@POyn>gh?2CMA_=zM5a1D~vNw5MR#MgftUgzloEiaa-i7-o>jYS@y0V z?-bepozyr0IO8348aZMa6E0i_vW25pSa32M9T<5W6W6+xcOMq^;njT;(Kq*?CH70T zsuK#GFF?7W3C->O#^8?7<|6j(U0-;elQ7Q2m_HDpZAIHP36_-&%kud}D`#C?_^#3Z z2@S`(PD(J6gbBg&oceNA;_dLU68?IjY#V7$prg9" [ultimate] ``` diff --git a/site/content/signing-key b/site/content/signing-key index 198010dc8..b547ab968 100644 --- a/site/content/signing-key +++ b/site/content/signing-key 
@@ -1,30 +1,29 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -mQENBFzc1PMBCADUxStBWF421+r7zcE4gInfXNIPMt/xl5ZbcWGNtZLf2R3nEcGf -VpQdxMarooZCDh9EXv0S1A0LzaYBsYE6VFS1GKcuUwrRhSbZvzPYks3K0Cvs0bGW -88lYIDaWH3VsJztapWSwA9nSY+XNgpInq+HXseJfy1omOQ5IXF7yW12t/PXfiQSR -jOc9c+00xrwW7nwmNLyLGRjFP1U0hkZczUdu+yxmPr2a/AhfMSL7rq+Y0MDQL/dt -s08fGuXVec9T+uU/60LF/+j2yWcgaCTZkU+XiBCvx5s8lW/ucWK/8wPw8m+GuX49 -T3ky5A5Q5XdFPt6O16YL3zv78pLeiT32CJ7vABEBAAG0IEtvcGlhIEJ1aWxkZXIg -PGJ1aWxkZXJAa29waWEuaW8+iQFUBBMBCAA+FiEEo7WEPtcFKcIxYuNodxPm2I7X -DZ0FAlzc1PMCGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQdxPm -2I7XDZ1ASggArGHKQ/h5jIfMi6nKKe/VZ2F20HwlwABnBZum6rHjH8+puLUUMSY/ -qZg+0AtyDz3jZsNNqlkiZANQRnpoV34mn/pO8ARuOC8ChJHy6fPvLAezgJrUBVHq -zfiVeOIEDmV09DMjKputDAezIjKP96XKaBGlRMWrb2hVAEwXmBidcfG58YEQ8bt5 -twqkyhhDvyaakIM8MZ9YFI+QRqU5NcstF/Bb7JsUhoVcqGRR+HM1flu6Tq+N19ZZ -u78GNJbv7i1Pg3PgILaxZOyfLO7JfyBGIYkGxyi9I2UF76xsETA+nRSAg3NkbXEw -Vw35ZGTWlFIOXYF7KWLuIg/Rz3kGKG5Pg7kBDQRc3NTzAQgAp6o6BxEyxSVb/ATe -pnnfsrSA0xLiKZLObd+kkF9xuSKvYy9jXtv+1haWM928Fs5aNTcnfvJj4b09MX0/ -Az5+bgCL621kqh/y9g/F6IoCU3l/UP6udJYP182yV4L0fvYDCtExwhUH1wTNQPXR -s7sVFWZSN8ukndLbFBIUJaLcNn9P//QVs/aK6lvFJZQXxaT2LiMGXxU4XM6RQfg6 -IkNyMhcEpJ6lMULd62QJBKu4PppauUCtoYn60leIbCUefBhTQsiU2YH0mNvZCJtv -A4/HmBQvdfIrsR2YYq6ddQmL52ZCprO+np27K3qS6zErFpfVYjir83PeEuOKfTJs -lhKWLQARAQABiQE8BBgBCAAmFiEEo7WEPtcFKcIxYuNodxPm2I7XDZ0FAlzc1PMC -GwwFCQPCZwAACgkQdxPm2I7XDZ0oEggAl8rpECpMt3bHWWvKSu3SGwR7o60hycBv -Z78ylPCSwSmAfKJGZdkDwm96Snr/ogkb1d6KJnmVqr4LQrjkk/YQ6iGKym95QoK4 -YWn2CucZT6xj2U8h3VT3+HbsA4/pdpxfbHq2iVFjWxj9BfQP2pp6gYMiX0uQtaj1 -czl+9wQhXX5atqQfCa442zPrc9tzNlGOgkSXoeHYgMiBw2c2Oy1QOMZhL3ZR8WUO -79Zx8A0IiU80KLUnyv6BSIZcchwnIlJbZHpCo1Xp0gpxkg9PcC8dhF2lt013gHi2 -P9+AhrmfJ9hJ2VI5kX2ApzdHPGVozEo/hm/IFJ6a1dLpN8lfdZyiqw== -=o6o/ +mQINBGB47AYBEADZyGFu5RB5c8rX/goflaTL6Z7FcYs0oLGw5DS4g+YCqWV5PPor +OuI9BsqH0fIcUeHmWl2DNohNx13K78H6LM5BvutCf2yOc0ktx6jv9uUXBKjEgRHH +hoNvNRVXJMH8wBCH7yU5JgA60x/mZw5pUsB1VGIhM3T9gvEz3Or7OshitG+3txGU 
+DBgCERclskZ+tTPxW6oQn96ZiInItOlkGmjv4bbpCavlE684OE89KBh/TM81xBXa +kd3aX9E35lpfwMjrnkNSiGRoy2Z0Dx8Ox2wbtfnTz4jVzgqkMmSMYWXrvRSCiisq +rEnEJZ3Y7DFmrj4dVESVVMPVQZMcim/NLpS/4cxFYpma7oj6EQ0FAFxar1E59drK +CNSKN3pj72MzQGFE53T2q7IJ/H7ICZcvuZUhfkbmKTjNZOJlealfmlrftcbiDZbY +9ge2chnNtT5WAY/junAGE7bqZlvInp2IzR1lJkxRhK1Dbg0mIBHY0h7PNm7BvNbD +RguMmEvDQUMCbzjRPyXs/2q28uNqnwDYGzOh5wSTyUks1cGR9JhkAO/n7EHsJDyW +dRQmXfAl/f/9Tbt/D31N+T7JmWsBVvhxJQoKUGWnKuelpUr8zegTy29z2Xii68tW +s6jMGCbmKn6JvVHjunBemEAWlT0ZI/+ETER+krHZQ9Z9TFkcl9m2Yq63gwARAQAB +tCBLb3BpYSBCdWlsZGVyIDxidWlsZGVyQGtvcGlhLmlvPokCVAQTAQgAPhYhBH+5 +nf1HgJ8NUznX2SJzaZr9VqVWBQJgeOwGAhsDBQkDwmcABQsJCAcCBhUKCQgLAgQW +AgMBAh4BAheAAAoJECJzaZr9VqVW2A4QALsCaXZCWUlr6sg5RgM5TScOYNxt+qqc +ViIY/EkEhQ9tb77d6BW9JqduXEEgfUtBZ96fQpXEqcf49Cyiqezf9Bq6OKLNS15x +mBae78kZVMER2pGgvFM5ZrNURZO3mTjcdMx941GdR1rdXIKspkNapkGXhIBArYHt +2OQkM4XAblU/ai2EXFHaRiN4H7Id536iqpt8HBH/kpXMbOgxuFrhVn8Ze89UpI+W +WcoXZ4VaYzs5rBop5aM4YncshBodH0UlUK9/mhu0kioPiJA75DYg1MK/TeKL6yMr +T9MvU7aFZkm0G/4O68xfWWqbB4xlnUBU9PwqF0Pkg3fpVKQifvhaeJz+KrxAyt6V +ShHnnw2wh9S3wEr6SuaA2ivGIfjDEd9dVSVbxnQD0p+/NKqcSFr7/RB7+1n4l8j0 +UFa0mJTSB4xJvDhWflmYqRox/x/4LjpwRE1U5PX7gwJ3yELwy6ybJN4826nN5a6Y +XU+OVMR7pL4UuC+8MACKRnVq7Tw92E0ttYDhYAZvjGHmOjBtdQcj9eqJ8K/vf/DU ++MD+vCFNUkhq3V4LoNE6K5Uz6ESwDbCNSiyxO3Xd+c0yElDozjXioMLVAuKE/STX +6Do6WJUVDbP0ygbR6a1AGJU2/mVICfob6ai3FvjazWRxPjTtZlpHuOBu4JP2e0iT +iJYG/llgQmKv +=VNmX -----END PGP PUBLIC KEY BLOCK----- 
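Review bot: This hunk replaces the published public key outright, which takes the old key off the site but does not revoke it for anyone who already imported it. Those systems will keep accepting signatures made with the possibly leaked key. Nothing in this patch publishes a revocation certificate for the previous key; if one is distributed elsewhere, it is worth linking next to this file. The installation page touched by this commit should also tell existing users to remove the old key and import the new one, with the new fingerprint given so they can compare it.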
diff --git a/tests/credentials/gcs/test_service_account.json.enc b/tests/credentials/gcs/test_service_account.json.enc deleted file mode 100644 index 74bb6a04d39fe181301fd6123c2613a8360fccb1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2320 zcmV+r3Geok01W0I7?ZY?o-`IxWQfjhTatPte9o5t!M17z%APL9aPlkrTv35SPZ(Xsp8Da*2$?pV9oZPFr1-Wx7XIC9Skr=2Q7ILP-If2UTER5WmagP4dz(9& z%it$R$-mq-Ez?Frl@>%98j^R9UJYJGF+BH3X;w-XTp5>tEziA5^DBe&XZsggE=|n- z>wT709W8F^9;FgHVh)pAi(8$%{2bfo^YIavZ0HyU^8&YgbKWl{q-y%(x5>jW7%DFq z+%@Uq!BX_;%-3lj;~6Ickwjr*?=;HG>T8ZL#2@j@!C)Y5FYo-!r7F8IJWg8#f>Flt zzh~QXq^m0Xx&Y2}yP2lo`pNq^snSgXGG7-A!H6|lyTLK-R; zS!q(_0=F6f%U~mW?#8y)jpExs+#d108veNEwKhQ;t(bTDnDzCjft~@FXF5+SPK;*r)6 z=Ox^!WP>p=TD0H5A7mW3(sYB0Y82TAYf#BMR=HNkbsu2;XV?N@{fahYBgC+Kw{gbKGMLHdTu1A|AmAG$u=O2-}8=cFrg?~C8%7_S!)4Op( z&ObRE=E8L#0Z(@PW1m2gsvF{~_0!0r(BAuCPmh2O#EY9TV?Uwk%<;v)G4P#|78!fTJ^sXjN#w->Se;5_Hc!4 zvFJD-v3tKZE&$jF663YX9$b{rto`5H0doJKG|ix&w_Pqk;Y{vC&v}Nc3w`NS7k=j| z=qW@x=Uq4gU1Ss%IA7xCsX`?}xXcz+Ah%NCHT+*H4ZRXx@iL+qu1OFWqPa6cQr3un zRoj7$*%Wmh_I-wNMKRu}^b*@wESm-l`UC+)^3f0-&&Rl!ukAZj=*=tsA@coq(icJ0 z6eB?Ke7BvRrShA90WR3&Xf;k~!7lYSxpFZ`zTq&;F6-6Xg@BacjJ99P&2mlnuNXSCkVt;cqmJ)&CEQI1NzjhZSQx!ms+nI)($?8P*6rMiDoW1%fK+x5{10C`r z-{YC6I|5@Q0%E^QS&MjZikck?lq&DvP^C0=KWO8;EN{R_OPA;SIklgv7(k;q*W>Vn zgrnq3#*V8GL<=RCXCP!}f}WZy?M#@KN9D^N;~6xo!1wN&I8!Z&L`!Zf+FTp3KRsoa z!F&c=Uw_lt5|6?K1sc$UR+&Qz0LUxA+_iSoMXjiY(|vb3UN~?9?gX?SE+&VmT~RfBO^Q$?=`2i3jA|rsUwHxncvPc~k*|)msf4Q7)ofFRk zcwg6pk&)D5_4o|d-sjg!A{`UyA+UU-%F9Tolo&QiqsVRO3?W!%YdnPEO%9(LkoQRI`aohnhFO< zn8J@&$7H$qR)n9VVuq!sBle=Mmq9H67jyOGBsNYQMTq5jD_9eGR*qA#v7S-JI1>L? z&Yz>N4*#{_?1Q*D3Zlz65$S>9o>+t;yfj8A|DlSq{-BL{Z=-WVB@Z<| zT&kfh=TH{n599abJz?Q=qe$5Z?f4A(WnPTMsX8g!Dv1qw)FYAIV-^KL43gSQ*Qk@W z_z0vX5FUvg1-sM-VdGK;i8BLdB=ct2$DKZyb;~Vhg>=}4q{;5Qu*!1F(iS*_!s={4lrKOj51297m@ivBW;A3(>c!6r@ qw4)r%7+azLdlPPMuvxQ3SO)~Y(Zv!VIFjA`y&SydtE%u1(ZbZqN{eU! 
diff --git a/tests/credentials/sftp/id_kopia.enc b/tests/credentials/sftp/id_kopia.enc deleted file mode 100644 index dd27c62942aacc81c0739dac9b624f7af501ce9b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1856 zcmV-G2fz4`dlS$@A4_xjn*$aR?(2YWtaKR2a8p=<0J%}Qk9`buI2!6z2Dsk9h;OIJ z)f{#)flup?3Zb)1F25Tp)AsE8>o;f+GI`*~u%;}oE16Zg03Cg#o`&l&ggtB>_I|CK zd=Sz4Pgkr;GCAba2Wl}(zqahhikJY+RzJRI9+pLnzhAj)hireCR?|S0F^4A`NR}sd zSmDRPnTZiXkJ=vJB|>LmO=QS|xhs*Vd_U^2fm#81x`|h21oOvrGuU+-cKLp$9p$HL z3134Lcdn1Qx54SDZF3)4(qEBJ&l}m!7<>q}D(TOqG<>6^d;E zKtHl4jw-G!*5HuP6RoP-TNS{>i-G2UvjkDbJ4}h^s-7`>rvH9SHZBp| z_mP0oC_eTiJK4tbx~!bh)4vUV@=)gy9>=b8wZaq*?qTZPg06z>eZ!V+4Vn3YjQ}hb z)9Z4gx2vjjv@2QZ7H%a}Avl7nvP5Y$lRBI=>xJ|rRA^$4IRKm)Q*-OCx;AU5l3t_V zCsk4Ef?Z^W-i9nJL7gHm(v88SGfUzvI%E3xby_(Ohb<->e~P+(`;W;`avm9-kq1E} z&qNkE8<&~kp8v;n?M09c-k~Un|IB7D#$P96Sg2o^*#zo)AcRolZiu}(-Za7R&%%U7 zv@=-+{m@7XjiPkap9pY0t<%y41QR&c={i39$I_2fv&zif77{abk#0Bl6fy>ZmBpLL=C_&n zBmFMgodXS&rg9K1Lt{m1$cow~PF2zK8J8mD0w_pBRS}@mjy~ljAnGiExgMig``A0y zLL>V-RF#|*Rx$jsuib(8qeq|IE-yRYo`$F9!*d?0%C2%D?4eS>LnPoVVHnkV zCD2W943`G|u<)P@zK2K-GNz||TTp=Ieg(*r&UO5Yi`OT;DbOYL@@EORATFV{9B1;S z4v_SlNl>8`6MXHPK~aL=zR1$7`Z?W=|QBgE|F=3nPMpX2{wD`zf&Mq zFBzQnQ___($T3DsgG@nfLLNdZSdu3W5IR{jufM9E6%pQN>*4{*Ad?L|ZxCfUNm$BT z8@$A1ziI30r~~^P^wna5)mVy{i65jAOUAEein3Ou?C^@(Z2j$Taqx0SPy1Ych_na1 zzGF3US=HRbft-y6U`Z__MQkA*5JSI7@xKK3$k4=4>d|B&Scv22zK|dH6UK0^PUJ9H z`me4$@ZWp4m`DNOcSqdTMCnFStp#bp=1meua5ofO1vYeMnZ+(1dKv2`0JwYV$Z|j?4_kG+0-H1+u$-4ty|jQ-%8KzIr;)e@2P~TpM;_twED@i3 zGd_4xFa8YW(CUdQnCjzkSsep0Yz z>9qtiH2dT`XFa61Y7`u)Qd5h!QAYEWIWb*bF$z&do+!LjZI=8Kn0IL9;C`ET<5)vm z>m`~t;c^pQX-oU^A`T`Jg-}Ap1LbE@^nPheG#2|!8{dKflsUn8PGQGe_wj7+*(~t< uu5%k{$z}R7!FYqB_dKyn3j|@ba@$OHG-_GHVcWa|4Lz1Nc 
diff --git a/tests/credentials/sftp/known_hosts.enc b/tests/credentials/sftp/known_hosts.enc deleted file mode 100644 index 24b6c8d32ebf1d5494df6f37f26832c9eb87d49f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 208 zcmV;>05AV}xar_)Dq)WrGyjJg695uHcG;DEzYxv}GvvY@9#8~9lub)wSZ$Zw%*c`g zn2HcXxQ(ex;I4gn*Zi;j0{ld}%Bvi0dRIMBn+)V)wDBr%=LoDDFJL1CbBcDz*KKfb z*?OO7SD$1px`R!NTwU+~ld5O{A$|f_T;ZW7H$YpNbU0N~#3h(h>w?dL<1qaLk5#FE zv%eb2?C&Y)R7lCb=P` /dev/null; then echo $bn already in $packages_dir/Packages else + mkdir -p $packages_dir cp -av $f $packages_dir fi done diff --git a/tools/boto.enc b/tools/boto.enc deleted file mode 100644 index f0fafa8fe..000000000 --- a/tools/boto.enc +++ /dev/null @@ -1,2 +0,0 @@ -Z0ܤI?$L="_Lw\/ -TΆC[Ԁ?؍˜sL1hݤaI}9n~w%U+ n]Ç_]C0Lkcţ dfwaGP%MF_2!;# \ No newline at end of file diff --git a/tools/homebrew-publish.sh b/tools/homebrew-publish.sh index c2c284b52..29c40702d 100755 --- a/tools/homebrew-publish.sh +++ b/tools/homebrew-publish.sh @@ -3,12 +3,12 @@ set -e dist_dir=$1 ver=$2 -target_repo=kopia/homebrew-kopia -source_repo=kopia/kopia +target_repo=$REPO_OWNER/homebrew-kopia +source_repo=$REPO_OWNER/kopia if [ "$CI_TAG" == "" ]; then - target_repo=kopia/homebrew-test-builds - source_repo=kopia/kopia-test-builds + target_repo=$REPO_OWNER/homebrew-test-builds + source_repo=$REPO_OWNER/kopia-test-builds fi if [ "$GITHUB_TOKEN" == "" ]; then diff --git a/tools/rpm-publish.sh b/tools/rpm-publish.sh index a9c2a7ac2..b08313c25 100755 --- a/tools/rpm-publish.sh +++ b/tools/rpm-publish.sh @@ -1,6 +1,6 @@ #!/bin/bash set -e -GS_PREFIX=gs://packages.kopia.io/rpm +GS_PREFIX=gs://$PACKAGES_HOST/rpm PKGDIR=$1 RETAIN_UNSTABLE_RPM_COUNT=2 @@ -13,8 +13,8 @@ if [ -z "$PKGDIR" ]; then exit 1 fi -if [ "$REPO_OWNER" != "kopia" ]; then - echo Not publishing RPM package because current repo owner is $REPO_OWNER +if [ -z "$PACKAGES_HOST" ]; then + echo Not publishing APT package because PACKAGES_HOST is not set. exit 0 fi 
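Review bot: In `tools/homebrew-publish.sh`, `target_repo` and `source_repo` are now built from `$REPO_OWNER`, but the script only has `set -e` and never checks that the variable is set. An empty value gives `/homebrew-kopia` and `/kopia`, and the script carries on with them. Add a guard near the top, `: "${REPO_OWNER:?REPO_OWNER is not set}"`, and quote the expansions (`target_repo="$REPO_OWNER/homebrew-kopia"`). The `tools/scoop-publish.sh` hunk makes the same change and needs the same guard.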
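Review bot: The new early-exit message in `tools/rpm-publish.sh` says "Not publishing APT package", which will mislead anyone reading the CI log for the RPM step; it should be `echo Not publishing RPM package because PACKAGES_HOST is not set.`. Publishing is now enabled by the mere presence of `PACKAGES_HOST` rather than by the repository owner, so it is worth stating that in a comment above the check: `# publishing is opt-in: runs only when PACKAGES_HOST (target GCS bucket) is provided`. The `GS_PREFIX=gs://$PACKAGES_HOST/rpm` assignment in the first hunk is evaluated before this check, which is harmless only because the script exits here.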
diff --git a/tools/scoop-publish.sh b/tools/scoop-publish.sh index b82074236..dffb91a0b 100755 --- a/tools/scoop-publish.sh +++ b/tools/scoop-publish.sh @@ -3,12 +3,12 @@ set -e dist_dir=$1 ver=$2 -target_repo=kopia/scoop-bucket -source_repo=kopia/kopia +target_repo=$REPO_OWNER/scoop-bucket +source_repo=$REPO_OWNER/kopia if [ "$CI_TAG" == "" ]; then - target_repo=kopia/scoop-test-builds - source_repo=kopia/kopia-test-builds + target_repo=$REPO_OWNER/scoop-test-builds + source_repo=$REPO_OWNER/kopia-test-builds fi if [ "$GITHUB_TOKEN" == "" ]; then diff --git a/tools/tools.mk b/tools/tools.mk index d83d6af0e..9f8cade60 100644 --- a/tools/tools.mk +++ b/tools/tools.mk @@ -275,9 +275,10 @@ windows_signing_dir=$(TOOLS_DIR)$(slash)win_signing # name of the temporary keychain to import signing keys into (will be deleted and re-created by 'signing-tools' target) MACOS_KEYCHAIN=kopia-build.keychain +export CSC_KEYCHAIN:=$(MACOS_KEYCHAIN) +export CSC_NAME:=$(MACOS_SIGNING_IDENTITY) -signing-tools: - +windows-signing-tools: ifeq ($(GOOS)/$(CI),windows/true) ifneq ($(WINDOWS_SIGNING_TOOLS_URL),) echo Installing Windows signing tools to $(windows_signing_dir)... 
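Review bot: `export CSC_KEYCHAIN:=$(MACOS_KEYCHAIN)` assigns the variable inside the makefile, and that takes precedence over a same-named environment variable unless make is run with `-e`. The `CSC_KEYCHAIN: ${{ secrets.CSC_KEYCHAIN }}` entry that make.yml passes to "Install macOS certificates" is therefore overridden and has no effect on the recipes or their child processes. Since the keychain name is a fixed, non-secret string here, the simplest fix is to drop that secret from the workflow step and document the export with `# exported so Electron Builder signs from the temporary keychain created by macos-certificates`. `export CSC_NAME:=$(MACOS_SIGNING_IDENTITY)` likewise reaches the environment of every recipe in any make run where the identity is set, not only the signing steps.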
@@ -286,15 +287,16 @@ ifneq ($(WINDOWS_SIGNING_TOOLS_URL),) unzip -a -q $(windows_signing_dir).zip -d $(windows_signing_dir) pwsh -noprofile -executionpolicy bypass $(windows_signing_dir)\\setup.ps1 else - echo Not installing Windows signing tools because WINDOWS_SIGNING_TOOLS_URL is not set + @echo Not installing Windows signing tools because WINDOWS_SIGNING_TOOLS_URL is not set endif endif -ifeq ($(GOOS)/$(CI),darwin/true) -ifneq ($(CSC_LINK),) # create and unlock a keychain with random strong password and import macOS signing certificate from .p12. -signing-tools: KEYCHAIN_PASSWORD:=$(shell uuidgen) -signing-tools: +ifeq ($(GOOS)/$(CI),darwin/true) +macos-certificates: KEYCHAIN_PASSWORD:=$(shell uuidgen) +endif +macos-certificates: +ifneq ($(CSC_LINK),) @rm -fv $(HOME)/Library/Keychains/$(MACOS_KEYCHAIN)-db @echo "$(CSC_LINK)" | base64 -d > /tmp/certs.p12 @security create-keychain -p $(KEYCHAIN_PASSWORD) $(MACOS_KEYCHAIN) @@ -304,7 +306,8 @@ signing-tools: @security set-keychain-settings -u $(MACOS_KEYCHAIN) @rm -f /tmp/certs.p12 @security set-key-partition-list -S apple: -s -k $(KEYCHAIN_PASSWORD) $(MACOS_KEYCHAIN) > /dev/null -endif +else + @echo Not installing macOS certificates because CSC_LINK is not set. endif # disable some tools on non-default architectures
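Review bot: After this change `KEYCHAIN_PASSWORD` is defined only when `$(GOOS)/$(CI)` is `darwin/true`, but the `macos-certificates` recipe is guarded only by `ifneq ($(CSC_LINK),)`. Run with `CSC_LINK` set but `CI` unset, for example on a developer's Mac, the recipe expands `-p $(KEYCHAIN_PASSWORD)` to a bare `-p`, so `security create-keychain` takes the keychain name as its password argument. This happens after the existing keychain file has already been removed. Put the recipe body under the same test as the variable, `ifeq ($(GOOS)/$(CI),darwin/true)` nested inside the `CSC_LINK` check, so the two conditions cannot drift apart. The recipe's remaining lines fall in the following hunk.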