-rw-r--r--Makefile48
-rwxr-xr-xbuild-homebrew-formula.py57
2 files changed, 89 insertions, 16 deletions
diff --git a/Makefile b/Makefile
index 98378ce..1e15c3d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,23 +1,21 @@
# Top-level package build for Cryptech Alpha board.
-export CRYPTECH_VERSION := 2.0
-
-HEAD_TIME := $(shell git show -s --format=%ct HEAD)
-HEAD_HASH := $(shell git rev-parse HEAD)
-
PACKAGE_NAME := cryptech-alpha
-PACKAGE_VERSION := ${CRYPTECH_VERSION}~${HEAD_TIME}~${HEAD_HASH}
+PACKAGE_VERSION := 2.0.$(shell git show -s --format=%ct HEAD)
export GNUPGHOME := /home/aptbot/gnupg
+GPG_USER := APT Builder Robot <aptbot@cryptech.is>
+GPG_KEYID := 37A8E93F5D7E7B9A
-REPO_BASE := /home/aptbot/alpha
+REPO_BASE := /home/aptbot
REPO_UMASK := 002
PBUILDER_BASE := ${HOME}/pbuilder
PBUILDER_TARGETS := debian/jessie/i386 debian/jessie/amd64 ubuntu/xenial/i386 ubuntu/xenial/amd64
REPO_UPLOAD_USER := aptbot
-REPO_UPLOAD_URI := rsync://apt.cryptech.is/alpha/
+REPO_UPLOAD_HOST := bikeshed.cryptech.is
+REPO_UPLOAD_DIRS := apt brew
# Yes, we really are putting the firmware tarball into the source package.
# We want to supply the firmware in both source and binary form, to save users
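Review bot: `PACKAGE_VERSION` now carries only the HEAD commit time, so the commit hash that the removed `~${HEAD_HASH}` suffix recorded no longer appears in the version used for the .dsc, the tarball name and the generated formula. Unless something outside this diff records it, a published artifact can no longer be traced to the exact commit it was built from, and two commits that share a commit timestamp would produce the same version. The simplification is presumably there to give the formula a plain version string; if so, consider keeping `HEAD_HASH := $(shell git rev-parse HEAD)` and writing it into the changelog text passed to `dch`, which preserves provenance without changing the version format.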
@@ -34,11 +32,11 @@ TAMPER := build/user/ln5/tamper/tamper.hex
# Does nothing if the changelog already exists.
DCH = test -f debian/changelog || \
- EDITOR=true VISUAL=true TZ=UTC DEBEMAIL='APT Builder Robot <aptbot@cryptech.is>' \
+ EDITOR=true VISUAL=true TZ=UTC DEBEMAIL='${GPG_USER}' \
dch --create --package ${PACKAGE_NAME} --newversion '${PACKAGE_VERSION}' \
- '$(strip Version ${CRYPTECH_VERSION} package for Cryptech Alpha development board.)'
+ 'Software and firmware for Cryptech Alpha development board.'
-all: init firmware dsc pbuilder homebrew
+all: init firmware dsc pbuilder homebrew expire
enchilada: all upload
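Review bot: `all` now depends on `expire`, but no `expire` rule appears anywhere in this diff; the next hunk only carries a "Still need" comment for it. Because the name is also added to `.PHONY`, make will most likely treat it as an empty target that is always satisfied, so `make all` reports success while old tarballs keep accumulating under `brew/tarballs/`. Either leave `expire` out of `all` until it exists, or add a stub recipe that says so, for example `expire:` followed by `@echo 'expire: not implemented yet'`.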
@@ -85,15 +83,33 @@ pbuilder:
umask ${REPO_UMASK}; \
for target in ${PBUILDER_TARGETS}; do echo $$target | tr '/' ' '; done | \
while read dist code arch; do \
- reprepro -b ${REPO_BASE}/$$dist -A $$arch list $$code ${PACKAGE_NAME} | awk '{v = $$3} END {exit v != "${PACKAGE_VERSION}"}' && continue; \
+ reprepro -b ${REPO_BASE}/apt/$$dist -A $$arch list $$code ${PACKAGE_NAME} | awk '{v = $$3} END {exit v != "${PACKAGE_VERSION}"}' && continue; \
pbuilder-dist $$code $$arch build ${PACKAGE_NAME}_${PACKAGE_VERSION}.dsc; \
- reprepro -b ${REPO_BASE}/$$dist include $$code ${PBUILDER_BASE}/$${code}-$${arch}_result/${PACKAGE_NAME}_${PACKAGE_VERSION}_$${arch}.changes; \
+ cp -p ${PBUILDER_BASE}/$${code}-$${arch}_result/${PACKAGE_NAME}_${PACKAGE_VERSION}.tar.xz ${REPO_BASE}/brew/tarballs/; \
+ reprepro -b ${REPO_BASE}/apt/$$dist include $$code ${PBUILDER_BASE}/$${code}-$${arch}_result/${PACKAGE_NAME}_${PACKAGE_VERSION}_$${arch}.changes; \
done
+homebrew:
+ rm -rf tap
+ umask ${REPO_UMASK}; \
+ git clone ${REPO_BASE}/brew/tap tap; \
+ cd tap; \
+ ../build-homebrew-formula.py ${REPO_BASE}/brew/tarballs/${PACKAGE_NAME}_${PACKAGE_VERSION}.tar.xz ${PACKAGE_VERSION} ${PACKAGE_NAME}.rb; \
+ git add ${PACKAGE_NAME}.rb; \
+ git commit -S${GPG_KEYID} --author='${GPG_USER}' -m '${PACKAGE_NAME} ${PACKAGE_VERSION}'; \
+ git push
+# rm -rf tap
+
+# Still need:
+#
+# expire: target to expire old tarballs from .../brew/tarballs/, along the lines of download.rpki.net scripts
+
RSYNC := rsync --rsh 'ssh -l ${REPO_UPLOAD_USER}' --archive --itemize-changes
upload:
- ${RSYNC} --ignore-existing ${REPO_BASE}/ ${REPO_UPLOAD_URI}
- ${RSYNC} --delete --delete-delay ${REPO_BASE}/ ${REPO_UPLOAD_URI}
+ for dir in ${REPO_UPLOAD_DIRS}; do \
+ ${RSYNC} --ignore-existing ${REPO_BASE}/$${dir}/ rsync://${REPO_UPLOAD_HOST}/$${dir}/ \
+ ${RSYNC} --delete --delete-delay ${REPO_BASE}/$${dir}/ rsync://${REPO_UPLOAD_HOST}/$${dir}/ \
+ done
-.PHONY: all init clean firmware shadow bitstream elves tamper dsc pbuilder homebrew upload enchilada sandblast
+.PHONY: all init clean firmware shadow bitstream elves tamper dsc pbuilder homebrew expire upload enchilada sandblast
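Review bot: In the new `upload` recipe the two `${RSYNC}` lines end in a bare `\` with no `;`, so the shell receives both rsync commands and the word `done` as one command line and the `for` loop is never closed; the recipe should fail with a shell syntax error before anything is uploaded. Ending each of the two lines with `; \` fixes that. Separately, the `homebrew` recipe chains its steps with `;`, so if `git clone` or `cd tap` fails, the following `git add`, `git commit -S${GPG_KEYID}` and `git push` still run, in whatever directory the shell is left in, and a failing `build-homebrew-formula.py` does not stop the signed commit from being pushed. Chaining those steps with `&&` (or starting the recipe with `set -e;`) would stop at the first failure.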
diff --git a/build-homebrew-formula.py b/build-homebrew-formula.py
new file mode 100755
index 0000000..8f29720
--- /dev/null
+++ b/build-homebrew-formula.py
@@ -0,0 +1,57 @@
+#!/usr/bin/env python
+
+# Yes, this is a Python program writing a Ruby program.
+
+import argparse
+import hashlib
+import sys
+import os
+
+parser = argparse.ArgumentParser()
+parser.add_argument("--url-base", default = "https://brew.cryptech.is/tarballs/")
+parser.add_argument("tarball")
+parser.add_argument("version")
+parser.add_argument("formula", type = argparse.FileType("w"), nargs = "?", default = sys.stdout)
+args = parser.parse_args()
+
+template = '''\
+# This Homebrew forumula was automatically generated by a script.
+# You might not want to edit it manually.
+
+class CryptechAlpha < Formula
+
+ desc "Software for working with Cryptech Alpha board HSM"
+ homepage "https://cryptech.is/"
+ version "{version}"
+ url "{url}"
+ sha256 "{sha256}"
+
+ # Eventually we'll want resource clauses here to pull in stuff we
+ # need from pypi, see brew doc for that, but skip it initially.
+
+ # We should also specify a dependency on sqlite3, and perhaps other
+ # packages. Skip that for now too.
+
+ # If we get really ambitous, it would be nice to have "bottled"
+ # (precompiled binary) versions, but that requires either a build
+ # farm or some kind of cross-compilation.
+
+ def install
+ ENV.deparallelize
+ system "make", "-C", "sw/pkcs11"
+ share.install "cryptech-alpha-firmware.tar.gz"
+ lib.install "sw/pkcs11/libpkcs11.dylib"
+ sbin.install "sw/pkcs11/p11util"
+ sbin.install "sw/stm32/projects/hsm/cryptech_upload"
+ end
+
+end
+'''
+
+with open(args.tarball, "rb") as f:
+ digest = hashlib.sha256(f.read()).hexdigest()
+
+args.formula.write(template.format(
+ version = args.version,
+ url = os.path.join(args.url_base, os.path.basename(args.tarball)),
+ sha256 = digest))
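Review bot: `args.version` and the basename of `args.tarball` are substituted into Ruby double-quoted string literals in `template` with no escaping, so a `"`, a backslash or a `#{` sequence in either value would change the Ruby code of a formula that is then signed and published. The Makefile passes values it built itself, but the script accepts any command-line argument, so a guard before the `format` call is cheap: `if not re.match(r"^[0-9A-Za-z.+~_-]+$", args.version): parser.error("unexpected characters in version")` (with `import re`), and the same check on `os.path.basename(args.tarball)`. Also note that `argparse.FileType("w")` truncates the formula file during argument parsing, before the tarball is opened, so a missing tarball leaves an empty `.rb` behind; opening the output only after the digest has been computed avoids that.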