diff --git a/.gitignore b/.gitignore index 6fcf7be..9640a29 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,6 @@ +# upstream +pkgs + # tarball directory used before build stage src/ diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..a4913c1 --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,13 @@ +# Provide gitlab ci configuration for upstream CI +# See https://github.com/QubesOS-contrib/qubes-skeleton/blob/master/.gitlab-ci.yml +include: +# Target 4.2 and newer only +- file: /r4.2/gitlab-base.yml + project: QubesOS/qubes-continuous-integration +- file: /r4.2/gitlab-host.yml + project: QubesOS/qubes-continuous-integration +# It includes all the distributions +# - file: /r4.2/gitlab-vm.yml + # project: QubesOS/qubes-continuous-integration +- file: /r4.2/gitlab-vm-fedora.yml + project: QubesOS/qubes-continuous-integration diff --git a/.qubesbuilder b/.qubesbuilder new file mode 100644 index 0000000..d67c60c --- /dev/null +++ b/.qubesbuilder @@ -0,0 +1,4 @@ +host: + rpm: + build: + - rpm-build/SPECS/securedrop-workstation-keyring.spec diff --git a/Makefile.builder b/Makefile.builder new file mode 100644 index 0000000..2b1440d --- /dev/null +++ b/Makefile.builder @@ -0,0 +1,2 @@ +# PACKAGE_SET variable is provided by qubes-builder at build time +RPM_SPEC_FILES := rpm-build/SPECS/securedrop-workstation-dom0.spec diff --git a/rpm-build/SPECS/securedrop-workstation-keyring.spec b/rpm-build/SPECS/securedrop-workstation-keyring.spec index da841bd..279340d 100644 --- a/rpm-build/SPECS/securedrop-workstation-keyring.spec +++ b/rpm-build/SPECS/securedrop-workstation-keyring.spec @@ -1,6 +1,6 @@ Name: securedrop-workstation-keyring -Version: 0.1.0 -Release: 1%{?dist} +Version: 0.1.0 +Release: 1%{?dist} Summary: SecureDrop Workstation Keyring # For reproducible builds: 
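Review bot: The three active `include:` entries in `.gitlab-ci.yml` pull job definitions from `QubesOS/qubes-continuous-integration` without a `ref:`, so each pipeline runs whatever that project's default branch holds at that moment. Adding `ref: <reviewed-commit-or-tag>` (placeholder) under each `project:` line would make the jobs that build this keyring package reproducible, and a change to the shared CI would then arrive as an explicit, reviewable bump. If following the moving branch is intentional because the r4.2 files are maintained upstream, a one-line comment such as `# intentionally tracks the default branch of qubes-continuous-integration` would record that decision.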
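Review bot: `RPM_SPEC_FILES` in `Makefile.builder` names `rpm-build/SPECS/securedrop-workstation-dom0.spec`, but the `.qubesbuilder` file added in the same commit and the spec edited further down are both `securedrop-workstation-keyring.spec`. This looks like a leftover from the repository the file was copied from, and the legacy builder would presumably not find the spec. The line should read `RPM_SPEC_FILES := rpm-build/SPECS/securedrop-workstation-keyring.spec`. The comment mentions `PACKAGE_SET`, yet the assignment is unconditional; if the package is meant for dom0 only (as `host:` in `.qubesbuilder` suggests), wrap it in `ifeq ($(PACKAGE_SET),dom0)` … `endif`, otherwise drop the comment.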
@@ -33,6 +33,8 @@ Source: %{url}/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz BuildArch: noarch #BuildRequires: systemd-rpm-macros +BuildRequires: make + %description This package contains the SecureDrop Release public key and yum .repo file @@ -55,10 +57,11 @@ install -m 644 %{_builddir}/files/securedrop-release-signing-pubkey-2021.asc %{b /etc/yum.repos.d/securedrop-workstation-dom0.repo %post -# Not just `rpm --import`, because of https://github.com/rpm-software-management/rpm/issues/2577 -key_id=$(rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | grep SecureDrop | cut -f1 -d' ') -rpm -e $key_id -sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation +# TODO +# If installing: import key +# If upgrading: remove key from rpm and reimport key +# If removing: remove key from rpm %changelog -# TODO \ No newline at end of file +* Mon Dec 2 2024 13:12:00 SecureDrop Team - 0.1.0 +- Initial keyring/bootstrap package diff --git a/scripts/build-rpm.sh b/scripts/build-rpm.sh index 3d4d339..343701a 100755 --- a/scripts/build-rpm.sh +++ b/scripts/build-rpm.sh @@ -6,13 +6,8 @@ set -o pipefail source "$(dirname "$0")/common.sh" -# Prepare tarball for rpmbuild -mkdir -p src/ -git clean -fdX rpm-build/ src/ -tar -zcvf src/"${PROJECT}"-"$(cat VERSION)".tar.gz files/ - -# Place tarball where rpmbuild will find it -cp src/*.tar.gz rpm-build/SOURCES/ +# There is no build step, so we can omit the tarball +# step that is used in the sdw config rpm rpmbuild \ --quiet \ diff --git a/update_version.sh b/update_version.sh new file mode 100755 index 0000000..cfe9cc6 --- /dev/null +++ b/update_version.sh 
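Review bot: After the third hunk, `%post` contains only comments, so installing the package ships the key file but never imports it into the rpm keyring, and nothing rotates or removes it on upgrade or erase. Until the TODO is resolved the comment should say so plainly, for example `# NOTE: the key is NOT imported by this package yet; see /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation` (the path the removed code imported from). When the logic is written, branch on the scriptlet argument (`$1` is 1 on first install and greater than 1 on upgrade in `%post`, and 0 on final removal in `%postun`). Select the old key by its key ID rather than by `grep SecureDrop` on the summary, as the removed code did, since that can match an unrelated key. The new `%changelog` header places a time after the year and has no e-mail address; the conventional form is `* Mon Dec 02 2024 SecureDrop Team <email-placeholder> - 0.1.0-1`, so it is worth confirming that rpm parses the entry as written.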
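Review bot: Removing the whole tarball block in `scripts/build-rpm.sh` also removes `git clean -fdX rpm-build/ src/`, so ignored build output from an earlier run is no longer cleared before `rpmbuild` starts, and an old RPM could be left beside the new one and picked up for signing or upload. If that cleanup is still wanted, keep `git clean -fdX rpm-build/` ahead of the `rpmbuild` call. The new comment would also help more if it said where the spec's inputs now come from, because the spec in this commit still declares a `Source:` tarball and installs from `%{_builddir}/files/`. The `rpmbuild` invocation continues outside the hunk, so this may already be handled by options not visible here.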
@@ -0,0 +1,18 @@
+#!/usr/bin/bash
+## Usage: ./update_version.sh
+
+set -e
+
+if [ -z "$1" ]; then
+ echo "You must specify the new version!"
+ exit 1
+fi
+
+# We want the Python and RPM versions to match, so we'll use a PEP 440
+# compatible version, e.g. 0.9.0rc1 or 0.9.0.
+NEW_VERSION=$(echo "$1" | sed 's/-//g' | sed 's/~//g' )
+
+# Update the version in the spec file and VERSION.
+# TODO: Use rpmdev-bumpspec
+echo "${NEW_VERSION}" > VERSION
+sed -i'' -r -e "s/^(Version:\\t).*/\\1${NEW_VERSION}/" "rpm-build/SPECS/securedrop-workstation-keyring.spec"
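Review bot: `NEW_VERSION` is derived from `$1` by stripping only `-` and `~` and is then interpolated into the sed replacement on the last line, so an argument containing `/`, `&` or a backslash alters the sed expression instead of being rejected. The value should be checked against the version shape the comment describes before anything is written. Separately, the sed pattern matches only `Version:` followed by a tab; if the spec line uses spaces, sed exits 0 without changing anything, and `VERSION` and the spec silently diverge, so a check after the edit is worth adding. As shown here, the usage line also omits the version argument.

```bash
NEW_VERSION=$(echo "$1" | sed 's/-//g' | sed 's/~//g' )

# Reject anything that is not a plain release or rc version before it reaches sed
if ! [[ "${NEW_VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(rc[0-9]+)?$ ]]; then
    echo "Not a valid version: ${NEW_VERSION}" >&2
    exit 1
fi

# … unchanged: write VERSION, sed over the spec file …

# Fail loudly if the Version: line was not actually rewritten
if ! grep -q -E "^Version:[[:space:]]+${NEW_VERSION//./\\.}\$" "rpm-build/SPECS/securedrop-workstation-keyring.spec"; then
    echo "Version line in the spec file was not updated" >&2
    exit 1
fi
```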