#!/bin/bash
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
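# Verify a staged Apache Brooklyn release candidate: import the project's PGP
# keys, download every staged artifact, check hashes and signatures, check that
# each archive carries LICENSE and NOTICE, compare the source archive with the
# release tag in git and build it with Maven. Manual follow-up checks are
# printed at the end.
#
# Usage: release-verify.sh <release>     e.g. 0.10.0-rc3
# Required tools: svn, md5sum, shasum, gpg2 (checked), curl, git, mvn, tar,
# unzip, rpm (assumed present).
set -euo pipefail

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print a section heading framed by '=' rules of matching width, with a
# blank line before and after.
# Arguments: $1 - heading text
#######################################
banner() {
  local rule
  rule=$(printf '%*s' "$(( ${#1} + 4 ))" '' | tr ' ' '=')
  echo
  echo "$rule"
  echo "= $1 ="
  echo "$rule"
  echo
}

#######################################
# Abort unless a required command is on PATH.
# Arguments: $1 - command name
#            $2 - optional install hint appended to the error message
#######################################
require_tool() {
  local hint=${2:-}
  command -v "$1" >/dev/null 2>&1 \
    || die "$1 required but is not installed.${hint:+ $hint} Aborting."
}

#######################################
# Import the release signing keys into the gpg2 keyring.
# Globals: KEYS_URL (read)
#######################################
import_keys() {
  banner "Importing PGP keys"
  echo "Downloading KEYS from $KEYS_URL"
  # -f turns an HTTP error into a non-zero exit instead of piping an error
  # page into the key import; gpg2 is used (not gpg) so the keys land in the
  # same keyring that gpg2 --verify reads later.
  curl -fsS "$KEYS_URL" | gpg2 --import
}

#######################################
# Download every file linked from the SVN staging directory listing into
# the current directory.
# Globals: DOWNLOAD_ROOT (read)
#######################################
download_release() {
  banner "Downloading release files"
  echo "Downloading from staging URL $DOWNLOAD_ROOT"
  # Scrape the hrefs of the directory listing, skipping the parent link, and
  # fetch each one. With pipefail a failed listing, an empty listing or a
  # failed download (curl -f) aborts the script instead of passing silently.
  curl -fsS "$DOWNLOAD_ROOT" \
    | grep href \
    | grep -v '\.\.' \
    | sed -e "s@.*href=\"@${DOWNLOAD_ROOT}@" \
    | sed -e 's@">.*@@' \
    | xargs -n 1 curl -f -O
}

#######################################
# Check that the set of downloaded files equals the SVN staging listing.
# Globals: RELEASE (read)
# Returns: aborts (via set -e) if the listings differ
#######################################
compare_listing_with_svn() {
  banner "Compare downloaded files listing to SVN staging repo"
  # TODO --trust-server-cert because fails on OS X due to untrusted issuer Issuer: Symantec Class 3 Secure Server CA - G4, Symantec Trust Network, Symantec Corporation, US
  # diff exits non-zero on any difference, which aborts under set -e.
  diff <(svn --non-interactive --trust-server-cert ls "https://dist.apache.org/repos/dist/dev/brooklyn/apache-brooklyn-$RELEASE" | sort) \
       <(printf '%s\n' * | sort)
  echo "OK"
}

#######################################
# Fill the global ARTIFACTS array with the downloaded release files, i.e.
# every regular file in the current directory that is not a .asc/.md5/.sha1/
# .sha256 companion file.
# Globals: ARTIFACTS (written), DOWNLOADS_FOLDER (read)
#######################################
collect_artifacts() {
  local entry
  ARTIFACTS=()
  for entry in *; do
    [[ -f $entry ]] || continue
    case $entry in
      *.asc|*.md5|*.sha1|*.sha256) continue ;;
    esac
    ARTIFACTS+=("$entry")
  done
  # An empty set would otherwise make every check below pass vacuously.
  (( ${#ARTIFACTS[@]} > 0 )) \
    || die "No release artifacts found in $DOWNLOADS_FOLDER. Aborting!"
}

#######################################
# Check the md5/sha1/sha256 hashes and the detached PGP signature of every
# artifact.
# Globals: ARTIFACTS (read)
#######################################
verify_artifacts() {
  local artifact
  banner "Check signatures and hashes of downloaded files"
  for artifact in "${ARTIFACTS[@]}"; do
    # gpg2 --verify succeeds for any valid signature by a key in the keyring,
    # i.e. any key imported from the KEYS file; key trust is not evaluated.
    if ! { md5sum -c "${artifact}.md5" \
        && shasum -a1 -c "${artifact}.sha1" \
        && shasum -a256 -c "${artifact}.sha256" \
        && gpg2 --verify "${artifact}.asc" "$artifact"; }; then
      die "Invalid signature for $artifact. Aborting!"
    fi
  done
}

#######################################
# Check that every archive contains NOTICE and LICENSE under its top-level
# folder (for RPMs: under /opt/brooklyn).
# Globals: ARTIFACTS (read)
#######################################
check_license_notice() {
  local archive rel_archive prefix
  local -a list_cmd
  banner "Check for LICENSE and NOTICE files in archives"
  for archive in "${ARTIFACTS[@]}"; do
    # Archive contents are rooted at the GA name, without the -rcN suffix.
    rel_archive=${archive/-rc?}
    case $archive in
      *.tar.gz)
        list_cmd=(tar -tvf)
        prefix=${rel_archive%.tar.gz}
        ;;
      *.zip)
        list_cmd=(unzip -Zl)
        prefix=${rel_archive%.zip}
        ;;
      *.rpm)
        list_cmd=(rpm -qlp)
        prefix="/opt/brooklyn"
        ;;
      *)
        die "Unrecognized file type $archive. Aborting!"
        ;;
    esac
    # Fixed-string match so the dots in the version are not wildcards; the
    # matching listing lines are left on stdout as evidence.
    if ! { "${list_cmd[@]}" "$archive" | grep -F -- "$prefix/NOTICE" \
        && "${list_cmd[@]}" "$archive" | grep -F -- "$prefix/LICENSE"; }; then
      die "Missing LICENSE or NOTICE in $archive. Aborting!"
    fi
  done
}

#######################################
# Unpack the source archive into SOURCE_RELEASE_FOLDER.
# Globals: RELEASE (read)
#######################################
extract_source() {
  banner "Extract source folder"
  tar -zxf "apache-brooklyn-$RELEASE-src.tar.gz"
  echo "OK"
}

#######################################
# Clone the project repository into ./repository and check out the release
# tag in it and in every submodule.
# Globals: RELEASE (read)
#######################################
checkout_repository() {
  banner "Checkout repository at release tags"
  # NOTE: git:// is an unauthenticated, unencrypted transport, so the
  # comparison that follows trusts the clone as received (see TODO below).
  git clone git://git.apache.org/brooklyn.git repository
  (
    cd repository
    git submodule init
    git submodule update --remote --merge --recursive
    git checkout "rel/apache-brooklyn-$RELEASE"
    git submodule foreach git checkout "rel/apache-brooklyn-$RELEASE"
  )
}

#######################################
# Compare the unpacked source archive with the checked-out repository and
# abort on any difference that is not expected (git metadata, the release
# tooling, docs, sandbox and known test binaries).
# Globals: SOURCE_RELEASE_FOLDER (read)
#######################################
compare_repository() {
  local diff_bytes
  banner "Compare repository to source release"
  # Informational listing of every difference; the filtered count decides.
  diff -qr "$SOURCE_RELEASE_FOLDER" repository/ || true
  # diff returns 1 when files differ and grep -v returns 1 when it filters
  # every line out; both are expected here, so only status 2 (a real error)
  # is allowed to fail the pipeline under pipefail.
  diff_bytes=$(
    { diff -qr "$SOURCE_RELEASE_FOLDER" repository/ \
        -x '*.git' -x '*.gitattributes' -x '*.gitignore' \
        -x '*.gitmodules' -x 'release' -x 'brooklyn-docs' \
        -x 'sandbox' || [[ $? -eq 1 ]]; } \
      | { grep -v 'src/test/.*\.jar' || [[ $? -eq 1 ]]; } \
      | { grep -v 'hello-world.*\.war' || [[ $? -eq 1 ]]; } \
      | wc -c)
  (( diff_bytes == 0 )) \
    || die "Unexpected differences between source distribution and repository. Aborting!"
  echo
  echo "Didn't find unexpected differences."
}

#######################################
# Build the source release with Maven in an isolated local repository, then
# re-extract a clean copy of the sources for the manual steps.
# Globals: SOURCE_RELEASE_FOLDER, RELEASE (read)
#######################################
build_from_sources() {
  banner "Build from sources"
  # Separate local repository so the build neither reads from nor pollutes
  # the user's ~/.m2.
  (cd "$SOURCE_RELEASE_FOLDER" && mvn -Dmaven.repo.local=../maven-sandbox-repo clean install)
  echo
  echo "Do a clean extract of source repo for next steps."
  rm -rf -- "${SOURCE_RELEASE_FOLDER:?}"
  tar -zxf "apache-brooklyn-$RELEASE-src.tar.gz"
}

#######################################
# Print the remaining manual checks and the summary checklist.
# Globals: DOWNLOADS_FOLDER, SOURCE_RELEASE_FOLDER (read)
#######################################
print_manual_steps() {
  echo
  echo "-------------------------------------------"
  echo
  echo "Additional steps requiring manual intervention (execute in source distribution folder ${SOURCE_RELEASE_FOLDER}:"
  echo " * Check for files with invalid headers in source distribution. There are already files excluded from RAT checks, do a sanity check."
  echo " $ grep -rL \"Licensed to the Apache Software Foundation\" ${DOWNLOADS_FOLDER}/${SOURCE_RELEASE_FOLDER}* | less"
  echo
  echo " * Check for binary files in source distribution. Look for files which are created/compiled based on other source files in the distribution. \
\"Primary\" binary files like images are acceptable."
  echo " Example less filter: '&!ASCII|Unicode|directory|PNG|JPEG|GIF|KeyStore|EOT|SVG|icon|font|woff|public key|private key|certificate'"
  echo " $ find ${DOWNLOADS_FOLDER}/${SOURCE_RELEASE_FOLDER} | xargs -n1 file | awk -F $':' ' { t = \$1; \$1 = \$2; \$2 = t; print; } ' | sort | less"
  echo
  echo "Checks successfully completed:"
  echo "[✓] Download links work."
  echo "[✓] Checksums and PGP signatures are valid."
  echo "[✓] Expanded source archive matches contents of RC tag."
  echo "[✓] Expanded source archive builds and passes tests."
  echo "[✓] LICENSE is present and correct."
  echo "[✓] NOTICE is present and correct, including copyright date."
  echo "[✓] No compiled archives bundled in source archive."
  echo
  echo "Checks left to do manually with the help of above instructions:"
  echo "[ ] All files have license headers where appropriate."
  echo "[ ] All dependencies have compatible licenses."
  echo
  echo "Remaning items from checklist:"
  echo "[ ] Binaries work."
  echo "[ ] I follow this project’s commits list."
}

#######################################
# Entry point: validate the argument, check tools, set the release-derived
# constants and run every verification step in order.
# Arguments: $1 - release identifier, e.g. 0.10.0-rc3
#######################################
main() {
  if (( $# != 1 )); then
    echo "Usage: $0 0.10.0-rc3"
    exit 1
  fi
  # The release id is spliced into URLs, file names, a sed replacement and
  # an rm -rf path below; restrict it to a conservative character set so a
  # stray '/', '@' or whitespace cannot change what is fetched or deleted.
  [[ $1 =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] \
    || die "Invalid release identifier '$1' (expected e.g. 0.10.0-rc3). Aborting."

  require_tool svn
  require_tool md5sum "On macOS install with 'brew install md5sha1sum'."
  require_tool shasum "On macOS install with 'brew install md5sha1sum'."
  require_tool gpg2 "On macOS install with 'brew install gnupg2'."

  readonly RELEASE=$1
  readonly DOWNLOAD_ROOT=https://dist.apache.org/repos/dist/dev/brooklyn/apache-brooklyn-$RELEASE/
  readonly DOWNLOADS_FOLDER=apache-brooklyn-$RELEASE
  readonly KEYS_URL=https://dist.apache.org/repos/dist/release/brooklyn/KEYS
  # GA version is the release id without its -rcN suffix (0.10.0-rc3 -> 0.10.0).
  readonly GA_RELEASE=${RELEASE%%-rc?}
  readonly SOURCE_RELEASE_FOLDER=apache-brooklyn-${GA_RELEASE}-src

  # Fails if the folder already exists, so a stale download is never reused.
  mkdir -- "$DOWNLOADS_FOLDER"
  cd -- "$DOWNLOADS_FOLDER"

  import_keys
  download_release
  compare_listing_with_svn
  collect_artifacts
  verify_artifacts
  check_license_notice
  extract_source
  checkout_repository
  compare_repository
  build_from_sources
  print_manual_steps
}

## TODO
# * Automate above manual steps
# * Add maven repository checks (generate archetype project and build it?; should happen in a container not to pollute local repo)
# * Run binary distribution and do basic sanity checks (using br; using maven plugin?)
# * --trust-server-cert is against the spirit of the "verify" step - can we fix it another way?
# * The git:// clone is unauthenticated; use an authenticated transport or verify the tag (if it is signed) before trusting the comparison

main "$@"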