zipsign
jdx committed Nov 8, 2023
1 parent ea5b5d6 commit 818ba93
Showing 8 changed files with 215 additions and 9 deletions.
14 changes: 13 additions & 1 deletion .github/workflows/rtx.yml
@@ -3,7 +3,7 @@ name: rtx
on:
push:
tags: ["v*"]
branches: ["main"]
branches: ["zipsign"]
pull_request:
branches: ["main"]
# Allows you to run this workflow manually from the Actions tab
@@ -56,6 +56,12 @@ jobs:
- uses: taiki-e/install-action@cargo-llvm-cov
- name: Install zsh/fish/direnv
run: sudo apt-get update; sudo apt-get install zsh fish direnv
- uses: shimataro/ssh-key-action@v2
with:
key: ${{ secrets.RTX_SSH_KEY }}
known_hosts: ${{ secrets.RTX_KNOWN_HOSTS_AUR }}
- run: |
ls -l ~/.ssh
- name: Install just
uses: taiki-e/install-action@just
- name: Run tests with coverage
@@ -94,6 +100,9 @@ jobs:
shared-key: "build-linux-${{matrix.target}}"
save-if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
- uses: taiki-e/install-action@cross
- run: scripts/setup-zipsign.sh
env:
ZIPSIGN: ${{ secrets.ZIPSIGN }}
- run: scripts/build-tarball.sh rtx --release --features openssl/vendored,self_update --target ${{matrix.target}}
env:
CROSS: "1"
@@ -126,6 +135,9 @@ jobs:
with:
key: "${{matrix.target}}"
save-if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
- run: scripts/setup-zipsign.sh
env:
ZIPSIGN: ${{ secrets.ZIPSIGN }}
- run: scripts/build-tarball.sh rtx --release --features openssl/vendored,self_update --target ${{matrix.target}}
- run: scripts/build-tarball.sh rtx-nonup --release --features openssl/vendored --target ${{matrix.target}}
- uses: actions/upload-artifact@v3
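Review bot: The `shimataro/ssh-key-action@v2` step passes `secrets.RTX_SSH_KEY` to a third-party action referenced by a mutable tag, in what appears to be the coverage job, so the key sits in `~/.ssh` while the test suite runs. Pin the action to a full commit SHA (`uses: shimataro/ssh-key-action@<FULL_COMMIT_SHA> # v2`) and install the key only in the job that needs it, on push events rather than `pull_request`. The `ls -l ~/.ssh` step and the `branches: ["zipsign"]` trigger look like debugging leftovers; with the latter, pushes to `main` stop running the workflow while the `save-if` conditions still test for `main`. In the two build jobs `scripts/setup-zipsign.sh` writes the signing key before `build-tarball.sh` compiles the project, so build scripts and proc macros run with the key readable; a signing step after the build, limited to tag pushes, would narrow that exposure.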
149 changes: 147 additions & 2 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

16 changes: 14 additions & 2 deletions Cargo.toml
@@ -11,7 +11,15 @@ readme = "README.md"
license = "MIT"
keywords = ["rtx"]
categories = ["command-line-utilities"]
include = ["src/**/*.rs", "src/plugins/core/assets/**", "/build.rs", "/LICENSE", "/README.md", "/Cargo.lock"]
include = [
"src/**/*.rs",
"src/plugins/core/assets/**",
"/Cargo.lock",
"/LICENSE",
"/README.md",
"/build.rs",
"/zipsign.pub",
]
rust-version = "1.65.0"
build = "build.rs"

@@ -73,7 +81,11 @@ reqwest = { version = "0.11.17", default-features = false, features = [
"gzip",
] }
rmp-serde = "1.1.2"
self_update = { version = "0.38.0", default-features = false, optional = true }
self_update = { version = "<1", default-features = false, optional = true, features = [
"archive-tar",
"compression-flate2",
"signatures",
] }
serde = "1.0"
serde_derive = "1.0"
serde_json = "1.0"
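Review bot: In the second hunk the `self_update` requirement is widened from `0.38.0` to `<1`, so any 0.x release satisfies it for the crate that downloads and replaces the running binary. Cargo treats 0.x minor bumps as breaking, and a build that ignores the committed lockfile (for example `cargo install` without `--locked`) resolves to whatever is newest at that moment. A bound on the minor series that Cargo.lock resolves to, written as `version = "0.<MINOR_FROM_LOCKFILE>"`, keeps the `signatures` feature while limiting drift in the update path.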
10 changes: 9 additions & 1 deletion deny.toml
@@ -101,7 +101,15 @@ unlicensed = "deny"
# List of explicitly allowed licenses
# See https://spdx.org/licenses/ for list of possible licenses
# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
allow = ["MIT", "ISC", "Apache-2.0", "Unicode-DFS-2016", "BSD-3-Clause", "OpenSSL"]
allow = [
"MIT",
"ISC",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"Unicode-DFS-2016",
"BSD-3-Clause",
"OpenSSL",
]
# List of explicitly disallowed licenses
# See https://spdx.org/licenses/ for list of possible licenses
# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
5 changes: 5 additions & 0 deletions scripts/build-tarball.sh
@@ -75,4 +75,9 @@ cd dist
tar -cJf "$BASENAME.tar.xz" rtx
tar -czf "$BASENAME.tar.gz" rtx

if [ -f ~/.zipsign/rtx.priv ]; then
zipsign sign tar "$BASENAME.tar.gz" ~/.zipsign/rtx.priv
zipsign verify tar "$BASENAME.tar.gz" ../zipsign.pub
fi

ls -oh "$BASENAME.tar.xz"
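Review bot: Signing is skipped silently whenever `~/.zipsign/rtx.priv` is absent, so a release build with a missing or empty `ZIPSIGN` secret still succeeds and produces an unsigned `$BASENAME.tar.gz`. For release builds the absence should be an error, for example an extra branch such as `elif [ -n "${REQUIRE_SIGNATURE:-}" ]; then echo "signing key missing" >&2; exit 1` (variable name constructed for illustration). Only the `.tar.gz` is signed; `$BASENAME.tar.xz` is produced without a signature, which deserves a comment if that is intentional. The rest of the script lies outside this hunk.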
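--- a/scripts/setup-zipsign.sh
+++ b/scripts/setup-zipsign.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -euxo pipefail
+
+if [ -z "$ZIPSIGN" ]; then
+echo "ZIPSIGN is not defined"
+exit 0
+fi
+
+cargo install zipsign
+mkdir -p ~/.zipsign
+echo "$ZIPSIGN" | base64 -d >~/.zipsign/rtx.priv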
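Review bot: `set -euxo pipefail` enables xtrace, so the `[ -z "$ZIPSIGN" ]` test and the final `echo "$ZIPSIGN"` are written to the job log with the base64 private key expanded, leaving the CI log masker as the only protection. The key file is also created with the default umask, and `cargo install zipsign` fetches whatever release is current, so the signing tool itself is unpinned. Drop `-x`, use `${ZIPSIGN:-}` so `set -u` cannot abort before the message, tighten the umask before writing, and install a fixed version with `--locked`.

```shell
set -euo pipefail  # no -x: xtrace would print the expanded key

if [ -z "${ZIPSIGN:-}" ]; then
# … unchanged: message and exit 0 …
fi

cargo install --locked zipsign --version "<PINNED_ZIPSIGN_VERSION>"
umask 077  # key file and directory readable by the owner only
# … unchanged: mkdir and base64 decode into ~/.zipsign/rtx.priv …
```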
18 changes: 15 additions & 3 deletions src/cli/self_update.rs
@@ -1,7 +1,7 @@
use color_eyre::Result;
use console::style;

use self_update::backends::github::Update;
use self_update::backends::github::{ReleaseList, Update};
use self_update::cargo_crate_version;

use crate::cli::command::Command;
@@ -23,15 +23,27 @@ impl Command for SelfUpdate {
fn run(self, _config: Config, out: &mut Output) -> Result<()> {
let current_version =
env::var("RTX_SELF_UPDATE_VERSION").unwrap_or(cargo_crate_version!().to_string());
let target = format!("{}-{}", *OS, *ARCH);
let mut releases = ReleaseList::configure();
releases.repo_owner("jdx").repo_name("rtx");
if let Some(token) = &*env::GITHUB_API_TOKEN {
releases.auth_token(token);
}
let releases = releases.build()?.fetch()?;
let latest = &releases[0].version;

let mut update = Update::configure();
update
.repo_owner("jdx")
.repo_name("rtx")
.bin_name("rtx")
// TODO: enable if working locally
//.verifying_keys([*include_bytes!("../../zipsign.pub")])
.show_download_progress(true)
.current_version(&current_version)
.target(&format!("{}-{}", *OS, *ARCH))
.identifier("rtx-v");
.target(&target)
.bin_path_in_archive("rtx/bin/rtx")
.identifier(&format!("rtx-v{latest}-{target}.tar.gz"));
if let Some(token) = &*env::GITHUB_API_TOKEN {
update.auth_token(token);
}
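Review bot: The `.verifying_keys(...)` call in `run` is left commented out behind a TODO, so although the `signatures` feature and `zipsign.pub` are added, the downloaded archive is still installed without any signature check. Until that line is enabled the signing done at build time gives users of `self-update` no protection, which is worth stating in the TODO or tracking in an issue. In the same hunk `&releases[0].version` panics if the fetch returns an empty list; `releases.first().ok_or_else(|| eyre!("no releases found"))?` reports it as an error instead (needs `color_eyre::eyre::eyre` imported). `run` continues past the end of the hunk.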
1 change: 1 addition & 0 deletions zipsign.pub
@@ -0,0 +1 @@
���uy=�q�����D��A�%��R]J����
