<pre style='margin:0'>
Joshua Root (jmroot) pushed a commit to branch master
in repository macports-infrastructure.
</pre>
<p><a href="https://github.com/macports/macports-infrastructure/commit/bc741bd51897e629b8666125ac195af772886e45">https://github.com/macports/macports-infrastructure/commit/bc741bd51897e629b8666125ac195af772886e45</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new bc741bd buildbot: support signing archives with signify
</span>bc741bd is described below
<span style='display:block; white-space:pre;color:#808000;'>commit bc741bd51897e629b8666125ac195af772886e45
</span>Author: Joshua Root <jmr@macports.org>
AuthorDate: Tue Jun 10 19:18:55 2025 +1000
<span style='display:block; white-space:pre;color:#404040;'> buildbot: support signing archives with signify
</span>---
buildbot/deploy_archives.sh | 37 ++++++++++++++++++++++++++++---------
buildbot/master.cfg | 5 +++--
2 files changed, 31 insertions(+), 11 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/buildbot/deploy_archives.sh b/buildbot/deploy_archives.sh
</span><span style='display:block; white-space:pre;color:#808080;'>index 8cad229..5efc98d 100755
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/buildbot/deploy_archives.sh
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/buildbot/deploy_archives.sh
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -26,6 +26,14 @@ fi
</span> if [[ -z "$PRIVKEY" ]]; then
PRIVKEY=""
fi
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# secondary private key to use for signing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+if [[ -z "$PRIVKEY2" ]]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ PRIVKEY2=""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+fi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# signify(1) executable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+if [[ -z "$SIGNIFY" ]]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SIGNIFY="/usr/bin/signify-openbsd"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+fi
</span>
# Buildbot apparently doesn't run jobs on the master in different dirs or
# prevent them from running simultaneously.
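Review bot: The comments added for `PRIVKEY2` and `SIGNIFY` do not say that the signing tool is picked from the key file's suffix, which is what the loop in the second hunk of this file does (`pem` goes to `openssl dgst -sign`, `sec` goes to `"$SIGNIFY" -S`). An operator setting these variables has no other hint that the file name decides whether and how an archive is signed. I would extend the comment to something like `# secondary private key to use for signing; a .pem path is signed with openssl, a .sec path with signify`, and put matching wording on the `PRIVKEY` block, which starts above this hunk.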
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -64,16 +72,27 @@ if [[ -n "`ls ${ULPATH}`" ]]; then
</span> portname="$(basename "$(dirname "$archive")")"
aname="$(basename "$archive")"
echo "deploying archive: $aname"
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if [[ -n "$PRIVKEY" ]]; then
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- openssl dgst -ripemd160 -sign "${PRIVKEY}" -out "${ULPATH}/${portname}/${aname}.rmd160" "${archive}"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if [[ $? -eq 0 && -f "${ULPATH}/${portname}/${aname}.rmd160" ]]; then
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- chmod a+r "${ULPATH}/${portname}/${aname}.rmd160"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- rm -rf "$ULPATH"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- rm -f "$LOCKFILE"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- exit 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for CUR_PRIVKEY in "$PRIVKEY" "$PRIVKEY2"; do
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if [[ "${CUR_PRIVKEY##*.}" = "pem" ]]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl dgst -ripemd160 -sign "$CUR_PRIVKEY" -out "${ULPATH}/${portname}/${aname}.rmd160" "$archive"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if [[ $? -eq 0 && -f "${ULPATH}/${portname}/${aname}.rmd160" ]]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ chmod a+r "${ULPATH}/${portname}/${aname}.rmd160"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ rm -rf "$ULPATH"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ rm -f "$LOCKFILE"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ exit 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ elif [[ "${CUR_PRIVKEY##*.}" = "sec" ]]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "$SIGNIFY" -S -s "$CUR_PRIVKEY" -x "${ULPATH}/${portname}/${aname}.sig" -m "$archive"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if [[ $? -eq 0 && -f "${ULPATH}/${portname}/${aname}.sig" ]]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ chmod a+r "${ULPATH}/${portname}/${aname}.sig"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ rm -rf "$ULPATH"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ rm -f "$LOCKFILE"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ exit 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fi
</span> fi
<span style='display:block; white-space:pre;background:#ffe0e0;'>- fi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ done
</span> done
if [[ -n "$DLHOST" ]]; then
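Review bot: A non-empty key path whose suffix is neither `pem` nor `sec` matches no branch of the `if`/`elif` inside the `for CUR_PRIVKEY` loop, so the archive is deployed with no signature from that key and no error. The removed code signed with openssl whenever `PRIVKEY` was non-empty, so a configuration that points at a key file with a different suffix would silently stop producing `.rmd160` files after this change. I would add a final branch that treats a non-empty, unrecognised key as a failure and reuses the cleanup of the other failure paths. The enclosing archive loop and the outer `if` both start outside this hunk.

```shell
        elif [[ "${CUR_PRIVKEY##*.}" = "sec" ]]; then
            # … unchanged: signify signing and its failure cleanup …
        elif [[ -n "$CUR_PRIVKEY" ]]; then
            # A configured key that matches neither suffix must fail the deploy, not be skipped.
            echo "unsupported signing key type: ${CUR_PRIVKEY}" >&2
            rm -rf "$ULPATH"
            rm -f "$LOCKFILE"
            exit 1
        fi
```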
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/buildbot/master.cfg b/buildbot/master.cfg
</span><span style='display:block; white-space:pre;color:#808080;'>index 1bddba9..c77a2d6 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/buildbot/master.cfg
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/buildbot/master.cfg
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -90,6 +90,7 @@ config = {
</span> 'archivesite': 'http://packages.macports.org',
'archivesiteprivate': 'https://packages-private.macports.org',
'privkey': '',
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ 'privkey2': '',
</span> 'deploy': {},
'deploy_archives': False,
'upload_method': 'buildbot',
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -681,13 +682,13 @@ if config['production'] or config['deploy_archives']:
</span> name='deploy-archives',
description=['deploying', 'public', 'archives'],
descriptionDone=['deploy', 'public', 'archives'],
<span style='display:block; white-space:pre;background:#ffe0e0;'>- env={'PRIVKEY': config['privkey'], 'DLHOST': dlhost, 'DLPATH': dlpath}))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ env={'PRIVKEY': config['privkey'], 'PRIVKEY2': config['privkey2'], 'DLHOST': dlhost, 'DLPATH': dlpath}))
</span> portbuilder_factory.addStep(steps.MasterShellCommand(
command=['./deploy_archives.sh', util.WithProperties(os.path.join(ulpath_master, 'private'))],
name='deploy-archives-private',
description=['deploying', 'private', 'archives'],
descriptionDone=['deploy', 'private', 'archives'],
<span style='display:block; white-space:pre;background:#ffe0e0;'>- env={'PRIVKEY': config['privkey'], 'DLHOST': dlhost_private, 'DLPATH': dlpath_private}))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ env={'PRIVKEY': config['privkey'], 'PRIVKEY2': config['privkey2'], 'DLHOST': dlhost_private, 'DLPATH': dlpath_private}))
</span>
# TODO: do we want to upload the individual logs so maintainers can review them?
portbuilder_factory.addStep(steps.ShellCommand(
</pre><pre style='margin:0'>
</pre>