From db05ad1b423745cb4695bbbbb6c9e2c7280702e7 Mon Sep 17 00:00:00 2001 From: Philip Whineray Date: Thu, 24 Nov 2016 19:01:37 +0000 Subject: [PATCH] Travis signature checking, deployment to github and firehol.org Allows us to eliminate a large number of scripts from the firehol infrastructure. Netdata does multiple compiler tests. We pick one (CC = gcc) for deploying; it doesn't really matter which, since binaries are not part of the deployment. --- .travis.yml | 50 +++++++++++++++++++++++++++++-- .travis/travis_rsa.enc | Bin 0 -> 1680 bytes packaging/README.md | 3 ++ packaging/check-files | 2 ++ packaging/git-build | 14 +++++++++ packaging/gpg.keys | 65 +++++++++++++++++++++++++++++++++++++++++ 6 files changed, 131 insertions(+), 3 deletions(-) create mode 100644 .travis/travis_rsa.enc create mode 100644 packaging/gpg.keys diff --git a/.travis.yml b/.travis.yml index 09860fa3..f88f206e 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -1,13 +1,57 @@ +dist: precise +# +# C includes autotools and make by default language: c compiler: - gcc - clang +# +# Extra packages +addons: + apt: + packages: + - gnupg + - libcap2-bin + - zlib1g-dev + - uuid-dev +# +# Setup environment before_install: - - sudo apt-get update -qq - - sudo apt-get install -qq automake make libcap2-bin zlib1g-dev uuid-dev + # Decrypt our private files for CI use only + - openssl aes-256-cbc -K $encrypted_decb6f6387c4_key -iv $encrypted_decb6f6387c4_iv -in .travis/travis_rsa.enc -out .travis/travis_rsa -d + - eval "$(ssh-agent -s)" # start the ssh agent + - chmod 600 .travis/travis_rsa # add our key + - ssh-add .travis/travis_rsa # add our key + - rm -f .travis/travis_rsa # remove to prevent leaks + # WARNING: Any changes to the above 5 lines should be monitored closely + - ssh-keyscan -H firehol.org >> ~/.ssh/known_hosts +# +# Run +before_script: + - gpg --import packaging/gpg.keys + # Run the commit hooks in case the developer didn't + - git diff 4b825dc642cb6eb9a060e54bf8d69288fbee4904 | ./packaging/check-files - script: + # make release packages + - fakeroot ./packaging/git-build # default build - ./autogen.sh && ./configure && make -j4 - # test installer - fakeroot ./netdata-installer.sh --install $HOME --dont-wait --dont-start-it +# +# Deploy as required +after_success: + - for i in *.tar.*; do md5sum -b $i > $i.md5; sha512sum -b $i > $i.sha; done + - "case \"$TRAVIS_BRANCH\" in master|stable-*) if [ $TRAVIS_PULL_REQUEST = false -a \"$TRAVIS_TAG\" = \"\" -a \"$CC\" = \"gcc\" ]; then ssh travis@firehol.org mkdir -p uploads/netdata/$TRAVIS_BRANCH/ && scp -p *.tar.* travis@firehol.org:uploads/netdata/$TRAVIS_BRANCH/ && ssh travis@firehol.org touch uploads/netdata/$TRAVIS_BRANCH/complete.txt; fi;; esac" +deploy: + # Upload results to GitHub (tag only) + - provider: releases + api_key: + secure: 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 + skip_cleanup: true + file_glob: true + file: "netdata*.tar.*" + on: + 
condition: $CC = gcc + repo: firehol/netdata + tags: true diff --git a/.travis/travis_rsa.enc b/.travis/travis_rsa.enc new file mode 100644 index 0000000000000000000000000000000000000000..148a425bc4f33303e52ce1be0f91881a12b5ffc2 GIT binary patch literal 1680 zcmV;B25LELlES?`$0LMtpmHg`qdlS}A>M8Pz;O6dW4lEr}BNV5YyQ z5)yGD3K1u78zSz}hYj19ejB6meH9c2!xPGM_V@PKdW48w<<=s>1N)7><~MRpeQ04U zA0QeU0|l1 zntg&g2jKIH0nuL9^6y=)r!BsNonXO&;!~KmIKtjY^i)8*0B}DzaX6)3#cl3;hiNzp zB$TnQ=_*MkQaH&`KR7xi#YXPaO(iXo)ZZ5*r4^H>E#7iC`ZM%e!wTxT8a-oCtHkeT zyJAu40XRLsTHR+@Yk4(TIPIUB?FQR|gf1dLHExgLYT35Ztw=ot#p>C&uQb%z+IgI=yX98|5S17rn_+Zy%_!0v4?=U;ko*&#jVW z=$#{h{s--YH%5}**|2vfV+r>?1#vK=y~IBZ;9|<}n`rgqDSv+=yn%@fL?yu0i!0l$ zQzX{cRpBG1w@f)Ye!Q&oGLMC)9~kXKp53*&TbmYL_> zOo{he(_Sh#pd<{Xpq6;S=HD+lw53c6R(x@7HSaE#VGOB_CNYwD)nC(FsR8$F`ws|b zvncl=o3mQxwI74A?HI0E` z0{rZ7F3fuIkU?S$^JI%Z^Dh_Rcf;-^1D_eu6?o2iuW##SQob0z?nMGB6!MR-4Nej;~S!6DN3@-1j*oxTDijU7Zup7W?P$x~)DU%?nJ(CO1O;T-WTxH)a>B zrA&O8m^D>sXS?wwkcGSznZI|eFx_6NkHi@t^Fs>+^dD`T_Q1aSkRpaQxJj%6)!I)y zi|kTayAzheekW+ri_0egI}sy;{!gf0KTk%kLFNk+_T);aDiwoyg`TmMAFYb2D`1Gr znF~6`cFTO~5Ky^*N&FZB**58ST;S%qWURJ2Ivd=)RG8CX3rvNtMR+P7#rU-|{kAWO z*A476&Pf0Y64u6~4LY>MmX{MI4Fof$#j{ndK&#%dDKp=93Ci6SStd2Y7-Und`0rNr7$3gI6>4HK@Gs6RML?Zm;u>-~uL_LA=xa3B*GB86hczqVg`Rse+gm)-d2BX^D&JD6f8w zuw8n_4_v-E!4e!3>!Uz68Kh(F&kRun1VdIsx25zo1fmO0S#h_9E%AmUj)TTP3wuFq agKsc9`UL#$qCQ*1s{b3gPN#zuhp+#RVk`at literal 0 HcmV?d00001 diff --git a/packaging/README.md b/packaging/README.md index 664f588e..e07853a8 100644 --- a/packaging/README.md +++ b/packaging/README.md @@ -18,6 +18,9 @@ and post-release update. Programs and packages with specific needs should create extra `whatever.functions` and supporting scripts in a subdirectory. +The `gpg.keys` file is a list of keys that can be expected to sign +tags and packages. + Making a release ---------------- ` diff --git a/packaging/check-files b/packaging/check-files index 4827f563..347de5a4 100755 --- a/packaging/check-files +++ b/packaging/check-files 
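Review bot: The `ssh-keyscan -H firehol.org >> ~/.ssh/known_hosts` step in `before_install` records whichever host key answers at build time, so the `ssh`/`scp` upload in `after_success` never authenticates the server it sends release tarballs to. Pin the expected key in the repository instead and append that, e.g. `- echo "firehol.org <KEY_TYPE_PLACEHOLDER> <HOST_PUBLIC_KEY_PLACEHOLDER>" >> ~/.ssh/known_hosts`, with the real value checked out of band. Separately, `gpg --import packaging/gpg.keys` loads the keyring from the same checkout whose tag `packaging/git-build` verifies afterwards, so that check appears to be only as strong as the review applied to changes in that file. A short comment above the import saying so would help.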
@@ -36,6 +36,8 @@ then echo "check-files [--debug] -|filenames" echo "e.g." echo " git diff | ./packaging/check-files -" + echo "for a complete check (v.s. empty repo):" + echo " git diff 4b825dc642cb6eb9a060e54bf8d69288fbee4904 | ./packaging/check-files -" echo "or in .git/hooks/pre-commit:" echo " exec git diff --cached | ./packaging/check-files -" exit 1 diff --git a/packaging/git-build b/packaging/git-build index e33d2355..56ae2166 100755 --- a/packaging/git-build +++ b/packaging/git-build @@ -13,6 +13,20 @@ fi # just make the assumption if [ -d .git ] then + if [ -n "$TRAVIS_TAG" ] + then + echo "Checking we have a good signature during CI build..." + echo "Checking tag: $TRAVIS_TAG" + git tag -v "$TRAVIS_TAG" 2>&1 | tee /tmp/tagcheck + grep -iq "gpg. good signature" /tmp/tagcheck + status=$? + rm -f /tmp/tagcheck + if [ $status -ne 0 ] + then + exit $status + fi + fi + clean=$(git status -s | grep "^?") if [ "$clean" ] diff --git a/packaging/gpg.keys b/packaging/gpg.keys new file mode 100644 index 00000000..25455d9b --- /dev/null +++ b/packaging/gpg.keys 
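Review bot: The tag check in `packaging/git-build` decides on `grep -iq "gpg. good signature" /tmp/tagcheck`, which is gpg's human-readable text read back from a fixed, predictable path in /tmp. That text depends on the locale, and as far as I know gpg can print the same phrase for a signature whose key has since expired or been revoked. The fixed file name can also be pre-created by another user on a shared build host. I would create the file with `mktemp` and match the machine-readable status line from `git verify-tag --raw`, as sketched below; this needs a git recent enough to have `--raw`, otherwise keep `git tag -v` but run it under `LC_ALL=C`. The enclosing `if [ -d .git ]` block starts above this hunk and continues below it.

```shell
# … unchanged: TRAVIS_TAG test and the two echo lines …
        tagcheck=$(mktemp) || exit 1
        # --raw prints gpg's status lines on stderr; GOODSIG is not
        # emitted for signatures from expired or revoked keys
        git verify-tag --raw "$TRAVIS_TAG" 2>&1 | tee "$tagcheck"
        grep -q '^\[GNUPG:\] GOODSIG ' "$tagcheck"
        status=$?
        rm -f "$tagcheck"
# … unchanged: exit with $status when it is non-zero …
```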
@@ -0,0 +1,65 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBE/SZE8BCAC2tGkIFG2jYmtO7X/SFzqAlgWd4iW3ZSpjAki5Z9PGMIkaOFgL +fnNrQV/il4mMUzmvetgV9ShA288JT6KLT4lnL/lHCgxY9dJgzXfOrHxxlXQNU7i4 +XWRO+96aNysFjVJPsjRv+51836OV+w+TvE495zG7YNUUcWVAqsc49WPyt1Bm4Bsw +X8fG7NggsV7wA+bMV/CzRAbiXSkJYKVn+GQk1wRYwR6YlpsZ22EKR2rEUxCc4CwN +75mo9nY3cUKJfFvR7xg1rG6tLwLgv4/SSXbtHPfdKce6dmNWJjwTv8iAZxJUGM1D +lhAWCl/ZnGIRBf7KDsxk6NCODenDEZvOoxKTABEBAAG0IVBoaWwgV2hpbmVyYXkg +PHBoaWxAc2FuZXdhbGwub3JnPokBOAQTAQIAIgUCT9JkTwIbAwYLCQgHAwIGFQgC +CQoLBBYCAwECHgECF4AACgkQY98eRNgpeX4//QgAtCvArmgn/Mt6IJmx8mowPpJz +Rv6ErwYgBkVRxd87yFHZDV2DX+BjhuD5k8e3/z+1GqwrUCR/+svLsb5e6s9ISSES +A68xlBNLG8sfZHm4CMEN63lqZsoiMposNUTOa2NY53qYNy8oDmNkjrfIkeKdTeUB +w8atfFGWe8PZMhaxFox/acQfleyTKPIjfzHGoFvgs7nmYdfFHiFBh5hc+mEI+S+z +Ao9CVoT3MzyANhJJLINGcQVdexRfvv4210euHQIH2NClRv3qo5cZmeo9DyLdGU9T +wkAosRNflxciap5hyQvK/Z9pRAPzOR5SnpJj+Daa+Xslq5j61uUdEeMsI2dTv7Qg +UGhpbCBXaGluZXJheSA8cGhpbEBmaXJlaG9sLm9yZz6JATgEEwECACIFAlZIrFYC +GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEGPfHkTYKXl+Hh4H/RkLQui0 +mKwLAq4+aLEJu3yCgFdpQPYFZFYw7fGKcrw92g8pnoY5V43yNaJMiJFkYrHv/UqN +k0A2v/JIOKBXfe1YWakSIirrNMBMFwBUup4X7losPcAxF8K3Vtuo8PR/c2QF8UZB +xkB3oPr/4DCBUKKYnk1g+yozfnqut7UNFKPZLWcNCcfy+ueLTmfzGg2CDGvsuY7m +uXARkY7/h3YptJrRXkmBM8A1g3+Pia90RaJASR9W1LRiPVVb8M0pqVPeeccw1FNq +yxrZzJl967T5gIWzRZ8ASvhJc/RMxeA6BCfqGp6ehGUgGVb2dlOHQkU9fu6l+4NG +9sNAzAEkFe2Gdfq5AQ0ET9JkTwEIAOfdWdtPzHRgRLw0uEegoocn47exFoacgEGP +xi5OFSnDY1IxckvpNap1bshvPQGPtA/p/K33NvX8hZzhk6YGgPzHh0b04GRFQFRC +TspjjDk8poSuX8JiWnL1jzluFpriV8X7j1pos9fdIS0gQMBAHFTeGJooAfopZAoy +8GycXUNBOiuLG4Eihbqq3E1BnDVdr5HIJKrMV2RisyukL5GYNbSp0l1DIAurYEbN +AoUMK/9qe/6iSiX0VMgpXJpVZyFJhI6Z+/7Na0WPN4jjLgva+6g/eo8HPzKZOTak +lhInBr9+5rl9uA8P1LqYwg0oshK/2LYF+STqfrzcRGldXajd6G0AEQEAAYkBHwQY +AQIACQUCT9JkTwIbDAAKCRBj3x5E2Cl5frptB/4z7KzQV9X0vR6NdRVHWFnaAuFW +gzIefG+XZR9xS4Wgc9pEMRs5ZR1bRbHWd2yNiBckajHOOSYdRD2ECMlCYrBhmH0M +ep3vS9ly2rJRlgeFeNUdXtu0+XVdZGFsULlW2Kcb2Pv/UvOnmEppL1caAfEAMMjw 
+Nc2QIKPYEyMLVQ/x7x61/RRqIuwSZL4xVAjrMic9m/gpsnwB+pxwmT2h3+BDF/gY +jOz4YFWYV1HDYu1EFRmtpsnpuSC7xiMN92RNkBsdXLeXSkNqxLbqEISx37NFxcCy +5pz0AytWpZNyYql2RWfiWWQa8TDjPeufxxd0+87OpJ6eHrRtpTRMsbdnC21s +=fY8a +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBFbxoXsBCADm7C+gJkjU10vpMkmB9LP2HuJrzzvCuOLeaFKB0wM0y3seNvKJ +VSeNg76Db4gCZ0Fw8eBk3V49cnjPqtHqB6fBlx3zyu9jcN6RQLO+sLZy7xrqwZkx +Lox+D/iBU97wXDudVE3Li4J04goBH8NsQ/bf41H6ZEhLWO3xM4mrwb1BNhyC7+Hm +O0wkCNHe2P+Vf7Vss3FZ6ZPAynLOvFHHE2W0mAV0fA79Pe/nbA7kP6CueyxKLsFR +xGavRir+19WSFq19xzMg1S4pDGOqm4PBnJvwlwjFz/4yIn0uSoaFtuJIfDvYTgFh +XZJFR8sV/0AbZLybKsCv9pEgYlm1oeiQSk77ABEBAAG0IkNvc3RhIFRzYW91c2lz +IDxjb3N0YUB0c2FvdXNpcy5ncj6JATkEEwEIACMFAlbxoXsCGwMHCwkIBwMCAQYV +CAIJCgsEFgIDAQIeAQIXgAAKCRApyjNYibmoY1RPB/9o8azh6siD7VsHWjaMStBU +alSa9nyGIinZzmb2u94VzdPUF0ZW08HI++I37HoAIQmXEa1oUtNK4D6pUYhrJpL6 +NnOVVhfFbJH1Siwl1v0dqpNqKmcJ0oUvHEHsKfGWBGqqQCFE4bnDmyayedunzoUV +aXnUt+3dTD8hwOcicKQ1CID2rT8QvEoSv4jIGqks8t+Dnvp0Gx8bKvxF2CYfEQlr +LxZbXrjloXQR4IaAjv/Wxpghl0RXslXIx6yRiHYu4QavBDYvL9iZ2168eIUiRiUD +xkT38N6Itj/YfhBjW+ZXHF73UeGwFlYjagJM7YG3dKrB31OsUdch9leBcw2satmA +uQENBFbxoXsBCADC+y/ZuxxKn742DYoXX6BvedjNwdrs5swEWrg4JnzdXRAW8g5D +6YkPlfQ56ov7yXuOAjTgU4vMA0OjI0JN1DrR9ZmsyvmOtQq9+mZMZLFeFSPYXDRa +0EuBFs6m2V0kq5sfFqcsItC6RSQu0mTu+1HmOmrat2o4XZXhT5Jr/QXQ6ShHkWmm +823y4XBOxHzDRD6NfZKJbiWfLkmS5Ojza2pOp6otxlLmsknQrEe8V2mHNjiJntMv +cSv9tJO6EnN613eo/IDejz9mrGJURbu/hTWHX00ONYmwfOmCtF4nPMyh85B3NSTF +JhORjziEGt4lnOPV6G0vK1hlD2kwmZ48tLy3ABEBAAGJAR8EGAEIAAkFAlbxoXsC +GwwACgkQKcozWIm5qGPD7Af+Pg398YBVnYW/ze5pGDd/IEPhmUp/mSRu2nU9pZXa +k30eItf3Cd5JfYIKBFgeOlEx8hb0bXU2OReb1bUpT9aAW7h7YW2F9tjm1gBPdtD4 +iO9jBiNbI6wvUwPsW95f7BMKlh9tO71MmFpghKD5Dougl9X8LmXUa35PDrJxcXAi +BaLXcrdqjxB/6r+0RFHYzr/JgMCgenu7DQMHUi0P7P+uMbhZwMuVvAtUIgbb8Vw3 +WQ6cJBbrwiAWwVjF1JauFdB8Oy/fm7k1TTein9nWXF1tZ/OTdUDriqktHbkSVjvN +SKW3nD2RpZ4F5Pa3uNcK9lcbBfM126HCzybjZHZntcyvSA== +=7nny +-----END PGP PUBLIC KEY BLOCK----- -- 2.39.2