From 9b7505af297a7176f285db979fd983a0f6bf9457 Mon Sep 17 00:00:00 2001
From: Jamis Buck
Date: Tue, 11 Jul 2023 11:36:17 -0600
Subject: [PATCH] Prepare release for Mongoid 8.1.1 (#5663)
* version bump
* check for signed gems without resorting to Docker
* MONGOID-5689 fix documentation error in 8.1 release notes
---
 Rakefile | 25 ++++++++++++++++++
 docs/release-notes/mongoid-8.1.txt | 4 +--
 lib/mongoid/version.rb | 2 +-
 release.sh | 22 ++--------------
 release/mri/Dockerfile | 11 --------
 release/mri/build.sh | 5 +---
 release/verify-signature.sh | 41 ------------------------------
 7 files changed, 31 insertions(+), 79 deletions(-)
 delete mode 100644 release/mri/Dockerfile
 delete mode 100755 release/verify-signature.sh
diff --git a/Rakefile b/Rakefile
index dac321af75..c8ce790d29 100644
--- a/Rakefile
+++ b/Rakefile
@@ -11,6 +11,15 @@ $: << File.join(ROOT, 'spec/shared/lib')
 require "rake"
 require "rspec/core/rake_task"
 require 'mrss/spec_organizer'
+require 'rubygems/package'
+require 'rubygems/security/policies'
+
+def signed_gem?(path_to_gem)
+ Gem::Package.new(path_to_gem, Gem::Security::HighSecurity).verify
+ true
+rescue Gem::Security::Exception => e
+ false
+end
 $LOAD_PATH.unshift File.expand_path("../lib", __FILE__)
 require "mongoid/version"
@@ -103,3 +112,19 @@ namespace :release do
 end
 end
 end
+
+desc 'Verifies that all built gems in pkg/ are valid'
+task :verify do
+ gems = Dir['pkg/*.gem']
+ if gems.empty?
+ puts 'There are no gems in pkg/ to verify'
+ else
+ gems.each do |gem|
+ if signed_gem?(gem)
+ puts "#{gem} is signed"
+ else
+ abort "#{gem} is not signed"
+ end
+ end
+ end
+end
diff --git a/docs/release-notes/mongoid-8.1.txt b/docs/release-notes/mongoid-8.1.txt
index baeb4bdd52..d397ae8ae4 100644
--- a/docs/release-notes/mongoid-8.1.txt
+++ b/docs/release-notes/mongoid-8.1.txt
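Review bot: In the Rakefile, `signed_gem?` rescues `Gem::Security::Exception` and returns `false` without using `e`, so every policy failure is later reported as "is not signed". Under `Gem::Security::HighSecurity` that covers an unsigned gem but also a signed gem whose certificate chain is not trusted on the build host or otherwise fails chain validation, and the release operator cannot tell which. The `release/verify-signature.sh` that this commit deletes ran `gem cert --add gem-public_cert.pem` before its check; nothing visible here replaces that step, so the result presumably depends on whatever the host's gem trust store already contains. I would surface the reason before returning, e.g. `warn "#{path_to_gem}: #{e.message}"`, and add a comment above the method stating that the signing certificate must already be trusted for the check to pass.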
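Review bot: The `verify` task added at the end of the Rakefile treats an empty `pkg/` as success: when `Dir['pkg/*.gem']` finds nothing it prints a message and returns normally, so `rake build verify` exits zero even though no signature was checked. A release gate should fail closed here; `abort 'There are no gems in pkg/ to verify' if gems.empty?` keeps the message and makes the task exit non-zero. Separately, the block parameter `gem` shadows `Kernel#gem` inside the loop, and a name such as `gem_path` would read more clearly.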
@@ -324,7 +324,7 @@ Added ``:replace`` option to ``#upsert``
 ----------------------------------------
 Mongoid 8.1 adds the ``:replace`` option to the ``#upsert`` method. This option
-is ``false`` by default.
+is ``true`` by default.
 In Mongoid 8 and earlier, and in Mongoid 8.1 when passing ``replace: true`` (the default) the upserted document will overwrite the current document in the
@@ -396,7 +396,7 @@ Added ``none_of`` Query Method
 ------------------------------
 With the addition of ``none_of``, Mongoid 8.1 allows queries to exclude
-conditions in bulk. The emitted query will encapsulate the specified
+conditions in bulk. The emitted query will encapsulate the specified
 criteria in a ``$nor`` operation. For example:
 .. code:: ruby
diff --git a/lib/mongoid/version.rb b/lib/mongoid/version.rb
index 7ef12601f4..1f997e0675 100644
--- a/lib/mongoid/version.rb
+++ b/lib/mongoid/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Mongoid
- VERSION = "8.1.0"
+ VERSION = "8.1.1"
 end
diff --git a/release.sh b/release.sh
index 3cc07b8ff1..39554e854c 100755
--- a/release.sh
+++ b/release.sh
@@ -17,32 +17,14 @@ VERSION=`ruby -Ilib -r$VERSION_REQUIRE -e "puts $VERSION_CONSTANT_NAME"`
 echo "Releasing $NAME $VERSION"
 echo
-for variant in mri; do
- docker build -f release/$variant/Dockerfile -t $RELEASE_NAME-$variant .
-
- docker kill $RELEASE_NAME-$variant || true
- docker container rm $RELEASE_NAME-$variant || true
-
- docker run -d --name $RELEASE_NAME-$variant -it $RELEASE_NAME-$variant
-
- docker exec $RELEASE_NAME-$variant /app/release/$variant/build.sh
-
- if test $variant = jruby; then
- docker cp $RELEASE_NAME-$variant:/app/pkg/$NAME-$VERSION-java.gem .
- else
- docker cp $RELEASE_NAME-$variant:/app/pkg/$NAME-$VERSION.gem .
- fi
-
- docker kill $RELEASE_NAME-$variant
-done
+./release/mri/build.sh
+cp pkg/$NAME-$VERSION.gem .
 echo
 echo Built: $NAME-$VERSION.gem
-#echo Built: $NAME-$VERSION-java.gem
 echo
 git tag -a v$VERSION -m "Tagging release: $VERSION"
 git push origin v$VERSION
 gem push $NAME-$VERSION.gem
-#gem push $NAME-$VERSION-java.gem
diff --git a/release/mri/Dockerfile b/release/mri/Dockerfile
deleted file mode 100644
index 89c98394fb..0000000000
--- a/release/mri/Dockerfile
+++ /dev/null
@@ -1,11 +0,0 @@
-FROM debian:11
-
-ENV DEBIAN_FRONTEND=noninteractive
-
-RUN apt-get update && \
- apt-get -y install git ruby-bundler make gcc ruby-dev \
- libxml2-dev zlib1g-dev
-
-WORKDIR /app
-
-COPY . .
diff --git a/release/mri/build.sh b/release/mri/build.sh
index 5f00c14dce..c751dc7875 100755
--- a/release/mri/build.sh
+++ b/release/mri/build.sh
@@ -4,7 +4,4 @@ set -e
 rm -f *.lock
 rm -f *.gem pkg/*.gem
-bundle install --without=test
-# Uses bundler gem tasks, outputs the built gem file to pkg subdir.
-rake build
-/app/release/verify-signature.sh pkg/*.gem
+rake build verify
diff --git a/release/verify-signature.sh b/release/verify-signature.sh
deleted file mode 100755
index dbac2100b9..0000000000
--- a/release/verify-signature.sh
+++ /dev/null
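Review bot: In release.sh, the script now goes straight from `./release/mri/build.sh` to `git tag`, `git push` and `gem push`, and these lines do not check the build script's exit status. Whether release.sh runs under `set -e` is not visible in this hunk; if it does not, a failed signature check in the build step would not stop the tag from being pushed. An explicit `./release/mri/build.sh || exit 1` makes the gate independent of shell options. The expansions in `cp pkg/$NAME-$VERSION.gem .` are also unquoted, and `cp "pkg/$NAME-$VERSION.gem" .` is the safer spelling.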
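Review bot: In release/mri/build.sh, `rm -f *.lock` and `rm -f *.gem pkg/*.gem` were written for the throwaway container, and with release.sh now calling this script directly they delete lock files and built gems in the releaser's own checkout. With `bundle install --without=test` removed, the gem is presumably built and verified with whatever dependency versions are already installed on the host, which makes the release artifact depend on the operator's machine. The comment explaining that `rake build` writes to `pkg/` was dropped as well; I would restore it in updated form, e.g. `# Builds the gem into pkg/ and aborts unless it passes the signature check (rake verify).`, and state the expected working directory and preinstalled dependencies in the script header.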
@@ -1,41 +0,0 @@
-#!/bin/bash
-
-set -ex
-
-gem="$1"
-if test -z "$gem"; then
- echo "Usage: `basename $0` /path/to/built.gem" 1>&2
- exit 1
-fi
-
-gem cert --add gem-public_cert.pem
-gem install -P HighSecurity $gem
-
-exit
-
-# The verification below does not work.
-# https://github.com/rubygems/rubygems/issues/3680
-
-# https://docs.ruby-lang.org/en/2.7.0/Gem/Security.html
-
-tar xf $gem
-
-# Grab the public key from the gemspec
-
-gem spec $gem cert_chain | \
- ruby -ryaml -e 'puts YAML.load(STDIN)' > actual_public_key.crt
-
-for file in data.tar.gz metadata.tar.gz; do
- # Generate a SHA1 hash of the data.tar.gz
-
- openssl dgst -sha1 < $file > actual.hash
-
- # Verify the signature
-
- openssl rsautl -verify -inkey actual_public_key.crt -certin \
- -in $file.sig > signed.hash
-
- # Compare your hash to the verified hash
-
- diff -s actual.hash signed.hash
-done