diff --git a/Rakefile b/Rakefile index dac321af75..c8ce790d29 100644 --- a/Rakefile +++ b/Rakefile @@ -11,6 +11,15 @@ $: << File.join(ROOT, 'spec/shared/lib') require "rake" require "rspec/core/rake_task" require 'mrss/spec_organizer' +require 'rubygems/package' +require 'rubygems/security/policies' + +def signed_gem?(path_to_gem) + Gem::Package.new(path_to_gem, Gem::Security::HighSecurity).verify + true +rescue Gem::Security::Exception => e + false +end $LOAD_PATH.unshift File.expand_path("../lib", __FILE__) require "mongoid/version" @@ -103,3 +112,19 @@ namespace :release do end end end + +desc 'Verifies that all built gems in pkg/ are valid' +task :verify do + gems = Dir['pkg/*.gem'] + if gems.empty? + puts 'There are no gems in pkg/ to verify' + else + gems.each do |gem| + if signed_gem?(gem) + puts "#{gem} is signed" + else + abort "#{gem} is not signed" + end + end + end +end diff --git a/lib/mongoid/version.rb b/lib/mongoid/version.rb index 74df5a10a5..c147284689 100644 --- a/lib/mongoid/version.rb +++ b/lib/mongoid/version.rb @@ -1,5 +1,5 @@ # frozen_string_literal: true module Mongoid - VERSION = "8.0.4" + VERSION = "8.0.5" end diff --git a/release.sh b/release.sh index 3cc07b8ff1..39554e854c 100755 --- a/release.sh +++ b/release.sh 
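Review bot: `signed_gem?` checks the gem against the releaser's local RubyGems trust store rather than against this project's certificate: `Gem::Security::HighSecurity` passes for any signer whose root is in `~/.gem/trust`, and the `gem cert --add gem-public_cert.pem` step that seeded that store in the deleted verify-signature.sh has no replacement here, so on a fresh host a correctly signed gem fails while a host that trusts other certificates accepts gems signed by them. The `rescue` also discards `e`, so an untrusted root, an expired certificate and a tampered `data.tar.gz` all surface as the same "is not signed" in the task below. I would pin the signer to the checked-in certificate (assuming, as the deleted script implies, `gem-public_cert.pem` sits at the repo root and is what the gemspec lists as `cert_chain`) and print the policy's message; HighSecurity still requires that certificate in the trust store, so that seeding step belongs in the release instructions or back in build.sh.
```ruby
def signed_gem?(path_to_gem)
  package = Gem::Package.new(path_to_gem, Gem::Security::HighSecurity)
  package.verify
  # HighSecurity accepts any signer present in the local trust dir; also pin
  # the signer to the certificate checked into this repository.
  expected_cert = File.read(File.join(ROOT, 'gem-public_cert.pem')).strip
  package.spec.cert_chain.first.to_s.strip == expected_cert
rescue Gem::Security::Exception => e
  warn "#{path_to_gem}: #{e.message}"
  false
end
```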
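Review bot: An empty `pkg/` passes this gate: the `gems.empty?` branch only prints a message and the task exits 0, so a `rake build` that produced nothing (or wrote somewhere else) still lets build.sh and release.sh proceed to the tag and push steps. For a release check that branch should fail, `abort 'There are no gems in pkg/ to verify'`. The `desc` also promises more than the task does ("valid") when it only checks the signature policy; `desc 'Verifies that every built gem in pkg/ carries a trusted signature'` matches `signed_gem?`. The block parameter `gem` shadows `Kernel#gem`; `gem_path` avoids that confusion.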
@@ -17,32 +17,14 @@ VERSION=`ruby -Ilib -r$VERSION_REQUIRE -e "puts $VERSION_CONSTANT_NAME"` echo "Releasing $NAME $VERSION" echo -for variant in mri; do - docker build -f release/$variant/Dockerfile -t $RELEASE_NAME-$variant . - - docker kill $RELEASE_NAME-$variant || true - docker container rm $RELEASE_NAME-$variant || true - - docker run -d --name $RELEASE_NAME-$variant -it $RELEASE_NAME-$variant - - docker exec $RELEASE_NAME-$variant /app/release/$variant/build.sh - - if test $variant = jruby; then - docker cp $RELEASE_NAME-$variant:/app/pkg/$NAME-$VERSION-java.gem . - else - docker cp $RELEASE_NAME-$variant:/app/pkg/$NAME-$VERSION.gem . - fi - - docker kill $RELEASE_NAME-$variant -done +./release/mri/build.sh +cp pkg/$NAME-$VERSION.gem . echo echo Built: $NAME-$VERSION.gem -#echo Built: $NAME-$VERSION-java.gem echo git tag -a v$VERSION -m "Tagging release: $VERSION" git push origin v$VERSION gem push $NAME-$VERSION.gem -#gem push $NAME-$VERSION-java.gem diff --git a/release/mri/Dockerfile b/release/mri/Dockerfile deleted file mode 100644 index 89c98394fb..0000000000 --- a/release/mri/Dockerfile +++ /dev/null @@ -1,11 +0,0 @@ -FROM debian:11 - -ENV DEBIAN_FRONTEND=noninteractive - -RUN apt-get update && \ - apt-get -y install git ruby-bundler make gcc ruby-dev \ - libxml2-dev zlib1g-dev - -WORKDIR /app - -COPY . . diff --git a/release/mri/build.sh b/release/mri/build.sh index 5f00c14dce..c751dc7875 100755 --- a/release/mri/build.sh +++ b/release/mri/build.sh @@ -4,7 +4,4 @@ set -e rm -f *.lock rm -f *.gem pkg/*.gem -bundle install --without=test -# Uses bundler gem tasks, outputs the built gem file to pkg subdir. -rake build -/app/release/verify-signature.sh pkg/*.gem +rake build verify diff --git a/release/verify-signature.sh b/release/verify-signature.sh deleted file mode 100755 index dbac2100b9..0000000000 --- a/release/verify-signature.sh +++ /dev/null 
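Review bot: Nothing in the hunk stops the tag-and-push sequence when the build fails: `./release/mri/build.sh` and the following `cp` are unchecked, and whether `set -e` is in effect is not visible here (the script header is outside the hunk). If it is not, a build that aborts inside `rake build verify` is followed by `git tag`, `git push origin v$VERSION` and `gem push` against whatever `$NAME-$VERSION.gem` happens to exist in the working directory, possibly a copy left by an earlier run. Making the two steps fail on their own, `./release/mri/build.sh || exit 1` and `cp "pkg/$NAME-$VERSION.gem" . || exit 1`, removes the dependence on the header, and removing any stale `$NAME-$VERSION.gem` before the build closes the second gap. Dropping the debian:11 container also means the artifact is now built and signed with whatever Ruby and RubyGems the releaser's host has; a one-line comment above the build call stating that assumption would help the next person running this.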
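Review bot: `rake build verify` now runs without `bundle install` and outside `bundle exec`, so the Rakefile's `require 'mrss/spec_organizer'` and the bundler-provided `build` task resolve against whatever is installed globally on the releaser's machine instead of the locked dependency set; with the `rm -f *.lock` context line above also discarding `Gemfile.lock`, two releasers can build from different dependency versions, and a host without that gem presumably fails with a `LoadError` before `verify` ever runs. Keeping `bundle install --without=test` and running `bundle exec rake build verify` restores a pinned environment. The deleted comment explaining where `build` comes from is worth keeping in some form, e.g. `# bundler's gem task builds into pkg/; the Rakefile's verify task then checks the signature.`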
@@ -1,41 +0,0 @@
-#!/bin/bash
-
-set -ex
-
-gem="$1"
-if test -z "$gem"; then
- echo "Usage: `basename $0` /path/to/built.gem" 1>&2
- exit 1
-fi
-
-gem cert --add gem-public_cert.pem
-gem install -P HighSecurity $gem
-
-exit
-
-# The verification below does not work.
-# https://github.com/rubygems/rubygems/issues/3680
-
-# https://docs.ruby-lang.org/en/2.7.0/Gem/Security.html
-
-tar xf $gem
-
-# Grab the public key from the gemspec
-
-gem spec $gem cert_chain | \
- ruby -ryaml -e 'puts YAML.load(STDIN)' > actual_public_key.crt
-
-for file in data.tar.gz metadata.tar.gz; do
- # Generate a SHA1 hash of the data.tar.gz
-
- openssl dgst -sha1 < $file > actual.hash
-
- # Verify the signature
-
- openssl rsautl -verify -inkey actual_public_key.crt -certin \
- -in $file.sig > signed.hash
-
- # Compare your hash to the verified hash
-
- diff -s actual.hash signed.hash
-done