Commit 2ca22f37 authored by intrigeri's avatar intrigeri
Browse files

Release process: fetch the ISO from Jenkins and ensure it matches the...

Release process: fetch the ISO from Jenkins and ensure it matches the signature created by the release manager (refs: #12629).
parent b4d16835
......@@ -784,20 +784,6 @@ Sanity check
Verify once more that the TBB we ship is still the most recent (see
above).
## Announce, seed and test the Torrents
Announce and seed the Torrents.
Test them with a BitTorrent client running in a different place.
## Download and seed image from lizard
scp "${ISOS:?}/tails-amd64-${VERSION:?}.torrent" \
bittorrent.lizard: && \
ssh bittorrent.lizard \
transmission-remote --add tails-amd64-${VERSION:?}.torrent \
--find /var/lib/transmission-daemon/downloads/
<a id="publish-iuk"></a>
Publish the ISO and IUK over HTTP
......@@ -811,25 +797,42 @@ Upload the IUKs to the primary rsync mirror:
rsync.lizard:
done
Upload the ISO to the primary rsync mirror:
Upload the ISO signature to the primary rsync mirror:
scp \
"${ISOS:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso.sig" \
rsync.lizard:
Pick a build from `$RELEASE_BRANCH` that produced an ISO identical to
the one you've built locally (`XXX` must be the job ID, i.e.
an integer):
MATCHING_JENKINS_BUILD_ID=XXX
ssh lizard.tails.boum.org \
scp -3 -r \
bittorrent.lizard:/var/lib/transmission-daemon/downloads/tails-amd64-${VERSION:?} \
rsync.lizard:
Copy the ISO to the primary rsync mirror and verify the signature:
cat "${RELEASE_CHECKOUT:?}/wiki/src/tails-signing.key" \
| ssh rsync.lizard gpg --import
ssh rsync.lizard << EOF
wget \
"https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.iso" && \
gpg --verify tails-amd64-${VERSION:?}.iso{.sig,}
EOF
Move files in place with proper ownership and permissions:
ssh rsync.lizard << EOF
sudo chown -R root:rsync_tails \
tails-amd64-${VERSION:?} \
Tails_amd64_${PREVIOUS_VERSION:?}_to_${VERSION:?}.iuk && \
sudo chmod -R u=rwX,go=rX \
tails-amd64-${VERSION:?} \
Tails_amd64_${PREVIOUS_VERSION:?}_to_${VERSION:?}.iuk && \
sudo mv tails-amd64-${VERSION:?} \
/srv/rsync/tails/tails/${DIST:?}/ && \
sudo mv Tails_amd64_${PREVIOUS_VERSION:?}_to_${VERSION:?}.iuk \
sudo install -o root -g rsync_tails -m 0755 -d \
/srv/rsync/tails/tails/${DIST:?}/tails-amd64-${VERSION:?} && \
sudo chown root:rsync_tails \
tails-amd64-${VERSION:?}.iso* \
Tails_amd64_*_to_${VERSION:?}.iuk && \
sudo chmod u=rwX,go=rX \
tails-amd64-${VERSION:?}.iso* \
Tails_amd64_*_to_${VERSION:?}.iuk && \
sudo mv tails-amd64-${VERSION:?}.iso* \
/srv/rsync/tails/tails/${DIST:?}/tails-amd64-${VERSION:?} && \
sudo mv Tails_amd64_*_to_${VERSION:?}.iuk \
/srv/rsync/tails/tails/${DIST:?}/iuk/
EOF
......@@ -847,6 +850,34 @@ and on the live wiki (even for a release candidate):
git push origin master
)
## Announce, seed and test the Torrents
cat "${RELEASE_CHECKOUT:?}/wiki/src/tails-signing.key" \
| ssh bittorrent.lizard gpg --import
scp \
"${ISOS:?}/tails-amd64-${VERSION:?}.torrent" \
"${ISOS:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso.sig" \
bittorrent.lizard: && \
ssh bittorrent.lizard << EOF
mkdir --mode 0755 "tails-amd64-${VERSION:?}" && \
mv "tails-amd64-${VERSION:?}.iso.sig" \
"tails-amd64-${VERSION:?}/" && \
cd "tails-amd64-${VERSION:?}" && \
wget \
"https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.iso" && \
gpg --verify tails-amd64-${VERSION:?}.iso{.sig,} && \
cd && \
chmod -R go+rX "tails-amd64-${VERSION:?}" && \
sudo mv \
"tails-amd64-${VERSION:?}" \
/var/lib/transmission-daemon/downloads/ && \
transmission-remote --add tails-amd64-${VERSION:?}.torrent \
--find /var/lib/transmission-daemon/downloads/
EOF
Test that you can start downloading the ISO with a BitTorrent client.
ISO history
-----------
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment