Commit 909b0bad authored by anonym

Release process: split reproducibility test better and automate++.

Refs: #12629
parent 1a5b6025
......@@ -60,10 +60,6 @@ In a directory with many Tails ISO images:
## For the RM
Substitute the "variables" (prefixed with `$$`, e.g. your would
replace `$$TAG` with `3.0-rc1` if we are testing 3.0~rc1) and
`XXX...` placeholders in the next section.
<div class="note">
Beware! If your have to plug your OpenPGP smart card again after
......@@ -73,137 +69,20 @@ from the beginning.
</div>
Generate the output needed for the next section by following [[these
instructions|test/reproducibility/test/reproducibility/preparation]]!
## For anyone _but_ the RM
Find the "Trusted Reproducer" for this Tails release in the
[[contribute/calendar]]. and send this as
a signed email to this person.
[[contribute/calendar]] and send this as a signed email to this
person:
EMAIL_PLACEHOLDER
Hi, Trusted Reproducer!
You signed up for reproducing Tails $$VERSION. The deadline for doing so
is $$72_HOURS_FROM_NOW.
First, some requirements:
* You need this in your environment:
VERSION=$$VERSION
TAG=$$TAG
TAG_COMMIT=$$TAG_COMMIT
DIST=$$DIST
IUK_SOURCE_VERSIONS=$$IUK_SOURCE_VERSIONS
* And these, that you have to figure out yourself what to set to:
ISOS=<the directory where you store Tails images and IUKs>
IUK_CHECKOUT=<path to your `tails-iuk` Git repository>
ARTIFACTS=<path to your Tails Git repo, or wherever your built images end up>
* Download the published products of this Tails release to some new
directory (*not* where you will store the image and IUKs you will
soon build!):
mkdir tails-amd64-${VERSION:?}
cd tails-amd64-${VERSION:?}
wget --recursive http://dl.amnesia.boum.org/tails/${DIST:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso
cd ..
for old_version in ${IUK_SOURCE_VERSIONS}; do
wget http://dl.amnesia.boum.org/tails/${DIST:?}/iuk/Tails_amd64_${old_version}_to_${VERSION:?}.iuk
done
* In your ISOS directory you need to have present each Tails release
listed in IUK_SOURCE_VERSIONS.
* Your `tails-iuk` (IUK_CHECKOUT) must be checked out at
$$TAG_OF_VERSION_INCLUDED_IN_TAILS_THIS_VERSION.
Please `cd` to your Tails Git repo, and run:
git fetch && \
git checkout "${TAG_COMMIT:?}" && \
if [ "$(git describe --tags --exact-match)" = "${TAG:?}" ]; then
git tag -v "${TAG}"
else
echo 'TAG_COMMIT and TAG does not match!'
fi
* If the last output is a "Good signature" for the expected tag, made by
Tails signing key, then we are good.
* Otherwise, if you see _anything_ else, we're _not_ good; immediately
contact the RM and tails@! Proceeding with the rest of the steps
are pointless in this case, so await instruction.
Next, let's build Tails!
export SOURCE_DATE_EPOCH=$(date --utc --date="$(dpkg-parsechangelog --show-field=Date)" '+%s') && \
rake build && \
mkdir "${ISOS:?}/tails-amd64-${VERSION:?}" && \
mv "${ARTIFACTS:?}/tails-amd64-${VERSION:?}.iso" \
"${ISOS:?}/tails-amd64-${VERSION:?}/"
Then follow the "Build the Incremental Upgrade Kits" instructions in
`wiki/src/contribute/release_process.mdwn`.
Now we'll start verifying stuff. If there is *any* type of mismatch at some
point, let the RM and tails@ know *immediately*!
Compute the SHA-512 hashes of your products with:
cd "${ISOS:?}" && \
sha512sum tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso Tails_amd64_*_to_${VERSION:?}.iuk
and compare the results with what I got:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX tails-amd64-$$VERSION/tails-amd64-$$VERSION.iso
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Tails_amd64_$$VERSION~rc1_to_$$VERSION.iuk
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Tails_amd64_X.Y_to_$$VERSION.iuk
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Tails_amd64_X.Z_to_$$VERSION.iuk
and with what you get from running the same command from the directory you
downloded the "published products" (that you should have downloaded by now,
per the "requirements" section above).
Next, examine the IDF by running:
curl https://tails.boum.org/install/v1/Tails/amd64/${DIST:?}/latest.yml
and checking that:
* the `url` value is the expected ISO image URL, i.e.:
http://dl.amnesia.boum.org/tails/${DIST:?}/tails-amd64-$VERSION/tails-amd64-$VERSION.iso
* the `sha256` value is the `SHA-256` you get from your image (with
e.g. `sha256sum`).
* the `size` value is the number of bytes of your image.
Next, examine each UDF by running:
for old_version in ${IUK_SOURCE_VERSIONS}; do
url=https://tails.boum.org/upgrade/v1/Tails/${old_version}/amd64/${DIST:?}/upgrades.yml
(
echo "Looking at '${url}':"
echo
curl --silent --show-error ${url}
) | less
done
and checking that there are either one or two `target-files`
entries, where `type: full` means a full upgrade (so it refers to
the ISO image) and `type: incremental` means an incremental upgrade
(so it refers to a IUK). Verify
* that the `url` is
http://dl.amnesia.boum.org/tails/${DIST:?}/iuk/Tails_amd64_${old_version}_to_$$VERSION.iuk
* the `sha256` and `size` values just like you did for the IDF previously.
Good luck and have fun!
and attach a file named `SHA512SUMS.txt` with these contents:
SHA512SUMS_PLACEHOLDER
# Automated test suite
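Review bot: The wiki link target in the "Generate the output needed for the next section" paragraph, `test/reproducibility/test/reproducibility/preparation`, repeats the `test/reproducibility` segment, whereas the template this commit references lives at `wiki/src/contribute/release_process/test/reproducibility/verification-email.template`. Please check that the link resolves when the wiki is built and drop the duplicated segment if it does not. The instruction to send the message as a signed email also deserves a second look: the expected hashes now travel in the `SHA512SUMS.txt` attachment, so the signature has to cover the attachment and not only the body.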
......
[[!meta title="Preparing the email for the Trusted Verifier"]]
Make sure you still have your variables set from following the release
process (incl. `IUK_SOURCE_VERSIONS`), then run:
DEADLINE="$(date -d 'now + 72 hours')" && \
IUK_VERSION="$(awk '/^tails-iuk\s/ { print $2 }' {${ARTIFACTS:?},${RELEASE_CHECKOUT:?}/wiki/src/torrents/files}/tails-amd64-${VERSION:?}.{,iso.}packages 2>/dev/null | head -n1)" && \
if [ -z "${IUK_VERSION}" ]; then
echo 'Failed to determine IUK_VERSION, aborting' && \
false
fi && \
IUK_CHECKOUT_TAG="debian/${IUK_VERSION}"
TAG_COMMIT="$(git rev-parse --verify ${TAG:?})"
INPUTS="DEADLINE DIST IUK_CHECKOUT_TAG IUK_SOURCE_VERSIONS TAG TAG_COMMIT VERSION"
sh <<EOF
sed --regexp-extended \
$(for var in ${INPUTS:?}; do
val="$(eval "echo \${${var}:?}")" && \
echo -n "-e 's@\\\$\\{${var}\\}@${val}@' "
done) \
wiki/src/contribute/release_process/test/reproducibility/verification-email.template
EOF
and carefully make sure there were no errors, and that each variable
was replaced (i.e. you should see no `$` in the output). If the output
looks good, replace `EMAIL_PLACEHOLDER` on the testing pad with
it. Then run:
( \
cd "${ISOS:?}" && \
sha512sum tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso \
Tails_amd64_*_to_${VERSION:?}.iuk \
)
and replace `SHA512SUMS_PLACEHOLDER` in the testing pad with the
output.
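Review bot: The abort on an empty `IUK_VERSION` does not stop the procedure. The `fi && \` chain ends at `IUK_CHECKOUT_TAG="debian/${IUK_VERSION}"`, and the `TAG_COMMIT=`, `INPUTS=` and `sh <<EOF` lines after it are separate commands, so they still run after 'Failed to determine IUK_VERSION, aborting' and can pick up an `IUK_CHECKOUT_TAG` left over from an earlier run. Suggest ending the `IUK_CHECKOUT_TAG`, `TAG_COMMIT` and `INPUTS` lines with `&& \` as well, so a failure skips the `sed` step. Two smaller points: `git rev-parse --verify ${TAG:?}` yields the tag object's ID for an annotated or signed tag, so `"${TAG:?}^{commit}"` would make `TAG_COMMIT` hold what its name says; and the page title says "Trusted Verifier" while the email template addresses the "Trusted Reproducer".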
Hi, Trusted Reproducer!
You signed up for reproducing Tails ${VERSION}. The deadline for doing
so is ${DEADLINE}.
Here are the inputs:
DIST=${DIST}
IUK_CHECKOUT_TAG=${IUK_CHECKOUT_TAG}
IUK_SOURCE_VERSIONS=${IUK_SOURCE_VERSIONS}
TAG=${TAG}
TAG_COMMIT=${TAG_COMMIT}
VERSION=${VERSION}
Attached you will find SHA512SUMS.txt containing all needed hashes.
Check out the ${TAG} tag in Tails' Git repo and read the instructions
from:
wiki/src/contribute/release_process/test/reproducibility/verification.mdwn
or if you build the website:
config/chroot_local-includes/usr/share/doc/tails/website/contribute/release_process/test/reproducibility/verification.html
Good luck and have fun!
[[!meta title="Trusted verification of reproducibility"]]
[[!toc levels=2]]
# Preparation
## Inputs
You will need some environment variables set when following these
instructions.
### Inputs received be email
You should receive values for the following variables:
* `DIST`
* `IUK_CHECKOUT_TAG`
* `IUK_SOURCE_VERSIONS`
* `TAG`
* `TAG_COMMIT`
* `VERSION`
as well as a `SHA512SUMS.txt` file attached.
### Your inputs
Set these variables according to the beginning of our
[[contribute/release_process]] document:
* `ARTIFACTS`
* `ISOS`
* `IUK_CHECKOUT`
Also set these accordingly:
* `ISOS_CHECKOUT`: path to your Tails ISO history repo checout.
* `PUBLISHED_ARTIFACTS`: some _new_ directory where you can download
gigabytes of data to.
* `SHA512SUMS`: the path of the `SHA512SUMS.txt` file from above.
* `TAILS_CHECKOUT`: path to your Tails Git repo checkout.
## Download published products
mkdir -p "${PUBLISHED_ARTIFACTS:?}" && \
cd "${PUBLISHED_ARTIFACTS:?}" && \
mkdir tails-amd64-${VERSION:?} && \
cd tails-amd64-${VERSION:?} && \
wget --recursive http://dl.amnesia.boum.org/tails/${DIST:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso && \
cd .. && \
for old_version in ${IUK_SOURCE_VERSIONS}; do
wget http://dl.amnesia.boum.org/tails/${DIST:?}/iuk/Tails_amd64_${old_version}_to_${VERSION:?}.iuk
done
## Obtain needed old Tails releases
cd "${ISOS_CHECKOUT:?}" && \
git annex sync && \
for old_version in ${IUK_SOURCE_VERSIONS:?}; do
tails_dir="tails-amd64-${old_version}" && \
if [ ! -d "${ISOS:?}/${tails_dir}" ]; then
git annex get "${tails_dir}" && \
cp -r "${tails_dir}" "${ISOS:?}"
fi
done
## Refresh tails-iuk Git repo
cd "${IUK_CHECKOUT:?}" && \
git fetch && \
git checkout "${IUK_CHECKOUT_TAG:?}"
# Reproduce Tails
## Fetch and verify the Git tag
cd "${TAILS_CHECKOUT:?}" && \
git fetch && \
git checkout "${TAG_COMMIT:?}" && \
if [ "$(git describe --tags --exact-match)" = "${TAG:?}" ]; then
git tag -v "${TAG}"
else
echo 'TAG_COMMIT and TAG does not match!'
fi
* If the last output is a "Good signature" for the expected tag, made by
Tails signing key, then we are good.
* Otherwise, if you see _anything_ else, we're _not_ good; immediately
contact the RM and tails@! Proceeding with the rest of the steps
are pointless in this case, so await instruction.
## Reproduce the image
export SOURCE_DATE_EPOCH=$(date --utc --date="$(dpkg-parsechangelog --show-field=Date)" '+%s') && \
rake build && \
mkdir "${ISOS:?}/tails-amd64-${VERSION:?}" && \
mv "${ARTIFACTS:?}/tails-amd64-${VERSION:?}.iso" \
"${ISOS:?}/tails-amd64-${VERSION:?}/"
## Reproduce IUKs
Follow the "Build the Incremental Upgrade Kits" instructions in
`wiki/src/contribute/release_process.mdwn`. Note that the value of
`SOURCE_DATE_EPOCH` set above is needed!
# Verification
If there is *any* type of mismatch at some point below, let the RM and
tails@ know *immediately*!
## Verify your products
cd "${ISOS:?}" && \
sha512sum -c "${SHA512SUMS:?}"
## Verify published products
cd "${PUBLISHED_ARTIFACTS:?}" && \
sha512sum -c "${SHA512SUMS:?}"
## Verify IDF
Examine the IDF by running:
curl https://tails.boum.org/install/v1/Tails/amd64/${DIST:?}/latest.yml
and checking that:
* the `url` value is the expected ISO image URL, i.e.:
http://dl.amnesia.boum.org/tails/${DIST:?}/tails-amd64-$VERSION/tails-amd64-$VERSION.iso
* the `sha256` value is the `SHA-256` you get from your image (with
e.g. `sha256sum`).
* the `size` value is the number of bytes of your image.
## Verify UDFs
Examine each UDF by running:
for old_version in ${IUK_SOURCE_VERSIONS}; do
url=https://tails.boum.org/upgrade/v1/Tails/${old_version}/amd64/${DIST:?}/upgrades.yml
(
echo "Looking at '${url}':"
echo
curl --silent --show-error ${url}
) | less
done
and checking that there are either one or two `target-files`
entries, where `type: full` means a full upgrade (so it refers to
the ISO image) and `type: incremental` means an incremental upgrade
(so it refers to a IUK). Verify
* that the `url` is
http://dl.amnesia.boum.org/tails/${DIST:?}/iuk/Tails_amd64_${old_version}_to_$$VERSION.iuk
* the `sha256` and `size` values just like you did for the IDF previously.
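Review bot: In "Download published products", `wget --recursive` by default recreates the host and path hierarchy (`dl.amnesia.boum.org/tails/...`) under the current directory, so the ISO will not end up at `tails-amd64-${VERSION}/tails-amd64-${VERSION}.iso` relative to `PUBLISHED_ARTIFACTS`, and the later `sha512sum -c "${SHA512SUMS:?}"` in "Verify published products" would then report the file as missing instead of checking it. Suggest dropping `--recursive` for the single ISO download, as is already done for the IUKs. The UDF check also still uses the old placeholder form `$$VERSION` in the expected IUK URL, while the rest of the file uses shell variables; it should read `${VERSION}` or the reproducer will compare against a literal that never matches. Minor: "received be email" and "checout" are typos.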