granicus.if.org Git - libjpeg-turbo/commitdiff
Travis: GPG sign Linux binaries/source tarballs
author DRC <information@libjpeg-turbo.org>
Thu, 20 Oct 2016 06:01:27 +0000 (01:01 -0500)
committer DRC <information@libjpeg-turbo.org>
Thu, 20 Oct 2016 06:13:11 +0000 (01:13 -0500)
Since we're still deploying our Linux/macOS CI artifacts to a web server
(specifically SourceForge Project Web Services) that doesn't support
HTTPS, it's a good idea to sign them.  But since the private key has to
be checked into the repository, we use a different key for signing the
pre-releases (per project policy, the private signing keys for our
release binaries are never made available on any public server.)

.travis.yml
ci/deploy_ljt.enc [deleted file]
ci/keys.enc [new file with mode: 0644]

index 31c41e7fbcf566e66e1de299db7d0925658384a1..e352fd565d9103f340af79a35a5e81bffb2143af 100644 (file)
@@ -43,8 +43,14 @@ before_install:
         docker pull dcommander/buildljt;
       fi &&
       git clone --depth=1 https://github.com/libjpeg-turbo/buildscripts.git ~/src/buildscripts &&
-      openssl aes-256-cbc -K $encrypted_f92e8533f6f1_key -iv $encrypted_f92e8533f6f1_iv -in ci/deploy_ljt.enc -out ~/.ssh/id_rsa -d &&
-      chmod 600 ~/.ssh/id_rsa;
+      openssl aes-256-cbc -K $encrypted_f92e8533f6f1_key -iv $encrypted_f92e8533f6f1_iv -in ci/keys.enc -out ci/keys -d &&
+      tar xf ci/keys &&
+      rm ci/keys &&
+      mv ci/deploy_ljt ~/.ssh/id_rsa &&
+      chmod 600 ~/.ssh/id_rsa &&
+      mv ci/gpgsign ~/src/buildscripts &&
+      gpg --import ci/sign_ljt &&
+      rm ci/sign_ljt;
     fi
   - if [ "$TRAVIS_OS_NAME" = "osx" ]; then
       brew install nasm homebrew/versions/gcc5 md5sha1sum Caskroom/versions/java6 &&
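Review bot: The decrypted archive and every key in it are written as plaintext inside the checkout (`-out ci/keys`, then `tar xf ci/keys` producing `ci/deploy_ljt`, `ci/gpgsign` and `ci/sign_ljt`), and because the steps are chained with `&&`, a failure partway through, for example in `gpg --import ci/sign_ljt`, skips the remaining `rm`/`mv` and leaves private key material on disk in the source tree. Consider decrypting and extracting into a `mktemp -d` directory outside the repository under `umask 077`, and removing that directory in a cleanup step that runs whether or not the chain succeeds. Also, `ci/keys.enc` is decrypted with the same `$encrypted_f92e8533f6f1_key` and `$encrypted_f92e8533f6f1_iv` that were used for the deleted `ci/deploy_ljt.enc`; generating a fresh key/IV pair for the new file would avoid reusing one CBC key and IV across two different plaintexts.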
@@ -59,7 +65,7 @@ script:
         mv .git/shallow .git/shallow.bak;
       fi &&
       if [ "$TRAVIS_OS_NAME" = "linux" ]; then
-        docker run -v $HOME/src/ljt.nightly:/root/src/ljt.nightly -v $HOME/src/buildscripts:/root/src/buildscripts -v $TRAVIS_BUILD_DIR:/root/src/libjpeg-turbo -t dcommander/buildljt:latest bash -c "~/src/buildscripts/buildljt -r file:///root/src/libjpeg-turbo $TRAVIS_BRANCH -v" &&
+        docker run -v $HOME/src/ljt.nightly:/root/src/ljt.nightly -v $HOME/src/buildscripts:/root/src/buildscripts -v $TRAVIS_BUILD_DIR:/root/src/libjpeg-turbo -v $HOME/.gnupg:/root/.gnupg -t dcommander/buildljt:latest bash -c "rpm --import http://pgp.mit.edu/pks/lookup?op=get\&search=0x0575F26BD5B3FDB1 && ~/src/buildscripts/buildljt -r file:///root/src/libjpeg-turbo $TRAVIS_BRANCH -v" &&
         sudo chown -R travis:travis ~/src/ljt.nightly;
       else
         PATH=$PATH:~/src/gas-preprocessor ~/src/buildscripts/buildljt -r file://$TRAVIS_BUILD_DIR $TRAVIS_BRANCH -v;
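Review bot: In the added `docker run` line, `rpm --import http://pgp.mit.edu/pks/lookup?op=get\&search=0x0575F26BD5B3FDB1` fetches the key into the container's RPM keyring over plain HTTP from a public keyserver on every build, so which key ends up trusted depends on an unauthenticated response, and the build depends on the keyserver being reachable. If 0x0575F26BD5B3FDB1 is the key imported from `ci/sign_ljt` in `before_install`, the public half is already available in the `$HOME/.gnupg` keyring mounted at `/root/.gnupg`; exporting it from there with `gpg --export -a` to a file, or committing the public key to the repository, and passing that local file to `rpm --import` would remove the network fetch. Separately, the container paths are under `/root`, so files it creates in the mounted `~/.gnupg` may end up owned by root, while the following `sudo chown -R travis:travis` only covers `~/src/ljt.nightly`.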
diff --git a/ci/deploy_ljt.enc b/ci/deploy_ljt.enc
deleted file mode 100644 (file)
index 86bdb1e..0000000
Binary files a/ci/deploy_ljt.enc and /dev/null differ
diff --git a/ci/keys.enc b/ci/keys.enc
new file mode 100644 (file)
index 0000000..7dbbbf4
Binary files /dev/null and b/ci/keys.enc differ