author | RJ Skerry-Ryan <rryan@mixxx.org> | 2020-07-19 22:34:53 -0700 |
---|---|---|
committer | RJ Skerry-Ryan <rryan@mixxx.org> | 2020-07-20 11:26:37 -0700 |
commit | 9226812ccb63d6d65aae5a25013d8647c3d6863d (patch) | |
tree | 3fd1b0299526e8d065ba36dcebf546b695274866 /build | |
parent | 4669ad2bdffe610acbcb2f41c996ab19c003458a (diff) |
Deploy dmg and deb files built on Travis to downloads.mixxx.org.
Adds an RSA key that is authorized to log in to
downloads-hostgator.mixxx.org. This key is encrypted with a password which is
provided as a Travis secure variable.
Diffstat (limited to 'build')
-rw-r--r-- | build/certificates/README.md | 20 | ||||
-rw-r--r-- | build/certificates/downloads-hostgator.mixxx.org.key | 54 | ||||
-rw-r--r-- | build/certificates/downloads-hostgator.mixxx.org.key.pub | 1 | ||||
-rwxr-xr-x | build/travis/deploy.sh | 36 |
4 files changed, 111 insertions, 0 deletions
diff --git a/build/certificates/README.md b/build/certificates/README.md
new file mode 100644
index 0000000000..7e171873c7
--- /dev/null
+++ b/build/certificates/README.md
@@ -0,0 +1,20 @@
+
+# Key Rotation
+
+# downloads-hostgator.mixxx.org
+
+SSH access is granted via an RSA key stored in `build/certificates/downloads-hostgator.mixxx.org.key`.
+
+To rotate this key, generate a new RSA key with a strong password (e.g. 32 character randomly generated).
+
+```
+ssh-keygen -t rsa -b 4096 -f downloads-hostgator.mixxx.org.key
+```
+
+Copy the **public** key to `$HOME/.ssh/authorized_keys`, replacing the old file to remove access for the current key.
+
+Encrypt the password using `travis encrypt` and update `.travis.yml`.
+
+```
+travis encrypt DOWNLOADS_HOSTGATOR_DOT_MIXXX_DOT_ORG_KEY_PASSWORD=hunter2 -r mixxxdj/mixxx
+```
diff --git a/build/certificates/downloads-hostgator.mixxx.org.key b/build/certificates/downloads-hostgator.mixxx.org.key
new file mode 100644
index 0000000000..5bc5cc8f05
--- /dev/null
+++ b/build/certificates/downloads-hostgator.mixxx.org.key
@@ -0,0 +1,54 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,4D25AED6ED1AD07B47186093278F7F27 + +/aFQab21BJ4OnILuHd/FoXQfURebSWX/LhKrukZLqE1TvkftwDVhjHHjxFmo1yp2 +oU8B4vx15os5QZa24KNGBsFVGd59scSEIZO8MTLk+T0hvF6huA7x3B6FGE7T9prJ +swKghpM9sn72IRRBF8XPmk2lPw1XwC2AcUMSp0kqPK96jxAdsbqroKfhVMWIuNEC ++kiuZjoJNkrfnwsKd3aIEtFq7x9tSuWztyxn8y8OnQuo8Vew97DOabuX97DEzpk/ +nsTaoK239oImBbRTHj3Y2ocJpZGW+FNeUqE89IukXRPvy0vvSS/A7hAH1kB1Hyjs +/DNs5I2YNw+drhdPwlxPa6mTeDVzhY2/EQ+2m6D7jFgTe1Jt083ELVkA5EFGD4qq +rEy/G6YnLUhUrp7ssSqB6zSm+wH6F24U2Cxrzoe7IUJfanynkYamzEY0OSoCVW3b +2IOMWrytibJiP0mCWkW4yowwaIplPPhFXOY8iaMfLGvwYaa+w9bSNjip1UBjjce/ +Z+sp7MiJiXbS28SDjMe9J1Lw3hEFRR/F5YJ2za3UAlB8bwFJF30i7YwEas6RaEwu +obEca64x3CpCDFAzPYInKDORvMu6xfByuLxZ/WCq8APrAp56924+TvNFnRbqKaLh +xvOR5rM0rqGlbhBTpTY1bKXCudzosI7uMUGoPFodP8S87tFUHyZYXOi/ZBKVhi8s +Q7v2c2v+2D2oMwGaqFzPOug/QbcXfzDdND1ZBwAr18I7YgJJUBJXIPbn6LFiqpJp +8+91jSVGPdX8Z0cudn6jvBwcpj7BvG9/IBfW7/ORDxsIQq6fogk2REFwBlDtPfCQ +8OENo2pvhbXUoYGq+BNmjdT7pyYZbbKQ4ufix2B8xjjK6hpF7e6DGxpEmVr93UnP +i+lkgCKpQMME9LDtcNDcptIEIqan9YEEpCukmSz9MF1SzKG1Cp/Ych1cnAtO3FGI +LqUVKHoSf5Q35By1t3fythHe5UR++XjwAM7f+eZTPqWRg4T1z4MDV+WtFSDdW+fs +WoPsr+/AXQZJePly70liyYeu5nltwAdx+fhX6hxqGssA1eGrJwAZsTlgg7JWDwWe +bg3JKkJ4O954auUGKVWDbu0wSHletysgEumaq43vM0pv3CVknh9xKsmtG6jeGgt1 +LlDPUvCBVkReejtnncoh8v9/5WwVPwq+qNVzRmUJQ9CrxFkZFibe1EVl2olieC5E +26qK/GqiMh5WjdXU5v8GNWR4M5AGVBcuNyUtYBP4mmAuXGu3T7ceKF2wUmdF70YM +QGDuNnJdPavcg9b85r/mFvvJVRhUjcf/FWCOnkfT4fEMBrQZgMPSFz37V+d8hXO6 +u5cW2rrrbVwL/n4JT4RS1B/Mmtf/e9D0JFybne/qGgYfMv1Zp87uZIDZhCqiBSs+ +39XGccpxtn3t63bKzbH81a0QYN/SqDc0vPttw8isHKlu+tGbar/Yo6qbo5Q1aGfQ +8SIVsjMNYfUs9qeIOrpVYiyX+LiTWVQS3R1Fx6mA16DBqkpVIwgM9nJOuC5YtytM +36NJksTi73hsEQTa03P60PRKFTXrrs7pUc1mxmwk50YX2zhJrIHGw5iESFkAJ88A +f8p8zf7WUzaf1rqcXvRYghTrn6SNsew8vC/Bob7pub0p6KFRuCfU1fellTqikhKt +AWpyKyQJanoiuJ5NWcJ2E6eAqlG51U+wLC1Uv8IBhR1y/zwF0aoDcKZlv7MJlBMb +juDPmNDPa/In8lqL0CI18svUU+kAImGgJdeNr9eE5s95oiqMhOSTTTvRiX4t+PvW 
+FFsw6zGtyKUOygBndF91q7GPBXTrPTlvlK/S0e0P/mZImbrS8XUwqcl4iOJU3Y9L +9nwWj49v7scer68PMWZGDoCSyPKlkSFysUyk8z2W+gN13W0CecCQNl13wSf4QEJ8 +YGcxQ24AcOUAq5CFU/KvLseqKAKZVPaUBzitiCjVZER/1dIg0NqSyRTkKacuS3Em +5G8777TOVJhRJY65x9PnkXZjaGrHKYzNHHRvh+nVNu7j3PMLUhXpTkCf1BDlMTbl +8E2/ucbZmRlvX4mfL7CbR03IgUHCEtmMnZPvW4v9/qbnutOsedE6Im54MC+oXAr8 +XJxP04EJ0SgmOsZiwLIp/qoQhvT5BeML7qvP8CQxkLgg3BQMeC6e2i8wNGiM+94Q +c5yHwoLiOYMBgjSKU160/eN9aO5QFcALMz8/CT4zXT19mkXjK5QaR9Jz2f68luLf +QffYOhM+QCjMio/Z62/RiI0w3AgV1p4miyP1MPbcFL9jdWC0b2AF7/ewTnsXdmD6 +NzwPIqK2ffwNJJ1B8fDhZKRgOyMigAqU8viahx8yeWNpgwyN0Cp3zkAvrpg1/tEa +B/TqmRgVX9N2Og3OqtXcNNWgc+SNYGyS4PEAu46Fxao1mubKftw5H7RC6L3WzVHP +G50aU2ewrBox2a9IJLnaVXHe5dqiMaGbaMyZweCqZDzsIb6BfOot7+3T6NrbEZVC +57TpRDZOxAF1yaOSTO4yivsVB7PU3fPUq/YAoBIyhZt6zvi8MOhpjV7KQhwL4GZi +0v9WYGQSIYGGQ0uYzIiZ7bLloXwWIMmC4nJkpvPfVChsvVXIyy1zfNY3qrETckW8 +7jE6NzMGJ5EmK7p919J6L7+YE7E3anc+wUTJSlwrWz1K2eGIC8OmN1jyKdqZkfGj +/mE/eUFcwC5+whf7EwXaHCnd/u+e1B7lGfzPC551ovRDydGhGYT+CBNaZGqsLEnu +yq3qJCEBhbDV8kDaWgx/34ta/Vp6ZeASj7Qf6h/++645Q+yg6F/616isJrujBXO+ +qa0c99wM9rXNlyWcIAEPZ9ul0qfat4hA91Mv9LNzJd8mVSHGOpz5VEgFhix/3TKz +DSDLBpbDIyPWnPGZAo7tQg11kWCtQIgLTCB+zkfmYJklNmxKe6j3TnCC/0BjLgWF +LHHLykvZ5SxK2/m/tQwEDA7xfh1h8EqpmpIjAJVvjUbR3bu3cMrV+GRs0HuZk60I +gDM4fgUsM0JApSvgSrvJx3yMCDCqhN1VPjEwnXFHVsK39GQs6zvlCbsYjuifRzmR +AjOSGOWQfwbhDm+AdN6Zi8xi5VbYMlmaeYwYIrG00PmxxeAzqjVcAIn5Z04tCGJA +-----END RSA PRIVATE KEY----- diff --git a/build/certificates/downloads-hostgator.mixxx.org.key.pub b/build/certificates/downloads-hostgator.mixxx.org.key.pub new file mode 100644 index 0000000000..4f47da8738 --- /dev/null +++ b/build/certificates/downloads-hostgator.mixxx.org.key.pub @@ -0,0 +1 @@ +ssh-rsa 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 mixxx@downloads-hostgator.mixxx.org diff --git a/build/travis/deploy.sh b/build/travis/deploy.sh new file mode 100755 index 0000000000..2743a4fc53 --- /dev/null +++ b/build/travis/deploy.sh 
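Review bot: The private key added here is stored in the legacy PEM format (`Proc-Type: 4,ENCRYPTED`, `DEK-Info: AES-128-CBC`), which derives the encryption key from the passphrase with a single MD5 pass rather than a slow KDF. If this repository is public, the passphrase held in the Travis secure variable is therefore the only barrier to offline guessing against every historical copy of the file. Regenerating the key in the OpenSSH format (`ssh-keygen -o -a <rounds>`, which uses bcrypt) raises that cost, and keeping the key out of the tree altogether, for example as a CI-encrypted file, removes the exposure. It would also help to restrict the matching `authorized_keys` entry on the server to what the upload needs.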
@@ -0,0 +1,36 @@
+#!/bin/bash
+#
+# Deploy artifacts (e.g. dmg, deb files) built by Travis to downloads.mixxx.org.
+# Run within the cmake_build directory.
+
+set -eu -o pipefail
+
+USER=mixxx
+HOSTNAME=downloads-hostgator.mixxx.org
+TRAVIS_DESTDIR=public_html/downloads/builds/travis
+SSH_KEY=../build/certificates/downloads-hostgator.mixxx.org.key
+SSH="ssh -i ${SSH_KEY} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
+
+if [[ "${TRAVIS_PULL_REQUEST}" != "false" ]]; then
+ echo "Skipping deploy since we are in a pull request."
+ exit 0
+fi
+
+DEST_PATH=${TRAVIS_DESTDIR}/${TRAVIS_BRANCH}/
+TMP_PATH=${TRAVIS_DESTDIR}/.tmp/$TRAVIS_BUILD_ID/
+
+echo Deploying to $TMP_PATH, then to $DEST_PATH.
+
+# Remove permissions for group and other users so that ssh-keygen does not
+# complain about the key not being protected.
+chmod go-rwx ${SSH_KEY}
+
+# "Unlock" the key by removing its password. This is easier than messing with ssh-agent.
+ssh-keygen -p -P ${DOWNLOADS_HOSTGATOR_DOT_MIXXX_DOT_ORG_KEY_PASSWORD} -N "" -f ${SSH_KEY}
+
+# Always upload to a temporary path.
+shopt -s extglob
+rsync -e "${SSH}" --rsync-path="mkdir -p ${TMP_PATH} && rsync" -r --delete-after --quiet *.@(deb|dmg) ${USER}@${HOSTNAME}:${TMP_PATH}
+
+# Move from the temporary path to the final destination.
+$SSH ${USER}@${HOSTNAME} "mkdir -p ${DEST_PATH} && mv ${TMP_PATH}/* ${DEST_PATH} && rmdir ${TMP_PATH}" |
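Review bot: The `SSH` definition sets `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`, which turns off server authentication, so the rsync upload and the final `mv` go to whatever host answers for downloads-hostgator.mixxx.org. Committing the server's public host key and using `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<committed known_hosts file>` would pin it. The key passphrase is expanded unquoted on the `ssh-keygen -p -P` command line, where it is visible in the process list and breaks on whitespace or glob characters, and the decrypted key is then left in the checkout. `TRAVIS_BRANCH` reaches the remote shell unescaped through `DEST_PATH` in the last command, so it should be checked first, e.g. `[[ "${TRAVIS_BRANCH}" =~ ^[A-Za-z0-9._/-]+$ ]] || exit 1`. The remaining expansions (`${SSH_KEY}`, `$TMP_PATH`, `$DEST_PATH`) should be double-quoted as well.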