2 releases
Uses old Rust 2015
| Version | Released |
|---|---|
| 0.1.1 | Sep 27, 2018 |
| 0.1.0 | Sep 10, 2018 |
Artifact Configuration
A program for downloading artifacts and verifying their SHA hashes and PGP signatures.
Downloading artifacts
To begin the build process, create an input file, called, say, urls.txt, that lists the artifact URLs:
https://jcenter.bintray.com/com/android/tools/annotations/24.5.0/annotations-24.5.0.pom
https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.jar
https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.pom
https://maven.google.com/com/android/tools/repository/26.0.1/repository-26.0.1.pom
https://maven.google.com/com/android/tools/sdk-common/26.0.1/sdk-common-26.0.1.jar
Next, run the following command:
artc download --input urls.txt
This will generate files under the target directory: ./target/artc
The asc.tsv file contains the fingerprint and the URL of the main artifact:
3872ED7D5904493D23D78FA2C4C8CB73B1435348 https://jcenter.bintray.com/com/android/tools/annotations/24.5.0/annotations-24.5.0.pom
694621A7227D8D5289699830ABE9F3126BB741C1 https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.jar
694621A7227D8D5289699830ABE9F3126BB741C1 https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.pom
The keys directory contains any of the downloaded keys used in verifying signatures:
-rw-r--r-- 1 shane shane 2020 Sep 7 23:11 0374CF2E8DD1BDFD
-rw-r--r-- 1 shane shane 1700 Sep 7 23:08 0DA8A5EC02D11EAD
-rw-r--r-- 1 shane shane 3136 Sep 7 23:04 16AE34E5C9C3E2BB
-rw-r--r-- 1 shane shane 12289 Sep 7 23:09 205C8673DC742C7C
Finally, the pubring.kbx file is the keystore with the imported keys.
The sha.tsv file contains the sha256, followed by a gen/ver field value and the URL:
c3c99bf58182889fe86315e9a01473ee2c95540b9dedef898cec64554d925c54 gen https://jcenter.bintray.com/com/android/tools/annotations/24.5.0/annotations-24.5.0.pom
1158e94c7de4da480873f0b4ab4a1da14c0d23d4b1902cc94a58a6f0f9ab579e ver https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.jar
bfadb3b40f65dd6de1666d6b29f8bb54031396c76eeef4146cf9f28255f8bf33 ver https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.pom
a20fb26c8de5b0ff7a3069e681fcf01ebefd2f3d24b832c3af22d981d7d4376b gen https://maven.google.com/com/android/tools/repository/26.0.1/repository-26.0.1.pom
7e8bdca281bdcb6dad48a80854837f1c0ab46f31a0b292370e320f471f5b9cfd gen https://maven.google.com/com/android/tools/sdk-common/26.0.1/sdk-common-26.0.1.jar
The gen value means that the sha256 was generated by the build: there was no associated ${url}.sha2 file to download and verify against.
For example, this URL does not exist, so its field value is gen:
https://maven.google.com/com/android/tools/sdk-common/26.0.1/sdk-common-26.0.1.jar.sha2
The ver field value means that the ${url}.sha2 file exists and the build verified the main artifact sha256 against this value.
RBM
This command generates Tor RBM config files.
artc rbm --keyring android.gpg
The keyring option specifies the name of the keyring that you will use for the downloaded artifacts. Say that you specify the keyring as android.gpg. Then the pubring.kbx file will be renamed to android.gpg.
The following entries will be found in the rbm/config file. Notice that the config has a comment if the sha has not been verified. The build will only use the sha256 if the asc file can't be used.
#Sha not verified from original source
- URL: https://maven.google.com/com/android/tools/sdk-common/26.0.1/sdk-common-26.0.1.jar
  sha256Sum: 7e8bdca281bdcb6dad48a80854837f1c0ab46f31a0b292370e320f471f5b9cfd
- URL: https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.jar
  sig_ext: asc
  file_gpg_id: 694621A7227D8D5289699830ABE9F3126BB741C1
  gpg_keyring: android.gpg
- URL: https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.pom
  sig_ext: asc
  file_gpg_id: 694621A7227D8D5289699830ABE9F3126BB741C1
  gpg_keyring: android.gpg
- URL: https://jcenter.bintray.com/com/android/tools/annotations/24.5.0/annotations-24.5.0.pom
  sig_ext: asc
  file_gpg_id: 3872ED7D5904493D23D78FA2C4C8CB73B1435348
  gpg_keyring: android.gpg
#Sha not verified from original source
- URL: https://maven.google.com/com/android/tools/repository/26.0.1/repository-26.0.1.pom
  sha256Sum: a20fb26c8de5b0ff7a3069e681fcf01ebefd2f3d24b832c3af22d981d7d4376b
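The precedence described above (signature first, sha256 only as a fallback, gen hashes flagged as unverified) can be audited directly from asc.tsv and sha.tsv. This Rust code is an added example, not artc's own source; the `Trust` enum and the `classify` and `is_hex` functions are names invented here, and it assumes whitespace-separated columns in the order the listings show.

```rust
use std::collections::HashMap;
// Sample input: a subset of the rows from the asc.tsv and sha.tsv listings above.
const ASC_TSV: &str = "\
3872ED7D5904493D23D78FA2C4C8CB73B1435348 https://jcenter.bintray.com/com/android/tools/annotations/24.5.0/annotations-24.5.0.pom
694621A7227D8D5289699830ABE9F3126BB741C1 https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.jar
";
const SHA_TSV: &str = "\
c3c99bf58182889fe86315e9a01473ee2c95540b9dedef898cec64554d925c54 gen https://jcenter.bintray.com/com/android/tools/annotations/24.5.0/annotations-24.5.0.pom
1158e94c7de4da480873f0b4ab4a1da14c0d23d4b1902cc94a58a6f0f9ab579e ver https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.jar
7e8bdca281bdcb6dad48a80854837f1c0ab46f31a0b292370e320f471f5b9cfd gen https://maven.google.com/com/android/tools/sdk-common/26.0.1/sdk-common-26.0.1.jar
";

/// What anchors an artifact's integrity, strongest first (names are this example's own).
#[derive(Debug, PartialEq)]
enum Trust {
    Signed(String),       // PGP fingerprint listed in asc.tsv
    ShaVerified(String),  // sha256 matched the upstream ${url}.sha2 ("ver")
    ShaGenerated(String), // sha256 only computed locally ("gen"): trust on first use
}

fn is_hex(s: &str, len: usize) -> bool { s.len() == len && s.chars().all(|c| c.is_ascii_hexdigit()) }

/// Joins the two files on URL and returns one (URL, Trust) pair per sha.tsv row.
fn classify(asc_tsv: &str, sha_tsv: &str) -> Result<Vec<(String, Trust)>, String> {
    let mut signed = HashMap::new(); // URL -> signing key fingerprint
    for line in asc_tsv.lines().filter(|l| !l.trim().is_empty()) {
        let f: Vec<&str> = line.split_whitespace().collect();
        if f.len() != 2 || !is_hex(f[0], 40) { return Err(format!("bad asc.tsv row: {}", line)); }
        signed.insert(f[1].to_string(), f[0].to_string());
    }
    let mut out = Vec::new();
    for line in sha_tsv.lines().filter(|l| !l.trim().is_empty()) {
        let f: Vec<&str> = line.split_whitespace().collect();
        if f.len() != 3 || !is_hex(f[0], 64) || !["gen", "ver"].contains(&f[1]) {
            return Err(format!("bad sha.tsv row: {}", line));
        }
        let trust = match (signed.get(f[2]), f[1]) {
            (Some(fpr), _) => Trust::Signed(fpr.clone()), // a signature outranks any sha256
            (None, "ver") => Trust::ShaVerified(f[0].to_string()),
            (None, _) => Trust::ShaGenerated(f[0].to_string()), // only "gen" reaches here
        };
        out.push((f[2].to_string(), trust));
    }
    Ok(out)
}

fn main() {
    for (url, t) in classify(ASC_TSV, SHA_TSV).unwrap() { println!("{:?}\t{}", t, url); }
}
```

Rows that come back as `ShaGenerated` are the ones the generated config marks with the "Sha not verified from original source" comment, so they are the entries to check against an independent source before pinning.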
Since RBM uses a flat directory structure for downloads, a script is also generated that can place the artifacts in a Maven repo structure. It is found in rbm/create_maven_repo.sh:
# TODO: Set $M2_REPO to location of maven repository
mkdir -p $M2_REPO/com/android/tools/sdk-common/26.0.1 && cp "sdk-common-26.0.1.jar" "$_"
mkdir -p $M2_REPO/com/google/guava/guava/22.0 && cp "guava-22.0.jar" "$_"
mkdir -p $M2_REPO/com/google/guava/guava/22.0 && cp "guava-22.0.pom" "$_"
mkdir -p $M2_REPO/com/android/tools/annotations/24.5.0 && cp "annotations-24.5.0.pom" "$_"
mkdir -p $M2_REPO/com/android/tools/repository/26.0.1 && cp "repository-26.0.1.pom" "$_"
Package
As an alternative to generating RBM files, you can package the artifacts into a Maven repo format.
artc package
This copies the artifacts from the artifacts directory to the m2 directory and then archives the m2 directory as maven-repo.tar.gz.
It outputs the hash value to use in an RBM config (or other build).
Note that for an RBM build, this archive will need to be uploaded to some location. The URL of the archive will then need to be added to the config file.
- URL: https://example.com/repo/maven-repo.tar.gz
  sha256Sum: a20fb26c8de5b0ff7a3069e681fcf01ebefd2f3d24b832c3af22d981d7d4376b
Additional info
Reproducible Build Manager - https://rbm.torproject.org/