Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Split generate and sign steps; add more CI checks #202

Merged
merged 3 commits into from
Oct 17, 2024
Merged

Split generate and sign steps; add more CI checks #202

merged 3 commits into from
Oct 17, 2024

Conversation

legoktm
Copy link
Member

@legoktm legoktm commented Sep 19, 2024

Status

Ready for review

Description

One of the biggest frustrations I have with this process is that the
generation and signing steps are combined. I really want to generate
everything, review it, and then move ahead with signing.

This splits the two steps and inlines them into the Makefile as separate
make generate and make sign. Also change the default goal to help,
which is what all of our other Makefiles do.

This necessitates checking in the default.rulesets file that's used as
the input for signing.

As requested in #21, this verifies:

  • generated rulesets files match the XML files. (In some sense it's just
    a reimplementation of the upstream/merge-rulesets.py script, but would
    stop a zero-length ruleset from being deployed)
  • there are no extra nor missing signatures

Fixes #21.

Review Checklist

  • Visual review
  • CI passes

@legoktm legoktm mentioned this pull request Sep 26, 2024
Merged
5 tasks
@legoktm
Copy link
Member Author

legoktm commented Sep 26, 2024

Rebased this on top of #205, which I used this for. So it works :)

zenmonkeykstop
zenmonkeykstop requested changes Sep 30, 2024
View reviewed changes
Copy link
Contributor

@zenmonkeykstop zenmonkeykstop left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Workflow is documented in the README - in the interests of future users' onboarding, the change in the workflow should be documented there too.

@legoktm
Split generate and sign steps
4d39a13 
One of the biggest frustrations I have with this process is that the
generation and signing steps are combined. I really want to generate
everything, review it, and then move ahead with signing.

This splits the two steps and inlines them into the Makefile as separate
`make generate` and `make sign`. Also change the default goal to `help`,
which is what all of our other Makefiles do.

This necessitates checking in the default.rulesets file that's used as
the input for signing.
@legoktm
Add more CI checks
56bbd81 
As requested in #21, this verifies:

* generated rulesets files match the XML files. (In some sense it's just
a reimplementation of the `upstream/merge-rulesets.py` script, but
would
  stop a zero-length ruleset from being deployed)
* there are no extra nor missing signatures

Fixes #21.
@legoktm
Update README for split of generate and signing steps
c94b549 
And update the reference that Tor Browser now correctly checks
the -2021 variant.
@legoktm
Copy link
Member Author

legoktm commented Sep 30, 2024

Done!

@zenmonkeykstop zenmonkeykstop added this pull request to the merge queue Oct 17, 2024
@legoktm legoktm merged commit 4c5bc54 into main Oct 17, 2024
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zenmonkeykstop zenmonkeykstop zenmonkeykstop approved these changes

Assignees
No one assigned
Labels
None yet
Projects
SecureDrop dev cycle
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Strengthen CI checks to sanity check rulesets
2 participants
@legoktm @zenmonkeykstop