[thirdparty/openssl.git] / dev / release.sh

#! /bin/bash -e
# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# This is the most shell agnostic way to specify that POSIX rules.
POSIXLY_CORRECT=1

usage () {
    cat <<EOF
Usage: release.sh [ options ... ]

--alpha         Start or increase the "alpha" pre-release tag.
--next-beta     Switch to the "beta" pre-release tag after alpha release.
                It can only be given with --alpha.
--beta          Start or increase the "beta" pre-release tag.
--final         Get out of "alpha" or "beta" and make a final release.
                Implies --branch.

--branch        Create a release branch 'openssl-{major}.{minor}.x',
                where '{major}' and '{minor}' are the major and minor
                version numbers.

--reviewer=<id> The reviewer of the commits.
--local-user=<keyid>
                For the purpose of signing tags and tar files, use this
                key (default: use the default e-mail address’ key).

--no-upload     Don't upload to upload@dev.openssl.org.
--no-update     Don't perform 'make update'.
--verbose       Verbose output.
--debug         Include debug output.  Implies --no-upload.

--force         Force execution

--help          This text
--manual        The manual

If none of --alpha, --beta, or --final are given, this script tries to
figure out the next step.
EOF
    exit 0
}

# Set to one of 'major', 'minor', 'alpha', 'beta' or 'final'
next_method=
next_method2=

do_branch=false
warn_branch=false

do_clean=true
do_upload=true
do_update=true
DEBUG=:
VERBOSE=:
git_quiet=-q

force=false

do_help=false
do_manual=false

tagkey=' -s'
gpgkey=
reviewers=

upload_address=upload@dev.openssl.org

TEMP=$(getopt -l 'alpha,next-beta,beta,final' \
              -l 'branch' \
              -l 'no-upload,no-update' \
              -l 'verbose,debug' \
              -l 'local-user:' \
              -l 'reviewer:' \
              -l 'force' \
              -l 'help,manual' \
              -n release.sh -- - "$@")
eval set -- "$TEMP"
while true; do
    case $1 in
    --alpha | --beta | --final )
        next_method=$(echo "x$1" | sed -e 's|^x--||')
        if [ -z "$next_method2" ]; then
            next_method2=$next_method
        fi
        shift
        if [ "$next_method" = 'final' ]; then
            do_branch=true
        fi
        ;;
    --next-beta )
        next_method2=$(echo "x$1" | sed -e 's|^x--next-||')
        shift
        ;;
    --branch )
        do_branch=true
        warn_branch=true
        shift
        ;;
    --no-upload )
        do_upload=false
        shift
        ;;
    --no-update )
        do_update=false
        shift
        ;;
    --verbose )
        VERBOSE=echo
        git_quiet=
        shift
        ;;
    --debug )
        DEBUG=echo
        do_upload=false
        shift
        ;;
    --local-user )
        shift
        tagley=" -u $1"
        gpgkey=" -u $1"
        shift
        ;;
    --reviewer )
        reviewers="$reviewers $1=$2"
        shift
        shift
        ;;
    --force )
        force=true
        shift
        ;;
    --help )
        usage
        exit 0
        ;;
    --manual )
        sed -e '1,/^### BEGIN MANUAL/d' \
            -e '/^### END MANUAL/,$d' \
            < "$0" \
            | pod2man \
            | man -l -
        exit 0
        ;;
    -- )
        shift
        break
        ;;
    * )
        echo >&2 "Unknown option $1"
        shift
        exit 1
        ;;
    esac
done

$DEBUG >&2 "DEBUG: \$next_method=$next_method"
$DEBUG >&2 "DEBUG: \$next_method2=$next_method2"

$DEBUG >&2 "DEBUG: \$do_branch=$do_branch"

$DEBUG >&2 "DEBUG: \$do_upload=$do_upload"
$DEBUG >&2 "DEBUG: \$do_update=$do_update"
$DEBUG >&2 "DEBUG: \$DEBUG=$DEBUG"
$DEBUG >&2 "DEBUG: \$VERBOSE=$VERBOSE"
$DEBUG >&2 "DEBUG: \$git_quiet=$git_quiet"

case "$next_method+$next_method2" in
    major+major | minor+minor )
        # These are expected
        ;;
    alpha+alpha | alpha+beta | beta+beta | final+final | + | +beta )
        # These are expected
        ;;
    * )
        echo >&2 "Internal option error ($next_method, $next_method2)"
        exit 1
        ;;
esac

# Verbosity feed for certain commands
VERBOSITY_FIFO=/tmp/openssl-$$.fifo
mkfifo -m 600 $VERBOSITY_FIFO
( cat $VERBOSITY_FIFO | while read L; do $VERBOSE "> $L"; done ) &
exec 42>$VERBOSITY_FIFO
trap "exec 42>&-; rm $VERBOSITY_FIFO" 0 2

# Setup ##############################################################

# Make sure we're in the work directory
cd $(dirname $0)/..
HERE=$(pwd)

# Check that we have the scripts that define functions we use
found=true
for fn in "$HERE/dev/release-aux/release-version-fn.sh" \
          "$HERE/dev/release-aux/release-state-fn.sh"; do
    if ! [ -f "$fn" ]; then
        echo >&2 "'$fn' is missing"
        found=false
    fi
done
if ! $found; then
    exit 1
fi

# Load version functions
. $HERE/dev/release-aux/release-version-fn.sh
. $HERE/dev/release-aux/release-state-fn.sh

# Make sure it's a branch we recognise
orig_branch=$(git rev-parse --abbrev-ref HEAD)
if (echo "$orig_branch" \
        | grep -E -q \
               -e '^master$' \
               -e '^OpenSSL_[0-9]+_[0-9]+_[0-9]+[a-z]*-stable$' \
               -e '^openssl-[0-9]+\.[0-9]+\.x$'); then
    :
elif $force; then
    :
else
    echo >&2 "Not in master or any recognised release branch"
    echo >&2 "Please 'git checkout' an approprite branch"
    exit 1
fi

# Initialize #########################################################

echo "== Initializing work tree"

get_version

# Generate a cloned directory name
clone_branch="openssl-$SERIES.x"
release_clone="$clone_branch-release-tmp"

echo "== Work tree will be in $release_clone"

# Make a clone in a subdirectory and move there
if ! [ -d "$release_clone" ]; then
    $VERBOSE "== Cloning to $release_clone"
    git clone $git_quiet -b "$orig_branch" . "$release_clone"
fi
cd "$release_clone"

get_version

current_branch="$(git rev-parse --abbrev-ref HEAD)"
new_branch="openssl-$SERIES.x"

# Check that we're still on the same branch, or on a release branch
if [ "$current_branch" = "$orig_branch" ]; then
    :
elif [ "$current_branch" = "$new_branch" ]; then
    :
else
   echo >&2 "The cloned sub-directory '$release_clone' is on a branch"
   echo >&2 "other than '$current_branch' or '$new_branch'"
   echo >&2 "Please 'cd \"$(pwd)\"; git checkout $current_branch'"
   exit 1
fi

if $do_branch; then
    if [ "$current_branch" = "$new_branch" ]; then
        do_branch=false
    fi
    if ! $do_branch && $warn_branch; then
        echo >&2 "Warning: --branch ignored, we're already in a release branch"
    fi
fi

SOURCEDIR=$(pwd)
$DEBUG >&2 "DEBUG: Source directory is $SOURCEDIR"

# Release ############################################################

# We always expect to start from a state of development
if [ "$TYPE" != 'dev' ]; then
    echo >&2 "Not in a development branch"
    echo >&2 "Have a look at the git log in $release_clone, it may be that"
    echo >&2 "a previous crash left it in an intermediate state and that"
    echo >&2 "need to drop the top commit:"
    echo >&2 ""
    echo >&2 "(cd $release_clone; git reset --hard HEAD^)"
    echo >&2 "# WARNING! LOOK BEFORE YOU ACT"
    exit 1
fi

# We only create a release branch if the patch number is zero
if [ $PATCH -ne 0 ]; then
    if $do_branch; then
        echo >&2 "Warning! We're already in a release branch; --branch ignored"
    fi
    do_branch=false
fi

# Update the version information.  This won't save anything anywhere, yet,
# but does check for possible next_method errors before we do bigger work.
next_release_state "$next_method"

if $do_branch; then
    $VERBOSE "== Creating a release branch: $new_branch"
    git checkout $git_quiet -b "$new_branch"
fi

echo "== Configuring OpenSSL for update and release.  This may take a bit of time"

./Configure cc >&42

$VERBOSE "== Checking source file updates"

make update >&42

if [ -n "$(git status --porcelain)" ]; then
    $VERBOSE "== Committing updates"
    git add -u
    git commit $git_quiet -m 'make update'
    if [ -n "$reviewers" ]; then
        addrev --nopr $reviewers
    fi
fi

# Write the version information we updated
set_version

if [ -n "$PRE_LABEL" ]; then
    release="$VERSION-$PRE_RELEASE_TAG$BUILD_METADATA"
    release_text="$SERIES$BUILD_METADATA $PRE_LABEL $PRE_NUM"
    announce_template=openssl-announce-pre-release.tmpl
else
    release="$VERSION$BUILD_METADATA"
    release_text="$release"
    announce_template=openssl-announce-release.tmpl
fi
tag="openssl-$release"
$VERBOSE "== Updated version information to $release"

$VERBOSE "== Updating files with release date for $release : $RELEASE_DATE"
for fixup in "$HERE/dev/release-aux"/fixup-*-release.pl; do
    file="$(basename "$fixup" | sed -e 's|^fixup-||' -e 's|-release\.pl$||')"
    $VERBOSE "> $file"
    RELEASE="$release" RELEASE_TEXT="$release_text" RELEASE_DATE="$RELEASE_DATE" \
        perl -pi $fixup $file
done

$VERBOSE "== Comitting updates and tagging"
git add -u
git commit $git_quiet -m "Prepare for release of $release_text"
if [ -n "$reviewers" ]; then
    addrev --nopr $reviewers
fi
echo "Tagging release with tag $tag.  You may need to enter a pass phrase"
git tag$tagkey "$tag" -m "OpenSSL $release release tag"

tarfile=openssl-$release.tar
tgzfile=$tarfile.gz
announce=openssl-$release.txt

echo "== Generating tar, hash and announcement files.  This make take a bit of time"

$VERBOSE "== Making tarfile: $tgzfile"
# Unfortunately, util/mktar.sh does verbose output on STDERR...  for good
# reason, but it means we don't display errors unless --verbose
./util/mktar.sh --tarfile="../$tarfile" 2>&1 \
    | while read L; do $VERBOSE "> $L"; done

if ! [ -f "../$tgzfile" ]; then
    echo >&2 "Where did the tarball end up? (../$tgzfile)"
    exit 1
fi

$VERBOSE "== Generating checksums: $tgzfile.sha1 $tgzfile.sha256"
openssl sha1 < "../$tgzfile" | \
    (IFS='='; while read X H; do echo $H; done) > "../$tgzfile.sha1"
openssl sha256 < "../$tgzfile" | \
    (IFS='='; while read X H; do echo $H; done) > "../$tgzfile.sha256"
length=$(wc -c < "../$tgzfile")
sha1hash=$(cat "../$tgzfile.sha1")
sha256hash=$(cat "../$tgzfile.sha256")

$VERBOSE "== Generating announcement text: $announce"
# Hack the announcement template
cat "$HERE/dev/release-aux/$announce_template" \
    | sed -e "s|\\\$release_text|$release_text|g" \
          -e "s|\\\$release|$release|g" \
          -e "s|\\\$series|$SERIES|g" \
          -e "s|\\\$label|$PRE_LABEL|g" \
          -e "s|\\\$tarfile|$tgzfile|" \
          -e "s|\\\$length|$length|" \
          -e "s|\\\$sha1hash|$sha1hash|" \
          -e "s|\\\$sha256hash|$sha256hash|" \
    | perl -p "$HERE/dev/release-aux/fix-title.pl" \
    > "../$announce"
              
$VERBOSE "== Generating signatures: $tgzfile.asc $announce.asc"
rm -f "../$tgzfile.asc" "../$announce.asc"
echo "Signing the release files.  You may need to enter a pass phrase"
gpg$gpgkey --use-agent -sba "../$tgzfile"
gpg$gpgkey --use-agent -sta --clearsign "../$announce"

# We finish off by resetting all files, so we don't have to update
# files with release dates again
$VERBOSE "== Reset all files to their pre-commit contents"
git reset $git_quiet HEAD^ -- .
git checkout -- .

if $do_upload; then
    (
        if [ "$VERBOSE" != ':' ]; then
            echo "progress"
        fi
        echo "put ../$tgzfile"
        echo "put ../$tgzfile.sha1"
        echo "put ../$tgzfile.sha256"
        echo "put ../$tgzfile.asc"
        echo "put ../$announce.asc"
    ) \
    | sftp "$upload_address"
fi

# Post-release #######################################################

prev_release_text="$release_text"
prev_release_date="$RELEASE_DATE"

next_release_state "$next_method2"
set_version

release="$VERSION-$PRE_RELEASE_TAG$BUILD_METADATA"
release_text="$VERSION$BUILD_METADATA"
if [ -n "$PRE_LABEL" ]; then
    release_text="$SERIES$BUILD_METADATA $PRE_LABEL $PRE_NUM"
fi
$VERBOSE "== Updated version information to $release"

$VERBOSE "== Updating files for $release :"
for fixup in "$HERE/dev/release-aux"/fixup-*-postrelease.pl; do
    file="$(basename "$fixup" | sed -e 's|^fixup-||' -e 's|-postrelease\.pl$||')"
    $VERBOSE "> $file"
    RELEASE="$release" RELEASE_TEXT="$release_text" \
        PREV_RELEASE_TEXT="$prev_release_text" \
        PREV_RELEASE_DATE="$prev_release_date" \
        perl -pi $fixup $file
done

$VERBOSE "== Comitting updates"
git add -u
git commit $git_quiet -m "Prepare for $release_text"
if [ -n "$reviewers" ]; then
    addrev --nopr $reviewers
fi

if $do_branch; then
    $VERBOSE "== Going back to the main branch $current_branch"
    git checkout $git_quiet "$current_branch"

    get_version
    next_release_state "minor"
    set_version

    release="$VERSION-$PRE_RELEASE_TAG$BUILD_METADATA"
    release_text="$SERIES$BUILD_METADATA"
    $VERBOSE "== Updated version information to $release"

    $VERBOSE "== Updating files for $release :"
    for fixup in "$HERE/dev/release-aux"/fixup-*-postrelease.pl; do
        file="$(basename "$fixup" | sed -e 's|^fixup-||' -e 's|-postrelease\.pl$||')"
        $VERBOSE "> $file"
        RELEASE="$release" RELEASE_TEXT="$release_text" \
            perl -pi $fixup $file
    done

    $VERBOSE "== Comitting updates"
    git add -u
    git commit $git_quiet -m "Prepare for $release_text"
    if [ -n "$reviewers" ]; then
        addrev --nopr $reviewers
    fi
fi

# Done ###############################################################
    
$VERBOSE "== Done"

cat <<EOF

======================================================================
The release is done, and involves a few commits for you to deal with.
It has all been done in a clone of this workspace, see details below.
EOF
if $do_branch; then
    cat <<EOF
Additionally, a release branch has been created for you, so you need
to look for new commits in two places.
EOF
fi

if $do_release; then
    cat <<EOF

These files were uploaded to $upload_address:

    ../$tgzfile
    ../$tgzfile.sha1
    ../$tgzfile.sha256
    ../$tgzfile.asc
    ../$announce.asc
EOF
fi

cat <<EOF

Release worktree:   $release_clone
EOF
if [ "$current_branch" != "$new_branch" ]; then
    cat <<EOF
Current branch:     $current_branch
EOF
fi
if $do_branch; then
    cat <<EOF
New release branch: $new_branch
EOF
fi

cat <<EOF
======================================================================
EOF

cat <<EOF
If something went wrong and you want to start over, all you need is to
remove the release worktree:

    rm -rf $release_clone

If a tarball was uploaded, you must also clean that away, or ask you
kind OpenSSL sysadmin to do so.
EOF

exit 0

# cat is inconsequential, it's only there to fend off zealous shell parsers
# that parse all the way here.
cat <<EOF
### BEGIN MANUAL
=pod

=head1 NAME

release.sh - OpenSSL release script

=head1 SYNOPSIS

B<release.sh>
[
B<--alpha> |
B<--next-beta> |
B<--beta> |
B<--final> |
B<--branch> |
B<--local-user>=I<keyid> |
B<--reviewer>=I<id> |
B<--no-upload> |
B<--no-update> |
B<--verbose> |
B<--debug> |
B<--help> |
B<--manual>
]

=head1 DESCRIPTION

B<release.sh> creates an OpenSSL release, given current worktree conditions.
It will refuse to work unless the current branch is C<master> or a release
branch (see L</RELEASE BRANCHES AND TAGS> below for a discussion on those).

B<release.sh> tries to be smart and figure out the next release if no hints
are given through options, and will exit with an error in ambiguous cases.

B<release.sh> always clones the current workspace into a sub-directory
named C<< openssl-I<SERIES>-tmp >>, where C<< I<SERIES> >> is taken from
the available version information in the source.

=head1 OPTIONS

=over 4

=item B<--alpha>, B<--beta>

Set the state of this branch to indicate that alpha or beta releases are
to be done.

B<--alpha> is only acceptable if the I<PATCH> version number is zero and
the current state is "in development" or that alpha releases are ongoing.

B<--beta> is only acceptable if the I<PATCH> version number is zero and
that alpha or beta releases are ongoing.

=item B<--next-beta>

Use together with B<--alpha> to switch to beta releases after the current
release is done.

=item B<--final>

Set the state of this branch to indicate that regular releases are to be
done.  This is only valid if alpha or beta releases are currently ongoing.

This implies B<--branch>.

=item B<--branch>

Create a branch specific for the I<SERIES>.x release series, if it doesn't
already exist, and switch to it.  The exact branch name will be
C<< openssl-I<SERIES>.x >>.

=item B<--no-upload>

Don't upload the produced files.

=item B<--no-update>

Don't run C<make update>.

=item B<--verbose>

Verbose output.

=item B<--debug>

Display extra debug output.  Implies B<--no-upload>

=item B<--local-user>=I<keyid>

Use I<keyid> as the local user for C<git tag> and for signing with C<gpg>.

If not given, then the default e-mail address' key is used.

=item B<--reviewer>=I<id>

Add I<id> to the set of reviewers for the commits performed by this script.
Multiple reviewers are allowed.

If no reviewer is given, you will have to run C<addrev> manually, which
means retagging a release commit manually as well.

=item B<--force>

Force execution.  Precisely, the check that the current branch is C<master>
or a release branch is not done.

=item B<--help>

Display a quick help text and exit.

=item B<--manual>

Display this manual and exit.

=back

=head1 RELEASE BRANCHES AND TAGS

Prior to OpenSSL 3.0, the release branches were named
C<< OpenSSL_I<SERIES>-stable >>, and the release tags were named
C<< OpenSSL_I<VERSION> >> for regular releases, or
C<< OpenSSL_I<VERSION>-preI<n> >> for pre-releases.

From OpenSSL 3.0 ongoing, the release branches are named
C<< openssl-I<SERIES>.x >>, and the release tags are named
C<< openssl-I<VERSION> >> for regular releases, or
C<< openssl-I<VERSION>-alphaI<n> >> for alpha releases
and C<< openssl-I<VERSION>-betaI<n> >> for beta releases.

B<release.sh> recognises both forms.

=head1 VERSION AND STATE

With OpenSSL 3.0, all the version and state information is in the file
F<VERSION>, where the following variables are used and changed:

=over 4

=item B<MAJOR>, B<MINOR>, B<PATCH>

The three part of the version number.

=item B<PRE_RELEASE_TAG>

The indicator of the current state of the branch.  The value may be one pf:

=over 4

=item C<dev>

This branch is "in development".  This is typical for the C<master> branch
unless there are ongoing alpha or beta releases.

=item C<< alphaI<n> >> or C<< alphaI<n>-dev >>

This branch has alpha releases going on.  C<< alphaI<n>-dev >> is what
should normally be seen in the git workspace, indicating that
C<< alphaI<n> >> is in development.  C<< alphaI<n> >> is what should be
found in the alpha release tar file.

=item C<< alphaI<n> >> or C<< alphaI<n>-dev >>

This branch has beta releases going on.  The details are otherwise exactly
as for alpha.

=item I<no value>

This is normally not seen in the git workspace, but should always be what's
found in the tar file of a regular release.

=back

=item B<RELEASE_DATE>

This is normally empty in the git workspace, but should always have the
release date in the tar file of any release.

=back

=head1 COPYRIGHT

Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
### END MANUAL
EOF
Commit	Line	Data
b0b0b6a4 RL	1	#! /bin/bash -e
	2	# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
	3	#
	4	# Licensed under the Apache License 2.0 (the "License"). You may not use
	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
	9	# This is the most shell agnostic way to specify that POSIX rules.
	10	POSIXLY_CORRECT=1
	11
	12	usage () {
	13	cat <<EOF
	14	Usage: release.sh [ options ... ]
	15
	16	--alpha Start or increase the "alpha" pre-release tag.
	17	--next-beta Switch to the "beta" pre-release tag after alpha release.
	18	It can only be given with --alpha.
	19	--beta Start or increase the "beta" pre-release tag.
	20	--final Get out of "alpha" or "beta" and make a final release.
	21	Implies --branch.
	22
	23	--branch Create a release branch 'openssl-{major}.{minor}.x',
	24	where '{major}' and '{minor}' are the major and minor
	25	version numbers.
	26
64af3aec	27	--reviewer=<id> The reviewer of the commits.
b0b0b6a4 RL	28	--local-user=<keyid>
	29	For the purpose of signing tags and tar files, use this
	30	key (default: use the default e-mail address’ key).
	31
	32	--no-upload Don't upload to upload@dev.openssl.org.
	33	--no-update Don't perform 'make update'.
	34	--verbose Verbose output.
	35	--debug Include debug output. Implies --no-upload.
	36
	37	--force Force execution
	38
	39	--help This text
	40	--manual The manual
	41
	42	If none of --alpha, --beta, or --final are given, this script tries to
	43	figure out the next step.
	44	EOF
	45	exit 0
	46	}
	47
	48	# Set to one of 'major', 'minor', 'alpha', 'beta' or 'final'
	49	next_method=
	50	next_method2=
	51
	52	do_branch=false
	53	warn_branch=false
	54
	55	do_clean=true
	56	do_upload=true
	57	do_update=true
	58	DEBUG=:
	59	VERBOSE=:
	60	git_quiet=-q
	61
	62	force=false
	63
	64	do_help=false
	65	do_manual=false
	66
	67	tagkey=' -s'
	68	gpgkey=
64af3aec	69	reviewers=
b0b0b6a4 RL	70
	71	upload_address=upload@dev.openssl.org
	72
	73	TEMP=$(getopt -l 'alpha,next-beta,beta,final' \
	74	-l 'branch' \
	75	-l 'no-upload,no-update' \
	76	-l 'verbose,debug' \
	77	-l 'local-user:' \
64af3aec	78	-l 'reviewer:' \
b0b0b6a4 RL	79	-l 'force' \
	80	-l 'help,manual' \
	81	-n release.sh -- - "$@")
	82	eval set -- "$TEMP"
	83	while true; do
	84	case $1 in
	85	--alpha \| --beta \| --final )
	86	next_method=$(echo "x$1" \| sed -e 's\|^x--\|\|')
	87	if [ -z "$next_method2" ]; then
	88	next_method2=$next_method
	89	fi
	90	shift
	91	if [ "$next_method" = 'final' ]; then
	92	do_branch=true
	93	fi
	94	;;
	95	--next-beta )
	96	next_method2=$(echo "x$1" \| sed -e 's\|^x--next-\|\|')
	97	shift
	98	;;
	99	--branch )
	100	do_branch=true
	101	warn_branch=true
	102	shift
	103	;;
	104	--no-upload )
	105	do_upload=false
	106	shift
	107	;;
	108	--no-update )
	109	do_update=false
	110	shift
	111	;;
	112	--verbose )
	113	VERBOSE=echo
	114	git_quiet=
	115	shift
	116	;;
	117	--debug )
	118	DEBUG=echo
	119	do_upload=false
	120	shift
	121	;;
	122	--local-user )
	123	shift
	124	tagley=" -u $1"
	125	gpgkey=" -u $1"
	126	shift
	127	;;
64af3aec RL	128	--reviewer )
	129	reviewers="$reviewers $1=$2"
	130	shift
	131	shift
	132	;;
b0b0b6a4 RL	133	--force )
	134	force=true
	135	shift
	136	;;
	137	--help )
	138	usage
	139	exit 0
	140	;;
	141	--manual )
	142	sed -e '1,/^### BEGIN MANUAL/d' \
	143	-e '/^### END MANUAL/,$d' \
	144	< "$0" \
	145	\| pod2man \
	146	\| man -l -
	147	exit 0
	148	;;
	149	-- )
	150	shift
	151	break
	152	;;
	153	* )
	154	echo >&2 "Unknown option $1"
	155	shift
	156	exit 1
	157	;;
	158	esac
	159	done
	160
	161	$DEBUG >&2 "DEBUG: \$next_method=$next_method"
	162	$DEBUG >&2 "DEBUG: \$next_method2=$next_method2"
	163
	164	$DEBUG >&2 "DEBUG: \$do_branch=$do_branch"
	165
	166	$DEBUG >&2 "DEBUG: \$do_upload=$do_upload"
	167	$DEBUG >&2 "DEBUG: \$do_update=$do_update"
	168	$DEBUG >&2 "DEBUG: \$DEBUG=$DEBUG"
	169	$DEBUG >&2 "DEBUG: \$VERBOSE=$VERBOSE"
	170	$DEBUG >&2 "DEBUG: \$git_quiet=$git_quiet"
	171
	172	case "$next_method+$next_method2" in
	173	major+major \| minor+minor )
	174	# These are expected
	175	;;
	176	alpha+alpha \| alpha+beta \| beta+beta \| final+final \| + \| +beta )
	177	# These are expected
	178	;;
	179	* )
	180	echo >&2 "Internal option error ($next_method, $next_method2)"
	181	exit 1
	182	;;
	183	esac
	184
	185	# Verbosity feed for certain commands
	186	VERBOSITY_FIFO=/tmp/openssl-$$.fifo
	187	mkfifo -m 600 $VERBOSITY_FIFO
	188	( cat $VERBOSITY_FIFO \| while read L; do $VERBOSE "> $L"; done ) &
	189	exec 42>$VERBOSITY_FIFO
	190	trap "exec 42>&-; rm $VERBOSITY_FIFO" 0 2
	191
	192	# Setup ##############################################################
	193
	194	# Make sure we're in the work directory
	195	cd $(dirname $0)/..
	196	HERE=$(pwd)
197
198	# Check that we have the scripts that define functions we use
199	found=true
200	for fn in "$HERE/dev/release-aux/release-version-fn.sh" \
201	"$HERE/dev/release-aux/release-state-fn.sh"; do
202	if ! [ -f "$fn" ]; then
203	echo >&2 "'$fn' is missing"
204	found=false
205	fi
206	done
207	if ! $found; then
208	exit 1
209	fi
210
211	# Load version functions
212	. $HERE/dev/release-aux/release-version-fn.sh
213	. $HERE/dev/release-aux/release-state-fn.sh
214
215	# Make sure it's a branch we recognise
216	orig_branch=$(git rev-parse --abbrev-ref HEAD)
217	if (echo "$orig_branch" \
218	\| grep -E -q \
219	-e '^master$' \
220	-e '^OpenSSL_[0-9]+_[0-9]+_[0-9]+[a-z]*-stable$' \
221	-e '^openssl-[0-9]+\.[0-9]+\.x$'); then
222	:
223	elif $force; then
224	:
225	else
226	echo >&2 "Not in master or any recognised release branch"
227	echo >&2 "Please 'git checkout' an approprite branch"
228	exit 1
229	fi
230
231	# Initialize #########################################################
232
233	echo "== Initializing work tree"
234
235	get_version
236
237	# Generate a cloned directory name
238	clone_branch="openssl-$SERIES.x"
239	release_clone="$clone_branch-release-tmp"
240
241	echo "== Work tree will be in $release_clone"
242
243	# Make a clone in a subdirectory and move there
244	if ! [ -d "$release_clone" ]; then
245	$VERBOSE "== Cloning to $release_clone"
246	git clone $git_quiet -b "$orig_branch" . "$release_clone"
247	fi
248	cd "$release_clone"
249
250	get_version
251
252	current_branch="$(git rev-parse --abbrev-ref HEAD)"
253	new_branch="openssl-$SERIES.x"
254
255	# Check that we're still on the same branch, or on a release branch
256	if [ "$current_branch" = "$orig_branch" ]; then
257	:
258	elif [ "$current_branch" = "$new_branch" ]; then
259	:
260	else
261	echo >&2 "The cloned sub-directory '$release_clone' is on a branch"
262	echo >&2 "other than '$current_branch' or '$new_branch'"
263	echo >&2 "Please 'cd \"$(pwd)\"; git checkout $current_branch'"
264	exit 1
265	fi
266
267	if $do_branch; then
268	if [ "$current_branch" = "$new_branch" ]; then
269	do_branch=false
270	fi
271	if ! $do_branch && $warn_branch; then
272	echo >&2 "Warning: --branch ignored, we're already in a release branch"
273	fi
274	fi
275
276	SOURCEDIR=$(pwd)
277	$DEBUG >&2 "DEBUG: Source directory is $SOURCEDIR"
278
279	# Release ############################################################
280
281	# We always expect to start from a state of development
282	if [ "$TYPE" != 'dev' ]; then
283	echo >&2 "Not in a development branch"
284	echo >&2 "Have a look at the git log in $release_clone, it may be that"
285	echo >&2 "a previous crash left it in an intermediate state and that"
286	echo >&2 "need to drop the top commit:"
287	echo >&2 ""
288	echo >&2 "(cd $release_clone; git reset --hard HEAD^)"
289	echo >&2 "# WARNING! LOOK BEFORE YOU ACT"
290	exit 1
291	fi
292
293	# We only create a release branch if the patch number is zero
294	if [ $PATCH -ne 0 ]; then
295	if $do_branch; then
296	echo >&2 "Warning! We're already in a release branch; --branch ignored"
297	fi
298	do_branch=false
299	fi
300
301	# Update the version information. This won't save anything anywhere, yet,
302	# but does check for possible next_method errors before we do bigger work.
303	next_release_state "$next_method"
304
305	if $do_branch; then
306	$VERBOSE "== Creating a release branch: $new_branch"
307	git checkout $git_quiet -b "$new_branch"
308	fi
309
310	echo "== Configuring OpenSSL for update and release. This may take a bit of time"
311
312	./Configure cc >&42
313
314	$VERBOSE "== Checking source file updates"
315
316	make update >&42
317
318	if [ -n "$(git status --porcelain)" ]; then
319	$VERBOSE "== Committing updates"
320	git add -u
321	git commit $git_quiet -m 'make update'
64af3aec RL	322	if [ -n "$reviewers" ]; then
	323	addrev --nopr $reviewers
	324	fi
b0b0b6a4 RL	325	fi
	326
	327	# Write the version information we updated
	328	set_version
	329
	330	if [ -n "$PRE_LABEL" ]; then
	331	release="$VERSION-$PRE_RELEASE_TAG$BUILD_METADATA"
	332	release_text="$SERIES$BUILD_METADATA $PRE_LABEL $PRE_NUM"
	333	announce_template=openssl-announce-pre-release.tmpl
	334	else
	335	release="$VERSION$BUILD_METADATA"
	336	release_text="$release"
	337	announce_template=openssl-announce-release.tmpl
	338	fi
	339	tag="openssl-$release"
	340	$VERBOSE "== Updated version information to $release"
	341
	342	$VERBOSE "== Updating files with release date for $release : $RELEASE_DATE"
	343	for fixup in "$HERE/dev/release-aux"/fixup-*-release.pl; do
	344	file="$(basename "$fixup" \| sed -e 's\|^fixup-\|\|' -e 's\|-release\.pl$\|\|')"
	345	$VERBOSE "> $file"
	346	RELEASE="$release" RELEASE_TEXT="$release_text" RELEASE_DATE="$RELEASE_DATE" \
	347	perl -pi $fixup $file
	348	done
	349
	350	$VERBOSE "== Comitting updates and tagging"
	351	git add -u
	352	git commit $git_quiet -m "Prepare for release of $release_text"
64af3aec RL	353	if [ -n "$reviewers" ]; then
	354	addrev --nopr $reviewers
	355	fi
b0b0b6a4 RL	356	echo "Tagging release with tag $tag. You may need to enter a pass phrase"
	357	git tag$tagkey "$tag" -m "OpenSSL $release release tag"
	358
	359	tarfile=openssl-$release.tar
	360	tgzfile=$tarfile.gz
	361	announce=openssl-$release.txt
	362
	363	echo "== Generating tar, hash and announcement files. This make take a bit of time"
	364
	365	$VERBOSE "== Making tarfile: $tgzfile"
	366	# Unfortunately, util/mktar.sh does verbose output on STDERR... for good
	367	# reason, but it means we don't display errors unless --verbose
	368	./util/mktar.sh --tarfile="../$tarfile" 2>&1 \
	369	\| while read L; do $VERBOSE "> $L"; done
	370
	371	if ! [ -f "../$tgzfile" ]; then
	372	echo >&2 "Where did the tarball end up? (../$tgzfile)"
	373	exit 1
	374	fi
	375
	376	$VERBOSE "== Generating checksums: $tgzfile.sha1 $tgzfile.sha256"
	377	openssl sha1 < "../$tgzfile" \| \
	378	(IFS='='; while read X H; do echo $H; done) > "../$tgzfile.sha1"
	379	openssl sha256 < "../$tgzfile" \| \
	380	(IFS='='; while read X H; do echo $H; done) > "../$tgzfile.sha256"
	381	length=$(wc -c < "../$tgzfile")
	382	sha1hash=$(cat "../$tgzfile.sha1")
	383	sha256hash=$(cat "../$tgzfile.sha256")
	384
	385	$VERBOSE "== Generating announcement text: $announce"
	386	# Hack the announcement template
	387	cat "$HERE/dev/release-aux/$announce_template" \
	388	\| sed -e "s\|\\\$release_text\|$release_text\|g" \
	389	-e "s\|\\\$release\|$release\|g" \
	390	-e "s\|\\\$series\|$SERIES\|g" \
	391	-e "s\|\\\$label\|$PRE_LABEL\|g" \
	392	-e "s\|\\\$tarfile\|$tgzfile\|" \
	393	-e "s\|\\\$length\|$length\|" \
	394	-e "s\|\\\$sha1hash\|$sha1hash\|" \
	395	-e "s\|\\\$sha256hash\|$sha256hash\|" \
	396	\| perl -p "$HERE/dev/release-aux/fix-title.pl" \
	397	> "../$announce"
	398
	399	$VERBOSE "== Generating signatures: $tgzfile.asc $announce.asc"
	400	rm -f "../$tgzfile.asc" "../$announce.asc"
	401	echo "Signing the release files. You may need to enter a pass phrase"
	402	gpg$gpgkey --use-agent -sba "../$tgzfile"
	403	gpg$gpgkey --use-agent -sta --clearsign "../$announce"
	404
	405	# We finish off by resetting all files, so we don't have to update
	406	# files with release dates again
	407	$VERBOSE "== Reset all files to their pre-commit contents"
	408	git reset $git_quiet HEAD^ -- .
	409	git checkout -- .
	410
	411	if $do_upload; then
	412	(
	413	if [ "$VERBOSE" != ':' ]; then
	414	echo "progress"
	415	fi
	416	echo "put ../$tgzfile"
	417	echo "put ../$tgzfile.sha1"
	418	echo "put ../$tgzfile.sha256"
	419	echo "put ../$tgzfile.asc"
420	echo "put ../$announce.asc"
421	) \
422	\| sftp "$upload_address"
423	fi
424
425	# Post-release #######################################################
426
427	prev_release_text="$release_text"
428	prev_release_date="$RELEASE_DATE"
429
430	next_release_state "$next_method2"
431	set_version
432
433	release="$VERSION-$PRE_RELEASE_TAG$BUILD_METADATA"
434	release_text="$VERSION$BUILD_METADATA"
435	if [ -n "$PRE_LABEL" ]; then
436	release_text="$SERIES$BUILD_METADATA $PRE_LABEL $PRE_NUM"
437	fi
438	$VERBOSE "== Updated version information to $release"
439
440	$VERBOSE "== Updating files for $release :"
441	for fixup in "$HERE/dev/release-aux"/fixup-*-postrelease.pl; do
442	file="$(basename "$fixup" \| sed -e 's\|^fixup-\|\|' -e 's\|-postrelease\.pl$\|\|')"
443	$VERBOSE "> $file"
444	RELEASE="$release" RELEASE_TEXT="$release_text" \
445	PREV_RELEASE_TEXT="$prev_release_text" \
446	PREV_RELEASE_DATE="$prev_release_date" \
447	perl -pi $fixup $file
448	done
449
450	$VERBOSE "== Comitting updates"
451	git add -u
452	git commit $git_quiet -m "Prepare for $release_text"
64af3aec RL	453	if [ -n "$reviewers" ]; then
	454	addrev --nopr $reviewers
	455	fi
b0b0b6a4 RL	456
	457	if $do_branch; then
	458	$VERBOSE "== Going back to the main branch $current_branch"
	459	git checkout $git_quiet "$current_branch"
	460
	461	get_version
	462	next_release_state "minor"
	463	set_version
	464
	465	release="$VERSION-$PRE_RELEASE_TAG$BUILD_METADATA"
	466	release_text="$SERIES$BUILD_METADATA"
	467	$VERBOSE "== Updated version information to $release"
	468
	469	$VERBOSE "== Updating files for $release :"
	470	for fixup in "$HERE/dev/release-aux"/fixup-*-postrelease.pl; do
	471	file="$(basename "$fixup" \| sed -e 's\|^fixup-\|\|' -e 's\|-postrelease\.pl$\|\|')"
	472	$VERBOSE "> $file"
	473	RELEASE="$release" RELEASE_TEXT="$release_text" \
	474	perl -pi $fixup $file
	475	done
	476
	477	$VERBOSE "== Comitting updates"
	478	git add -u
	479	git commit $git_quiet -m "Prepare for $release_text"
64af3aec RL	480	if [ -n "$reviewers" ]; then
	481	addrev --nopr $reviewers
	482	fi
b0b0b6a4 RL	483	fi
	484
	485	# Done ###############################################################
	486
	487	$VERBOSE "== Done"
	488
	489	cat <<EOF
	490
	491	======================================================================
	492	The release is done, and involves a few commits for you to deal with.
	493	It has all been done in a clone of this workspace, see details below.
	494	EOF
	495	if $do_branch; then
	496	cat <<EOF
	497	Additionally, a release branch has been created for you, so you need
	498	to look for new commits in two places.
	499	EOF
	500	fi
	501
	502	if $do_release; then
	503	cat <<EOF
	504
	505	These files were uploaded to $upload_address:
	506
	507	../$tgzfile
	508	../$tgzfile.sha1
	509	../$tgzfile.sha256
	510	../$tgzfile.asc
	511	../$announce.asc
	512	EOF
	513	fi
	514
	515	cat <<EOF
	516
	517	Release worktree: $release_clone
	518	EOF
	519	if [ "$current_branch" != "$new_branch" ]; then
	520	cat <<EOF
	521	Current branch: $current_branch
	522	EOF
	523	fi
	524	if $do_branch; then
	525	cat <<EOF
	526	New release branch: $new_branch
	527	EOF
	528	fi
	529
	530	cat <<EOF
	531	======================================================================
	532	EOF
	533
	534	cat <<EOF
	535	If something went wrong and you want to start over, all you need is to
	536	remove the release worktree:
	537
	538	rm -rf $release_clone
	539
	540	If a tarball was uploaded, you must also clean that away, or ask you
	541	kind OpenSSL sysadmin to do so.
	542	EOF
	543
	544	exit 0
	545
	546	# cat is inconsequential, it's only there to fend off zealous shell parsers
547	# that parse all the way here.
548	cat <<EOF
549	### BEGIN MANUAL
550	=pod
551
552	=head1 NAME
553
554	release.sh - OpenSSL release script
555
556	=head1 SYNOPSIS
557
558	B<release.sh>
559	[
560	B<--alpha> \|
561	B<--next-beta> \|
562	B<--beta> \|
563	B<--final> \|
564	B<--branch> \|
565	B<--local-user>=I<keyid> \|
64af3aec	566	B<--reviewer>=I<id> \|
b0b0b6a4 RL	567	B<--no-upload> \|
	568	B<--no-update> \|
	569	B<--verbose> \|
	570	B<--debug> \|
	571	B<--help> \|
	572	B<--manual>
	573	]
	574
	575	=head1 DESCRIPTION
	576
	577	B<release.sh> creates an OpenSSL release, given current worktree conditions.
	578	It will refuse to work unless the current branch is C<master> or a release
	579	branch (see L</RELEASE BRANCHES AND TAGS> below for a discussion on those).
	580
	581	B<release.sh> tries to be smart and figure out the next release if no hints
	582	are given through options, and will exit with an error in ambiguous cases.
	583
	584	B<release.sh> always clones the current workspace into a sub-directory
	585	named C<< openssl-I<SERIES>-tmp >>, where C<< I<SERIES> >> is taken from
	586	the available version information in the source.
	587
	588	=head1 OPTIONS
	589
	590	=over 4
	591
	592	=item B<--alpha>, B<--beta>
	593
	594	Set the state of this branch to indicate that alpha or beta releases are
	595	to be done.
	596
	597	B<--alpha> is only acceptable if the I<PATCH> version number is zero and
	598	the current state is "in development" or that alpha releases are ongoing.
	599
	600	B<--beta> is only acceptable if the I<PATCH> version number is zero and
	601	that alpha or beta releases are ongoing.
	602
	603	=item B<--next-beta>
	604
	605	Use together with B<--alpha> to switch to beta releases after the current
	606	release is done.
	607
	608	=item B<--final>
	609
	610	Set the state of this branch to indicate that regular releases are to be
	611	done. This is only valid if alpha or beta releases are currently ongoing.
	612
	613	This implies B<--branch>.
	614
	615	=item B<--branch>
	616
	617	Create a branch specific for the I<SERIES>.x release series, if it doesn't
	618	already exist, and switch to it. The exact branch name will be
	619	C<< openssl-I<SERIES>.x >>.
	620
	621	=item B<--no-upload>
	622
	623	Don't upload the produced files.
	624
	625	=item B<--no-update>
	626
	627	Don't run C<make update>.
	628
	629	=item B<--verbose>
	630
631	Verbose output.
632
633	=item B<--debug>
634
635	Display extra debug output. Implies B<--no-upload>
636
637	=item B<--local-user>=I<keyid>
638
639	Use I<keyid> as the local user for C<git tag> and for signing with C<gpg>.
640
641	If not given, then the default e-mail address' key is used.
642
64af3aec RL	643	=item B<--reviewer>=I<id>
	644
	645	Add I<id> to the set of reviewers for the commits performed by this script.
	646	Multiple reviewers are allowed.
	647
	648	If no reviewer is given, you will have to run C<addrev> manually, which
	649	means retagging a release commit manually as well.
	650
b0b0b6a4 RL	651	=item B<--force>
	652
	653	Force execution. Precisely, the check that the current branch is C<master>
	654	or a release branch is not done.
	655
	656	=item B<--help>
	657
	658	Display a quick help text and exit.
	659
	660	=item B<--manual>
	661
	662	Display this manual and exit.
	663
	664	=back
	665
	666	=head1 RELEASE BRANCHES AND TAGS
	667
	668	Prior to OpenSSL 3.0, the release branches were named
	669	C<< OpenSSL_I<SERIES>-stable >>, and the release tags were named
	670	C<< OpenSSL_I<VERSION> >> for regular releases, or
	671	C<< OpenSSL_I<VERSION>-preI<n> >> for pre-releases.
	672
	673	From OpenSSL 3.0 ongoing, the release branches are named
	674	C<< openssl-I<SERIES>.x >>, and the release tags are named
	675	C<< openssl-I<VERSION> >> for regular releases, or
	676	C<< openssl-I<VERSION>-alphaI<n> >> for alpha releases
	677	and C<< openssl-I<VERSION>-betaI<n> >> for beta releases.
	678
	679	B<release.sh> recognises both forms.
	680
	681	=head1 VERSION AND STATE
	682
	683	With OpenSSL 3.0, all the version and state information is in the file
	684	F<VERSION>, where the following variables are used and changed:
	685
	686	=over 4
	687
	688	=item B<MAJOR>, B<MINOR>, B<PATCH>
	689
	690	The three part of the version number.
	691
	692	=item B<PRE_RELEASE_TAG>
	693
	694	The indicator of the current state of the branch. The value may be one pf:
	695
	696	=over 4
	697
	698	=item C<dev>
	699
	700	This branch is "in development". This is typical for the C<master> branch
	701	unless there are ongoing alpha or beta releases.
	702
	703	=item C<< alphaI<n> >> or C<< alphaI<n>-dev >>
	704
	705	This branch has alpha releases going on. C<< alphaI<n>-dev >> is what
	706	should normally be seen in the git workspace, indicating that
	707	C<< alphaI<n> >> is in development. C<< alphaI<n> >> is what should be
	708	found in the alpha release tar file.
	709
	710	=item C<< alphaI<n> >> or C<< alphaI<n>-dev >>
	711
	712	This branch has beta releases going on. The details are otherwise exactly
	713	as for alpha.
	714
715	=item I<no value>
716
717	This is normally not seen in the git workspace, but should always be what's
718	found in the tar file of a regular release.
719
720	=back
721
722	=item B<RELEASE_DATE>
723
724	This is normally empty in the git workspace, but should always have the
725	release date in the tar file of any release.
726
727	=back
728
729	=head1 COPYRIGHT
730
731	Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
732
733	Licensed under the Apache License 2.0 (the "License"). You may not use
734	this file except in compliance with the License. You can obtain a copy
735	in the file LICENSE in the source distribution or at
736	L<https://www.openssl.org/source/license.html>.
737
738	=cut
739	### END MANUAL
740	EOF