fix keystore generation, pass keystore vars to build

Changes: * Drop --keep from nix/scripts/build.sh as it does nothing * Allow scripts/release-android.sh take passwords from env * Use env file in extra-sandbox-paths to pass keystore passwords * Quote ever segment of Nix options to avoid parsing errors Signed-off-by: Jakub Sokołowski <jakub@status.im>
2020-03-13 13:01:17 +01:00 · 2020-03-13 13:01:17 +01:00 · eb5fe57e90
parent 10fab4e77c
commit eb5fe57e90
4 changed files with 55 additions and 35 deletions
--- a/nix/scripts/build.sh
+++ b/nix/scripts/build.sh
@ -49,19 +49,12 @@ nixOpts=(
  "--fallback"
  "--no-out-link"
  "--show-trace"
-  "--attr ${targetAttr}"
-  "${@}"
+  "--attr" "${targetAttr}"
 )

-# This variable allows specifying which env vars to keep for Nix pure shell.
-# The separator is a colon
-if [[ -n "${_NIX_KEEP}" ]]; then
-  nixOpts+=("--keep ${_NIX_KEEP//,/ --keep }")
-fi
-
 # Run the actual build
-echo "Running: nix-build ${nixOpts[@]} default.nix"
-nixResultPath=$(nix-build ${nixOpts[@]} default.nix)
+echo "Running: nix-build "${nixOpts[@]}" "${@}" default.nix"
+nixResultPath=$(nix-build "${nixOpts[@]}" "${@}" default.nix)

 echo "Extracting result: ${nixResultPath}"
 extractResults "${nixResultPath}"
--- a/nix/scripts/shell.sh
+++ b/nix/scripts/shell.sh
@ -18,12 +18,12 @@ source "${GIT_ROOT}/nix/scripts/source.sh"
 export TERM=xterm # fix for colors
 shift # we remove the first -c from arguments

-shellArgs=(
+nixArgs=(
  "--show-trace"
 )

 if [[ -n "${TARGET}" ]]; then
-    shellArgs+=("--argstr target ${TARGET}")
+    nixArgs+=("--argstr target ${TARGET}")
 else
    echo -e "${YLW}Env is missing TARGET, assuming default target.${RST} See nix/README.md for more details." 1>&2
 fi
@ -32,7 +32,7 @@ if [[ "$TARGET" =~ (linux|windows|darwin|macos) ]]; then
  # This is a dirty workaround because 'yarn install' is an impure operation,
  # so we need to call it from an impure shell.
  # Hopefully we'll be able to fix this later on with something like yarn2nix
-  nix-shell ${shellArgs[@]} --run "scripts/prepare-for-desktop-platform.sh" || exit
+  nix-shell ${nixArgs[@]} --run "scripts/prepare-for-desktop-platform.sh" || exit
 fi

 config=''
@ -45,13 +45,13 @@ fi
 config+="status-im.build-type=\"${BUILD_TYPE}\";"

 if [ -n "$config" ]; then
-  shellArgs+=("--arg config {$config}")
+  nixArgs+=("--arg config {$config}")
 fi

 # if _NIX_ATTR is specified we shouldn't use shell.nix, the path will be different
 entryPoint="shell.nix"
 if [ -n "${_NIX_ATTR}" ]; then
-  shellArgs+=("--attr ${_NIX_ATTR}")
+  nixArgs+=("--attr ${_NIX_ATTR}")
  entryPoint="default.nix"
 fi

@ -59,18 +59,18 @@ fi
 # It is just a special string, not a variable, and a marker to not use `--run`.
 if [[ $@ == "ENTER_NIX_SHELL" ]]; then
  echo -e "${GRN}Configuring ${_NIX_ATTR:-default} Nix shell for target '${TARGET:-default}'...${RST}" 1>&2
-  exec nix-shell ${shellArgs[@]} ${entryPoint}
+  exec nix-shell ${nixArgs[@]} ${entryPoint}
 else
  # Not all builds are ready to be run in a pure environment
  if [[ -n "${_NIX_PURE}" ]]; then
-    shellArgs+=("--pure")
+    nixArgs+=("--pure")
    pureDesc='pure '
  fi
  # This variable allows specifying which env vars to keep for Nix pure shell
  # The separator is a colon
  if [[ -n "${_NIX_KEEP}" ]]; then
-    shellArgs+=("--keep ${_NIX_KEEP//,/ --keep }")
+    nixArgs+=("--keep ${_NIX_KEEP//,/ --keep }")
  fi
  echo -e "${GRN}Configuring ${pureDesc}${_NIX_ATTR:-default} Nix shell for target '${TARGET}'...${RST}" 1>&2
-  exec nix-shell ${shellArgs[@]} --run "$@" ${entryPoint}
+  exec nix-shell ${nixArgs[@]} --run "$@" ${entryPoint}
 fi
--- a/scripts/generate-keystore.sh
+++ b/scripts/generate-keystore.sh
@ -9,19 +9,25 @@ function property() {
    grep "${2}" "${1}" | cut -d'=' -f2
 }

-function property_gradle() {
+function gradle_property() {
    property ${GIT_ROOT}/android/gradle.properties ${1}
 }

-KEYSTORE_PASSWORD=$(property_gradle 'KEYSTORE_PASSWORD')
-KEYSTORE_ALIAS=$(property_gradle 'KEYSTORE_ALIAS')
-KEYSTORE_KEY_PASSWORD=$(property_gradle 'KEYSTORE_KEY_PASSWORD')
+function env_var_or_gradle_prop() {
+    VAR_NAME="${1}"
+    if [[ -n "${!VAR_NAME}" ]]; then
+        echo "${!VAR_NAME}"
+    else
+        gradle_property "${VAR_NAME}"
+    fi
+}

-# Allow Makefile modify Keystore path if necessary
-if [[ -z ${KEYSTORE_PATH} ]]; then
-    KEYSTORE_PATH=$(property_gradle 'KEYSTORE_FILE')
-fi
-# Replace ~ with proper absolute path
+KEYSTORE_PASSWORD=$(env_var_or_gradle_prop 'KEYSTORE_PASSWORD')
+KEYSTORE_ALIAS=$(env_var_or_gradle_prop 'KEYSTORE_ALIAS')
+KEYSTORE_KEY_PASSWORD=$(env_var_or_gradle_prop 'KEYSTORE_KEY_PASSWORD')
+KEYSTORE_PATH=$(env_var_or_gradle_prop 'KEYSTORE_PATH')
+
+# Use absolute path for Keystore
 KEYSTORE_PATH=${KEYSTORE_PATH/#\~/$HOME}

 if [[ -e "${KEYSTORE_PATH}" ]]; then
@ -30,7 +36,7 @@ if [[ -e "${KEYSTORE_PATH}" ]]; then
    exit 0
 fi

-KEYSTORE_DIR=$(dirname "${S/TATUS_RELEASE_STORE_FILE}")
+KEYSTORE_DIR=$(dirname "${KEYSTORE_PATH}")
 [[ -d $KEYSTORE_DIR ]] || mkdir -p $KEYSTORE_DIR

 echo -e "${GRN}Generating keystore...${RST}" > /dev/stderr
--- a/scripts/release-android.sh
+++ b/scripts/release-android.sh
@ -16,6 +16,13 @@ function must_get_env() {
  exit 1
 }

+function append_env_export() {
+  ENV_VAR_NAME=${1}
+  if [[ -n "${!ENV_VAR_NAME}" ]]; then
+    echo "export ${ENV_VAR_NAME}=\"${!ENV_VAR_NAME}\";" >> "${SECRETS_FILE_PATH}"
+  fi
+}
+
 config=''
 if [ -n "${STATUS_GO_SRC_OVERRIDE}" ]; then
  config+="status-im.status-go.src-override=\"${STATUS_GO_SRC_OVERRIDE}\";"
@ -26,9 +33,17 @@ fi
 config+="status-im.build-type=\"$(must_get_env BUILD_TYPE)\";"
 config+="status-im.status-react.build-number=\"$(must_get_env BUILD_NUMBER)\";"
 config+="status-im.status-react.keystore-file=\"$(must_get_env KEYSTORE_PATH)\";"
-nixOpts=(
-  "--arg config {${config}}"
-  "--arg env {BUILD_ENV=\"${BUILD_ENV}\";ANDROID_ABI_SPLIT=\"${ANDROID_ABI_SPLIT}\";ANDROID_ABI_INCLUDE=\"${ANDROID_ABI_INCLUDE}\";}"
+nixOpts=()
+
+# Secrets like this can't be passed via args or they end up in derivation
+SECRETS_FILE_PATH=$(mktemp)
+chmod 644 ${SECRETS_FILE_PATH}
+trap "rm -f ${SECRETS_FILE_PATH}" EXIT
+append_env_export 'KEYSTORE_PASSWORD'
+append_env_export 'KEYSTORE_ALIAS'
+append_env_export 'KEYSTORE_KEY_PASSWORD'
+nixOpts+=(
+  "--argstr" "secrets-file" "${SECRETS_FILE_PATH}"
 )

 if [[ "$OS" =~ Darwin ]]; then
@ -37,13 +52,19 @@ if [[ "$OS" =~ Darwin ]]; then
  # we start an ad-hoc nix-shell that imports the packages from nix/nixpkgs-bootstrap.
  WATCHMAN_SOCKFILE=$(watchman get-sockname --no-pretty | jq -r .sockname)
  nixOpts+=(
-    "--argstr watchmanSockPath ${WATCHMAN_SOCKFILE}"
-    "--option extra-sandbox-paths ${KEYSTORE_PATH};${WATCHMAN_SOCKFILE}"
+    " --argstr" "watchmanSockPath" "${WATCHMAN_SOCKFILE}"
+    " --option" "extra-sandbox-paths" "${KEYSTORE_PATH} ${SECRETS_FILE_PATH} ${WATCHMAN_SOCKFILE}"
  )
 else
+  echo wtf
  nixOpts+=(
-    "--option extra-sandbox-paths ${KEYSTORE_PATH}"
+    "--option" "extra-sandbox-paths" "${KEYSTORE_PATH} ${SECRETS_FILE_PATH}"
  )
 fi

+nixOpts+=(
+  "--arg" "config" "{${config}}"
+  "--arg" "env" "{BUILD_ENV=\"${BUILD_ENV}\";ANDROID_ABI_SPLIT=\"${ANDROID_ABI_SPLIT}\";ANDROID_ABI_INCLUDE=\"${ANDROID_ABI_INCLUDE}\";}"
+)
+
 ${GIT_ROOT}/nix/scripts/build.sh targets.mobile.android.release "${nixOpts[@]}"