artc 0.1.1

A program for downloading artifacts and verifying the sha hashes and pgp signatures

Artifact Configuration


Downloading artifacts

To begin the build process, create an input file, for example urls.txt.

Next, run the following command:

artc download --input urls.txt

This will generate files under the target directory: ./target/artc

The asc.tsv file contains the fingerprint and the URL of the main artifact.

The keys directory contains any of the downloaded keys used in verifying signatures.

Finally, the pubring.kbx file is the keystore with the imported keys.

The sha.tsv file contains the sha256, followed by a field whose value is gen or ver.

The gen value means that the sha256 was generated by the build itself: there was no associated ${url}.sha2 file to download and verify against.

For example, this URL does not exist so its field value is gen

The ver field value means that the ${url}.sha2 file exists and the build verified the main artifact sha256 against this value.
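The gen/ver distinction described above, as an added example that is not artc's own code. It assumes sha.tsv is tab-separated with the sha256 first and the gen/ver field second, and that a ${url}.sha2 body starts with the hex digest; the function names and sample data are hypothetical.

```python
from __future__ import annotations
import hashlib
import hmac
import re

SHA256_RE = re.compile(r"[0-9a-f]{64}")

def classify(artifact: bytes, sha2_text: str | None) -> tuple[str, str]:
    """Return (sha256, status) for one artifact.

    sha2_text is the body of ${url}.sha2, or None when that file does not exist.
    Assumption: the body begins with the hex digest (sha256sum style).
    """
    digest = hashlib.sha256(artifact).hexdigest()
    if sha2_text is None:
        return digest, "gen"  # self-computed only, nothing published to compare
    parts = sha2_text.split()
    published = parts[0].lower() if parts else ""
    if not SHA256_RE.fullmatch(published):
        raise ValueError("malformed .sha2 content")
    if not hmac.compare_digest(digest, published):
        raise ValueError(f"sha256 mismatch: computed {digest}, published {published}")
    return digest, "ver"

def audit_sha_tsv(text: str) -> dict[str, list[str]]:
    """Group the sha256 values of a sha.tsv by status; reject malformed rows.

    Assumption: field 1 is the sha256, field 2 is gen or ver, extra fields ignored.
    """
    report: dict[str, list[str]] = {"gen": [], "ver": []}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 2 or not SHA256_RE.fullmatch(fields[0]) or fields[1] not in report:
            raise ValueError(f"sha.tsv line {n}: unexpected row {line!r}")
        report[fields[1]].append(fields[0])
    return report

# Constructed sample data, not output from a real artc run.
ARTIFACT = b"constructed artifact bytes\n"
DIGEST = hashlib.sha256(ARTIFACT).hexdigest()
OTHER = hashlib.sha256(b"constructed artifact without a .sha2 file").hexdigest()
SAMPLE_TSV = f"{DIGEST}\tver\n{OTHER}\tgen\n"

if __name__ == "__main__":
    report = audit_sha_tsv(SAMPLE_TSV)
    print(f"{len(report['ver'])} verified, {len(report['gen'])} generated only")
    for sha in report["gen"]:
        print("no published sha256 to compare against:", sha)
```

A gen row only records what was downloaded, so for those artifacts the PGP signature (or an out-of-band hash) is the only independent check.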

RBM

This command generates Tor RBM config files.

The keyring option specifies the name of the keyring that you will use for the downloaded artifacts. For example, if you specify the keyring as android.gpg, the pubring.kbx file will be renamed to android.gpg.

The following entries will be found in the rbm/config file. Notice that the config has a comment if the sha has not been verified. The build will only use the sha256 if the asc file can't be used.

Since RBM uses a flat directory structure for downloads, a script is also generated that can place the artifacts in a Maven repo structure. It is found in rbm/create_maven_repo.sh.

Package

As an alternative to generating RBM files, you can package the artifacts into a Maven repo format.

This copies the artifacts from the artifacts directory to the m2 directory and then archives the m2 directory as maven-repo.tar.gz.

It outputs the hash value to use in an RBM config (or other build).

Note that for an RBM build, this archive will need to be uploaded to some location. The URL of the archive will then need to be added to the config file.

Additional info

Reproducible Build Manager - https://rbm.torproject.org/