Update checksums and GPG signatures, support older glibc

.github/workflows/build.yml

@@ -8,30 +8,6 @@ on:
     inputs:
 
 jobs:
-  deb_build:
-    name: deb build
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Docker build
-        run: ./docker/build/host-refresh.sh "$GITHUB_WORKSPACE" amd64
-      - name: Import GPG key
-        uses: crazy-max/[email protected]
-        with:
-          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.GPG_PASSPHRASE }}
-      - name: Docker run
-        run: ./docker/build/host-build.sh "$GITHUB_WORKSPACE" amd64 deb
-      - name: Upload artifacts
-        uses: actions/upload-artifact@v3
-        with:
-          name: wordfence_cli_deb
-          path: |
-            ${{ github.workspace }}/docker/build/volumes/output/wordfence_*.deb
-            ${{ github.workspace }}/docker/build/volumes/output/wordfence_*.deb.sha256
-            ${{ github.workspace }}/docker/build/volumes/output/wordfence_*.deb.asc
-            ${{ github.workspace }}/docker/build/volumes/output/wordfence_*.deb.sha256.asc
   linux_standalone_build:
     name: Linux standalone build
     runs-on: ubuntu-20.04
@@ -47,14 +23,9 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
       - name: Docker build
-        run: ./docker/build/host-refresh.sh "$GITHUB_WORKSPACE" "$ARCHITECTURE"
+        run: ./docker/build/host-refresh.sh "$GITHUB_WORKSPACE" "$ARCHITECTURE" standalone
         env:
           ARCHITECTURE: ${{ matrix.arch }}
-      - name: Import GPG key
-        uses: crazy-max/[email protected]
-        with:
-          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.GPG_PASSPHRASE }}
       - name: Docker run
         run: ./docker/build/host-build.sh "$GITHUB_WORKSPACE" "$ARCHITECTURE" standalone
         env:
@@ -63,11 +34,22 @@ jobs:
         uses: actions/upload-artifact@v3
         with:
           name: wordfence_cli_${{ matrix.arch }}
-          path: |
-            ${{ github.workspace }}/docker/build/volumes/output/wordfence_*.tar.gz
-            ${{ github.workspace }}/docker/build/volumes/output/wordfence_*.tar.gz.sha256
-            ${{ github.workspace }}/docker/build/volumes/output/wordfence_*.tar.gz.asc
-            ${{ github.workspace }}/docker/build/volumes/output/wordfence_*.tar.gz.sha256.asc
+          path: ${{ github.workspace }}/docker/build/volumes/output/wordfence_*.tar.gz
+  deb_build:
+    name: deb build
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Docker build
+        run: ./docker/build/host-refresh.sh "$GITHUB_WORKSPACE" amd64 deb
+      - name: Docker run
+        run: ./docker/build/host-build.sh "$GITHUB_WORKSPACE" amd64 deb
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: wordfence_cli_deb
+          path: ${{ github.workspace }}/docker/build/volumes/output/wordfence.deb
   python_build:
     name: Python build
     runs-on: ubuntu-20.04
@@ -78,25 +60,10 @@ jobs:
         uses: actions/setup-python@v4
         with:
           python-version: '3.8'
-      - name: Import GPG key
-        uses: crazy-max/[email protected]
-        with:
-          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.GPG_PASSPHRASE }}
       - name: Python build
         run: |
           pip install build~=0.10
           python3 -m build
-      - name: Create checksums and signatures
-        run: |
-          VERSION=$(python3 -c "from wordfence import version; print(version.__version__)")
-          cd dist
-          sha256sum "wordfence-${VERSION}.tar.gz" > "wordfence-${VERSION}.tar.gz.sha256"
-          sha256sum "wordfence-${VERSION}-py3-none-any.whl" > "wordfence-${VERSION}-py3-none-any.whl.sha256"
-          gpg --detach-sign --armor --local-user '=Wordfence <[email protected]>' "wordfence-${VERSION}.tar.gz"
-          gpg --detach-sign --armor --local-user '=Wordfence <[email protected]>' "wordfence-${VERSION}-py3-none-any.whl"
-          gpg --detach-sign --armor --local-user '=Wordfence <[email protected]>' "wordfence-${VERSION}.tar.gz.sha256"
-          gpg --detach-sign --armor --local-user '=Wordfence <[email protected]>' "wordfence-${VERSION}-py3-none-any.whl.sha256"
       - name: Upload artifacts
         uses: actions/upload-artifact@v3
         with:
@@ -106,3 +73,41 @@ jobs:
             ${{ github.workspace }}/dist/*.whl
             ${{ github.workspace }}/dist/*.sha256
             ${{ github.workspace }}/dist/*.asc
+  generate_checksums:
+    name: Generate checksums
+    runs-on: ubuntu-22.04
+    needs:
+      - linux_standalone_build
+      - deb_build
+      - python_build
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+      - name: Create checksums
+        run: |
+          touch checksums.txt
+          for artifact in \
+            wordfence_cli_amd64 \
+            wordfence_cli_arm64 \
+            wordfence_cli_deb \
+            wordfence_cli_python
+          do
+            pushd "$artifact"
+            sha256sum * >> ../checksums.txt
+            popd
+          done
+          cat checksums.txt
+      - name: Import GPG key
+        uses: crazy-max/[email protected]
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+      - name: Sign checksums file
+        run: gpg --detach-sign --armor --local-user '=Wordfence <[email protected]>' checksums.txt
+      - name: Upload checksums and signature
+        uses: actions/upload-artifact@v3
+        with:
+          name: wordfence_cli_checksums
+          path: |
+            ${{ github.workspace }}/checksums.txt
+            ${{ github.workspace }}/checksums.txt.asc

.github/workflows/release.yml

@@ -94,19 +94,13 @@ jobs:
         uses: softprops/action-gh-release@v1
         with:
           files: |
-            wordfence_cli_python/*.tar.gz
-            wordfence_cli_python/*.whl
-            wordfence_cli_python/*.sha256
-            wordfence_cli_python/*.asc
             wordfence_cli_amd64/*.tar.gz
-            wordfence_cli_amd64/*.sha256
-            wordfence_cli_amd64/*.asc
             wordfence_cli_arm64/*.tar.gz
-            wordfence_cli_arm64/*.sha256
-            wordfence_cli_arm64/*.asc
             wordfence_cli_deb/*.deb
-            wordfence_cli_deb/*.sha256
-            wordfence_cli_deb/*.asc
+            wordfence_cli_python/*.whl
+            wordfence_cli_python/*.tar.gz
+            wordfence_cli_checksums/checksums.txt
+            wordfence_cli_checksums/checksums.txt.asc
           target_commitish: ${{ steps.get-commit-hash.outputs.BUILD_COMMIT_HASH }}
           tag_name: ${{ inputs.release_tag }}
           draft: true

README.md

@@ -22,7 +22,7 @@ If you'd like to install Wordfence CLI manually or use CLI for development, you
 - Python >= 3.8
 - The C library `libpcre` >= 8.38
 - Python packages:
-	- `packaging` >= 23.1
+	- `packaging` >= 21.0 
 	- `requests` >= 2.3
 
 ### Obtaining a license

docker/build/build.Dockerfile → docker/build/build-deb.Dockerfile

@@ -1,8 +1,7 @@
 FROM ubuntu:22.04
 
 ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update && apt-get install -y debsigs \
-    dpkg-sig \
+RUN apt-get update && apt-get install -y \
     devscripts \
     debhelper \
     dh-python \

docker/build/build-standalone.Dockerfile

@@ -0,0 +1,16 @@
+FROM ubuntu:18.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y \
+    python3.8 \
+    python3.8-dev \
+    python3-pip \
+    libffi-dev
+
+COPY ./docker/build/entrypoint.sh /root/entrypoint.sh
+COPY ./ /root/wordfence-cli
+
+RUN chmod +x /root/entrypoint.sh
+
+ENTRYPOINT ["/bin/bash"]
+CMD ["/root/entrypoint.sh"]

docker/build/entrypoint.sh

@@ -4,17 +4,17 @@ set -e
 cd /root/wordfence-cli
 
 ARCHITECTURE=$(dpkg --print-architecture)
-VERSION=$(python3 -c 'from wordfence import version; print(version.__version__)')
-GPG_USER='=Wordfence <[email protected]>'
-
-# install build requirements
-pip install --upgrade pip
-pip install -r requirements.txt --force-reinstall
 
 if [ "$PACKAGE_TYPE" = 'deb' ] || [ "$PACKAGE_TYPE" = 'all' ]; then
 
   # build deb package
 
+  VERSION=$(python3 -c 'from wordfence import version; print(version.__version__)')
+
+  # install build requirements
+  python3 -m pip install --upgrade pip
+  python3 -m pip install -r requirements.txt --force-reinstall
+
   export DEBFULLNAME='Wordfence'
   export DEBEMAIL='[email protected]'
   echo 'Generating changelog'
@@ -29,37 +29,25 @@ if [ "$PACKAGE_TYPE" = 'deb' ] || [ "$PACKAGE_TYPE" = 'all' ]; then
   # build the package
   dpkg-buildpackage -us -uc -b
 
+  # copy to output volume
   pushd ..
-
-  # sign and generate checksum
   DEB_FILENAME="wordfence_${VERSION}_all"
-  sha256sum "${DEB_FILENAME}.deb" > "${DEB_FILENAME}.deb.sha256"
-  gpg \
-    --homedir "$CONTAINER_GPG_HOME_DIR" \
-    --detach-sign \
-    --armor \
-    --local-user "$GPG_USER" \
-    "${DEB_FILENAME}.deb"
-  gpg \
-    --homedir "$CONTAINER_GPG_HOME_DIR" \
-    --detach-sign \
-    --armor \
-    --local-user "$GPG_USER" \
-    "${DEB_FILENAME}.deb.sha256"
-  cp \
-    "${DEB_FILENAME}.deb" \
-    "${DEB_FILENAME}.deb.asc" \
-    "${DEB_FILENAME}.deb.sha256" \
-    "${DEB_FILENAME}.deb.sha256.asc" \
-    /root/output
-
+  cp "${DEB_FILENAME}.deb" /root/output/wordfence.deb
   popd
 
 fi
 
 if [ "$PACKAGE_TYPE" = 'standalone' ] || [ "$PACKAGE_TYPE" = 'all' ]; then
 
   # build standalone executable
+
+  VERSION=$(python3.8 -c 'from wordfence import version; print(version.__version__)')
+
+  # install build requirements
+  python3.8 -m pip install --upgrade pip
+  python3.8 -m pip install -r requirements.txt --force-reinstall
+  # Ubuntu 18.04 requires this additional package (as well as the OS package libffi-dev)
+  python3.8 -m pip install cffi
 
   pyinstaller \
     --name wordfence \
@@ -76,31 +64,11 @@ if [ "$PACKAGE_TYPE" = 'standalone' ] || [ "$PACKAGE_TYPE" = 'all' ]; then
     --hidden-import wordfence.cli.version.definition \
     main.py
 
+  # compress and copy to output volume
   pushd /root/wordfence-cli/dist
-
-  # compress the standalone executable, checksum and sign it, and copy both to the output directory
   STANDALONE_FILENAME="wordfence_${VERSION}_${ARCHITECTURE}_linux_exec"
   tar -czvf "${STANDALONE_FILENAME}.tar.gz" wordfence
-  sha256sum "${STANDALONE_FILENAME}.tar.gz" > "${STANDALONE_FILENAME}.tar.gz.sha256"
-  gpg \
-    --homedir "$CONTAINER_GPG_HOME_DIR" \
-    --detach-sign \
-    --armor \
-    --local-user "$GPG_USER" \
-    "${STANDALONE_FILENAME}.tar.gz"
-  gpg \
-    --homedir "$CONTAINER_GPG_HOME_DIR" \
-    --detach-sign \
-    --armor \
-    --local-user "$GPG_USER" \
-    "${STANDALONE_FILENAME}.tar.gz.sha256"
-  cp \
-    "${STANDALONE_FILENAME}.tar.gz" \
-    "${STANDALONE_FILENAME}.tar.gz.asc" \
-    "${STANDALONE_FILENAME}.tar.gz.sha256" \
-    "${STANDALONE_FILENAME}.tar.gz.sha256.asc" \
-    /root/output
-
+  cp "${STANDALONE_FILENAME}.tar.gz" "/root/output/wordfence_${ARCHITECTURE}.tar.gz"
   popd
 
 fi

docker/build/host-build.sh

@@ -15,24 +15,18 @@ elif [ "$2" != "amd64" ] && [ "$2" != "arm64" ]; then
 elif [ -z ${3:+x} ]; then
     echo "You must provide the package type as the third argument"
     exit 1
-elif [ "$3" != "deb" ] && [ "$3" != "standalone" ] && [ "$3" != "all" ]; then
-    echo "Invalid package type (must be deb, standalone, or all)"
+elif [ "$3" != "deb" ] && [ "$3" != "standalone" ]; then
+    echo "Invalid package type (must be deb or standalone)"
     exit 1
 fi
 
 PROJECT_DIR=$(realpath "$1")
 echo "output path: $PROJECT_DIR/docker/build/volumes/output"
 ARCHITECTURE="$2"
 PACKAGE_TYPE="$3"
-GPG_HOME_DIR=$(gpgconf --list-dirs homedir)
-GPG_SOCKET=$(gpgconf --list-dirs agent-socket)
-CONTAINER_GPG_HOME_DIR="/var/run/host_gpg_home_dir"
 docker run \
     --name "wfcli-build-container-${ARCHITECTURE}" \
     --platform "linux/${ARCHITECTURE}" \
     -v "${PROJECT_DIR}/docker/build/volumes/output/:/root/output:rw" \
-    -v "${GPG_HOME_DIR}:${CONTAINER_GPG_HOME_DIR}:rw" \
-    -v "${GPG_SOCKET}:${CONTAINER_GPG_HOME_DIR}/S.gpg-agent:rw" \
-    -e "CONTAINER_GPG_HOME_DIR=${CONTAINER_GPG_HOME_DIR}" \
     -e "PACKAGE_TYPE=${PACKAGE_TYPE}" \
     "wfcli-build-$ARCHITECTURE"

docker/build/host-refresh.sh

@@ -12,15 +12,22 @@ elif [ -z ${2:+x} ]; then
 elif [ "$2" != "amd64" ] && [ "$2" != "arm64" ]; then
     echo "Invalid architecture (must be amd64 or arm64)"
     exit 1
+elif [ -z ${3:+x} ]; then
+    echo "You must provide the package type as the third argument"
+    exit 1
+elif [ "$3" != "deb" ] && [ "$3" != "standalone" ]; then
+    echo "Invalid package type (must be deb or standalone)"
+    exit 1
 fi
 
 PROJECT_DIR=$(realpath "$1")
 ARCHITECTURE="$2"
+PACKAGE_TYPE="$3"
 
 docker rmi -f "wfcli-build-$ARCHITECTURE" 2>/dev/null
 docker build \
     --no-cache \
     -t "wfcli-build-${ARCHITECTURE}" \
     --platform "linux/${ARCHITECTURE}" \
-    -f "${PROJECT_DIR}/docker/build/build.Dockerfile" \
+    -f "${PROJECT_DIR}/docker/build/build-${PACKAGE_TYPE}.Dockerfile" \
     "$PROJECT_DIR"