su3 for dev builds #441

comment:14 Changed 6 years ago by zzz

Status:accepted →
testing

in cc146ec3a494bf27d04177d6dd9e2d22bc634348 0.9.19-17

[comment:14](https://trac.i2p2.de/\#comment:14) Changed [6 years ago](https://trac.i2p2.de//timeline?from=2015-05-07T13%3A07%3A11Z&precision=second "See timeline at May 7, 2015 1:07:11 PM") by zzz Status:accepted → testing in cc146ec3a494bf27d04177d6dd9e2d22bc634348 0.9.19-17

idk commented

comment:13 in reply to: 12 Changed 6 years ago by killyourtv

Replying to zzz:

Your build.xml changes two comments up look fine, thank you.

Excellent. I'll go check it in.

[comment:13](https://trac.i2p2.de/\#comment:13) in reply to: [12](https://trac.i2p2.de/\#comment:12) Changed [6 years ago](https://trac.i2p2.de//timeline?from=2015-05-06T23%3A25%3A38Z&precision=second "See timeline at May 6, 2015 11:25:38 PM") by killyourtv Replying to [zzz](https://trac.i2p2.de//ticket/1381#comment:12 "Comment 12"): > Your build.xml changes two comments up look fine, thank you. Excellent. I'll go check it in.

idk commented

comment:12follow-up: 13 Changed 6 years ago by zzz

After discussion on IRC I think the build number as version is the best approach.

psi likely does not have any subscribers, and builds hourly even if no checkin at all, so he would need to modify his scripts anyway to provide a useful service.

ech confirmed he wants to reuse his reseed cert. He doesn't do automatic builds and doesn't do them very often.

Your build.xml changes two comments up look fine, thank you.

I tested enough to get the 0.9.19-16 version out of your su3 file but haven't actually downloaded and updated to it yet. More testing to follow.

[comment:12](https://trac.i2p2.de/\#comment:12)follow-up: [13](https://trac.i2p2.de/\#comment:13) Changed [6 years ago](https://trac.i2p2.de//timeline?from=2015-05-06T22%3A49%3A58Z&precision=second "See timeline at May 6, 2015 10:49:58 PM") by zzz After discussion on IRC I think the build number as version is the best approach. psi likely does not have any subscribers, and builds hourly even if no checkin at all, so he would need to modify his scripts anyway to provide a useful service. ech confirmed he wants to reuse his reseed cert. He doesn't do automatic builds and doesn't do them very often. Your build.xml changes two comments up look fine, thank you. I tested enough to get the 0.9.19-16 version out of your su3 file but haven't actually downloaded and updated to it yet. More testing to follow.

idk commented

http://update.killyourtv.i2p/mtn/i2pupdate.su3

comment:11 in reply to: 7 Changed 6 years ago by killyourtv

Replying to zzz:

I will be testing locally soon, and whenever kytv and echelon have their su3 files built, please pass along a URL so I may test.

The current file has the following specs:

-sign-update:
    [input] skipping input as property release.privkey.su3 has already been set.
    [input] skipping input as property release.signer.su3 has already been set.
    [input] skipping input as property release.password.su3 has already been set.
     [java] Enter password for key "killyourtv@mail.i2p": Input file 'i2pupdate200.zip' signed and written to 'i2pupdate.su3'
     [echo] Verify version and VALID signature:
     [java] Signature VALID (signed by killyourtv@mail.i2p RSA_SHA512_4096)
     [java] Version:  0.9.19-16
     [java] Signer:   killyourtv@mail.i2p
     [java] SigType:  RSA_SHA512_4096
     [java] Content:  ROUTER
     [java] FileType: ZIP

[comment:11](https://trac.i2p2.de/\#comment:11) in reply to: [7](https://trac.i2p2.de/\#comment:7) Changed [6 years ago](https://trac.i2p2.de//timeline?from=2015-05-06T21%3A24%3A47Z&precision=second "See timeline at May 6, 2015 9:24:47 PM") by killyourtv Replying to [zzz](https://trac.i2p2.de//ticket/1381#comment:7 "Comment 7"): > I will be testing locally soon, and whenever kytv and echelon have their su3 files built, please pass along a URL so I may test. [http://update.killyourtv.i2p/mtn/i2pupdate.su3](https://trac.i2p2.de/http://update.killyourtv.i2p/mtn/i2pupdate.su3) The current file has the following specs: ``` -sign-update: [input] skipping input as property release.privkey.su3 has already been set. [input] skipping input as property release.signer.su3 has already been set. [input] skipping input as property release.password.su3 has already been set. [java] Enter password for key "killyourtv@mail.i2p": Input file 'i2pupdate200.zip' signed and written to 'i2pupdate.su3' [echo] Verify version and VALID signature: [java] Signature VALID (signed by killyourtv@mail.i2p RSA_SHA512_4096) [java] Version: 0.9.19-16 [java] Signer: killyourtv@mail.i2p [java] SigType: RSA_SHA512_4096 [java] Content: ROUTER [java] FileType: ZIP ```

idk commented

comment:10 Changed 6 years ago by killyourtv

Assuming we go with build numbers, this would do the right thing.

#
# patch "build.xml"
#  from [e213b3ed89ebccb6e37fe1d4d15afb60de7667c1]
#    to [89719c6332ab1baff8a0598b8d465f93825abe28]
#
============================================================
--- build.xml   e213b3ed89ebccb6e37fe1d4d15afb60de7667c1
+++ build.xml   89719c6332ab1baff8a0598b8d465f93825abe28
@@ -175,6 +175,7 @@
         <attribute name="infile" />
         <attribute name="outfile" />
         <attribute name="sigtype" />
+        <attribute name="su3.ver" />
         <sequential>
         <input message="Enter su3 private signing key store:" addproperty="release.privkey.su3" />
         <fail message="You must enter an existing file path." >
@@ -211,7 +212,7 @@
                 <arg value="@{infile}" />
                 <arg value="@{outfile}" />
                 <arg value="${release.privkey.su3}" />
-                <arg value="${release.number}" />
+                <arg value="@{su3.ver}" />
                 <arg value="${release.signer.su3}" />
             </java>
             <echo message="Verify version and VALID signature:" />
@@ -257,6 +258,14 @@
          so the build will go faster.
       -->

+    <target name="-setepoch">
+        <script language="javascript">
+            <![CDATA[
+              property = project.setProperty("epoch",Math.floor((new Date()).getTime()/1000));
+            ]]>
+        </script>
+    </target>
+
     <target name="buildBOB" depends="buildStreaming" >
         <ant dir="apps/BOB/" target="jar" />
         <copy file="apps/BOB/dist/BOB.jar" todir="build/" />
@@ -1219,11 +1228,11 @@
         </fail>
     </target>

-    <target name="i2pseeds" depends="-areRouterInfosEnabled, prepRouterInfos">
+    <target name="i2pseeds" depends="-setepoch, -areRouterInfosEnabled, prepRouterInfos">
         <delete file="i2pseeds.zip" />
         <delete file="i2pseeds.su3" />
         <zip destfile="i2pseeds.zip" basedir="pkg-temp/netDb" whenempty="fail" />
-        <su3sign infile="i2pseeds.zip" sigtype="RESEED" outfile="i2pseeds.su3" />
+        <su3sign infile="i2pseeds.zip" sigtype="RESEED" outfile="i2pseeds.su3" su3.ver="${epoch}" />
     </target>

     <!-- this is no longer required, izpack 4.3.0 supports headless installs with java -jar i2pinstall.exe -console -->
@@ -1289,7 +1298,7 @@
     <target name="updaterRouter" depends="prepupdateRouter, zipit" />

     <target name="-sign-update" depends="buildrouter">
-        <su3sign infile="i2pupdate200.zip" sigtype="ROUTER" outfile="i2pupdate.su3" />
+        <su3sign infile="i2pupdate200.zip" sigtype="ROUTER" outfile="i2pupdate.su3" su3.ver="${full.version}" />
     </target>

     <target name="signed-updater200" depends="updater200, -sign-update" />
@@ -1769,7 +1778,7 @@
         <!-- now build and verify the packed su2 from the packed zip -->
         <sudsign infile="i2pupdate200.zip" outfile="i2pupdate.su2" />
         <!-- now build and verify the packed su3 from the packed zip -->
-        <su3sign infile="i2pupdate200.zip" sigtype="ROUTER" outfile="i2pupdate.su3" />
+        <su3sign infile="i2pupdate200.zip" sigtype="ROUTER" outfile="i2pupdate.su3" su3.ver="${release.number}" />
         <!-- this will use the monotonerc file in the current workspace -->
         <echo message="Checking out fresh copy into ../i2p-${release.number} for tarballing:" />
         <delete dir="../i2p-${release.number}" />

[comment:10](https://trac.i2p2.de/\#comment:10) Changed [6 years ago](https://trac.i2p2.de//timeline?from=2015-05-06T17%3A44%3A50Z&precision=second "See timeline at May 6, 2015 5:44:50 PM") by killyourtv Assuming we go with build numbers, this would do the right thing. ``` # # patch "build.xml" # from [e213b3ed89ebccb6e37fe1d4d15afb60de7667c1] # to [89719c6332ab1baff8a0598b8d465f93825abe28] # ============================================================ --- build.xml e213b3ed89ebccb6e37fe1d4d15afb60de7667c1 +++ build.xml 89719c6332ab1baff8a0598b8d465f93825abe28 @@ -175,6 +175,7 @@ <attribute name="infile" /> <attribute name="outfile" /> <attribute name="sigtype" /> + <attribute name="su3.ver" /> <sequential> <input message="Enter su3 private signing key store:" addproperty="release.privkey.su3" /> <fail message="You must enter an existing file path." > @@ -211,7 +212,7 @@ <arg value="@{infile}" /> <arg value="@{outfile}" /> <arg value="${release.privkey.su3}" /> - <arg value="${release.number}" /> + <arg value="@{su3.ver}" /> <arg value="${release.signer.su3}" /> </java> <echo message="Verify version and VALID signature:" /> @@ -257,6 +258,14 @@ so the build will go faster. --> + <target name="-setepoch"> + <script language="javascript"> + <![CDATA[ + property = project.setProperty("epoch",Math.floor((new Date()).getTime()/1000)); + ]]> + </script> + </target> + <target name="buildBOB" depends="buildStreaming" > <ant dir="apps/BOB/" target="jar" /> <copy file="apps/BOB/dist/BOB.jar" todir="build/" /> @@ -1219,11 +1228,11 @@ </fail> </target> - <target name="i2pseeds" depends="-areRouterInfosEnabled, prepRouterInfos"> + <target name="i2pseeds" depends="-setepoch, -areRouterInfosEnabled, prepRouterInfos"> <delete file="i2pseeds.zip" /> <delete file="i2pseeds.su3" /> <zip destfile="i2pseeds.zip" basedir="pkg-temp/netDb" whenempty="fail" /> - <su3sign infile="i2pseeds.zip" sigtype="RESEED" outfile="i2pseeds.su3" /> + <su3sign infile="i2pseeds.zip" sigtype="RESEED" outfile="i2pseeds.su3" su3.ver="${epoch}" /> </target>  @@ -1289,7 +1298,7 @@ <target name="updaterRouter" depends="prepupdateRouter, zipit" /> <target name="-sign-update" depends="buildrouter"> - <su3sign infile="i2pupdate200.zip" sigtype="ROUTER" outfile="i2pupdate.su3" /> + <su3sign infile="i2pupdate200.zip" sigtype="ROUTER" outfile="i2pupdate.su3" su3.ver="${full.version}" /> </target> <target name="signed-updater200" depends="updater200, -sign-update" /> @@ -1769,7 +1778,7 @@  <sudsign infile="i2pupdate200.zip" outfile="i2pupdate.su2" />  - <su3sign infile="i2pupdate200.zip" sigtype="ROUTER" outfile="i2pupdate.su3" /> + <su3sign infile="i2pupdate200.zip" sigtype="ROUTER" outfile="i2pupdate.su3" su3.ver="${release.number}" />  <echo message="Checking out fresh copy into ../i2p-${release.number} for tarballing:" /> <delete dir="../i2p-${release.number}" /> ```

idk commented

comment:9 in reply to: 8 Changed 6 years ago by killyourtv

Replying to zzz:

@kytv I think we need an enhancement to build.xml, so the full dev version e.g. 0.9.19-16 is set in the su3 file, not just e.g. 0.9.19. But only for dev su3's.

I'll have something to check in soon

..

I guess it depends if dev builders are posting them only when the -x number increments, or anytime anything is checked in. If the latter, then what version should we put in there? A date stamp, or 0.9.19-16, or 0.9.19-16-b5, or what? We could auto-detect a 10-digit unix date and convert it, else use the version in there? Don't know.

New devbuilds are not made by my cronjob unless the build number changes.

psi's build system makes new builds hourly. AFAIK echelon made new builds manually.

[comment:9](https://trac.i2p2.de/\#comment:9) in reply to: [8](https://trac.i2p2.de/\#comment:8) Changed [6 years ago](https://trac.i2p2.de//timeline?from=2015-05-06T17%3A16%3A12Z&precision=second "See timeline at May 6, 2015 5:16:12 PM") by killyourtv Replying to [zzz](https://trac.i2p2.de//ticket/1381#comment:8 "Comment 8"): > @kytv I think we need an enhancement to build.xml, so the full dev version e.g. 0.9.19-16 is set in the su3 file, not just e.g. 0.9.19. But only for dev su3's. I'll have something to check in soon [..](https://trac.i2p2.de//ticket) > I guess it depends if dev builders are posting them only when the -x number increments, or anytime anything is checked in. If the latter, then what version should we put in there? A date stamp, or 0.9.19-16, or 0.9.19-16-b5, or what? We could auto-detect a 10-digit unix date and convert it, else use the version in there? Don't know. New devbuilds are not made by my cronjob unless the build number changes. psi's build system makes new builds hourly. AFAIK echelon made new builds manually.

idk commented

comment:8follow-up: 9 Changed 6 years ago by zzz

@kytv I think we need an enhancement to build.xml, so the full dev version e.g. 0.9.19-16 is set in the su3 file, not just e.g. 0.9.19. But only for dev su3's.

Either that or we could put in the timestamp instead, like for news and reseed, but that would be less pleasing to the user when we put it in the summary bar. For unsigned updates, we convert the HTTP last-mod date to a timestamp and then convert it back to a formatted date for the summary bar.

I guess it depends if dev builders are posting them only when the -x number increments, or anytime anything is checked in. If the latter, then what version should we put in there? A date stamp, or 0.9.19-16, or 0.9.19-16-b5, or what? We could auto-detect a 10-digit unix date and convert it, else use the version in there? Don't know.

[comment:8](https://trac.i2p2.de/\#comment:8)follow-up: [9](https://trac.i2p2.de/\#comment:9) Changed [6 years ago](https://trac.i2p2.de//timeline?from=2015-05-06T14%3A40%3A36Z&precision=second "See timeline at May 6, 2015 2:40:36 PM") by zzz @kytv I think we need an enhancement to build.xml, so the full dev version e.g. 0.9.19-16 is set in the su3 file, not just e.g. 0.9.19. But only for dev su3's. Either that or we could put in the timestamp instead, like for news and reseed, but that would be less pleasing to the user when we put it in the summary bar. For unsigned updates, we convert the HTTP last-mod date to a timestamp and then convert it back to a formatted date for the summary bar. I guess it depends if dev builders are posting them only when the -x number increments, or anytime anything is checked in. If the latter, then what version should we put in there? A date stamp, or 0.9.19-16, or 0.9.19-16-b5, or what? We could auto-detect a 10-digit unix date and convert it, else use the version in there? Don't know.

idk commented

comment:7follow-up: 11 Changed 6 years ago by zzz

OK started work on this, and made some decisions:

Given the common code in build.xml and the update subsystem, it's far easier to use the same SU3 content type (i.e. ROUTER) than to make a new one. This makes more sense anyway, there's only one group to trust for router updates. Users may still add certs.
So kytv can use his existing cert in certificates/router to sign dev builds. Still need a cert for echelon, I may have asked him already whether to reuse his reseed cert, can't remember
I'm going to add separate fields in the form on /configupdate for a signed dev build, not going to try fancy auto-conversion of URLs, too complex.

I will be testing locally soon, and whenever kytv and echelon have their su3 files built, please pass along a URL so I may test.

[comment:7](https://trac.i2p2.de/\#comment:7)follow-up: [11](https://trac.i2p2.de/\#comment:11) Changed [6 years ago](https://trac.i2p2.de//timeline?from=2015-05-06T13%3A59%3A44Z&precision=second "See timeline at May 6, 2015 1:59:44 PM") by zzz OK started work on this, and made some decisions: - Given the common code in build.xml and the update subsystem, it's far easier to use the same SU3 content type (i.e. ROUTER) than to make a new one. This makes more sense anyway, there's only one group to trust for router updates. Users may still add certs. - So kytv can use his existing cert in certificates/router to sign dev builds. Still need a cert for echelon, I may have asked him already whether to reuse his reseed cert, can't remember - I'm going to add separate fields in the form on /configupdate for a signed dev build, not going to try fancy auto-conversion of URLs, too complex. I will be testing locally soon, and whenever kytv and echelon have their su3 files built, please pass along a URL so I may test.

idk commented

comment:6 in reply to: 5 Changed 6 years ago by killyourtv

Replying to zzz:

great, one thing I missed is that you checked in the signed-xxx targets from comment 1 above, last November.

…and they still work.

zipit200:
      [zip] Building zip: /home/kytv/mtn/i2p/i2pupdate200.zip

updater200:

-sign-update:
    [input] skipping input as property release.privkey.su3 has already been set.
    [input] skipping input as property release.signer.su3 has already been set.
    [input] skipping input as property release.password.su3 has already been set.
     [java] Enter password for key "killyourtv@mail.i2p": Input file 'i2pupdate200.zip' signed and written to 'i2pupdate.su3'
     [echo] Verify version and VALID signature:
     [java] Signature VALID (signed by killyourtv@mail.i2p RSA_SHA512_4096)
     [java] Version:  0.9.19
     [java] Signer:   killyourtv@mail.i2p
     [java] SigType:  RSA_SHA512_4096
     [java] Content:  ROUTER
     [java] FileType: ZIP

signed-updater200:

BUILD SUCCESSFUL
Total time: 1 minute 29 seconds

[comment:6](https://trac.i2p2.de/\#comment:6) in reply to: [5](https://trac.i2p2.de/\#comment:5) Changed [6 years ago](https://trac.i2p2.de//timeline?from=2015-04-15T20%3A06%3A45Z&precision=second "See timeline at Apr 15, 2015 8:06:45 PM") by killyourtv Replying to [zzz](https://trac.i2p2.de//ticket/1381#comment:5 "Comment 5"): > great, one thing I missed is that you checked in the signed-xxx targets from comment 1 above, last November. …and they still work. ![:)](https://trac.i2p2.de//chrome/wikiextras-icons-16/smiley.png) ``` zipit200: [zip] Building zip: /home/kytv/mtn/i2p/i2pupdate200.zip updater200: -sign-update: [input] skipping input as property release.privkey.su3 has already been set. [input] skipping input as property release.signer.su3 has already been set. [input] skipping input as property release.password.su3 has already been set. [java] Enter password for key "killyourtv@mail.i2p": Input file 'i2pupdate200.zip' signed and written to 'i2pupdate.su3' [echo] Verify version and VALID signature: [java] Signature VALID (signed by killyourtv@mail.i2p RSA_SHA512_4096) [java] Version: 0.9.19 [java] Signer: killyourtv@mail.i2p [java] SigType: RSA_SHA512_4096 [java] Content: ROUTER [java] FileType: ZIP signed-updater200: BUILD SUCCESSFUL Total time: 1 minute 29 seconds ```

idk commented

comment:5follow-up: 6 Changed 6 years ago by zzz

great, one thing I missed is that you checked in the signed-xxx targets from comment 1 above, last November.

[comment:5](https://trac.i2p2.de/\#comment:5)follow-up: [6](https://trac.i2p2.de/\#comment:6) Changed [6 years ago](https://trac.i2p2.de//timeline?from=2015-04-15T19%3A27%3A00Z&precision=second "See timeline at Apr 15, 2015 7:27:00 PM") by zzz great, one thing I missed is that you checked in the signed-xxx targets from comment 1 above, last November.

idk commented

comment:4 in reply to: 2 Changed 6 years ago by killyourtv

Replying to zzz:

I'd like to do this for 0.9.20 if you guys will be ready.

On my side I'd just need to change my build command from updater200 to signed-updater200 and copy the .zip and su3 to my webspace.

Need public key for each of you and also need to decide if it goes in certificates/router with the rest of them, or keep them separate e.g. certificates/devrouter

..and I'd possibly need to generate a new certificate, depending on what's chosen here.

Anyway, when/if I need to do something on my side I'll (likely) be ready within 0-4 hours.

[comment:4](https://trac.i2p2.de/\#comment:4) in reply to: [2](https://trac.i2p2.de/\#comment:2) Changed [6 years ago](https://trac.i2p2.de//timeline?from=2015-04-15T16%3A11%3A24Z&precision=second "See timeline at Apr 15, 2015 4:11:24 PM") by killyourtv Replying to [zzz](https://trac.i2p2.de//ticket/1381#comment:2 "Comment 2"): > I'd like to do this for 0.9.20 if you guys will be ready. On my side I'd just need to change my build command from updater200 to signed-updater200 and copy the .zip and su3 to my webspace. > Need public key for each of you and also need to decide if it goes in certificates/router with the rest of them, or keep them separate e.g. certificates/devrouter ..and I'd possibly need to generate a new certificate, depending on what's chosen here. Anyway, when/if I need to do something on my side I'll (likely) be ready within 0-4 hours.

idk commented

comment:3 Changed 6 years ago by zzz

More to decide:

Do we bundle the public keys or make the user install them?
Do we auto-convert the dev build URL to an su3 variant? (could only do this if we bundle the certs)

[comment:3](https://trac.i2p2.de/\#comment:3) Changed [6 years ago](https://trac.i2p2.de//timeline?from=2015-04-15T15%3A54%3A48Z&precision=second "See timeline at Apr 15, 2015 3:54:48 PM") by zzz More to decide: - Do we bundle the public keys or make the user install them? - Do we auto-convert the dev build URL to an su3 variant? (could only do this if we bundle the certs)

idk commented

comment:2follow-up: 4 Changed 6 years ago by zzz

Milestone:0.9.18 →
0.9.20Owner:
set to _zzz_Status:new →
accepted

I'd like to do this for 0.9.20 if you guys will be ready.

Need public key for each of you and also need to decide if it goes in certificates/router with the rest of them, or keep them separate e.g. certificates/devrouter

[comment:2](https://trac.i2p2.de/\#comment:2)follow-up: [4](https://trac.i2p2.de/\#comment:4) Changed [6 years ago](https://trac.i2p2.de//timeline?from=2015-04-15T15%3A25%3A10Z&precision=second "See timeline at Apr 15, 2015 3:25:10 PM") by zzz Milestone:0.9.18 → 0.9.20Owner: set to _zzz_Status:new → accepted I'd like to do this for 0.9.20 if you guys will be ready. Need public key for each of you and also need to decide if it goes in certificates/router with the rest of them, or keep them separate e.g. certificates/devrouter

idk commented