diff --git a/buildnumber.dat b/buildnumber.dat
index 573541ac97..d00491fd7e 100644
--- a/buildnumber.dat
+++ b/buildnumber.dat
@@ -1 +1 @@
-0
+1
diff --git a/data/transactions/logic/eval.go b/data/transactions/logic/eval.go
index 210d7a3164..2bf6f2f272 100644
--- a/data/transactions/logic/eval.go
+++ b/data/transactions/logic/eval.go
@@ -5509,18 +5509,15 @@ func opItxnSubmit(cx *EvalContext) (err error) {
 parent = cx.currentTxID()
 }
 for itx := range cx.subtxns {
- // The goal is to follow the same invariants used by the
- // transaction pool. Namely that any transaction that makes it
- // to Perform (which is equivalent to eval.applyTransaction)
- // is authorized, and WellFormed.
- txnErr := authorizedSender(cx, cx.subtxns[itx].Txn.Sender)
- if txnErr != nil {
- return txnErr
- }
+ // The goal is to follow the same invariants used by the transaction
+ // pool. Namely that any transaction that makes it to Perform (which is
+ // equivalent to eval.applyTransaction) is WellFormed. Authorization
+ // must be checked later, to take state changes from earlier in the
+ // group into account.
 // Recall that WellFormed does not care about individual
 // transaction fees because of fee pooling. Checked above.
- txnErr = cx.subtxns[itx].Txn.WellFormed(*cx.Specials, *cx.Proto)
+ txnErr := cx.subtxns[itx].Txn.WellFormed(*cx.Specials, *cx.Proto)
 if txnErr != nil {
 return txnErr
 }
@@ -5639,7 +5636,11 @@ func opItxnSubmit(cx *EvalContext) (err error) {
 ep.Tracer.BeforeTxn(ep, i)
 }
- err := cx.Ledger.Perform(i, ep)
+ err := authorizedSender(cx, ep.TxnGroup[i].Txn.Sender)
+ if err != nil {
+ return err
+ }
+ err = cx.Ledger.Perform(i, ep)
 if ep.Tracer != nil {
 ep.Tracer.AfterTxn(ep, i, ep.TxnGroup[i].ApplyData, err)
diff --git a/data/transactions/logic/evalAppTxn_test.go b/data/transactions/logic/evalAppTxn_test.go
index 9a6d0ebc41..562142fdec 100644
--- a/data/transactions/logic/evalAppTxn_test.go
+++ b/data/transactions/logic/evalAppTxn_test.go
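Review bot: In the second eval.go hunk (the Perform loop of opItxnSubmit), the new `return err` after `authorizedSender` runs after `ep.Tracer.BeforeTxn(ep, i)` but before `ep.Tracer.AfterTxn`, so a tracer sees a BeforeTxn with no matching AfterTxn on exactly the rejected-rekey path this commit closes. Routing the authorization failure through the same path as a Perform failure keeps the callbacks paired: `err := authorizedSender(cx, ep.TxnGroup[i].Txn.Sender)` followed by `if err == nil { err = cx.Ledger.Perform(i, ep) }`. The loop body continues outside the hunk, so this assumes the code after AfterTxn already returns a non-nil err.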
@@ -375,6 +375,34 @@ func TestRekeyBack(t *testing.T) {
 })
 }
+// TestRekeyInnerGroup ensures that in an inner group, if an account is
+// rekeyed, it can not be used (by the previously owning app) later in the
+// group.
+func TestRekeyInnerGroup(t *testing.T) {
+ partitiontest.PartitionTest(t)
+ t.Parallel()
+
+ rekeyAndUse := `
+ itxn_begin
+ // pay 0 to the zero address, and rekey a junk addr
+ int pay; itxn_field TypeEnum
+ global ZeroAddress; byte 0x01; b|; itxn_field RekeyTo
+ itxn_next
+ // try to perform the same 0 pay, but fail because tx0 gave away control
+ int pay; itxn_field TypeEnum
+ itxn_submit
+ int 1
+`
+
+ // v6 added inner rekey
+ TestLogicRange(t, 6, 0, func(t *testing.T, ep *EvalParams, tx *transactions.Transaction, ledger *Ledger) {
+ ledger.NewApp(tx.Receiver, 888, basics.AppParams{})
+ // fund the app account
+ ledger.NewAccount(basics.AppIndex(888).Address(), 1_000_000)
+ TestApp(t, rekeyAndUse, ep, "unauthorized AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVIOOBQA")
+ })
+}
+
 func TestDefaultSender(t *testing.T) {
 partitiontest.PartitionTest(t)
 t.Parallel()
diff --git a/package-deploy.yaml b/package-deploy.yaml
index 8daf262acc..9b67a2fe6c 100644
--- a/package-deploy.yaml
+++ b/package-deploy.yaml
@@ -56,7 +56,6 @@ agents:
 - NETWORK=$NETWORK
 - NO_DEPLOY=$NO_DEPLOY
 - PACKAGES_DIR=$PACKAGES_DIR
- - S3_SOURCE=$S3_SOURCE
 - STAGING=$STAGING
 - VERSION=$VERSION
 volumes:
diff --git a/scripts/release/mule/common/ensure_centos8_image.sh b/scripts/release/mule/common/ensure_centos8_image.sh
new file mode 100755
index 0000000000..1ebd3475fe
--- /dev/null
+++ b/scripts/release/mule/common/ensure_centos8_image.sh
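Review bot: The expected error in TestRekeyInnerGroup embeds a 58-character address literal with nothing saying where it comes from, so a reader cannot tell whether the check rejected the transaction for the intended reason. A comment on the `TestApp` line such as `// the address is the RekeyTo value built above (ZeroAddress | 0x01)` would document it, if that is indeed what the literal encodes. A control run of the same program without the `itxn_field RekeyTo` line, asserted to pass, would also tie the `unauthorized` result to the state change made by the first inner transaction rather than to the group shape.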
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+# Ensure the centos8 docker image is built and available
+
+DOCKER_IMAGE="algorand/go-algorand-ci-linux-centos8:amd64-$(sha1sum scripts/configure_dev-deps.sh | cut -f1 -d' ')"
+MATCH=${DOCKER_IMAGE/:*/}
+
+echo "Checking for RPM image"
+if docker images $DOCKER_IMAGE | grep -qs $MATCH > /dev/null 2>&1; then
+ echo "Image exists"
+else
+ echo "RPM image doesn't exist, building"
+ docker build --platform=linux/amd64 --build-arg ARCH=amd64 \
+ --build-arg GOLANG_VERSION=$(./scripts/get_golang_version.sh) -t $DOCKER_IMAGE -f docker/build/cicd.centos8.Dockerfile .
+fi
diff --git a/scripts/release/mule/deploy/deb/deploy.sh b/scripts/release/mule/deploy/deb/deploy.sh
index c9c4b4b6c4..2584b84123 100755
--- a/scripts/release/mule/deploy/deb/deploy.sh
+++ b/scripts/release/mule/deploy/deb/deploy.sh
@@ -2,28 +2,13 @@
 set -ex
-if [ -z "$NETWORK" ]
-then
- echo "[$0] Network is a required parameter."
- exit 1
-fi
-
-if [ -z "$STAGING" ]
-then
- echo "[$0] Staging is a required parameter."
- exit 1
-fi
-
-CHANNEL=$("./scripts/release/mule/common/get_channel.sh" "$NETWORK")
+CHANNEL=${CHANNEL:-$("./scripts/release/mule/common/get_channel.sh" "$NETWORK")}
 VERSION=${VERSION:-$(./scripts/compute_build_number.sh -f)}
+PACKAGES_DIR=${PACKAGES_DIR:-~/packages}
+SNAPSHOT=${SNAPSHOT:-"${CHANNEL}-${VERSION}"}
-if [ -z "$SNAPSHOT" ]
-then
- SNAPSHOT="$CHANNEL-$VERSION"
-fi
-
-PACKAGES_DIR=/root/packages
-mkdir -p /root/packages
+mkdir -p $PACKAGES_DIR
+rm -f $PACKAGES_DIR/*.deb
 aptly mirror update stable
 aptly mirror update beta
diff --git a/scripts/release/mule/deploy/docker/docker.sh b/scripts/release/mule/deploy/docker/docker.sh
index ee0c55fe0c..093922fd3d 100755
--- a/scripts/release/mule/deploy/docker/docker.sh
+++ b/scripts/release/mule/deploy/docker/docker.sh
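Review bot: In ensure_centos8_image.sh the presence check `docker images $DOCKER_IMAGE | grep -qs $MATCH > /dev/null 2>&1` leaves both expansions unquoted and infers the answer by grepping table output; `docker image inspect "$DOCKER_IMAGE" > /dev/null 2>&1` asks the daemon directly and returns non-zero when the tag is absent. The same quoting applies in the build command, `-t "$DOCKER_IMAGE"` and `GOLANG_VERSION="$(./scripts/get_golang_version.sh)"`. A one-line comment that the tag suffix is the SHA-1 of scripts/configure_dev-deps.sh, apparently used as a cache key so that a dependency change forces a rebuild, would explain why the image name is computed.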
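Review bot: With the `[ -z "$NETWORK" ]` guard removed from scripts/release/mule/deploy/deb/deploy.sh, nothing visible in the hunk stops the script when neither CHANNEL nor NETWORK is set: get_channel.sh is then called with an empty argument and, unless it exits non-zero, the deploy continues with whatever it prints. A fail-closed check right after the assignment, `: "${CHANNEL:?CHANNEL or NETWORK must be set}"`, keeps a misconfigured job from publishing to an unintended channel; the same guard is dropped in releases_page/generate_releases_page.sh, rpm/deploy.sh and sign/sign.sh. PACKAGES_DIR now comes from the environment, so the two new commands should quote it, `mkdir -p "$PACKAGES_DIR"` and `rm -f "$PACKAGES_DIR"/*.deb`, otherwise the `rm` operand is word-split. The script continues past the end of the hunk.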
@@ -13,9 +13,9 @@ if [ -z "$NETWORK" ] || [ -z "$VERSION" ]; then
 exit 1
 fi
-if [[ ! "$NETWORK" =~ ^mainnet$|^testnet$|^betanet$|^alphanet$ ]]
+if [[ ! "$NETWORK" =~ ^mainnet$|^testnet$|^betanet$ ]]
 then
- echo "[$0] Network values must be either \`mainnet\`, \`testnet\`, \`betanet\`, or \`alphanet\`."
+ echo "[$0] Network values must be either \`mainnet\`, \`testnet\`, or \`betanet\`."
 exit 1
 fi
@@ -28,7 +28,7 @@ then
 # Build and push testnet.
 ./build_releases.sh --tagname "$VERSION" --network testnet --cached
-elif [ "$NETWORK" = betanet ] || [ "$NETWORK" = alphanet ]
+elif [ "$NETWORK" = betanet ]
 then
 ./build_releases.sh --tagname "$VERSION" --network "$NETWORK"
 fi
diff --git a/scripts/release/mule/deploy/releases_page/generate_releases_page.sh b/scripts/release/mule/deploy/releases_page/generate_releases_page.sh
index 5b6a488ce2..75df10d524 100755
--- a/scripts/release/mule/deploy/releases_page/generate_releases_page.sh
+++ b/scripts/release/mule/deploy/releases_page/generate_releases_page.sh
@@ -8,13 +8,8 @@
 set -ex
-if [ -z "$NETWORK" ] || [ -z "$VERSION" ]
-then
- echo "[$0] Network and version are required parameters."
- exit 1
-fi
-
-CHANNEL=$(./scripts/release/mule/common/get_channel.sh "$NETWORK")
+CHANNEL=${CHANNEL:-$(./scripts/release/mule/common/get_channel.sh "$NETWORK")}
+VERSION=${VERSION:-$(./scripts/compute_build_number.sh -f)}
 cd scripts/release/mule/deploy/releases_page
diff --git a/scripts/release/mule/deploy/rpm/deploy.sh b/scripts/release/mule/deploy/rpm/deploy.sh
index f660f1d01b..b96cccd6cb 100755
--- a/scripts/release/mule/deploy/rpm/deploy.sh
+++ b/scripts/release/mule/deploy/rpm/deploy.sh
@@ -7,28 +7,25 @@ echo
 date "+build_release begin DEPLOY rpm stage %Y%m%d_%H%M%S"
 echo
-if [ -z "$NETWORK" ]; then
- echo "[$0] NETWORK is missing."
- exit 1
-fi
-
-CHANNEL=$(./scripts/release/mule/common/get_channel.sh "$NETWORK")
+CHANNEL=${CHANNEL:-$(./scripts/release/mule/common/get_channel.sh "$NETWORK")}
 VERSION=${VERSION:-$(./scripts/compute_build_number.sh -f)}
 NO_DEPLOY=${NO_DEPLOY:-false}
-OS_TYPE=$(./scripts/release/mule/common/ostype.sh)
-PACKAGES_DIR=${PACKAGES_DIR:-"./tmp/node_pkgs/$OS_TYPE/$ARCH_TYPE"}
-STAGING=${STAGING:-"algorand-staging/releases"}
+PACKAGES_DIR=${PACKAGES_DIR:-"tmp"}
 if [ -n "$S3_SOURCE" ]
 then
 PREFIX="$S3_SOURCE/$CHANNEL/$VERSION"
 if [ "$CHANNEL" == "beta" ]
 then
- aws s3 cp "s3://$PREFIX/algorand-beta-$VERSION-1.x86_64.rpm" /root
- aws s3 cp "s3://$PREFIX/algorand-devtools-beta-$VERSION-1.x86_64.rpm" /root
+ aws s3 cp "s3://$PREFIX/algorand-beta-$VERSION-1.x86_64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-devtools-beta-$VERSION-1.x86_64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-beta-$VERSION-1.aarch64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-devtools-beta-$VERSION-1.aarch64.rpm" $PACKAGES_DIR
 else
- aws s3 cp "s3://$PREFIX/algorand-$VERSION-1.x86_64.rpm" /root
- aws s3 cp "s3://$PREFIX/algorand-devtools-$VERSION-1.x86_64.rpm" /root
+ aws s3 cp "s3://$PREFIX/algorand-$VERSION-1.x86_64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-devtools-$VERSION-1.x86_64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-$VERSION-1.aarch64.rpm" $PACKAGES_DIR
+ aws s3 cp "s3://$PREFIX/algorand-devtools-$VERSION-1.aarch64.rpm" $PACKAGES_DIR
 fi
 else
 cp "$PACKAGES_DIR"/*"$VERSION"*.rpm /root
@@ -56,11 +53,7 @@ cat << EOF > .rpmmacros
 EOF
 mkdir rpmrepo
-for rpm in $(ls *"$VERSION"*.rpm)
-do
- rpmsign --addsign "$rpm"
- cp -p "$rpm" rpmrepo
-done
+mv -f *"$VERSION"*.rpm rpmrepo
 createrepo --database rpmrepo
 rm -f rpmrepo/repodata/repomd.xml.asc
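Review bot: In the first rpm/deploy.sh hunk the S3 branch now downloads into `$PACKAGES_DIR`, while the local branch still runs `cp "$PACKAGES_DIR"/*"$VERSION"*.rpm /root`, so on the S3 path the packages never reach /root, which is where the later `mv -f *"$VERSION"*.rpm rpmrepo` appears to run (the directory change is outside the hunk). Both branches should end with the RPMs in the same place, for example by copying from `"$PACKAGES_DIR"` to /root after the download as well. The destination is also unquoted and defaults to the relative name `tmp`; if that directory does not exist, `aws s3 cp` is likely to write each object to a file called tmp, so run `mkdir -p "$PACKAGES_DIR"` first and pass `"$PACKAGES_DIR/"`.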
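Review bot: After the second rpm/deploy.sh hunk the deploy step no longer runs `rpmsign --addsign` and moves whatever `*"$VERSION"*.rpm` files are present into rpmrepo, so the published repository now relies on the sign stage having processed exactly these files. A fail-closed check before `createrepo` would stop an unsigned or rebuilt package from being synced to the releases bucket: inspect `rpm --checksig -v` output for each file and abort unless it reports a signature from the release key. A comment above the `mv` line stating that signing now happens in sign/sign.sh would also make the dependency explicit. The surrounding script lies outside the hunk.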
@@ -72,8 +65,19 @@ then
 cp -r /root/rpmrepo .
 else
 aws s3 sync rpmrepo "s3://algorand-releases/rpm/$CHANNEL/"
+ # sync signatures to releases so that the .sig files load from there
- aws s3 sync s3://$STAGING/releases/$CHANNEL/ s3://algorand-releases/rpm/sigs/$CHANNEL/ --exclude='*' --include='*.rpm.sig'
+ if [ -n "$S3_SOURCE" ]; then
+ # if S3_SOURCE exists, we copied files from s3
+ echo "Copy signatures from s3 staging to s3 releases"
+ aws s3 sync s3://algorand-staging/releases/$CHANNEL/ s3://algorand-releases/rpm/sigs/$CHANNEL/ --exclude='*' --include='*.rpm.sig'
+
+ else
+ # We are working with files locally
+ popd
+ echo "Copy local signatures to s3 releases"
+ aws s3 sync "$PACKAGES_DIR" "s3://algorand-releases/rpm/sigs/$CHANNEL/" --exclude='*' --include='*.rpm.sig'
+ fi
 fi
 echo
diff --git a/scripts/release/mule/sign/sign.sh b/scripts/release/mule/sign/sign.sh
index e08e2d52d3..89baedb9ce 100755
--- a/scripts/release/mule/sign/sign.sh
+++ b/scripts/release/mule/sign/sign.sh
@@ -10,18 +10,13 @@ echo
 date "+build_release begin SIGN stage %Y%m%d_%H%M%S"
 echo
-if [ -z "$NETWORK" ]; then
- echo "[$0] NETWORK is missing."
- exit 1
-fi
-
-CHANNEL=$(./scripts/release/mule/common/get_channel.sh "$NETWORK")
+CHANNEL=${CHANNEL:-$(./scripts/release/mule/common/get_channel.sh "$NETWORK")}
 VERSION=${VERSION:-$(./scripts/compute_build_number.sh -f)}
 PKG_DIR="./tmp/node_pkgs"
 SIGNING_KEY_ADDR=dev@algorand.com
 OS_TYPE=$(./scripts/release/mule/common/ostype.sh)
-ARCHS=(amd64 arm arm64)
-ARCH_BITS=(x86_64 armv7l aarch64)
+ARCHS=(amd64 arm64)
+ARCH_BITS=(x86_64 aarch64)
 # Note that we don't want to use $GNUPGHOME here because that is a documented env var for the gnupg
 # project and if it's set in the environment mule will automatically pick it up, which could have
 # unintended consequences and be hard to debug.
@@ -40,6 +35,14 @@ then
 find "$GPG_DIR" -type f -exec chmod 600 {} \;
 fi
+pushd /root
+cat << EOF > .rpmmacros
+%_gpg_name Algorand RPM
+%__gpg /usr/bin/gpg2
+%__gpg_check_password_cmd true
+EOF
+popd
+ # Note that when downloading from the cloud that we'll get all packages for all architectures.
 if [ -n "$S3_SOURCE" ]
 then
@@ -87,13 +90,14 @@ for os in "${OS_TYPES[@]}"; do
 for file in *.rpm
 do
+ rpmsign --addsign "$file"
 gpg -u rpm@algorand.com --detach-sign "$file"
 done
 HASHFILE="hashes_${CHANNEL}_${os}_${arch}_${VERSION}"
 md5sum *.tar.gz *.deb *.rpm >> "$HASHFILE"
- shasum -a 256 *.tar.gz *.deb *.rpm >> "$HASHFILE"
- shasum -a 512 *.tar.gz *.deb *.rpm >> "$HASHFILE"
+ sha256sum *.tar.gz *.deb *.rpm >> "$HASHFILE"
+ sha512sum *.tar.gz *.deb *.rpm >> "$HASHFILE"
 gpg -u "$SIGNING_KEY_ADDR" --detach-sign "$HASHFILE"
 gpg -u "$SIGNING_KEY_ADDR" --clearsign "$HASHFILE"
diff --git a/test/muleCI/mule.yaml b/test/muleCI/mule.yaml
index cb75187db4..afa73ae2c1 100644
--- a/test/muleCI/mule.yaml
+++ b/test/muleCI/mule.yaml
@@ -61,22 +61,6 @@ agents:
 - GOLANG_VERSION=`./scripts/get_golang_version.sh`
 - ARCH=arm64v8
 - GOARCH=arm64
- - name: cicd.ubuntu.arm
- dockerFilePath: docker/build/cicd.ubuntu.Dockerfile
- image: algorand/go-algorand-ci-linux
- version: scripts/configure_dev-deps.sh
- arch: arm32v7
- env:
- - TRAVIS_BRANCH=${GIT_BRANCH}
- - NETWORK=$NETWORK
- - VERSION=$VERSION
- - BUILD_NUMBER=$BUILD_NUMBER
- - GOHOSTARCH=arm
- - FULLVERSION=${FULLVERSION}
- buildArgs:
- - GOLANG_VERSION=`./scripts/get_golang_version.sh`
- - ARCH=arm32v7
- - GOARCH=armv6l
 - name: docker-ubuntu
 dockerFilePath: docker/build/docker.ubuntu.Dockerfile
 image: algorand/go-algorand-docker-linux-ubuntu
@@ -122,10 +106,6 @@ tasks:
 name: build.arm64
 agent: cicd.ubuntu.arm64
 target: ci-build
- - task: docker.Make
- name: build.arm
- agent: cicd.ubuntu.arm
- target: ci-build
 - task: docker.Make
 name: archive
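Review bot: The macros block added to sign/sign.sh writes /root/.rpmmacros via `pushd /root`, but `rpmsign` reads the per-user macro file from the invoking user's home directory, so if this stage ever runs as a non-root user the `%_gpg_name` setting is silently not applied; writing to `"$HOME/.rpmmacros"` removes that assumption. The heredoc also overwrites any macro file already present without keeping a copy. A comment on `%__gpg_check_password_cmd true` saying why the passphrase check is replaced (it appears to be substituted with `true`) would help, since that is a line any reviewer of a signing script will stop at.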
@@ -167,12 +147,6 @@ tasks:
 stashId: ${JENKINS_JOB_CACHE_ID}/linux-arm64
 globSpecs:
 - tmp/node_pkgs/**/*
- - task: stash.Stash
- name: linux-arm
- bucketName: go-algorand-ci-cache
- stashId: ${JENKINS_JOB_CACHE_ID}/linux-arm
- globSpecs:
- - tmp/node_pkgs/**/*
 - task: stash.Stash
 name: packages
 bucketName: go-algorand-ci-cache
@@ -193,10 +167,6 @@ tasks:
 name: darwin-amd64
 bucketName: go-algorand-ci-cache
 stashId: ${JENKINS_JOB_CACHE_ID}/darwin-amd64
- - task: stash.Unstash
- name: linux-arm
- bucketName: go-algorand-ci-cache
- stashId: ${JENKINS_JOB_CACHE_ID}/linux-arm
 - task: stash.Unstash
 name: darwin-arm64
 bucketName: go-algorand-ci-cache
@@ -233,15 +203,10 @@ jobs:
 tasks:
 - docker.Make.build.arm64
 - stash.Stash.linux-arm64
- build-linux-arm32:
- tasks:
- - docker.Make.build.arm
- - stash.Stash.linux-arm
 package-all:
 tasks:
 - stash.Unstash.linux-amd64
 - stash.Unstash.linux-arm64
- - stash.Unstash.linux-arm
 - stash.Unstash.darwin-arm64
 - stash.Unstash.darwin-amd64
 - docker.Make.deb.amd64