diff options
| author | Nicolás Reynolds <apoyosis@correo.inta.gob.ar> | 2011-12-14 14:45:11 -0300 |
|---|---|---|
| committer | Nicolás Reynolds <apoyosis@correo.inta.gob.ar> | 2011-12-14 14:45:11 -0300 |
| commit | 54ba056b200a5ef141f8d589a2f45478c6bd8a6b (patch) | |
| tree | d97679dc76728e0f2763a1ed82d8e52fe2195dc3 | |
| parent | ade30f1b9db8e10b23439a1c90b384b93483fcc7 (diff) | |
Do batch signing
* Removed signing code from librestage
* Make package signatures mandatory
* Make librerelease sign all packages at once
* Verify existing signatures before releasing
| -rwxr-xr-x | librerelease | 31 | ||||
| -rwxr-xr-x | librestage | 29 |
2 files changed, 32 insertions, 28 deletions
diff --git a/librerelease b/librerelease index 56cf856..64f8887 100755 --- a/librerelease +++ b/librerelease @@ -46,6 +46,30 @@ function list_packages { unset repos } +function sign_packages { + if [ -z "${GPG_AGENT_INFO}" ]; then + warning "It's better to use gpg-agent to sign packages in batches" + fi + + packages=($(find "${WORKDIR}/staging/" -type f -iname '*.pkg.tar.?z')) + for package in ${packages[@]}; do + if [ -f "${package}${SIGEXT}" ]; then + + warning "Package signature found, verifying..." + +# Verify that the signature is correct, else remove for re-signing + if ! gpg --quiet --verify "${package}${SIGEXT}" >/dev/null 2>&1; then + error "Failed! Resigning..." + rm -f "${package}${SIGEXT}" + else + continue + fi + fi + + gpg --default-key "${SIGID}" --output "${package}${SIGEXT}" --detach-sig "${package}" + done +} + # Remove everything that's not a package or a signature function clean_non_packages { find $WORKDIR/staging/ -type f \ @@ -73,6 +97,13 @@ done [[ ! -z ${HOOKPRERELEASE} ]] && bash -c "${HOOKPRERELEASE}" clean_non_packages +if [ ! -z "${SIGID}" ]; then + sign_packages +else + error "Package signing is *required*" + exit 1 +fi + msg "Uploading packages..." rsync --recursive \ ${dryrun} \ @@ -85,17 +85,7 @@ for _arch in ${ARCHES[@]}; do pkgfile=$(basename ${pkgpath}) - if [ ! -z "${SIGID}" ]; then - sigpath=${pkgpath}${SIGEXT} - sigfile=${pkgfile}${SIGEXT} - - msg "Signing package with ID ${SIGID}" - gpg --default-key "${SIGID}" --output ${sigpath} --detach-sig ${pkgpath} || { - error "Couldn't sign ${pkgfile}, aborting..." - exit 1 - } - fi - +# TODO refactor this if [ -e "${pkgpath}" ]; then msg "Found ${pkgfile}" @@ -113,15 +103,6 @@ for _arch in ${ARCHES[@]}; do staged=true } - if [ ! -z "${SIGID}" ]; then - canonical_sig="${WORKDIR}/staging/${_repo}/${pkgfile}${SIGEXT}" - cp "${sigpath}" "${WORKDIR}/staging/${_repo}/" || { - error "Can't put ${sigfile} on [staging]" - exit 1 - } && { - msg2 "${pkg} signature on [${_repo}]" - } - fi else ln "${canonical}" "${WORKDIR}/staging/${_repo}/${pkgfile}" || { error "Can't put ${pkgfile} on [staging]" @@ -131,14 +112,6 @@ for _arch in ${ARCHES[@]}; do staged=true } - if [ ! -z "${SIGID}" ]; then - ln "${canonical_sig}" "${WORKDIR}/staging/${_repo}/${sigfile}" || { - error "Can't put ${sigfile} on [staging]" - exit 1 - } && { - msg2 "${pkg} signature on [${_repo}]" - } - fi fi done fi |