| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465 |
- #!/usr/bin/env bash
- # This script signs the deliverables from release-deb and release-rpm
- # with a designated GPG key.
- : ${DOCKER_RELEASE_DIR:=$DEST}
- : ${GPG_KEYID:=releasedocker}
- APTDIR=$DOCKER_RELEASE_DIR/apt/repo
- YUMDIR=$DOCKER_RELEASE_DIR/yum/repo
- if [ -z "$GPG_PASSPHRASE" ]; then
- echo >&2 'you need to set GPG_PASSPHRASE in order to sign artifacts'
- exit 1
- fi
- if [ ! -d $APTDIR ] && [ ! -d $YUMDIR ]; then
- echo >&2 'release-rpm or release-deb must be run before sign-repos'
- exit 1
- fi
- sign_packages(){
- # sign apt repo metadata
- if [ -d $APTDIR ]; then
- # create file with public key
- gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/apt/gpg"
- # sign the repo metadata
- for F in $(find $APTDIR -name Release); do
- if test "$F" -nt "$F.gpg" ; then
- gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
- --digest-algo "sha512" \
- --armor --sign --detach-sign \
- --batch --yes \
- --output "$F.gpg" "$F"
- fi
- inRelease="$(dirname "$F")/InRelease"
- if test "$F" -nt "$inRelease" ; then
- gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
- --digest-algo "sha512" \
- --clearsign \
- --batch --yes \
- --output "$inRelease" "$F"
- fi
- done
- fi
- # sign yum repo metadata
- if [ -d $YUMDIR ]; then
- # create file with public key
- gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/yum/gpg"
- # sign the repo metadata
- for F in $(find $YUMDIR -name repomd.xml); do
- if test "$F" -nt "$F.asc" ; then
- gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
- --digest-algo "sha512" \
- --armor --sign --detach-sign \
- --batch --yes \
- --output "$F.asc" "$F"
- fi
- done
- fi
- }
- sign_packages
|
