52379fa76d
This is especially important for distributions like NixOS where `/bin/bash` doesn't exist, or for MacOS users who've installed a newer version of Bash than the one that comes with their OS. Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
65 lines
1.6 KiB
Bash
Executable file
65 lines
1.6 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
|
|
# This script signs the deliverables from release-deb and release-rpm
|
|
# with a designated GPG key.
|
|
|
|
: ${DOCKER_RELEASE_DIR:=$DEST}
|
|
: ${GPG_KEYID:=releasedocker}
|
|
APTDIR=$DOCKER_RELEASE_DIR/apt/repo
|
|
YUMDIR=$DOCKER_RELEASE_DIR/yum/repo
|
|
|
|
if [ -z "$GPG_PASSPHRASE" ]; then
|
|
echo >&2 'you need to set GPG_PASSPHRASE in order to sign artifacts'
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -d $APTDIR ] && [ ! -d $YUMDIR ]; then
|
|
echo >&2 'release-rpm or release-deb must be run before sign-repos'
|
|
exit 1
|
|
fi
|
|
|
|
sign_packages(){
|
|
# sign apt repo metadata
|
|
if [ -d $APTDIR ]; then
|
|
# create file with public key
|
|
gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/apt/gpg"
|
|
|
|
# sign the repo metadata
|
|
for F in $(find $APTDIR -name Release); do
|
|
if test "$F" -nt "$F.gpg" ; then
|
|
gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
|
|
--digest-algo "sha512" \
|
|
--armor --sign --detach-sign \
|
|
--batch --yes \
|
|
--output "$F.gpg" "$F"
|
|
fi
|
|
inRelease="$(dirname "$F")/InRelease"
|
|
if test "$F" -nt "$inRelease" ; then
|
|
gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
|
|
--digest-algo "sha512" \
|
|
--clearsign \
|
|
--batch --yes \
|
|
--output "$inRelease" "$F"
|
|
fi
|
|
done
|
|
fi
|
|
|
|
# sign yum repo metadata
|
|
if [ -d $YUMDIR ]; then
|
|
# create file with public key
|
|
gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/yum/gpg"
|
|
|
|
# sign the repo metadata
|
|
for F in $(find $YUMDIR -name repomd.xml); do
|
|
if test "$F" -nt "$F.asc" ; then
|
|
gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
|
|
--digest-algo "sha512" \
|
|
--armor --sign --detach-sign \
|
|
--batch --yes \
|
|
--output "$F.asc" "$F"
|
|
fi
|
|
done
|
|
fi
|
|
}
|
|
|
|
sign_packages
|