authorNicolás Reynolds <apoyosis@correo.inta.gob.ar>2011-12-14 14:45:11 -0300
committerNicolás Reynolds <apoyosis@correo.inta.gob.ar>2011-12-14 14:45:11 -0300
commit54ba056b200a5ef141f8d589a2f45478c6bd8a6b (patch)
treed97679dc76728e0f2763a1ed82d8e52fe2195dc3
parentade30f1b9db8e10b23439a1c90b384b93483fcc7 (diff)
Do batch signing
* Removed signing code from librestage * Make package signatures mandatory * Make librerelease sign all packages at once * Verify existing signatures before releasing
-rwxr-xr-xlibrerelease31
-rwxr-xr-xlibrestage29
2 files changed, 32 insertions, 28 deletions
diff --git a/librerelease b/librerelease
index 56cf856..64f8887 100755
--- a/librerelease
+++ b/librerelease
@@ -46,6 +46,30 @@ function list_packages {
unset repos
}
+function sign_packages {
+ if [ -z "${GPG_AGENT_INFO}" ]; then
+ warning "It's better to use gpg-agent to sign packages in batches"
+ fi
+
+ packages=($(find "${WORKDIR}/staging/" -type f -iname '*.pkg.tar.?z'))
+ for package in ${packages[@]}; do
+ if [ -f "${package}${SIGEXT}" ]; then
+
+ warning "Package signature found, verifying..."
+
+# Verify that the signature is correct, else remove for re-signing
+ if ! gpg --quiet --verify "${package}${SIGEXT}" >/dev/null 2>&1; then
+ error "Failed! Resigning..."
+ rm -f "${package}${SIGEXT}"
+ else
+ continue
+ fi
+ fi
+
+ gpg --default-key "${SIGID}" --output "${package}${SIGEXT}" --detach-sig "${package}"
+ done
+}
+
# Remove everything that's not a package or a signature
function clean_non_packages {
find $WORKDIR/staging/ -type f \
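Review bot: The `gpg --default-key "${SIGID}" ... --detach-sig "${package}"` line at the end of the loop in `sign_packages` has no failure handling, so a package whose signing fails (missing key, rejected passphrase, agent timeout) stays unsigned while the loop carries on; the code this commit removes from librestage aborted in that case. Suggest `gpg --default-key "${SIGID}" --output "${package}${SIGEXT}" --detach-sig "${package}" || { error "Couldn't sign ${package}, aborting..."; exit 1; }`, because the call site in the next librerelease hunk goes straight on to the rsync upload. Separately, `gpg --quiet --verify` succeeds for a good signature from any key in the keyring, so an existing signature made with a key other than `${SIGID}` is kept as it is; if only `${SIGID}` should be accepted, the signer has to be checked too (for example from `--status-fd` output). The unquoted `$(find ...)` and `for package in ${packages[@]}` also split any path that contains whitespace; `"${packages[@]}"` and a NUL-delimited read would avoid that.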
@@ -73,6 +97,13 @@ done
[[ ! -z ${HOOKPRERELEASE} ]] && bash -c "${HOOKPRERELEASE}"
clean_non_packages
+if [ ! -z "${SIGID}" ]; then
+ sign_packages
+else
+ error "Package signing is *required*"
+ exit 1
+fi
+
msg "Uploading packages..."
rsync --recursive \
${dryrun} \
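Review bot: The mandatory `SIGID` check sits after `bash -c "${HOOKPRERELEASE}"` and `clean_non_packages`, so a run with no signing key configured still executes the pre-release hook and the cleanup before stopping with "Package signing is *required*". Testing `[ -z "${SIGID}" ]` ahead of the hook, and leaving only the `sign_packages` call at this position, would make the release fail before anything in staging is touched. The script's top-level code begins outside this hunk, so the exact place for the early check is not visible here.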
diff --git a/librestage b/librestage
index e851dd4..65ee19b 100755
--- a/librestage
+++ b/librestage
@@ -85,17 +85,7 @@ for _arch in ${ARCHES[@]}; do
pkgfile=$(basename ${pkgpath})
- if [ ! -z "${SIGID}" ]; then
- sigpath=${pkgpath}${SIGEXT}
- sigfile=${pkgfile}${SIGEXT}
-
- msg "Signing package with ID ${SIGID}"
- gpg --default-key "${SIGID}" --output ${sigpath} --detach-sig ${pkgpath} || {
- error "Couldn't sign ${pkgfile}, aborting..."
- exit 1
- }
- fi
-
+# TODO refactor this
if [ -e "${pkgpath}" ]; then
msg "Found ${pkgfile}"
@@ -113,15 +103,6 @@ for _arch in ${ARCHES[@]}; do
staged=true
}
- if [ ! -z "${SIGID}" ]; then
- canonical_sig="${WORKDIR}/staging/${_repo}/${pkgfile}${SIGEXT}"
- cp "${sigpath}" "${WORKDIR}/staging/${_repo}/" || {
- error "Can't put ${sigfile} on [staging]"
- exit 1
- } && {
- msg2 "${pkg} signature on [${_repo}]"
- }
- fi
else
ln "${canonical}" "${WORKDIR}/staging/${_repo}/${pkgfile}" || {
error "Can't put ${pkgfile} on [staging]"
@@ -131,14 +112,6 @@ for _arch in ${ARCHES[@]}; do
staged=true
}
- if [ ! -z "${SIGID}" ]; then
- ln "${canonical_sig}" "${WORKDIR}/staging/${_repo}/${sigfile}" || {
- error "Can't put ${sigfile} on [staging]"
- exit 1
- } && {
- msg2 "${pkg} signature on [${_repo}]"
- }
- fi
fi
done
fi