|
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
|
|
set -e
|
|
|
|
|
|
|
|
|
|
if [ $# -eq 0 ]; then
|
|
|
|
|
echo "No arguments provided. Aborting..."
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
|
|
|
|
|
echo "usage: ./repo-sign.sh [-h] [REPO_PATH PUB_KEY_FULLPATH GPG_SUBKEY_ID]
|
|
|
|
|
|
|
|
|
|
Deploys packages for you.
|
|
|
|
|
|
|
|
|
|
Possible values for the arguments:
|
|
|
|
|
|
|
|
|
|
REPO_PATH path of the repositpry
|
|
|
|
|
GPG_SUBKEY_ID fingerprint of the (sub)key to use to sign
|
|
|
|
|
|
|
|
|
|
Dependencies: -
|
|
|
|
|
"
|
|
|
|
|
exit 0
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if [ $# -lt 2 ]; then
|
|
|
|
|
echo "Mandatory arguments: 'REPO_PATH', 'PUB_KEY_FULLPATH'. Aborting..."
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
REPO_PATH="${1}"
|
|
|
|
|
PUB_KEY_FULLPATH="${1}"
|
|
|
|
|
[ -n "${3+x}" ] && GPG_SUBKEY_ID="${3}"
|
|
|
|
|
|
|
|
|
|
if [ ! -f "${GNUPGHOME}/pubring.kbx" ]; then
|
|
|
|
|
echo "The file 'pubring.kbx' file has not been found. Generating automatically a new one with a new set of keys..."
|
|
|
|
|
KEY_NAME="Joe Tester"
|
|
|
|
|
KEY_PASSPHRASE="over-the-lazy-dog"
|
|
|
|
|
cat >foo_keys <<EOF
|
|
|
|
|
%echo Generating a basic OpenPGP key
|
|
|
|
|
Key-Type: RSA
|
|
|
|
|
Key-Usage: sign
|
|
|
|
|
Key-Length: 4096
|
|
|
|
|
Subkey-Type: RSA
|
|
|
|
|
Subkey-Usage: sign
|
|
|
|
|
Subkey-Length: 4096
|
|
|
|
|
Name-Real: ${KEY_NAME}
|
|
|
|
|
Name-Comment: with stupid passphrase
|
|
|
|
|
Name-Email: joe@foo.bar
|
|
|
|
|
Expire-Date: 0
|
|
|
|
|
Passphrase: ${KEY_PASSPHRASE}
|
|
|
|
|
# Do a commit here, so that we can later print "done" :-)
|
|
|
|
|
%commit
|
|
|
|
|
%echo done
|
|
|
|
|
EOF
|
|
|
|
|
gpg --batch --generate-key foo_keys
|
|
|
|
|
echo "${KEY_PASSPHRASE}" > "${GNUPGHOME}/passphrase"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if [ -z "${GPG_SUBKEY_ID+x}" ]; then
|
|
|
|
|
echo "A GPG key id has not been defined. Automatically selecting a fingerprint..."
|
|
|
|
|
# List key and its subkey with their respective fingerprints | filter fingerprints of both keys | pick fingerprint of the second row
|
|
|
|
|
# (the subkey seems to be listed always after its respective subkey)
|
|
|
|
|
GPG_SUBKEY_ID="$(gpg --list-secret-key --with-subkey-fingerprint --with-colons | awk -F: '$1 == "fpr" {print $10;}' | sed -n '2 p')"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# - Generate the armored pub key (NEW_KEY) that has to be published;
|
|
|
|
|
# - If the key does not exists in PUB_KEY_FULLPATH, place NEW_KEY;
|
|
|
|
|
# - If PUB_KEY_FULLPATH exixts but is not identical to NEW_KEY, then backup
|
|
|
|
|
# the old key (PUB_KEY_FULLPATH) and replace it with the new one (NEW_KEY).
|
|
|
|
|
# - Else do nothing.
|
|
|
|
|
NEW_KEY="$(mktemp)"
|
|
|
|
|
gpg --armor --export "${GPG_SUBKEY_ID}" > "${NEW_KEY}"
|
|
|
|
|
if [ ! -f "${PUB_KEY_FULLPATH}" ];then
|
|
|
|
|
echo "Public key not published. Generating and publishing it..."
|
|
|
|
|
mv "${NEW_KEY}" "${PUB_KEY_FULLPATH}"
|
|
|
|
|
elif [ -f "${PUB_KEY_FULLPATH}" ] && ! cmp --silent "${PUB_KEY_FULLPATH}" "${NEW_KEY}"; then
|
|
|
|
|
mv "${PUB_KEY_FULLPATH}" "${PUB_KEY_FULLPATH}".bak
|
|
|
|
|
mv "${NEW_KEY}" "${PUB_KEY_FULLPATH}"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
echo "Signing the repo..."
|
|
|
|
|
gpg --passphrase-file "${GNUPGHOME}/passphrase" --pinentry-mode loopback --default-key "${GPG_SUBKEY_ID}" -abs -o - "${REPO_PATH}/Release" > "${REPO_PATH}/Release.gpg"
|
|
|
|
|
gpg --passphrase-file "${GNUPGHOME}/passphrase" --pinentry-mode loopback --default-key "${GPG_SUBKEY_ID}" --clearsign -o - "${REPO_PATH}/Release" > "${REPO_PATH}/InRelease"
|
