authorAndreas K. Hüttel <dilfridge@gentoo.org>2022-02-05 22:18:34 +0100
committerSam James <sam@gentoo.org>2022-02-05 22:59:06 +0000
commit285d8e0166ffd72aa56ab610d93365e66d75111e (patch)
tree1430e9144d2bc01eeb07d46ca67c366ffb7a6f4b
parentTry allowing removal of metadata/install-qa-check.d (diff)
downloadmastermirror-scripts-285d8e0166ffd72aa56ab610d93365e66d75111e.tar.gz
mastermirror-scripts-285d8e0166ffd72aa56ab610d93365e66d75111e.tar.bz2
mastermirror-scripts-285d8e0166ffd72aa56ab610d93365e66d75111e.zip
sign-autobuilds: Sign the actual files (detached sig), not the file digests20220205T225935Z
The old way to do this led to no end of confusion - to verify a file, you needed to first check the inline signature of a digest file, then verify the digests there. * To my knowledge the main rationale was that a previous gnupg was bad in handling large-ish files. This is not the case anymore. * Also, gnupg is now in stage3 and @system, so verification can be done pretty much everywhere. Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org>
-rwxr-xr-xsign-autobuilds.sh19
1 files changed, 5 insertions, 14 deletions
diff --git a/sign-autobuilds.sh b/sign-autobuilds.sh
index 798b22c..df7f828 100755
--- a/sign-autobuilds.sh
+++ b/sign-autobuilds.sh
@@ -23,7 +23,7 @@ VERBOSEP=false
signone() {
f="$1"
- $DEBUGP gpg --homedir /home/gmirror/.gnupg-releng/ --armor --clearsign "${f}"
+ $DEBUGP gpg --homedir /home/gmirror/.gnupg-releng/ --armor --detach-sign "${f}"
}
gpgconf --kill all
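Review bot: signone has no comment saying where the signature is written, and after the switch to `--detach-sign` the `unsigned` computation in the next hunk depends on gpg's default output name. I would add above the gpg line `# Writes an armored detached signature to "${f}.asc"; ${f} itself is left unmodified.` Since no `--output` is given that name is implicit, so passing `--output "${f}.asc"` would make the coupling with the `sed -e 's,.asc$,,g'` step explicit.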
@@ -33,9 +33,9 @@ pushd $RELEASES/$a >/dev/null || continue
#echo "ISOS:"
[[ -d autobuilds ]] || exit
-digests="$(find autobuilds -name '*.DIGESTS' )"
-sigs="$(find autobuilds -name '*.DIGESTS.asc' )"
-unsigned="$(comm -23 <(echo "$digests" |sort) <(echo "$sigs" | sed -e 's,.asc$,,g' |sort))"
+files="$(find autobuilds -name '*.tar.xz' -or -name '*.iso' -or -name '*.tar.bz2' -or -name '*.lif')"
+sigs="$(find autobuilds -name '*.asc' )"
+unsigned="$(comm -23 <(echo "$files" |sort) <(echo "$sigs" | sed -e 's,.asc$,,g' |sort))"
#$VERBOSEP echo "=== ARCH: $a"
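Review bot: Dropping the `digests=` assignment here leaves the later `for dgst in $digests ; do` loop (visible as context in the following hunks) with nothing to iterate over, unless `digests` is set somewhere outside the visible lines. The check that re-signs when a file is newer than its `.asc` would then never run, so a rebuilt artifact could keep a stale signature that fails verification. That loop should walk the new list instead, `for dgst in $files ; do`. The `*.DIGESTS` files are also no longer in the to-sign set, so anything that still verifies through `*.DIGESTS.asc` would find no signature for new builds; this looks intended from the description, but it deserves a comment next to the `find`. The enclosing `for` loop starts and ends outside this hunk.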
@@ -44,7 +44,7 @@ for dgst in $unsigned ; do
$VERBOSEP echo "Signing $dgst"
signone $dgst
fi
-done
+done
for dgst in $digests ; do
if [ -f ${dgst}.asc -a ${dgst} -nt ${dgst}.asc ]; then
@@ -54,15 +54,6 @@ for dgst in $digests ; do
fi
done
-#echo "$isos"
-#latest="$(echo "$isos" | tail -n1)"
-#if [[ -n $latest ]]; then
-# #echo "latest is $latest"
-# latest=$(echo "$latest" | awk '{print $2}')
-# #pwd
-# rm current && ln -s $latest current
-#fi
-
popd >/dev/null
done