#!/bin/bash
# Copyright 2010-2015 Gentoo Authors; Distributed under the GPL v2
# might be earlier copyright, no history available

# Architecture list. Keep this variable in sync in both sign-autobuilds.sh &
# sync-autobuilds.sh; the commented copy below is there for visual comparison.
_ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86"
        #alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86
# A caller may narrow the run by exporting ARCHES; otherwise every arch is used.
ARCHES="${ARCHES:-$_ARCHES}"

# Root of the release tree; one host (name still a TODO placeholder) uses a
# different location.
RELEASES=/var/tmp/gmirror-releases/releases/
if [[ $HOSTNAME == TODO ]]; then
	RELEASES=/var/tmp/gmirror/releases/
fi

# DEBUG and VERBOSE are opt-in switches taken from the environment.
: "${DEBUG:=}"
: "${VERBOSE=}"
# gpg command line shared by the signing helpers. It is stored as one string and
# expanded unquoted by its users, so it must not contain paths with whitespace.
# --batch and --no-tty keep gpg from prompting, so the run is non-interactive.
GPG='gpg --homedir /home/gmirror/.gnupg-releng/ --batch --no-tty'

# Do not change
# DEBUGP is prefixed to commands: empty runs them, "echo" only prints them.
# VERBOSEP is prefixed to progress messages: "false" swallows them, empty shows them.
DEBUGP=
VERBOSEP=false
# RSYNC_OPTS is not read anywhere else in this file; presumably kept for parity
# with sync-autobuilds.sh.
if [[ -n "$DEBUG" ]]; then
	DEBUGP=echo
	RSYNC_OPTS="${RSYNC_OPTS} -n"
fi
if [[ -n "$VERBOSE" ]]; then
	VERBOSEP=
	RSYNC_OPTS="${RSYNC_OPTS} -v"
fi

# needs more debugging
# set -e

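#######################################
# Create an ASCII-armored detached signature for one file.
# Globals:   DEBUGP (read) - "echo" turns the call into a dry run
#            GPG    (read) - gpg command line, expanded with word splitting
# Arguments: $1 - path of the file to sign
# Outputs:   in dry-run mode, the gpg command line on stdout
# Returns:   exit status of gpg (of echo in dry-run mode)
#######################################
signone() {
	# local, so the caller's variables are not clobbered
	local f="$1"
	# ${GPG} is deliberately unquoted: it carries the command and its options
	# in a single string.
	$DEBUGP ${GPG} --armor --detach-sign "${f}"
}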

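#######################################
# Replace a text file with a clearsigned (inline-signed) copy of itself.
# Only for text files!
# Globals:   DEBUGP (read) - "echo" turns the gpg and mv calls into a dry run
#            GPG    (read) - gpg command line, expanded with word splitting
# Arguments: $1 - path of the text file to sign in place
# Outputs:   in dry-run mode, the gpg and mv command lines on stdout
# Returns:   0 on success; the gpg status if signing failed, else the mv status
#######################################
signone_clearsign() {
	local f="$1"
	local d="${f}.asc.tmp"
	local rc=0
	# Clearsign aborts if the destfile exists
	rm -f -- "$d"
	$DEBUGP ${GPG} --armor --clearsign --output "$d" "${f}" || rc=$?
	if (( rc != 0 )); then
		# Never move a failed or partial result over the original file.
		rm -f -- "$d"
		return "$rc"
	fi
	$DEBUGP mv -- "${d}" "${f}"
}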

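# Stop any running GnuPG daemons before the signing run starts.
# NOTE(review): no --homedir is given here, so gpgconf acts on the default
# GnuPG home rather than the one named in $GPG -- confirm that is the
# intended target.
gpgconf --kill all

# ARCHES is a space-separated list, so it is split on purpose.
for a in $ARCHES ; do
	# Architectures without a release directory on this host are skipped.
	pushd "${RELEASES}/${a}" >/dev/null || continue

	# NOTE(review): a missing autobuilds/ ends the whole run with status 1, so
	# architectures later in ARCHES are never processed. Confirm that `exit`
	# rather than `popd; continue` is intended.
	[[ -d autobuilds ]] || exit

	#echo "Release files:"

	# 2023/10/08: Unknown if the latest files are consumed by any machine-readable
	# process that would break if the changed into being clearsigned, so use a
	# detached signature for now.
	find_files_cmd=(
		find autobuilds
		-type f
		'('
			-false
			-or -name '*.tar.xz'
			-or -name '*.tar.bz2' # old builds
			-or -name '*.tar.gz' # old builds
			-or -name '*.tar.zst' # future builds?
			-or -name '*.tar.zstd' # future builds?
			-or -name '*.iso'
			# hppa netboot
			-or -name '*.lif'
			# s390 netboot
			-or -name 'netboot*T[0-9][0-9][0-9][0-9][0-9][0-9]Z'
			# marker files to declare latest builds.
			-or -name 'latest*txt'
		')'
	)

	files="$( "${find_files_cmd[@]}" )"
	sigs="$(find autobuilds -name '*.asc' )"
	# Release files minus those that already have a sibling .asc.
	unsigned="$(comm -23 <(printf '%s\n' "$files" | sort) <(printf '%s\n' "$sigs" | sed -e 's,\.asc$,,' | sort))"

	#$VERBOSEP echo "=== ARCH: $a"

	# Split the list on newlines only, so a path containing blanks or glob
	# characters is signed as one file instead of being torn apart.
	mapfile -t unsigned_list <<<"$unsigned"
	for dgst in "${unsigned_list[@]}" ; do
		[[ -n "$dgst" ]] || continue
		# An existing .asc is taken at face value; the signature itself is not
		# verified here.
		if [[ ! -f "${dgst}.asc" ]]; then
			$VERBOSEP echo "Signing $dgst"
			signone "$dgst" || echo "Failed to sign $dgst" >&2
		fi
	done

	# NOTE(review): `digests` is not assigned anywhere in this file, so unless it
	# is inherited from the environment this loop never runs. Before wiring it to
	# a real list, decide deliberately whether a file that changed after it was
	# signed should be re-signed automatically: the new signature would vouch for
	# content that differs from what was originally signed.
	for dgst in $digests ; do
		if [[ -f "${dgst}.asc" && "${dgst}" -nt "${dgst}.asc" ]]; then
			$VERBOSEP echo "Resigning $dgst"
			rm -f -- "${dgst}.asc"
			signone "$dgst" || echo "Failed to sign $dgst" >&2
		fi
	done

	#echo "Text helper files:"

	# grep -L lists the checksum files that lack the clearsign armor header.
	# Presence of that header line is the only test; an existing inline
	# signature is not verified here.
	unsigned="$(find autobuilds \( -name '*.sha256' -or -name '*.DIGESTS' \) -exec grep -L -e '^-----BEGIN PGP SIGNED MESSAGE-----$' \{} \+ )"
	mapfile -t unsigned_list <<<"$unsigned"
	for dgst in "${unsigned_list[@]}" ; do
		[[ -n "$dgst" ]] || continue
		$VERBOSEP echo "Signing (inline/cleartext) $dgst"
		signone_clearsign "$dgst" || echo "Failed to sign $dgst" >&2
	done

	popd >/dev/null

done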