#!/bin/bash
# Copyright 2023 Gentoo Authors; Distributed under the GPL v2
# might be earlier copyright, no history available
# NOTE 1: This script is SLOW. It should run at most once per day.
# NOTE 2: This script requires that the signing key has its ownertrust
# set to ultimate. Which makes sense anyway, since we have the
# secret key.
# NOTE 3: This script has to run as gmirror user.
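# for testing
# NOTE(review): this unconditional assignment replaces any ARCHES passed in
# through the environment and makes the fallback to _ARCHES below a no-op, so
# only sparc is synced and signed. Remove it to process the full list.
ARCHES="sparc"
# Keep this variable in sync
_ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86"
#alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86
ARCHES=${ARCHES:-${_ARCHES}}
# INTREE is where the arches copy their packages in; SIGTREE is the tree that
# step 1 fills from it and step 2 signs and indexes.
INTREE=/release/weekly/binpackages
SIGTREE=/release/binpackages
# Exported for the signing and index tools called in step 2. Verification is
# pointed at the same GnuPG home that holds the signing key.
export BINPKG_GPG_SIGNING_GPG_HOME=/home/gmirror/.gnupg-releng
export BINPKG_GPG_SIGNING_KEY=13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
export BINPKG_GPG_VERIFY_GPG_HOME=${BINPKG_GPG_SIGNING_GPG_HOME}
# Only gmirror may run this (see NOTE 3 in the header). Exit code 111 is kept,
# but the reason is now written to stderr instead of failing silently.
if [[ $(whoami) != "gmirror" ]]; then
  printf '%s: must be run as user gmirror\n' "${0##*/}" >&2
  exit 111
fi
# NOTE(review): no --homedir is passed and GNUPGHOME is not set in this script,
# so this addresses the daemons of the caller's default GnuPG home. Confirm that
# is the intended one rather than ${BINPKG_GPG_SIGNING_GPG_HOME}.
gpgconf --kill all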
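# step 1: rsync from the dirs where the arches copy in
# make sure to *not* overwrite existing newer files (obviously
# the signature changed them)...
# Whatever lands in SIGTREE here is signed with the release key in step 2; no
# check of the uploaded files is visible in this script, so the upload area's
# write permissions are the only gate in front of the signing key.
# NOTE: the sources are passed as "dir/*", so --delete only prunes inside the
# transferred subdirectories. A top-level entry that disappeared from INTREE
# stays in SIGTREE and keeps being signed and indexed.
# shellcheck disable=SC2086 # ARCHES is a space-separated list, split on purpose
for a in $ARCHES; do
  incoming=("${INTREE}/${a}"/*)
  # An unmatched glob stays literal; skip rather than hand rsync a bogus path.
  if [[ ! -e ${incoming[0]} && ! -L ${incoming[0]} ]]; then
    printf 'binpkg sync: nothing to copy for %s\n' "${a}" >&2
    continue
  fi
  # A failed sync is reported but does not stop the other arches.
  if ! rsync --archive --delete --delete-after --update --mkpath \
    "${incoming[@]}" "${SIGTREE}/${a}/"; then
    printf 'binpkg sync: rsync failed for %s\n' "${a}" >&2
  fi
done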
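# step 2: iterate over all binary package trees, sign
# all unsigned files
# we assume the directory structure to be
# .../binpackages/amd64/17.1/x86-64
# .../binpackages/amd64/17.1/x86-64_musl
# .../binpackages/mips/17.0/mipsel3_n32
# .../binpackages/x86/17.0/x86_musl_hardened
sign_failures=0
for t in "${SIGTREE}"/*/*/*; do
  # Skip the literal pattern left by an unmatched glob and any non-directory.
  [[ -d ${t} ]] || continue
  # Still one gpkg-sign call per package, but its exit status is now checked
  # (find -exec ... \; discards it). The file list is read on fd 3 so that
  # gpkg-sign keeps the script's own stdin.
  while IFS= read -r -d '' pkg <&3; do
    if ! gpkg-sign --skip-signed "${pkg}" > /dev/null; then
      printf 'binpkg sign: gpkg-sign failed for %s\n' "${pkg}" >&2
      sign_failures=$((sign_failures + 1))
    fi
  done 3< <(find "${t}" -name '*.gpkg.tar' -print0)
  # The index is regenerated even if a package could not be signed, as before.
  # NOTE(review): confirm how the index tool treats an unsigned package.
  if ! PKGDIR=${t} emaint -f binhost > /dev/null; then
    printf 'binpkg sign: emaint binhost failed for %s\n' "${t}" >&2
    sign_failures=$((sign_failures + 1))
  fi
done
# Both commands are noisy on stdout, so stdout is discarded. stderr passes
# through, and any failure is counted and turned into a non-zero exit status.
if ((sign_failures > 0)); then
  printf 'binpkg sign: %d step(s) failed\n' "${sign_failures}" >&2
  exit 1
fi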