author | Andreas K. Hüttel <dilfridge@gentoo.org> | 2022-02-05 22:18:34 +0100 |
---|---|---|
committer | Sam James <sam@gentoo.org> | 2022-02-05 22:59:06 +0000 |
commit | 285d8e0166ffd72aa56ab610d93365e66d75111e (patch) | |
tree | 1430e9144d2bc01eeb07d46ca67c366ffb7a6f4b | |
parent | Try allowing removal of metadata/install-qa-check.d (diff) | |
sign-autobuilds: Sign the actual files (detached sig), not the file digests20220205T225935Z
The old way to do this led to no end of confusion - to verify a file,
you needed to first check the inline signature of a digest file,
then verify the digests there.
* To my knowledge the main rationale was that a previous gnupg was
bad in handling large-ish files. This is not the case anymore.
* Also, gnupg is now in stage3 and @system, so verification can be
done pretty much everywhere.
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
Signed-off-by: Sam James <sam@gentoo.org>
-rwxr-xr-x | sign-autobuilds.sh | 19 |
1 files changed, 5 insertions, 14 deletions
diff --git a/sign-autobuilds.sh b/sign-autobuilds.sh
index 798b22c..df7f828 100755
--- a/sign-autobuilds.sh
+++ b/sign-autobuilds.sh
@@ -23,7 +23,7 @@ VERBOSEP=false
 signone() {
 f="$1"
- $DEBUGP gpg --homedir /home/gmirror/.gnupg-releng/ --armor --clearsign "${f}"
+ $DEBUGP gpg --homedir /home/gmirror/.gnupg-releng/ --armor --detach-sign "${f}"
 }
 gpgconf --kill all
@@ -33,9 +33,9 @@ pushd $RELEASES/$a >/dev/null || continue
 #echo "ISOS:"
 [[ -d autobuilds ]] || exit
-digests="$(find autobuilds -name '*.DIGESTS' )"
-sigs="$(find autobuilds -name '*.DIGESTS.asc' )"
-unsigned="$(comm -23 <(echo "$digests" |sort) <(echo "$sigs" | sed -e 's,.asc$,,g' |sort))"
+files="$(find autobuilds -name '*.tar.xz' -or -name '*.iso' -or -name '*.tar.bz2' -or -name '*.lif')"
+sigs="$(find autobuilds -name '*.asc' )"
+unsigned="$(comm -23 <(echo "$files" |sort) <(echo "$sigs" | sed -e 's,.asc$,,g' |sort))"
 #$VERBOSEP echo "=== ARCH: $a"
@@ -44,7 +44,7 @@ for dgst in $unsigned ; do
 $VERBOSEP echo "Signing $dgst"
 signone $dgst
 fi
-done
+done
 for dgst in $digests ; do
 if [ -f ${dgst}.asc -a ${dgst} -nt ${dgst}.asc ]; then
@@ -54,15 +54,6 @@ for dgst in $digests ; do
 fi
 done
-#echo "$isos"
-#latest="$(echo "$isos" | tail -n1)"
-#if [[ -n $latest ]]; then
-# #echo "latest is $latest"
-# latest=$(echo "$latest" | awk '{print $2}')
-# #pwd
-# rm current && ln -s $latest current
-#fi
-
 popd >/dev/null
 done |
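Review bot: `signone()` now signs only the bytes of each file, so the file name and build date are no longer part of the signed data, whereas the clearsigned DIGESTS presumably carried the names next to the hashes. An older, validly signed image served under a current name would still pass `gpg --verify`, so it is worth a comment above the gpg call such as `# detached sig covers contents only; name and freshness must come from a separately signed index`. The gpg exit status is also not checked in this function, so a failed signing run goes unnoticed; `... --detach-sign "${f}" || return 1` would let the caller react.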
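Review bot: `digests` is no longer assigned once this hunk replaces it with `files`, yet the loop `for dgst in $digests ; do` that appears as context in the third and fourth hunks still iterates it, so the check for a file newer than its `.asc` appears never to run. An artifact rebuilt in place would then keep a stale signature that fails verification downstream. Changing that loop header to `for dgst in $files ; do` restores the check; its body lies outside the hunks, so confirm that it re-signs without prompting. Separately, `sigs` now matches every `*.asc` and only existence is compared, so a leftover or empty `.asc` marks a file as signed; adding `-type f` to both `find` calls and verifying existing signatures would be a cheap guard.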