From d2d0fcc8506c4e583a60ea99b6340293279776d7 Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson"
Date: Sun, 8 Oct 2023 16:52:06 -0700
Subject: sign-autobuilds.sh: ensure all tarballs, netboots, and latest*txt are signed
Some binary release artifacts were not being signed: - older tarballs with different suffix - netboot files - latest marker files. Ensure they are signed going forward, and a little bit of future proofing for other compress suffixes.
Signed-off-by: Robin H. Johnson
---
 sign-autobuilds.sh | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/sign-autobuilds.sh b/sign-autobuilds.sh
index bbb835b..cac8b7e 100755
--- a/sign-autobuilds.sh
+++ b/sign-autobuilds.sh
@@ -49,7 +49,31 @@ pushd $RELEASES/$a >/dev/null || continue
 #echo "Release files:"
-files="$(find autobuilds -name '*.tar.xz' -or -name '*.iso' -or -name '*.tar.bz2' -or -name '*.lif')"
+# 2023/10/08: Unknown if the latest files are consumed by any machine-readable
+# process that would break if the changed into being clearsigned, so use a
+# detached signature for now.
+find_files_cmd=(
+ find autobuilds
+ -type f
+ '('
+ -false
+ -or -name '*.tar.xz'
+ -or -name '*.tar.bz2' # old builds
+ -or -name '*.tar.gz' # old builds
+ -or -name '*.tar.zst' # future builds?
+ -or -name '*.tar.zstd' # future builds?
+ -or -name '*.iso'
+ -or -name '*.tar.bz2'
+ # hppa netboot
+ -or -name '*.lif'
+ # s390 netboot
+ -or -name 'netboot*T[0-9][0-9][0-9][0-9][0-9][0-9]Z'
+ # marker files to declare latest builds.
+ -or -name 'latest*txt'
+ ')'
+)
+
+files="$( "${find_files_cmd[@]}" )"
 sigs="$(find autobuilds -name '*.asc' )"
 unsigned="$(comm -23 <(echo "$files" |sort) <(echo "$sigs" | sed -e 's,.asc$,,g' |sort))"
-- 
cgit v1.2.3-65-gdbad
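Review bot: Adding `latest*txt` to `find_files_cmd` interacts badly with the existence-only check in the trailing context lines, where `unsigned` is whatever `comm -23` finds without a matching `.asc`. If a marker file is rewritten in place by a later build, its old detached signature is still present, so the file is treated as signed and is never re-signed, leaving a signature that no longer matches the content; the signing step itself is outside this hunk, so this is inferred from the lines shown. Tarballs, ISOs and the timestamped netboot names are unique per build and are not affected, but for the mutable markers a stale `.asc` should be dropped before the comparison, for example `[[ "$f" -nt "$f.asc" ]] && rm -f -- "$f.asc"` over the matched files. Separately, `-or -name '*.tar.bz2'` appears twice in the array, and the new comment reads "if the changed" where "if they changed" is meant.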