#!/bin/sh

# abuild-sign - sign indexes
# Copyright (c) 2009 Natanael Copa <ncopa@alpinelinux.org>
#
# Distributed under GPL-2
#

# Placeholders substituted when the .in template is processed.
sysconfdir=@sysconfdir@
abuild_ver=@VERSION@

# Config file locations; each can be overridden from the environment.
abuild_home=${ABUILD_USERDIR:-$HOME/.abuild}
abuild_conf=${ABUILD_CONF:-$sysconfdir/abuild.conf}
abuild_userconf=${ABUILD_USERCONF:-$abuild_home/abuild.conf}

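# Print the arguments as one line on stderr and exit 1.
# printf rather than echo, so a message that starts with "-n"/"-e" or
# contains backslashes is printed literally instead of being interpreted.
die() {
	printf '%s\n' "$*" >&2
	exit 1
}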

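# Print version, synopsis and the option summary on stdout, then exit 1.
# Every option accepted by getopts below is listed, including -q.
usage() {
	echo "abuild-sign $abuild_ver"
	echo "usage: abuild-sign [-hq] [-k PRIVKEY] [-p PUBKEY] INDEXFILE..."
	echo "options:"
	echo " -h  Show this help"
	echo " -k  The private key to use for signing"
	echo " -p  The name of public key. apk add will look for /etc/apk/keys/PUBKEY"
	echo " -q  Quiet: do not report each signed index"
	exit 1
}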

# Both config files are sourced, i.e. executed as shell code in this
# process, so they can set PACKAGER_PRIVKEY/PACKAGER_PUBKEY (and anything
# else).  The per-user file is loaded second and therefore wins.
if [ -f "$abuild_conf" ]; then
	. "$abuild_conf"
fi

if [ -f "$abuild_userconf" ]; then
	. "$abuild_userconf"
fi

# Default signing key from the config; -k overrides it.
privkey=$PACKAGER_PRIVKEY

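# Command-line options override the config files.  getopts reports an
# unknown option and a missing option argument both as '?'; treat either
# as a usage error instead of silently ignoring it.
while getopts "hk:p:q" opt; do
	case $opt in
	h) usage;;
	k) privkey=$OPTARG;;
	p) pubkey=$OPTARG;;
	q) quiet=yes;;
	*) usage;;
	esac
done
shift $((OPTIND - 1))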

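# Nothing to sign with: explain where the key is normally picked up from.
# This is a diagnostic, so it goes to stderr, and the exit status is 1.
if [ -z "$privkey" ]; then
	{
		echo "No private key found. Use 'abuild-keygen' to generate the keys"
		echo "Then you can either:"
		echo " 1. set the PACKAGER_PRIVKEY in $abuild_userconf"
		echo "    (Note that 'abuild-keygen -a' does this for you)"
		echo " 2. set the PACKAGER_PRIVKEY in $abuild_conf"
		echo " 3. specify the key with the -k option"
		echo ""
	} >&2
	exit 1
fi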

# Unless -p was given, the public key name comes from PACKAGER_PUBKEY and
# otherwise defaults to "<privkey>.pub".
: "${pubkey:=${PACKAGER_PUBKEY:-${privkey}.pub}}"

# Only the basename is used: it becomes the suffix of the .SIGN.RSA.* entry,
# the name apk add looks up under /etc/apk/keys.  The file itself is never read.
keyname=${pubkey##*/}

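# Sign one index file (absolute path): write the detached RSA signature of
# the index as ".SIGN.RSA.<keyname>", pack it into a gzip'd tar and prepend
# that to the index.
#
# Runs in a subshell so the cd (needed so the tar member is the bare
# signature name) does not leak into the loop: with the cd in the loop
# itself, a second relative INDEXFILE would be resolved against the first
# index's directory.  Temporaries are created next to the index, so the
# final mv is a rename on the same filesystem rather than a copy, and the
# EXIT trap removes them on every failure path.  Returns non-zero on error.
sign_index() (
	index=$1
	repo=${index%/*}
	sig=".SIGN.RSA.$keyname"
	cd "$repo" || return 1
	tmptargz=$(mktemp "$repo/.abuild-sign.XXXXXX") || return 1
	tmpsigned=$(mktemp "$repo/.abuild-sign.XXXXXX") || { rm -f "$tmptargz"; return 1; }
	trap 'rm -f "$tmptargz" "$tmpsigned" "$sig"' EXIT
	# SHA-1 is what the ".SIGN.RSA." entry name denotes to the verifier;
	# a different digest needs a different entry name, so neither is
	# changed here on its own.
	openssl dgst -sha1 -sign "$privkey" -out "$sig" "$index" || return 1
	tar -c "$sig" | abuild-tar --cut | gzip -9 > "$tmptargz"
	# /bin/sh has no pipefail; an empty archive means a stage failed.
	[ -s "$tmptargz" ] || return 1
	cat "$tmptargz" "$index" > "$tmpsigned" || return 1
	# mktemp creates the file 0600; the index must stay world-readable.
	chmod 644 "$tmpsigned" || return 1
	mv "$tmpsigned" "$index"
)

# Resolve each argument to an absolute index path (a directory means its
# APKINDEX.tar.gz), sign it, and report unless -q was given.
for f in "$@"; do
	i=$(readlink -f "$f") || die "Failed to sign $f"
	[ -d "$i" ] && i="$i/APKINDEX.tar.gz"
	sign_index "$i" || die "Failed to sign $i"
	if [ -z "$quiet" ]; then
		echo "Signed $i"
	fi
done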

# Every INDEXFILE was signed; any failure already exited via die.
exit 0