abuild-sign.in 2.4 KB
Newer Older
Natanael Copa's avatar
Natanael Copa committed
1 2
#!/bin/sh

3
# abuild-sign - sign indexes
Natanael Copa's avatar
Natanael Copa committed
4 5 6 7 8
# Copyright (c) 2009 Natanael Copa <ncopa@alpinelinux.org>
#
# Distributed under GPL-2
#

9
program_version=@VERSION@
10
datadir=@datadir@
Natanael Copa's avatar
Natanael Copa committed
11

12 13
if ! [ -f "$datadir/functions.sh" ]; then
	echo "$datadir/functions.sh: not found" >&2
Natanael Copa's avatar
Natanael Copa committed
14
	exit 1
15 16
fi
. "$datadir/functions.sh"
Natanael Copa's avatar
Natanael Copa committed
17

Dubiousjim's avatar
Dubiousjim committed
18
do_sign() {
Dubiousjim's avatar
Dubiousjim committed
19
	local f i keyname repo
20
	local openssl=$(command -v openssl || echo libressl)
Dubiousjim's avatar
Dubiousjim committed
21

Dubiousjim's avatar
Dubiousjim committed
22 23 24 25 26 27 28
	# we are actually only interested in the name, not the file itself
	keyname=${pubkey##*/}

	for f; do
		i=$(readlink -f $f)
		[ -d "$i" ] && i="$i/APKINDEX.tar.gz"
		repo="${i%/*}"
29 30 31
		(
		set -e
		cd "$repo"
Dubiousjim's avatar
Dubiousjim committed
32
		sig=".SIGN.RSA.$keyname"
33
		$openssl dgst -sha1 -sign "$privkey" -out "$sig" "$i"
Dubiousjim's avatar
Dubiousjim committed
34
		tmptargz=$(mktemp)
A. Wilcox's avatar
A. Wilcox committed
35
		tar -f - -c "$sig" | abuild-tar --cut | gzip -9 > "$tmptargz"
Dubiousjim's avatar
Dubiousjim committed
36 37 38
		tmpsigned=$(mktemp)
		cat "$tmptargz" "$i" > "$tmpsigned"
		rm -f "$tmptargz" "$sig"
Dubiousjim's avatar
Dubiousjim committed
39
		chmod 644 "$tmpsigned"
Dubiousjim's avatar
Dubiousjim committed
40
		mv "$tmpsigned" "$i"
41 42
		msg "Signed $i"
		) || die "failed to sign $i"
Dubiousjim's avatar
Dubiousjim committed
43 44 45
	done
}

Natanael Copa's avatar
Natanael Copa committed
46
usage() {
Jakub Jirutka's avatar
Jakub Jirutka committed
47 48 49 50 51 52 53 54 55 56 57 58 59
	cat >&2 <<-__EOF__
		$program $program_version - sign indexes
		Usage: $program [-k PRIVKEY] [-p PUBKEY] INDEXFILE...
		       $program -e
		Options:
		  -e, --installed    Check only of there exist a private key for signing
		  -k, --private KEY  The private key to use for signing
		  -p, --public KEY   The name of public key. apk add will look for
		                     /etc/apk/keys/KEY
		  -q, --quiet
		  -h, --help         Show this help

	__EOF__
Natanael Copa's avatar
Natanael Copa committed
60 61
}

62
check_installed=false
Natanael Copa's avatar
Natanael Copa committed
63
privkey="$PACKAGER_PRIVKEY"
64 65
pubkey=
quiet=
Natanael Copa's avatar
Natanael Copa committed
66

67
args=$(getopt -o ek:p:qh --long installed,private:,public:,quiet,help -n "$program" -- "$@")
68 69 70 71 72 73 74
if [ $? -ne 0 ]; then
	usage
	exit 2
fi
eval set -- "$args"
while true; do
	case $1 in
75
		-e|--installed) check_installed=true;;
76 77 78 79 80 81
		-k|--private) privkey=$2; shift;;
		-p|--public) pubkey=$2; shift;;
		-q|--quiet) quiet=1;; # suppresses msg
		-h|--help) usage; exit;;
		--) shift; break;;
		*) exit 1;; # getopt error
Natanael Copa's avatar
Natanael Copa committed
82
	esac
83
	shift
Natanael Copa's avatar
Natanael Copa committed
84
done
85
if [ $# -eq 0 ] && ! $check_installed; then
86 87 88
	usage
	exit 2
fi
Natanael Copa's avatar
Natanael Copa committed
89 90

if [ -z "$privkey" ]; then
Jakub Jirutka's avatar
Jakub Jirutka committed
91 92 93 94 95 96 97
	cat >&2 <<-__EOF__
		No private key found. Use 'abuild-keygen' to generate the keys.
		Then you can either:
		  * set the PACKAGER_PRIVKEY in $ABUILD_USERCONF
		    ('abuild-keygen -a' does this for you)
		  * set the PACKAGER_PRIVKEY in $ABUILD_CONF
		  * specify the key with the -k option to $program
98

Jakub Jirutka's avatar
Jakub Jirutka committed
99
	__EOF__
Natanael Copa's avatar
Natanael Copa committed
100 101 102 103 104 105 106
	exit 1
fi

if [ -z "$pubkey" ]; then
	pubkey=${PACKAGER_PUBKEY:-"${privkey}.pub"}
fi

107 108 109
if ! $check_installed; then
	do_sign "$@"
fi