#!/bin/sh

# sign indexes
# Copyright (c) 2009 Natanael Copa <ncopa@alpinelinux.org>
#
# Distributed under GPL-2
#
# Depends on: busybox utilities, fakeroot, 
#

# The @NAME@ tokens are presumably substituted when this template is turned
# into the installed script -- TODO confirm against the build rules.
abuild_ver=@VERSION@
sysconfdir=@sysconfdir@

# Configuration locations; each one can be overridden from the environment.
# The two config files named here are sourced further down, i.e. executed as
# shell code in this process, so whoever controls ABUILD_CONF, ABUILD_USERDIR
# or ABUILD_USERCONF (or can write to the files) controls what the signer runs.
abuild_conf=${ABUILD_CONF:-"$sysconfdir/abuild.conf"}
abuild_home=${ABUILD_USERDIR:-"$HOME/.abuild"}
abuild_userconf=${ABUILD_USERCONF:-"$abuild_home/abuild.conf"}

# Report a fatal error: echo all arguments on stderr, then terminate the
# script with exit status 1.
die() {
	{
		echo "$@"
	} 1>&2
	exit 1
}

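# Print the version banner and the option summary on stdout, then exit.
# Globals: abuild_ver (read).
# The exit status is 1 in every case, including an explicit -h; that is the
# existing behaviour and is kept so callers see no change.
usage() {
	echo "abuild-sign $abuild_ver"
	echo "usage: abuild-sign [-hq] [-k PRIVKEY] [-p PUBKEY] INDEXFILE..."
	echo "options:"
	echo " -h  Show this help"
	echo " -k  The private key to use for signing"
	echo " -p  The name of public key. apk add will look for /etc/apk/keys/PUBKEY"
	# -q is accepted by the option parser and listed in the synopsis, so it
	# is documented here as well.
	echo " -q  Quiet mode. Do not print a message for each signed index"
	exit 1
}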

# Load the system-wide settings first, if that file exists. The file is
# sourced, so its contents run as shell code inside this script.
if [ -f "$abuild_conf" ]; then
	. "$abuild_conf"
fi

# Then the per-user settings, which are sourced the same way and can
# therefore override anything the system-wide file set.
if [ -f "$abuild_userconf" ]; then
	. "$abuild_userconf"
fi

# Default signing key as configured; -k on the command line replaces it.
privkey=$PACKAGER_PRIVKEY

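# Parse the command-line options; usage() describes each of them.
while getopts "hk:p:q" opt; do
	case $opt in
	h) usage;;
	k) privkey=$OPTARG;;
	p) pubkey=$OPTARG;;
	q) quiet=yes;;
	# Unknown option or missing argument: getopts has already printed a
	# diagnostic. Stop here instead of going on to sign with an option
	# silently dropped (for example a -k whose argument was forgotten).
	*) usage;;
	esac
done
# Drop the parsed options so that "$@" holds only the index files.
shift $((OPTIND - 1))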

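# Nothing can be signed without a private key. Explain how to provide one and
# stop. The explanation is a diagnostic, so it goes to stderr like die() does.
if [ -z "$privkey" ]; then
	{
		echo "No private key found. Use 'abuild-keygen' to generate the keys"
		echo "Then you can either:"
		echo " 1. set the PACKAGER_PRIVKEY in $abuild_userconf"
		echo "    (Note that 'abuild-keygen -a' does this for you)"
		echo " 2. set the PACKAGER_PRIVKEY in $abuild_conf"
		echo " 3. specify the key with the -k option"
		echo ""
	} >&2
	exit 1
fi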

# When -p was not given, fall back to PACKAGER_PUBKEY, and failing that to
# the private key path with ".pub" appended.
: "${pubkey:=${PACKAGER_PUBKEY:-${privkey}.pub}}"

# Only the last path component matters: it becomes part of the signature
# member name, and per the usage text it is the name apk looks up under
# /etc/apk/keys. Stripping everything up to the final "/" also keeps
# directory components out of the file name built from it.
keyname=${pubkey##*/}

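# Scratch directory for the detached signature and the intermediate archives.
# Working here instead of changing into the repository keeps the current
# directory stable, so a relative -k path resolves the same way for every
# index, and no half-made file is ever left under the repository's own names.
tmpdir=$(mktemp -d) && [ -d "$tmpdir" ] || die "Failed to create temporary directory"
tmpsigned=

# Remove the scratch directory and any not-yet-published signed copy.
cleanup() {
	rm -rf "$tmpdir"
	if [ -n "$tmpsigned" ]; then
		rm -f "$tmpsigned"
	fi
}
trap cleanup EXIT
# Turn the usual termination signals into a normal exit so the EXIT trap runs
# in shells that would otherwise skip it.
trap 'exit 1' HUP INT TERM

# Sign every index given on the command line. An argument may be the index
# file itself or a directory holding APKINDEX.tar.gz.
for f in "$@"; do
	# Quoted so that paths with spaces or glob characters stay intact.
	i=$(readlink -f "$f") || die "Failed to sign $f"
	[ -d "$i" ] && i="$i/APKINDEX.tar.gz"
	[ -f "$i" ] || die "Failed to sign $i"

	sig=".SIGN.RSA.$keyname"
	# NOTE(review): the signature is RSA over a SHA-1 digest, and SHA-1 is no
	# longer collision resistant. The digest presumably has to match what the
	# verifier expects for a .SIGN.RSA.* member, so moving to a stronger one
	# needs verifier support -- confirm before changing it.
	openssl dgst -sha1 -sign "$privkey" -out "$tmpdir/$sig" "$i" || die "Failed to sign $i"

	# Build the signature segment one stage at a time. POSIX sh has no
	# pipefail, so in a pipeline a failing tar or abuild-tar would go
	# unnoticed and an index without a usable signature would be published.
	# The subshell keeps the archive member name free of directories.
	(cd "$tmpdir" && tar -c "$sig") > "$tmpdir/sig.tar" || die "Failed to sign $i"
	abuild-tar --cut < "$tmpdir/sig.tar" > "$tmpdir/sig.cut.tar" || die "Failed to sign $i"
	gzip -9 < "$tmpdir/sig.cut.tar" > "$tmpdir/sig.tar.gz" || die "Failed to sign $i"

	# Assemble the signed index next to the original so that the final mv is
	# a rename within one file system, and set the public mode before it
	# becomes visible under the index name.
	tmpsigned=$(mktemp "$i.XXXXXX") || die "Failed to sign $i"
	cat "$tmpdir/sig.tar.gz" "$i" > "$tmpsigned" || die "Failed to sign $i"
	chmod 644 "$tmpsigned" || die "Failed to sign $i"
	mv "$tmpsigned" "$i" || die "Failed to sign $i"
	tmpsigned=

	if [ -z "$quiet" ]; then
		echo "Signed $i"
	fi
done

exit 0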