diff options
-rw-r--r-- | abuild-sign.in | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/abuild-sign.in b/abuild-sign.in new file mode 100644 index 0000000..5067a74 --- /dev/null +++ b/abuild-sign.in @@ -0,0 +1,80 @@ +#!/bin/sh + +# sign indexes +# Copyright (c) 2009 Natanael Copa <ncopa@alpinelinux.org> +# +# Distributed under GPL-2 +# +# Depends on: busybox utilities, fakeroot, +# + +abuild_ver=@VERSION@ +sysconfdir=@sysconfdir@ + +abuild_conf=${ABUILD_CONF:-"$sysconfdir/abuild.conf"} +abuild_home=${ABUILD_USERDIR:-"$HOME/.abuild"} +abuild_userconf=${ABUILD_USERCONF:-"$abuild_home/abuild.conf"} + +die() { + echo "$@" >&2 + exit 1 +} + +usage() { + echo "abuild-sign $abuild_ver" + echo "usage: abuild-sign [-h] [-k PRIVKEY] [-p PUBKEY] INDEXFILE..." + echo "options:" + echo " -h Show this help" + echo " -k The private key to use for signing" + echo " -p The name of public key. apk add will look for /etc/apk/keys/PUBKEY" + exit 1 +} + +# read config +[ -f "$abuild_conf" ] && . "$abuild_conf" + +# read user config if exists +[ -f "$abuild_userconf" ] && . "$abuild_userconf" + +privkey="$PACKAGER_PRIVKEY" + +while getopts "hk:p:" opt; do + case $opt in + h) usage;; + k) privkey=$OPTARG;; + p) pubkey=$OPTARG;; + esac +done +shift $(( $OPTIND - 1)) + +if [ -z "$privkey" ]; then + echo "No private key found. Use 'abuild-keygen' to generate the keys" + echo "Then you can either:" + echo " 1. set the PACKAGER_PRIVKEY in $abuild_userconf" + echo " 2. set the PACKAGER_PRIVKEY in $abuild_conf" + echo " 3. specify the key with the -k option" + echo "" + exit 1 +fi + +if [ -z "$pubkey" ]; then + pubkey=${PACKAGER_PUBKEY:-"${privkey}.pub"} +fi + +# we are actually only interested in the name, not the file itself +keyname=${pubkey##*/} + +for f in "$@"; do + i=$(readlink -f $f) + [ -d "$i" ] && i="$i/APKINDEX.tar.gz" + repo="${i%/*}" + cd "$repo" || die "Failed to sign $i" + sig=".SIGN.RSA.$keyname" + openssl dgst -sha1 -sign "$privkey" -out "$sig" "$i" || die "Failed to sign $i" + cd "$repo" + tar -c "$sig" | abuild-tar --cut | gzip -9 > signature.tar.gz + cat signature.tar.gz "$i" > "$i.new" + mv "$i.new" "$i" + echo "Signed $i" +done + |