#!/bin/sh # sign indexes # Copyright (c) 2009 Natanael Copa <ncopa@alpinelinux.org> # # Distributed under GPL-2 # # Depends on: busybox utilities, fakeroot, # abuild_ver=@VERSION@ sysconfdir=@sysconfdir@ abuild_conf=${ABUILD_CONF:-"$sysconfdir/abuild.conf"} abuild_home=${ABUILD_USERDIR:-"$HOME/.abuild"} abuild_userconf=${ABUILD_USERCONF:-"$abuild_home/abuild.conf"} die() { echo "$@" >&2 exit 1 } usage() { echo "abuild-sign $abuild_ver" echo "usage: abuild-sign [-hq] [-k PRIVKEY] [-p PUBKEY] INDEXFILE..." echo "options:" echo " -h Show this help" echo " -k The private key to use for signing" echo " -p The name of public key. apk add will look for /etc/apk/keys/PUBKEY" exit 1 } # read config [ -f "$abuild_conf" ] && . "$abuild_conf" # read user config if exists [ -f "$abuild_userconf" ] && . "$abuild_userconf" privkey="$PACKAGER_PRIVKEY" while getopts "hk:p:q" opt; do case $opt in h) usage;; k) privkey=$OPTARG;; p) pubkey=$OPTARG;; q) quiet=yes;; esac done shift $(( $OPTIND - 1)) if [ -z "$privkey" ]; then echo "No private key found. Use 'abuild-keygen' to generate the keys" echo "Then you can either:" echo " 1. set the PACKAGER_PRIVKEY in $abuild_userconf" echo " (Note that 'abuild-keygen -a' does this for you)" echo " 2. set the PACKAGER_PRIVKEY in $abuild_conf" echo " 3. specify the key with the -k option" echo "" exit 1 fi if [ -z "$pubkey" ]; then pubkey=${PACKAGER_PUBKEY:-"${privkey}.pub"} fi # we are actually only interested in the name, not the file itself keyname=${pubkey##*/} for f in "$@"; do i=$(readlink -f $f) [ -d "$i" ] && i="$i/APKINDEX.tar.gz" repo="${i%/*}" cd "$repo" || die "Failed to sign $i" sig=".SIGN.RSA.$keyname" openssl dgst -sha1 -sign "$privkey" -out "$sig" "$i" || die "Failed to sign $i" tmptargz=$(mktemp) tar -c "$sig" | abuild-tar --cut | gzip -9 > "$tmptargz" tmpsigned=$(mktemp) cat "$tmptargz" "$i" > "$tmpsigned" rm -f "$tmptargz" "$sig" mv "$tmpsigned" "$i" chmod 644 "$i" if [ -z "$quiet" ]; then echo "Signed $i" fi done exit 0