author | Robin H. Johnson <robbat2@gentoo.org> | 2024-09-21 17:52:41 -0700 |
committer | Robin H. Johnson <robbat2@gentoo.org> | 2024-09-21 17:52:41 -0700 |
commit | 89fcf163be01d3d6c418248ea6ed7965d468837c (patch) | |
tree | 8d40101a7ec47bfd0bca7fa56c3bf8c31c74aff9 | |
parent | create-squashfs-snapshot: work on daily snapshots (diff) | |
create-squashfs-snapshot: finish up new signing code; but final output not yet rotated into place20240922T005249Z
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-rwxr-xr-x | create-squashfs-snapshot | 82 |
1 files changed, 68 insertions, 14 deletions
diff --git a/create-squashfs-snapshot b/create-squashfs-snapshot
index 1fafe9d..82500ae 100755
--- a/create-squashfs-snapshot
+++ b/create-squashfs-snapshot
@@ -161,14 +161,26 @@ for algo in "${algo_LIST[@]}" ; do
 ln -s -f "${reponame}-${today}${ext}" "${reponame}-current${ext}"
 done
-# Find the files that do NOT have dated SHA512 checksums with them already.
-find . -name 'gentoo-*sqfs' -type f -printf '%f\n' \
-| cut -d. -f1 \
-| uniq \
-| perl -lne 'print $_ unless -f $_.".sha512sum.txt"' \
-| while read _prefix ; do
+# create checksums for snapshot and deltas
+# OLD LOGIC, that scans entire 18GB
+sha512sum -- *.sqfs *.sqdelta | \
+ gpg \
+ --batch \
+ --yes \
+ -u "${signkeyid}" \
+ --clearsign \
+ --comment "Current: gentoo-${today}" \
+ --output sha512sum.txt.tmp \
+ /dev/stdin
+mv sha512sum.txt.tmp sha512sum.txt
+
+# NEW LOGIC, that tries to re-use signed checksums
+# Helper func for signing.
+sign_prefix() {
+ prefix=$1
 d=${_prefix}.sha512sum.txt
+ # Might be symlink OR real file.
 find . \
 -name "${prefix}*" \
 -a \( -name "*.sqfs" -o -name '*.sqdelta' \) \
@@ -180,13 +192,55 @@ find . -name 'gentoo-*sqfs' -type f -printf '%f\n' \
 /dev/stdin
 mv ${d}.tmp ${d}
+}
+
+# 1. Create per-day checksums, with dates in the filenames; only if they do NOT
+# exist.
+find . -name 'gentoo-*sqfs' -type f -printf '%f\n' \
+| cut -d. -f1 \
+| uniq \
+| perl -lne 'print $_ unless -e $_.".sha512sum.txt"' \
+| while read _prefix ; do
+ sign_prefix "$_prefix"
+done
+# 2. Always re-sign the -current symlink.
+sign_prefix "gentoo-current"
+
+# 3. Re-verify each existing file
+for sigfile in $(find . -name 'gentoo-*sha512sum.txt' -type f) ; do
+ rm -f "${tempdir}"/${sigfile}.combine*
+ # FUTURE: it would be wonderful to have a better interface to GPG here that
+ # only sent the output if the signature was valid and matched the specified
+ # key.
+ # gpgv doesn't have assert-signer
+ if gpg --verify \
+ --batch \
+ --assert-signer "${signkeyid}" \
+ --trusted-key "${signkeyid}" \
+ --output "${tempdir}/${sigfile}".combine-tmp \
+ --status-fd 3 \
+ 2>"${tempdir}/${sigfile}".stderr \
+ 3>"${tempdir}/${sigfile}".status-fd \
+ ; then
+ mv "${tempdir}/${sigfile}".combine-tmp "${tempdir}/${sigfile}".combine-verified
+ else
+ echo "FATAL: $sigfile verification failed" 1>&2
+ cat "${tempdir}/${sigfile}".stderr
+ cat "${tempdir}/${sigfile}".status-fd
+ fi
 done
-# TODO: combine the above checksums (after verification) INSTEAD of
-# re-computing checksums on 18GB of data each day.
-#
-# create checksums for snapshot and deltas
-sha512sum -- *.sqfs *.sqdelta | \
- gpg --yes -u "${signkeyid}" --clearsign \
- --comment "Current: gentoo-${today}" --output sha512sum.txt.tmp
-
-mv sha512sum.txt.tmp sha512sum.txt
+# 4. Combine the verified files and sign the combined output.
+find "$tempdir" -name 'gentoo-*combine-verified' \
+ | sort \
+ | xargs --no-run-if-empty cat \
+ | gpg \
+ --batch \
+ --yes \
+ -u "${signkeyid}" \
+ --clearsign \
+ --comment "Current: gentoo-${today}" \
+ --output "${tempdir}"/sha512sum.txt.tmp \
+ /dev/stdin
+mv "${tempdir}"/{sha512sum.txt.tmp,sha512sum.txt}
+diff -Nuar sha512sum.txt "${tempdir}"/sha512sum.txt |
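Review bot: The `gpg --verify` invocation in step 3 names no input file — `$sigfile` appears in the loop header and in the redirections but never as an argument — so gpg verifies whatever is on the script's stdin rather than the checksum file, and with stdin empty or closed (presumably the case under cron) every file lands in the FATAL branch; the call should end with the file, e.g. `3>"${tempdir}/${sigfile}".status-fd \` followed by `"$sigfile" ; then`. That FATAL branch only prints and continues, so a checksum file whose signature is bad or from another key is silently absent from the combined sha512sum.txt instead of stopping the run; a `verify_failed=1` in the else branch and `[[ -z "${verify_failed:-}" ]] || exit 1` before step 4 keeps a tampered or unsigned file from being quietly dropped. `sign_prefix` (its body begins in the previous hunk) assigns `prefix=$1` but keeps the old `d=${_prefix}.sha512sum.txt`, so the step-2 call `sign_prefix "gentoo-current"` — made outside the `while read _prefix` pipeline, where `_prefix` is unset — writes its signature to `.sha512sum.txt`; it should be `d=${prefix}.sha512sum.txt`, with both variables declared `local`. The `for sigfile in $(find …)` loop also word-splits and globs find's output; `find … -print0 | while IFS= read -r -d '' sigfile` is the usual form.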