#!/bin/bash
# Copyright 2010-2015 Gentoo Authors; Distributed under the GPL v2
# might be earlier copyright, no history available

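# Keep this variable in sync in both sign-autobuilds.sh & sync-autobuilds.sh
_ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86"
        #alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86
# Callers may override the arch list through the environment.
ARCHES=${ARCHES:-${_ARCHES}}

RELEASES=/var/tmp/gmirror-releases/releases/
[[ $HOSTNAME == TODO ]] && RELEASES=/var/tmp/gmirror/releases/

# DEBUG   non-empty => dry-run: every gpg/mv call below is only echoed.
# VERBOSE non-empty => print a progress line per signed file.
# Both must default to the EMPTY string. The earlier spelling `"${DEBUG:=''}"`
# does not do that under bash: inside a double-quoted ${...} word the single
# quotes are literal characters, so DEBUG was assigned the two-character
# string '' whenever it was unset or empty, DEBUGP became "echo", and the
# script never left dry-run mode (VERBOSE was likewise always "on").
: "${DEBUG:=}"
: "${VERBOSE=}"
GPG=(gpg --homedir /home/gmirror/.gnupg-releng/ --batch --no-tty)

# Do not change
# DEBUGP is prefixed (unquoted) to every state-changing command; VERBOSEP is
# prefixed to progress messages, so "false" silences them.
DEBUGP=
VERBOSEP=false
[ -n "$DEBUG" ] && DEBUGP='echo'
[ -n "$VERBOSE" ] && VERBOSEP=''
# RSYNC_OPTS is not consumed in this file; presumably shared with
# sync-autobuilds.sh (see the sync note above) — kept for that reason.
[ -n "$DEBUG" ] && RSYNC_OPTS="${RSYNC_OPTS} -n"
[ -n "$VERBOSE" ] && RSYNC_OPTS="${RSYNC_OPTS} -v"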

# needs more debugging
# set -e

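#######################################
# Create a detached, ASCII-armored signature for one file.
# Globals:   GPG (read), DEBUGP (read; "echo" makes this a dry-run)
# Arguments: $1 - path of the file to sign
# Outputs:   gpg writes the signature next to the file (the callers look for
#            "<file>.asc"); in dry-run mode the command line is echoed instead
# Returns:   exit status of gpg (or of echo in dry-run mode)
#######################################
signone() {
	# 'local' so the helper no longer leaks "f" into the caller's scope.
	local f="$1"
	# $DEBUGP is intentionally unquoted: when empty it must disappear rather
	# than become an empty command word.
	$DEBUGP "${GPG[@]}" --armor --detach-sign "${f}"
}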

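#######################################
# Replace a text file IN PLACE with its clearsigned (inline) version.
# Globals:   GPG (read), DEBUGP (read; "echo" makes this a dry-run)
# Arguments: $1 - path of the text file to clearsign
# Outputs:   the file at $1 is overwritten with the clearsigned text
# Returns:   non-zero if gpg fails (the original file is then left untouched)
#######################################
signone_clearsign() {
	# only for text files!
	local f="$1"
	local d
	# Build the temp name INSIDE the target's directory: ".<name>.asc.tmp".
	# The earlier ".${1}.asc.tmp" put the dot in front of the whole path, so
	# "autobuilds/x/latest.txt" became ".autobuilds/x/latest.txt.asc.tmp",
	# a file in a directory that does not exist. A bare filename keeps the
	# old ".<name>.asc.tmp" form.
	if [[ "$f" == */* ]]; then
		d="${f%/*}/.${f##*/}.asc.tmp"
	else
		d=".${f}.asc.tmp"
	fi
	# Clearsign aborts if the destfile exists
	rm -f -- "$d"
	# $DEBUGP is intentionally unquoted (empty => no command prefix).
	# Stop here if gpg fails so a missing/partial temp file is never moved
	# over the original.
	$DEBUGP "${GPG[@]}" --armor --clearsign --output "$d" "${f}" || return
	$DEBUGP mv -- "${d}" "${f}"
}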

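#######################################
# Delete detached signatures of latest*txt marker files that are not
# clearsigned, under ./autobuilds.
# Globals:   none (note: NOT gated on DEBUGP — the rm runs even in dry-run
#            mode; NOTE(review): confirm that is intended)
# Arguments: none
# Outputs:   removes matching *.asc files
#######################################
cleanup() {
	# A sync mismatch means these seem like bad signatures due to different CDN
	# cache times.
	# [TXT]	latest-install-alpha-minimal.txt	2023-10-09 03:00	116
	# [TXT]	latest-install-alpha-minimal.txt.asc	2023-10-09 00:21	488
	#
	# Using a clearsign in a separate file doesn't help here either, because it
	# can still be out of date compared to the underlying file.
	# It must be exactly 1 file, clearsigned.
	#
	# grep -L lists the files that do NOT contain the clearsign header; -Z
	# terminates each name with NUL, so xargs -0 receives the names intact even
	# with blanks or newlines in them (the former `tr '\n' '\0'` split on
	# newlines inside a name).
	find autobuilds \
		-type f \
		-name 'latest*txt.asc' \
		-exec grep -L -Z -e '^-----BEGIN PGP SIGNED MESSAGE-----$' \{\} \+ \
	| xargs -0 --no-run-if-empty rm -f --
}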

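# Make sure no agent instance is holding the releng keyring in an odd state
# before the signing run starts.
gpgconf --kill all

# $ARCHES is a space-separated list; the unquoted expansion is the intended
# word split.
for a in $ARCHES ; do
	# $RELEASES is absolute, so every iteration cd's independently; an arch
	# without a checkout (or without an autobuilds/ tree) is skipped.
	cd "$RELEASES/$a" >/dev/null || continue

	[[ -d autobuilds ]] || continue

	#echo "Release files:"

	# 2023/10/08: Unknown if the latest files are consumed by any machine-readable
	# process that would break if the changed into being clearsigned, so use a
	# detached signature for now.
	# NOTE(review): the code below does the opposite — find_unsigned_helper_cmd
	# clearsigns 'latest*txt' in place and cleanup() removes any detached
	# latest*txt.asc — so this note looks superseded by cleanup()'s rationale;
	# confirm which behaviour is intended.
	#
	# Release artefacts that get a detached signature ("<file>.asc").
	# (The duplicate '*.tar.bz2' pattern was dropped; it changed nothing.)
	find_files_cmd=(
		find autobuilds
		-type f
		'('
			-false
			-or -name '*.tar.xz'
			-or -name '*.tar.bz2' # old builds
			-or -name '*.tar.gz' # old builds
			-or -name '*.tar.zst' # future builds?
			-or -name '*.tar.zstd' # future builds?
			-or -name '*.iso'
			# hppa netboot
			-or -name '*.lif'
			# s390 netboot
			-or -name 'netboot*T[0-9][0-9][0-9][0-9][0-9][0-9]Z'
		')'
	)

	# Every existing signature file; also drives the "resign if stale" pass.
	find_sigs_cmd=(
		find autobuilds
		-type f
		'('
			-false
			-or -name '*.asc'
		')'
	)

	# Text helper files that are not yet clearsigned (grep -L = no PGP header).
	find_unsigned_helper_cmd=(
		find autobuilds
		-type f
		\(
			-false
			# Gentoo format digest files.
			-or -name '*.DIGESTS'
			# .sha256 files exist to support the OpenStack builder process
			-or -name '*.sha256'
			# marker files to declare latest builds.
			-or -name 'latest*txt'
		\)
		-exec grep -L -e '^-----BEGIN PGP SIGNED MESSAGE-----$' \{\} \+
	)

	files="$( "${find_files_cmd[@]}" )"
	sigs="$( "${find_sigs_cmd[@]}" )"
	# Signable files with no "<file>.asc" yet. comm needs both inputs sorted
	# under the same collation, so pin LC_ALL=C on sort and comm alike. The
	# suffix strip is anchored AND escaped: the old 's,.asc$,,g' let '.' match
	# any character, so e.g. "xasc" would also have been trimmed.
	unsigned="$(LC_ALL=C comm -23 \
		<(printf '%s\n' "$files" | LC_ALL=C sort) \
		<(printf '%s\n' "$sigs" | sed -e 's,\.asc$,,' | LC_ALL=C sort))"

	#$VERBOSEP echo "=== ARCH: $a"

	# One path per line, so names containing blanks survive (the former
	# `for dgst in $unsigned` word-split them). An empty list yields one
	# empty line, hence the -n guard. $VERBOSEP is intentionally unquoted:
	# it is either empty or "false".
	while IFS= read -r dgst; do
		[[ -n "$dgst" ]] || continue
		if [[ ! -f "${dgst}.asc" ]]; then
			$VERBOSEP echo "Signing $dgst"
			signone "$dgst"
		fi
	done <<<"$unsigned"

	# Re-sign when the payload is newer than its existing detached signature.
	# NOTE(review): find_sigs_cmd matches every *.asc, so a stale detached
	# signature of a helper file (e.g. "*.DIGESTS.asc") would be redone here as
	# a detached signature rather than by the clearsign pass below — confirm.
	while IFS= read -r dgst; do
		[[ -n "$dgst" ]] || continue
		dgst=${dgst%.asc}
		if [[ -f "${dgst}.asc" && "${dgst}" -nt "${dgst}.asc" ]]; then
			$VERBOSEP echo "Resigning $dgst"
			rm -f -- "${dgst}.asc"
			signone "$dgst"
		fi
	done <<<"$sigs"

	#echo "Text helper files:"

	unsigned="$( "${find_unsigned_helper_cmd[@]}" )"
	while IFS= read -r dgst; do
		[[ -n "$dgst" ]] || continue
		$VERBOSEP echo "Signing (inline/cleartext) $dgst"
		signone_clearsign "$dgst"
	done <<<"$unsigned"

	cleanup

done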