summaryrefslogtreecommitdiff
blob: cc1a957aaa59001bcc120616706563b0ef9edfab (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
#!/bin/bash
# Copyright 2023 Gentoo Authors; Distributed under the GPL v2
# might be earlier copyright, no history available

# NOTE 1: This script is SLOW. It should run at most once per day.
# NOTE 2: This script requires that the signing key has its ownertrust
#         set to ultimate. Which makes sense anyway, since we have the
#         secret key.
# NOTE 3: This script has to run as gmirror user.

# Keep this variable in sync
_ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390    sparc x86"
        #alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86
ARCHES=${ARCHES:-${_ARCHES}}

VERBOSE='0'

INTREE=/release/weekly/binpackages
STAGINGTREE=/release/binpackages-staging
OUTTREE=/var/tmp/gmirror-releases/releases

IN_RSYNC_OPTS=(
	--no-motd
	--archive
	--delete
	--delete-after
	--ignore-missing-args
	--update
	--mkpath
)

OUT_RSYNC_OPTS=(
	--no-motd
	--archive
	--ignore-errors
	--delete
	--delete-after
	--ignore-missing-args
	--mkpath
)

export BINPKG_GPG_SIGNING_GPG_HOME=/home/gmirror/.gnupg-releng
export BINPKG_GPG_SIGNING_KEY=13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
export BINPKG_GPG_VERIFY_GPG_HOME=${BINPKG_GPG_SIGNING_GPG_HOME}

export LOCKFILE=${STAGINGTREE}/.running

# this script needs to be run as gmirror user
[[ $(whoami) == "gmirror" ]] || exit 111

# we make sure we're not running twice in parallel
if [[ -f ${LOCKFILE} ]] ; then
  echo sign-sync-binpackages.sh lockfile ${LOCKFILE} exists, aborting
  exit 112
fi
touch ${LOCKFILE} || exit 110

# make sure we have an updated gpg-agent
gpgconf --kill all

# prepare some handy variables
_verbose_v=''
[[ ${VERBOSE} == '1' ]] && _verbose_v='-v'


# step 1: rsync from the dirs where the arches copy in
# make sure to *not* overwrite existing newer files (obviously
# the signature changed them)...

for a in ${ARCHES} ; do
  rsync ${_verbose_v} "${IN_RSYNC_OPTS[@]}" ${INTREE}/${a}/* ${STAGINGTREE}/${a}/
done

# now the set of files is frozen in the staging dir, and we dont care
# if any arches start uploading in the meantime


# step 2: iterate over all binary package trees, sign
# all unsigned files
# we assume the directory structure to be
#   .../binpackages-staging/amd64/17.1/x86-64
#   .../binpackages-staging/amd64/17.1/x86-64_musl
#   .../binpackages-staging/mips/17.0/mipsel3_n32
#   .../binpackages-staging/x86/17.0/x86_musl_hardened

for t in ${STAGINGTREE}/*/*/* ; do
  # find all unsigned packages as fast as possible
  find "${t}" -name '*.gpkg.tar' -print0 | \
    parallel -0 -n1 --will-cite -- "tar tf {} |grep -E -e '/metadata\.tar\..*\.sig$' -L --label={}" \
    > ${STAGINGTREE}/.unsigned

  if [[ ${VERBOSE} == '1' ]] ; then
    echo "List of unsigned pacakges:"
    cat ${STAGINGTREE}/.unsigned
    echo ; echo
  fi

  # sign the packages
  if [[ ${VERBOSE} == '1' ]]; then
    xargs -n1 --no-run-if-empty -- gpkg-sign < ${STAGINGTREE}/.unsigned || exit 113
  else
    xargs -n1 --no-run-if-empty -- gpkg-sign < ${STAGINGTREE}/.unsigned > /dev/null || exit 113
  fi

  # regenerate the indices
  if [[ ${VERBOSE} == '1' ]]; then
    PKGDIR=${t} emaint -f binhost || exit 114
  else
    PKGDIR=${t} emaint -f binhost > /dev/null || exit 114
  fi
done
# unfortunately these commands make much noise... let's hope we notice errors


# step 3: sync the result into the mirror directories from where
# the files are distributed

for a in ${ARCHES}; do
  arch_binpackages=${OUTTREE}/${a}/binpackages
	[[ -d ${arch_binpackages} ]] || mkdir -p ${_verbose_v} ${arch_binpackages}
	rsync ${_verbose_v} "${OUT_RSYNC_OPTS[@]}" ${STAGINGTREE}/${a}/* ${arch_binpackages}/
	date -u > ${arch_binpackages}/.timestamp
done


# we're done so remove the "lockfile"
rm ${LOCKFILE}

# vim: et ts=2 sts=2 sw=2