diff options
Diffstat (limited to 'sign_images.sh')
-rwxr-xr-x | sign_images.sh | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/sign_images.sh b/sign_images.sh new file mode 100755 index 0000000..3835c09 --- /dev/null +++ b/sign_images.sh @@ -0,0 +1,48 @@ +#!/bin/sh + +branch=$1 +arch=$2 +version=$3 +mirror=http://dl-cdn.alpinelinux.org/alpine +sigs=/var/www/localhost/htdocs/sigs/$branch/$arch/$version +tarball=alpine-netboot-$version-$arch.tar.gz + +# CA Settings +CA_CRT="/etc/ssl/alpine-netboot-ca/ca.crt" +SIGN_CRT="/etc/ssl/alpine-netboot-ca/codesign.crt" +SIGN_KEY="/etc/ssl/alpine-netboot-ca/codesign.key" +PASS_FILE="/etc/ssl/alpine-netboot-ca/passwd" + +sign_image() { + local in=$1 out=$2 + echo "Signing image: $in" + openssl cms -sign -binary -noattr -in "$in" \ + -signer "$SIGN_CRT" -inkey "$SIGN_KEY" \ + -certfile "$CA_CRT" \ + -outform DER -out "$out" \ + -passin file:"$PASS_FILE" +} + +fetch_and_verify() { + for file in "$tarball" "$tarball".asc; do + wget -q -P "$tmpdir" "$mirror"/$branch/releases/$arch/$file + done + gpg --verify "$tmpdir/$tarball".asc "$tmpdir/$tarball" &> /dev/null +} + +tmpdir=$(mktemp -d) +mkdir -p "$sigs" && rm -f "$sigs"/* + +if fetch_and_verify; then + tar -C "$tmpdir" -zxvf "$tmpdir"/"$tarball" | while read file; do + case $file in + *modloop*|*vmlinuz*|*initramfs*) + sign_image "$tmpdir/$file" "$sigs/${file##*/}.sig" ;; + esac + done +else + echo "Failed to verify: $branch/$tarball" +fi + +rm -rf "$tmpdir" + |