path: root/sign_images.sh
#!/bin/sh
# Download the Alpine netboot tarball for one branch/arch/version, check its
# GPG signature, and publish detached CMS signatures for the boot images
# (modloop, vmlinuz, initramfs) under the web-served sigs directory.
#
# Usage: sign_images.sh <branch> <arch> <version>

branch="$1"
arch="$2"
version="$3"

# Release mirror. The transport is plain HTTP; integrity of the download
# rests on the .asc signature check performed before anything is signed.
mirror="http://dl-cdn.alpinelinux.org/alpine"
# Destination for the generated .sig files, one directory per release.
sigs="/var/www/localhost/htdocs/sigs/$branch/$arch/$version"
tarball="alpine-netboot-$version-$arch.tar.gz"

# CA Settings: CA chain, signing certificate/key and the key passphrase file
# handed to openssl via -passin file: so the secret never appears in argv.
CA_CRT="/etc/ssl/alpine-netboot-ca/ca.crt"
SIGN_CRT="/etc/ssl/alpine-netboot-ca/codesign.crt"
SIGN_KEY="/etc/ssl/alpine-netboot-ca/codesign.key"
PASS_FILE="/etc/ssl/alpine-netboot-ca/passwd"

# Write a detached, DER-encoded CMS signature for one image.
# Arguments: $1 - file to sign, $2 - path of the .sig to produce
# Globals:   SIGN_CRT, SIGN_KEY, CA_CRT, PASS_FILE (read)
# Returns:   openssl's exit status
sign_image() {
	local src="$1" dst="$2"
	echo "Signing image: $src"
	# -binary keeps the input as-is (no text canonicalisation); -noattr
	# omits signed attributes so only the image content is covered.
	openssl cms -sign -binary -noattr \
		-in "$src" -out "$dst" -outform DER \
		-signer "$SIGN_CRT" -inkey "$SIGN_KEY" -certfile "$CA_CRT" \
		-passin file:"$PASS_FILE"
}

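# Download the tarball and its .asc into $tmpdir and verify the signature.
# Globals:  tmpdir, mirror, branch, arch, tarball (read)
# Returns:  0 only if every download succeeded AND gpg verified the signature
fetch_and_verify() {
	local file
	for file in "$tarball" "$tarball".asc; do
		# A failed download must not fall through to the gpg step.
		wget -q -P "$tmpdir" "$mirror/$branch/releases/$arch/$file" || return 1
	done
	# '&>' is not POSIX: under a strict sh it is parsed as '&' (background
	# job) followed by a '>' redirection, so the function would return the
	# redirection's status (0) and the verification result would be lost.
	# The portable form below keeps gpg's exit status as the return value.
	gpg --verify "$tmpdir/$tarball.asc" "$tmpdir/$tarball" >/dev/null 2>&1
}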

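# All three arguments are required: they form the download URL and the sigs
# directory whose contents are deleted below.
: "${branch:?missing branch argument}"
: "${arch:?missing arch argument}"
: "${version:?missing version argument}"

tmpdir=$(mktemp -d) || { echo "Failed to create temp dir" >&2; exit 1; }
# Remove the scratch directory on every exit path.
trap 'rm -rf "$tmpdir"' EXIT

status=0
if fetch_and_verify; then
	# Clear the published signatures only after the new tarball has been
	# verified, so a failed fetch does not leave an empty sigs directory.
	mkdir -p "$sigs" || exit 1
	rm -f "$sigs"/*
	# tar -v lists each extracted member on stdout, one name per line.
	tar -C "$tmpdir" -zxvf "$tmpdir/$tarball" | while IFS= read -r file; do
		case $file in
		*modloop*|*vmlinuz*|*initramfs*)
			# A signing failure aborts the loop (it runs in a subshell,
			# so exit only ends the pipeline) and marks the run failed.
			sign_image "$tmpdir/$file" "$sigs/${file##*/}.sig" || exit 1 ;;
		esac
	done || status=1
else
	echo "Failed to verify: $branch/$tarball" >&2
	status=1
fi

# Report failure to the caller (cron, CI) instead of always exiting 0.
exit "$status"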