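#!/bin/sh

# abuild-sign - sign indexes
# Copyright (c) 2009 Natanael Copa
#
# Distributed under GPL-2
#
# Prepends a detached RSA signature (wrapped in a gzip'ed tar segment) to
# each index file named on the command line. The private key comes from
# PACKAGER_PRIVKEY or -k; the public key *name* (from -p, PACKAGER_PUBKEY or
# "<privkey>.pub") is embedded in the signature member name so a verifier
# knows which key to look up.

# Both values are substituted at build time.
abuild_ver=@VERSION@
datadir=@datadir@

if ! [ -f "$datadir/functions.sh" ]; then
	echo "$datadir/functions.sh: not found" >&2
	exit 1
fi
# functions.sh is expected to provide die(), $prog, $abuild_conf and
# $abuild_userconf -- none of them are defined in this file.
. "$datadir/functions.sh"

# Sign every index given as an argument, replacing it in place.
# Globals:   pubkey, privkey, quiet (read)
# Arguments: index files, or directories containing APKINDEX.tar.gz
# Outputs:   "Signed <path>" on stdout unless quiet is set
# Returns:   does not return on failure (calls die)
do_sign() {
	local f i keyname repo
	# we are actually only interested in the name, not the file itself
	keyname=${pubkey##*/}
	for f; do
		# Quote the operand so paths containing whitespace or glob
		# characters resolve to a single file.
		i=$(readlink -f "$f")
		[ -n "$i" ] || die "Failed to resolve $f"
		[ -d "$i" ] && i="$i/APKINDEX.tar.gz"
		repo="${i%/*}"
		(
		# 'set -e' is ignored inside a subshell whose status is tested
		# with '||', so every step is checked explicitly. Otherwise a
		# failed signing step would still overwrite the index and
		# report success.
		cd "$repo" || exit 1
		sig=".SIGN.RSA.$keyname"
		tmptargz=
		tmpsigned=
		# Remove the detached signature and temp files on every exit
		# path, so a failed run leaves no partial artefacts behind.
		trap 'rm -f "$sig" "$tmptargz" "$tmpsigned"' EXIT

		# NOTE(security): SHA-1 is a weak digest for signatures. It is
		# kept because the digest is tied to the ".SIGN.RSA." member
		# name that verifiers expect; changing it needs a matching
		# change on the verifying side.
		openssl dgst -sha1 -sign "$privkey" -out "$sig" "$i" || exit 1
		[ -s "$sig" ] || exit 1

		tmptargz=$(mktemp) || exit 1
		# Only gzip's status is visible here (no pipefail in POSIX sh);
		# a tar or abuild-tar failure in this pipeline is not detected.
		tar -c "$sig" | abuild-tar --cut | gzip -9 > "$tmptargz" \
			|| exit 1
		tmpsigned=$(mktemp) || exit 1
		# signature segment first, then the original index
		cat "$tmptargz" "$i" > "$tmpsigned" || exit 1
		# mktemp creates the file owner-only; the index must be
		# world-readable
		chmod 644 "$tmpsigned" || exit 1
		mv "$tmpsigned" "$i" || exit 1
		if [ -z "$quiet" ]; then
			echo "Signed $i"
		fi
		exit 0
		) || die "Failed to sign $i"
	done
}

# Print the help text to stderr.
usage() {
	cat >&2 <<__EOF__
$prog $abuild_ver - sign indexes
Usage: $prog [-k PRIVKEY] [-p PUBKEY] INDEXFILE...
Options:
  -k, --private KEY   The private key to use for signing
  -p, --public KEY    The name of public key. apk add will look for
                      /etc/apk/keys/KEY
  -q, --quiet
  -h, --help          Show this help

__EOF__
}

privkey="$PACKAGER_PRIVKEY"
pubkey=
quiet=

if ! args=$(getopt -o k:p:qh --long private:,public:,quiet,help \
	-n "$prog" -- "$@"); then
	usage
	exit 2
fi

# getopt emits a shell-quoted argument list; eval re-parses that quoting.
# Never feed anything other than getopt's own output to this eval.
eval set -- "$args"
while true; do
	case "$1" in
		-k|--private) privkey=$2; shift;;
		-p|--public) pubkey=$2; shift;;
		-q|--quiet) quiet=1;;	# suppresses msg
		-h|--help) usage; exit;;
		--) shift; break;;
		*) exit 1;;		# getopt error
	esac
	shift
done

if [ $# -eq 0 ]; then
	usage
	exit 2
fi

if [ -z "$privkey" ]; then
	cat >&2 << __EOF__
No private key found. Use 'abuild-keygen' to generate the keys.
Then you can either:
 * set the PACKAGER_PRIVKEY in $abuild_userconf
   ('abuild-keygen -a' does this for you)
 * set the PACKAGER_PRIVKEY in $abuild_conf
 * specify the key with the -k option to $prog

__EOF__
	exit 1
fi

# Fall back to the conventional "<privkey>.pub" name when no public key
# name was given on the command line or in the environment.
if [ -z "$pubkey" ]; then
	pubkey=${PACKAGER_PUBKEY:-"${privkey}.pub"}
fi

do_sign "$@"
exit 0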