blob: aea651f5d81a084443c2c813500d8f2740adfa6e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
|
#!/bin/sh
# sign indexes
# Copyright (c) 2009 Natanael Copa <ncopa@alpinelinux.org>
#
# Distributed under GPL-2
#
# Depends on: busybox utilities, fakeroot,
#
abuild_ver=@VERSION@
sysconfdir=@sysconfdir@
abuild_conf=${ABUILD_CONF:-"$sysconfdir/abuild.conf"}
abuild_home=${ABUILD_USERDIR:-"$HOME/.abuild"}
abuild_userconf=${ABUILD_USERCONF:-"$abuild_home/abuild.conf"}
die() {
echo "$@" >&2
exit 1
}
usage() {
echo "abuild-sign $abuild_ver"
echo "usage: abuild-sign [-hq] [-k PRIVKEY] [-p PUBKEY] INDEXFILE..."
echo "options:"
echo " -h Show this help"
echo " -k The private key to use for signing"
echo " -p The name of public key. apk add will look for /etc/apk/keys/PUBKEY"
exit 1
}
# read config
[ -f "$abuild_conf" ] && . "$abuild_conf"
# read user config if exists
[ -f "$abuild_userconf" ] && . "$abuild_userconf"
privkey="$PACKAGER_PRIVKEY"
while getopts "hk:p:q" opt; do
case $opt in
h) usage;;
k) privkey=$OPTARG;;
p) pubkey=$OPTARG;;
q) quiet=yes;;
esac
done
shift $(( $OPTIND - 1))
if [ -z "$privkey" ]; then
echo "No private key found. Use 'abuild-keygen' to generate the keys"
echo "Then you can either:"
echo " 1. set the PACKAGER_PRIVKEY in $abuild_userconf"
echo " (Note that 'abuild-keygen -a' does this for you)"
echo " 2. set the PACKAGER_PRIVKEY in $abuild_conf"
echo " 3. specify the key with the -k option"
echo ""
exit 1
fi
if [ -z "$pubkey" ]; then
pubkey=${PACKAGER_PUBKEY:-"${privkey}.pub"}
fi
# we are actually only interested in the name, not the file itself
keyname=${pubkey##*/}
for f in "$@"; do
i=$(readlink -f $f)
[ -d "$i" ] && i="$i/APKINDEX.tar.gz"
repo="${i%/*}"
cd "$repo" || die "Failed to sign $i"
sig=".SIGN.RSA.$keyname"
openssl dgst -sha1 -sign "$privkey" -out "$sig" "$i" || die "Failed to sign $i"
tmptargz=$(mktemp)
tar -c "$sig" | abuild-tar --cut | gzip -9 > "$tmptargz"
tmpsigned=$(mktemp)
cat "$tmptargz" "$i" > "$tmpsigned"
rm -f "$tmptargz" "$sig"
mv "$tmpsigned" "$i"
chmod 644 "$i"
if [ -z "$quiet" ]; then
echo "Signed $i"
fi
done
exit 0
|