abuild/abuild-sign.in
2024-04-29 12:22:23 +01:00

141 lines
3.1 KiB
Bash

#!/bin/sh
# abuild-sign - sign indexes
# Copyright (c) 2009 Natanael Copa <ncopa@alpinelinux.org>
#
# Distributed under GPL-2.0-only
#
program_version=@VERSION@
sharedir=${ABUILD_SHAREDIR:-@sharedir@}
if ! [ -f "$sharedir/functions.sh" ]; then
echo "$sharedir/functions.sh: not found" >&2
exit 1
fi
. "$sharedir/functions.sh"
gzip=$(command -v pigz || echo gzip)
do_sign() {
local f i keyname repo
local openssl=$(command -v openssl || echo libressl)
# we are actually only interested in the name, not the file itself
keyname=${pubkey##*/}
for f; do
i=$(readlink -f $f)
[ -d "$i" ] && i="$i/APKINDEX.tar.gz"
repo="${i%/*}"
trap 'die "failed to sign $i"' EXIT
set -e
cd "$repo"
sig=".SIGN.$sigtype.$keyname"
$openssl dgst $dgstargs -sign "$privkey" -out "$sig" "$i"
if [ -n "$SOURCE_DATE_EPOCH" ]; then
touch -h -d "@$SOURCE_DATE_EPOCH" "$sig"
fi
tmptargz=$(mktemp)
tar --owner=0 --group=0 --numeric-owner -f - -c "$sig" | abuild-tar --cut | $gzip -n -9 > "$tmptargz"
tmpsigned=$(mktemp)
cat "$tmptargz" "$i" > "$tmpsigned"
rm -f "$tmptargz" "$sig"
chmod 644 "$tmpsigned"
mv "$tmpsigned" "$i"
msg "Signed $i"
set +e
trap - EXIT
done
}
usage() {
cat <<-__EOF__
$program $program_version - sign indexes
Usage: $program [-k PRIVKEY] [-p PUBKEY] INDEXFILE...
$program -e
Options:
-e, --installed Check only of there exist a private key for signing
-k, --private KEY The private key to use for signing
-p, --public KEY The name of public key. apk add will look for
/etc/apk/keys/KEY
-t, --type TYPE The signature type RSA or RSA256
-q, --quiet
-h, --help Show this help
__EOF__
}
check_installed=false
privkey="$PACKAGER_PRIVKEY"
pubkey=
quiet=
args=$(getopt -o ek:p:t:qh --long installed,private:,public:,type:,quiet,help -n "$program" -- "$@")
if [ $? -ne 0 ]; then
usage >&2
exit 2
fi
eval set -- "$args"
while true; do
case $1 in
-e|--installed) check_installed=true;;
-k|--private) privkey=$2; shift;;
-p|--public) pubkey=$2; shift;;
-t|--type) sigtype=$2; shift;;
-q|--quiet) quiet=1;; # suppresses msg
-h|--help) usage; exit;;
--) shift; break;;
*) exit 1;; # getopt error
esac
shift
done
if [ $# -eq 0 ] && ! $check_installed; then
usage >&2
exit 2
fi
if [ -z "$privkey" ]; then
cat >&2 <<-__EOF__
No private key found. Use 'abuild-keygen' to generate the keys.
Then you can either:
* set the PACKAGER_PRIVKEY in $ABUILD_USERCONF
('abuild-keygen -a' does this for you)
* set the PACKAGER_PRIVKEY in $ABUILD_CONF
* specify the key with the -k option to $program
__EOF__
exit 1
fi
if [ -z "$pubkey" ]; then
pubkey=${PACKAGER_PUBKEY:-"${privkey}.pub"}
fi
if [ -z "$sigtype" ]; then
sigtype=RSA
fi
case $sigtype in
RSA) dgstargs="-sha1";;
RSA256) dgstargs="-sha256";;
*)
echo "$program: supported types are RSA and RSA256" >&2
exit 1
;;
esac
if $check_installed; then
if ! [ -e "$privkey" ]; then
echo "$program: $privkey: File not found" >&2
exit 1
fi
if ! [ -e "$pubkey" ]; then
echo "$program: $pubkey: File not found" >&2
exit 1
fi
else
do_sign "$@"
fi