#!/bin/sh
# abuild-sign - sign indexes
# Copyright (c) 2009 Natanael Copa <ncopa@alpinelinux.org>
#
# Distributed under GPL-2.0-only
#
# @VERSION@ and @sharedir@ are placeholders, presumably substituted when
# abuild is built/installed. ABUILD_SHAREDIR overrides the installed location
# of functions.sh (e.g. to run this script from a source checkout).
program_version=@VERSION@
if [ -n "$ABUILD_SHAREDIR" ]; then
	sharedir=$ABUILD_SHAREDIR
else
	sharedir=@sharedir@
fi
# functions.sh is expected to provide the helpers used below (msg, die,
# $program, ...). Refuse to run without it instead of failing later on the
# first undefined helper.
[ -f "$sharedir/functions.sh" ] || {
	echo "$sharedir/functions.sh: not found" >&2
	exit 1
}
. "$sharedir/functions.sh"
# Use the parallel pigz when it is installed, otherwise plain gzip. Both
# accept the "-n -9" flags used when the signature tarball is compressed.
gzip=$(command -v pigz) || gzip=gzip
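# do_sign FILE...
#
# Sign one or more APKINDEX files in place. Each argument is either an
# APKINDEX.tar.gz or a directory containing one. For every index:
#   1. a detached signature over the index is written next to it as
#      .SIGN.<sigtype>.<keyname>, where <keyname> is the basename of $pubkey
#      (the name apk will look up under /etc/apk/keys/);
#   2. that signature file is wrapped in a tar stream owned by 0:0, trimmed
#      with "abuild-tar --cut" and gzip'd reproducibly (-n);
#   3. the gzip'd signature stream is concatenated in front of the original
#      (gzip'd) index and the result replaces the index with mode 0644.
#
# Globals read: privkey, pubkey, sigtype, dgstargs, gzip, SOURCE_DATE_EPOCH.
# Uses die() and msg() from functions.sh. Any failure aborts the whole run
# via the EXIT trap ("failed to sign ..."); scratch files are removed on both
# the success and the failure path.
do_sign() {
	local f i repo keyname openssl sig tmpdir

	# Fall back to a binary called "libressl" when no openssl is on PATH.
	openssl=$(command -v openssl || echo libressl)

	# Only the public key's *name* matters here: it becomes part of the
	# signature file name, which is how apk finds the matching key under
	# /etc/apk/keys. The public key file itself is never read.
	keyname=${pubkey##*/}

	tmpdir=
	# Run the loop under -e so that any failing step aborts; the EXIT trap
	# names the index being processed and removes the scratch directory.
	trap '[ -n "$tmpdir" ] && rm -rf "$tmpdir"; die "failed to sign $i"' EXIT
	set -e
	for f; do
		# Resolve to an absolute path. $i is set to the raw argument first so
		# that, should readlink fail (missing file), the trap names it.
		i=$f
		i=$(readlink -f -- "$i")
		if [ -d "$i" ]; then
			i="$i/APKINDEX.tar.gz"
		fi
		repo=${i%/*}
		[ -n "$repo" ] || repo=/
		sig=".SIGN.$sigtype.$keyname"

		# Work with absolute paths instead of cd'ing into $repo: this keeps a
		# relative -k KEY valid and stops later relative arguments from being
		# resolved against the previous repository directory.
		# $dgstargs is deliberately unquoted: it holds the digest flag(s).
		$openssl dgst $dgstargs -sign "$privkey" -out "$repo/$sig" "$i"
		if [ -n "$SOURCE_DATE_EPOCH" ]; then
			# Reproducible builds: the signature file's mtime ends up in the
			# tar header, so pin it to the build's reference time.
			touch -h -d "@$SOURCE_DATE_EPOCH" "$repo/$sig"
		fi

		tmpdir=$(mktemp -d)
		# Each stage writes to its own file rather than a pipeline: under
		# plain /bin/sh only the last stage's status is visible, so a failing
		# tar or abuild-tar would be masked by gzip succeeding on empty input
		# and a broken index would still be reported as "Signed".
		tar --owner=0 --group=0 --numeric-owner -C "$repo" -f "$tmpdir/sig.tar" -c "$sig"
		abuild-tar --cut < "$tmpdir/sig.tar" > "$tmpdir/sig.tar.cut"
		$gzip -n -9 -c "$tmpdir/sig.tar.cut" > "$tmpdir/sig.tar.gz"
		# Signed index = gzip'd signature stream followed by the original index.
		cat "$tmpdir/sig.tar.gz" "$i" > "$tmpdir/signed"
		rm -f "$repo/$sig"
		# mktemp -d is 0700; the published index must be world readable.
		chmod 644 "$tmpdir/signed"
		mv "$tmpdir/signed" "$i"
		rm -rf "$tmpdir"
		tmpdir=
		msg "Signed $i"
	done
	set +e
	trap - EXIT
}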
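# usage - print the command line help to stdout.
# $program (presumably set by functions.sh) and $program_version are expanded
# into the text; the here-doc uses <<- so it must be indented with tabs.
usage() {
	cat <<-__EOF__
		$program $program_version - sign indexes

		Usage: $program [-k PRIVKEY] [-p PUBKEY] [-t TYPE] INDEXFILE...
		       $program -e

		Options:
		  -e, --installed    Check only if there exists a private key for signing
		  -k, --private KEY  The private key to use for signing
		  -p, --public KEY   The name of public key. apk add will look for
		                     /etc/apk/keys/KEY
		  -t, --type TYPE    The signature type RSA or RSA256
		  -q, --quiet        Suppress informational messages
		  -h, --help         Show this help

	__EOF__
}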
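# Defaults, overridable by the options parsed below. PACKAGER_PRIVKEY is
# expected to come from the abuild configuration files; every other setting
# starts out empty so that a value inherited from the environment (notably
# sigtype, which selects the digest) cannot influence the run.
check_installed=false
privkey="$PACKAGER_PRIVKEY"
pubkey=
sigtype=
quiet=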
# Parse the command line with util-linux getopt (needed for the long
# options); a parse error prints the help and exits 2. The eval below is
# only safe because enhanced getopt shell-quotes every word it prints - a
# legacy getopt that does not quote would make this injectable from argv.
if ! args=$(getopt -o ek:p:t:qh --long installed,private:,public:,type:,quiet,help -n "$program" -- "$@"); then
	usage >&2
	exit 2
fi
eval set -- "$args"

# Walk the normalised arguments up to the "--" separator getopt always emits.
while :; do
	case $1 in
		-e|--installed) check_installed=true;;
		-k|--private) privkey=$2; shift;;
		-p|--public) pubkey=$2; shift;;
		-t|--type) sigtype=$2; shift;;
		-q|--quiet) quiet=1;; # read by msg() to stay silent
		-h|--help) usage; exit;;
		--) shift; break;;
		*) exit 1;; # unreachable after a successful getopt
	esac
	shift
done
# Signing needs at least one index; only the -e check may run without one.
if ! $check_installed && [ $# -eq 0 ]; then
	usage >&2
	exit 2
fi
# A private key is mandatory; tell the user where it can be configured.
[ -n "$privkey" ] || {
	cat >&2 <<-__EOF__
		No private key found. Use 'abuild-keygen' to generate the keys.
		Then you can either:
		  * set the PACKAGER_PRIVKEY in $ABUILD_USERCONF
		    ('abuild-keygen -a' does this for you)
		  * set the PACKAGER_PRIVKEY in $ABUILD_CONF
		  * specify the key with the -k option to $program

	__EOF__
	exit 1
}
# Without -p, the public key name comes from PACKAGER_PUBKEY, or else is the
# private key's path with ".pub" appended. Only its basename is used later.
[ -n "$pubkey" ] || pubkey=${PACKAGER_PUBKEY:-"${privkey}.pub"}
# Default to the classic "RSA" signature type when -t is not given.
: "${sigtype:=RSA}"

# Map the signature type onto the openssl digest option. "RSA" signs a SHA-1
# digest (.SIGN.RSA.*), "RSA256" a SHA-256 digest (.SIGN.RSA256.*). SHA-1 is
# no longer collision resistant, so prefer -t RSA256 wherever the apk clients
# consuming the index support it; RSA presumably remains the default only for
# compatibility with existing installations.
case $sigtype in
	RSA) dgstargs=-sha1;;
	RSA256) dgstargs=-sha256;;
	*)
		echo "$program: supported types are RSA and RSA256" >&2
		exit 1
		;;
esac
# -e only verifies that both key files exist (existence, not readability or
# key format, is checked); otherwise sign the given indexes.
if $check_installed; then
	for keyfile in "$privkey" "$pubkey"; do
		if ! [ -e "$keyfile" ]; then
			echo "$program: $keyfile: File not found" >&2
			exit 1
		fi
	done
else
	do_sign "$@"
fi