abuild/abuild-sign.in

#!/bin/sh

# abuild-sign - sign indexes
# Copyright (c) 2009 Natanael Copa <ncopa@alpinelinux.org>
#
# Distributed under GPL-2
#

program_version=@VERSION@
datadir=@datadir@

if ! [ -f "$datadir/functions.sh" ]; then
	echo "$datadir/functions.sh: not found" >&2
	exit 1
fi
. "$datadir/functions.sh"

do_sign() {
	local f i keyname repo

	# we are actually only interested in the name, not the file itself
	keyname=${pubkey##*/}

	for f; do
		i=$(readlink -f $f)
		[ -d "$i" ] && i="$i/APKINDEX.tar.gz"
		repo="${i%/*}"
		(
		set -e
		cd "$repo"
		sig=".SIGN.RSA.$keyname"
		openssl dgst -sha1 -sign "$privkey" -out "$sig" "$i"
		tmptargz=$(mktemp)
		tar -c "$sig" | abuild-tar --cut | gzip -9 > "$tmptargz"
		tmpsigned=$(mktemp)
		cat "$tmptargz" "$i" > "$tmpsigned"
		rm -f "$tmptargz" "$sig"
		chmod 644 "$tmpsigned"
		mv "$tmpsigned" "$i"
		msg "Signed $i"
		) || die "failed to sign $i"
	done
}

usage() {
	cat >&2 <<__EOF__
$program $program_version - sign indexes
Usage: $program [-k PRIVKEY] [-p PUBKEY] INDEXFILE...
Options:
  -k, --private KEY  The private key to use for signing
  -p, --public KEY   The name of public key. apk add will look for
                     /etc/apk/keys/KEY
  -q, --quiet
  -h, --help         Show this help

__EOF__
}

privkey="$PACKAGER_PRIVKEY"
pubkey=
quiet=

args=`getopt -o k:p:qh --long private:,public:,quiet,help -n "$program" -- "$@"`
if [ $? -ne 0 ]; then
	usage
	exit 2
fi
eval set -- "$args"
while true; do
	case $1 in
		-k|--private) privkey=$2; shift;;
		-p|--public) pubkey=$2; shift;;
		-q|--quiet) quiet=1;; # suppresses msg
		-h|--help) usage; exit;;
		--) shift; break;;
		*) exit 1;; # getopt error
	esac
	shift
done
if [ $# -eq 0 ]; then
	usage
	exit 2
fi

if [ -z "$privkey" ]; then
	cat >&2 << __EOF__
No private key found. Use 'abuild-keygen' to generate the keys.
Then you can either:
  * set the PACKAGER_PRIVKEY in $ABUILD_USERCONF
    ('abuild-keygen -a' does this for you)
  * set the PACKAGER_PRIVKEY in $ABUILD_CONF
  * specify the key with the -k option to $program

__EOF__
	exit 1
fi

if [ -z "$pubkey" ]; then
	pubkey=${PACKAGER_PUBKEY:-"${privkey}.pub"}
fi

do_sign "$@"
exit 0
abuild-sign: initial commit we can only sign indexes so far 2009-07-22 15:02:38 +00:00			`#!/bin/sh`

various: tweak opening comments, whitespace Also remove incomplete efforts at listing "Depends on: ..." 2013-07-05 04:21:13 +00:00			`# abuild-sign - sign indexes`
abuild-sign: initial commit we can only sign indexes so far 2009-07-22 15:02:38 +00:00			`# Copyright (c) 2009 Natanael Copa <ncopa@alpinelinux.org>`
			`#`
			`# Distributed under GPL-2`
			`#`

functions: rename abuild_ver to program_version 2013-10-25 07:26:05 +00:00			`program_version=@VERSION@`
various: move conf-loading and i/o to functions 2013-07-05 04:21:16 +00:00			`datadir=@datadir@`
abuild-sign: initial commit we can only sign indexes so far 2009-07-22 15:02:38 +00:00
various: move conf-loading and i/o to functions 2013-07-05 04:21:16 +00:00			`if ! [ -f "$datadir/functions.sh" ]; then`
			`echo "$datadir/functions.sh: not found" >&2`
abuild-sign: initial commit we can only sign indexes so far 2009-07-22 15:02:38 +00:00			`exit 1`
various: move conf-loading and i/o to functions 2013-07-05 04:21:16 +00:00			`fi`
			`. "$datadir/functions.sh"`
abuild-sign: initial commit we can only sign indexes so far 2009-07-22 15:02:38 +00:00
abuild-sign: refactor 2013-07-05 04:21:15 +00:00			`do_sign() {`
abuild-sign: make vars local 2013-07-05 04:21:22 +00:00			`local f i keyname repo`

abuild-sign: refactor 2013-07-05 04:21:15 +00:00			`# we are actually only interested in the name, not the file itself`
			`keyname=${pubkey##*/}`

			`for f; do`
			`i=$(readlink -f $f)`
			`[ -d "$i" ] && i="$i/APKINDEX.tar.gz"`
			`repo="${i%/*}"`
abuild-sign: wrap cd in a subshell, use set -e 2013-07-05 04:21:23 +00:00			`(`
			`set -e`
			`cd "$repo"`
abuild-sign: refactor 2013-07-05 04:21:15 +00:00			`sig=".SIGN.RSA.$keyname"`
abuild-sign: wrap cd in a subshell, use set -e 2013-07-05 04:21:23 +00:00			`openssl dgst -sha1 -sign "$privkey" -out "$sig" "$i"`
abuild-sign: refactor 2013-07-05 04:21:15 +00:00			`tmptargz=$(mktemp)`
			`tar -c "$sig" \| abuild-tar --cut \| gzip -9 > "$tmptargz"`
			`tmpsigned=$(mktemp)`
			`cat "$tmptargz" "$i" > "$tmpsigned"`
			`rm -f "$tmptargz" "$sig"`
abuild-sign: fix a race condition 2013-07-05 04:21:24 +00:00			`chmod 644 "$tmpsigned"`
abuild-sign: refactor 2013-07-05 04:21:15 +00:00			`mv "$tmpsigned" "$i"`
various: s/echo/msg/, s/echo/error/, tweak error messages 2013-07-05 04:21:37 +00:00			`msg "Signed $i"`
			`) \|\| die "failed to sign $i"`
abuild-sign: refactor 2013-07-05 04:21:15 +00:00			`done`
			`}`

abuild-sign: initial commit we can only sign indexes so far 2009-07-22 15:02:38 +00:00			`usage() {`
various: use long options, rework usages 2013-07-05 04:21:19 +00:00			`cat >&2 <<__EOF__`
functions: rename abuild_ver to program_version 2013-10-25 07:26:05 +00:00			`$program $program_version - sign indexes`
functions: rename prog to program 2013-10-25 07:24:46 +00:00			`Usage: $program [-k PRIVKEY] [-p PUBKEY] INDEXFILE...`
various: use long options, rework usages 2013-07-05 04:21:19 +00:00			`Options:`
			`-k, --private KEY The private key to use for signing`
abuild-sign: cosmetic improvement of help text 2013-10-25 07:28:55 +00:00			`-p, --public KEY The name of public key. apk add will look for`
			`/etc/apk/keys/KEY`
various: use long options, rework usages 2013-07-05 04:21:19 +00:00			`-q, --quiet`
			`-h, --help Show this help`

			`__EOF__`
abuild-sign: initial commit we can only sign indexes so far 2009-07-22 15:02:38 +00:00			`}`

			`privkey="$PACKAGER_PRIVKEY"`
various: use long options, rework usages 2013-07-05 04:21:19 +00:00			`pubkey=`
			`quiet=`
abuild-sign: initial commit we can only sign indexes so far 2009-07-22 15:02:38 +00:00
functions: rename prog to program 2013-10-25 07:24:46 +00:00			args=`getopt -o k:p:qh --long private:,public:,quiet,help -n "$program" -- "$@"`
various: use long options, rework usages 2013-07-05 04:21:19 +00:00			`if [ $? -ne 0 ]; then`
			`usage`
			`exit 2`
			`fi`
			`eval set -- "$args"`
			`while true; do`
			`case $1 in`
			`-k\|--private) privkey=$2; shift;;`
			`-p\|--public) pubkey=$2; shift;;`
			`-q\|--quiet) quiet=1;; # suppresses msg`
			`-h\|--help) usage; exit;;`
			`--) shift; break;;`
			`*) exit 1;; # getopt error`
abuild-sign: initial commit we can only sign indexes so far 2009-07-22 15:02:38 +00:00			`esac`
various: use long options, rework usages 2013-07-05 04:21:19 +00:00			`shift`
abuild-sign: initial commit we can only sign indexes so far 2009-07-22 15:02:38 +00:00			`done`
various: use long options, rework usages 2013-07-05 04:21:19 +00:00			`if [ $# -eq 0 ]; then`
			`usage`
			`exit 2`
			`fi`
abuild-sign: initial commit we can only sign indexes so far 2009-07-22 15:02:38 +00:00
			`if [ -z "$privkey" ]; then`
abuild-sign: reformat error output 2013-07-05 04:21:21 +00:00			`cat >&2 << __EOF__`
			`No private key found. Use 'abuild-keygen' to generate the keys.`
			`Then you can either:`
various: fancier readconfig, permit env overrides 2013-07-05 04:21:39 +00:00			`* set the PACKAGER_PRIVKEY in $ABUILD_USERCONF`
abuild-sign: reformat error output 2013-07-05 04:21:21 +00:00			`('abuild-keygen -a' does this for you)`
various: fancier readconfig, permit env overrides 2013-07-05 04:21:39 +00:00			`* set the PACKAGER_PRIVKEY in $ABUILD_CONF`
functions: rename prog to program 2013-10-25 07:24:46 +00:00			`* specify the key with the -k option to $program`
abuild-sign: reformat error output 2013-07-05 04:21:21 +00:00
			`__EOF__`
abuild-sign: initial commit we can only sign indexes so far 2009-07-22 15:02:38 +00:00			`exit 1`
			`fi`

			`if [ -z "$pubkey" ]; then`
			`pubkey=${PACKAGER_PUBKEY:-"${privkey}.pub"}`
			`fi`

abuild-sign: refactor 2013-07-05 04:21:15 +00:00			`do_sign "$@"`
abuild-sign: use mktemp for temp files. add -q option for quiet 2009-07-23 08:42:34 +00:00			`exit 0`