authorRobin H. Johnson <robbat2@gentoo.org>2017-11-24 18:46:02 -0800
committerRobin H. Johnson <robbat2@gentoo.org>2017-11-24 18:46:02 -0800
commita004a2918fb00d4376548f6e87d827684b7de6de (patch)
treefd302f82ce2f40b58e71774b8e3a4e9421a5a562
parentsnapshots-create.sh: improve gpg key check. (diff)
rsync-gen.sh: engage GPG signing of MetaManifest.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-rwxr-xr-xrsync-gen.sh32
1 files changed, 29 insertions, 3 deletions
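--- a/rsync-gen.sh
+++ b/rsync-gen.sh
@@ -26,6 +26,7 @@
 umask 022
 source /usr/local/bin/mastermirror/rsync-gen.vars
 BINDIR=${BINDIR:=$(dirname $0)}
+SIGNKEYID=${SIGNKEYID_rsync}
 # block_start and block___end are named to keep
 function _log() {
@@ -75,6 +76,12 @@ TIME_ENTIRE_START=$(date -u +%s)
 timelog_MARKER | timelogger
 timelog_start "ENTIRE SCRIPT" | timelogger
+# Verify signing key is available
+if [[ ! $(gpg --list-keys ${SIGNKEYID} | grep ${SIGNKEYID}) ]]; then
+ echo "${SIGNKEYID} not imported! exiting"
+ exit 1
+fi
+
 # 0) Make a backup incase there is something wrong with server side
 #echo "START BACKUP $(date -u)" | timelogger
 #cp -al ${FINALDIR_repo_gentoo}/ ${FINALDIR_repo_gentoo}.bak/
@@ -169,7 +176,6 @@ find ${REGEN_LOG_DIR} -type f -mtime +30 -print0 | xargs -0r rm
 # Force Manifests to thick, unsigned
 # also disable commit signing for now.
-# TODO: add infra signing of Manifests
 sed -i \
 -e '/^thin-manifests/s,true,false,g' \
 -e '/^sign-manifests/s,true,false,g' \
@@ -219,9 +225,29 @@ timelog_start "THICKEN-META" | timelogger
 /usr/local/bin/gemato/utils/gen_fast_metamanifest.py \
 "${STAGEDIR_repo_gentoo}"
 timelog___end "THICKEN-META" | timelogger
+# end 6a)
-# TODO: sign the MetaManifests
+# 6b) Sign top-level MetaManifest
+for m in Manifest metadata/glsa/Manifest Manifest/news/Manifest ; do
+ tmp="$(mktemp)"
+ gpg --batch -u "${SIGNKEYID}" \
+ --armor --clearsign \
+ --output "${m}.$$" "$m"
+ rc=$?
+ if [[ $rc -ne 0 ]]; then
+ echo "$0: Failed to GPG-clearsign $m, tempfile at $tmp"
+ exit 5
+ fi
+ mv -f "${tmp}" "$m"
+ rc=$?
+ if [[ $rc -ne 0 ]]; then
+ echo "$0: Move to signed $m, tempfile at $tmp"
+ exit 5
+ fi
+done
+# end 6b)
+# start 6c) Validate manifests
 timelog_start "MANIFEST-VALIDATE" | timelogger
 if ! /usr/local/bin/gemato/bin/gemato verify "${STAGEDIR_repo_gentoo}" >${REGEN_LOG_DIR}/${REGEN_LOG_FILE}.validate 2>&1; then
 echo "$0: A Manifest has a failure!"
@@ -230,7 +256,7 @@ if ! /usr/local/bin/gemato/bin/gemato verify "${STAGEDIR_repo_gentoo}" >${REGEN_
 exit 5
 fi
 timelog___end "MANIFEST-VALIDATE" | timelogger
-# end 6a)
+# end 6c)
 # 7) rsync from STAGEDIR_repo_gentoo to FINALDIR_repo_gentoo
 # note, call exit above if it is not desired to update the FINALDIR_repo_gentoo. This is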
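Review bot: In the 6b signing loop the file created by `mktemp` is never what gpg writes to — the clearsigned output goes to `"${m}.$$"`, and `mv -f "${tmp}" "$m"` then replaces each Manifest with the empty temp file, leaving the signed copy stranded as `Manifest.<pid>` in the tree (the `gemato verify` that follows would then be checking a zero-byte Manifest). gpg should write to `"$tmp"`; creating it next to the target with `tmp="$(mktemp "${m}.XXXXXX")"` keeps the final mv a same-filesystem rename, and because mktemp pre-creates the file, `gpg --batch` also needs `--yes` to overwrite it, while the two error messages belong on stderr. The loop addresses `Manifest`, `metadata/glsa/Manifest` and `Manifest/news/Manifest` relative to the current directory whereas the preceding gen_fast_metamanifest.py call is passed `"${STAGEDIR_repo_gentoo}"` explicitly, so the paths presumably need that prefix, and `Manifest/news/Manifest` looks like it was meant to be `metadata/news/Manifest` — worth confirming against the repository layout. The key check in the second hunk, `gpg --list-keys ${SIGNKEYID} | grep ${SIGNKEYID}`, passes when `SIGNKEYID_rsync` is unset (an empty argument lists every key and an empty grep pattern matches every line) and tests only for a public key, whereas `-u` signing needs the secret key; `: "${SIGNKEYID:?SIGNKEYID_rsync is not set}"` followed by `gpg --batch --list-secret-keys "${SIGNKEYID}" >/dev/null 2>&1 || { echo "${SIGNKEYID} not imported! exiting" >&2; exit 1; }` checks the right thing.
```shell
for m in Manifest metadata/glsa/Manifest Manifest/news/Manifest ; do
  tmp="$(mktemp "${m}.XXXXXX")"
  if ! gpg --batch --yes -u "${SIGNKEYID}" \
      --armor --clearsign \
      --output "${tmp}" "$m"; then
    echo "$0: Failed to GPG-clearsign $m, tempfile at $tmp" >&2
    exit 5
  fi
  if ! mv -f -- "${tmp}" "$m"; then
    echo "$0: Move to signed $m, tempfile at $tmp" >&2
    exit 5
  fi
done
```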