From a004a2918fb00d4376548f6e87d827684b7de6de Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson"
Date: Fri, 24 Nov 2017 18:46:02 -0800
Subject: rsync-gen.sh: engage GPG signing of MetaManifest.
Signed-off-by: Robin H. Johnson
---
 rsync-gen.sh | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/rsync-gen.sh b/rsync-gen.sh
index ffdce6a..94b1311 100755
--- a/rsync-gen.sh
+++ b/rsync-gen.sh
@@ -26,6 +26,7 @@ umask 022
 source /usr/local/bin/mastermirror/rsync-gen.vars
 BINDIR=${BINDIR:=$(dirname $0)}
+SIGNKEYID=${SIGNKEYID_rsync}
 # block_start and block___end are named to keep
 function _log() {
@@ -75,6 +76,12 @@ TIME_ENTIRE_START=$(date -u +%s)
 timelog_MARKER | timelogger
 timelog_start "ENTIRE SCRIPT" | timelogger
+# Verify signing key is available
+if [[ ! $(gpg --list-keys ${SIGNKEYID} | grep ${SIGNKEYID}) ]]; then
+ echo "${SIGNKEYID} not imported! exiting"
+ exit 1
+fi
+
 # 0) Make a backup incase there is something wrong with server side
 #echo "START BACKUP $(date -u)" | timelogger
 #cp -al ${FINALDIR_repo_gentoo}/ ${FINALDIR_repo_gentoo}.bak/
@@ -169,7 +176,6 @@ find ${REGEN_LOG_DIR} -type f -mtime +30 -print0 | xargs -0r rm
 # Force Manifests to thick, unsigned
 # also disable commit signing for now.
-# TODO: add infra signing of Manifests
 sed -i \
 -e '/^thin-manifests/s,true,false,g' \
 -e '/^sign-manifests/s,true,false,g' \
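Review bot: `SIGNKEYID=${SIGNKEYID_rsync}` in the first hunk silently produces an empty key id when rsync-gen.vars does not define SIGNKEYID_rsync, and the later signing loop then runs `gpg -u ""`; whether the script runs under `set -u` is not visible here. Failing at the assignment gives a clear message instead: `SIGNKEYID=${SIGNKEYID_rsync:?SIGNKEYID_rsync must be set in rsync-gen.vars}`.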
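Review bot: The key-availability check in the second hunk probes the public keyring (`gpg --list-keys`), but clearsigning needs the secret key, so a host that only has the public key imported passes this check and fails later inside the signing loop. The `[[ ! $(... | grep ...) ]]` construction also leaves `${SIGNKEYID}` unquoted and decides on grep's output text rather than gpg's exit status; `if ! gpg --batch --list-secret-keys "${SIGNKEYID}" >/dev/null 2>&1; then` is both the right probe and the simpler test. The diagnostic should go to stderr: `echo "${SIGNKEYID} not imported! exiting" >&2`.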
@@ -219,9 +225,29 @@ timelog_start "THICKEN-META" | timelogger
 /usr/local/bin/gemato/utils/gen_fast_metamanifest.py \
 "${STAGEDIR_repo_gentoo}"
 timelog___end "THICKEN-META" | timelogger
+# end 6a)
-# TODO: sign the MetaManifests
+# 6b) Sign top-level MetaManifest
+for m in Manifest metadata/glsa/Manifest Manifest/news/Manifest ; do
+ tmp="$(mktemp)"
+ gpg --batch -u "${SIGNKEYID}" \
+ --armor --clearsign \
+ --output "${m}.$$" "$m"
+ rc=$?
+ if [[ $rc -ne 0 ]]; then
+ echo "$0: Failed to GPG-clearsign $m, tempfile at $tmp"
+ exit 5
+ fi
+ mv -f "${tmp}" "$m"
+ rc=$?
+ if [[ $rc -ne 0 ]]; then
+ echo "$0: Move to signed $m, tempfile at $tmp"
+ exit 5
+ fi
+done
+# end 6b)
+# start 6c) Validate manifests
 timelog_start "MANIFEST-VALIDATE" | timelogger
 if ! /usr/local/bin/gemato/bin/gemato verify "${STAGEDIR_repo_gentoo}" >${REGEN_LOG_DIR}/${REGEN_LOG_FILE}.validate 2>&1; then
 echo "$0: A Manifest has a failure!"
@@ -230,7 +256,7 @@ if ! /usr/local/bin/gemato/bin/gemato verify "${STAGEDIR_repo_gentoo}" >${REGEN_
 exit 5
 fi
 timelog___end "MANIFEST-VALIDATE" | timelogger
-# end 6a)
+# end 6c)
 # 7) rsync from STAGEDIR_repo_gentoo to FINALDIR_repo_gentoo
 # note, call exit above if it is not desired to update the FINALDIR_repo_gentoo. This is
-- cgit v1.2.3
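Review bot: The signing loop never installs the file it signs: gpg is given `--output "${m}.$$"`, but `mv -f "${tmp}" "$m"` then moves the empty file that `mktemp` created over the Manifest, so each Manifest is replaced by an empty file and the clearsigned copy is left behind as `Manifest.<pid>` (the following `gemato verify` should then fail with exit 5, but the stagedir is already damaged by that point). Two further problems sit in the same loop: `mktemp` without a template creates the file on /tmp with mode 0600, so the `mv` is a cross-filesystem copy rather than a rename and the installed Manifest would not be world-readable as the script's `umask 022` intends; and the loop uses relative paths while the surrounding gemato calls pass `"${STAGEDIR_repo_gentoo}"` explicitly, so unless the script has already changed into the stagedir (not visible in this hunk) the names resolve against some other directory. `Manifest/news/Manifest` also looks like it should read `metadata/news/Manifest`, given that `Manifest` is a file and the sibling entry is `metadata/glsa/Manifest` — worth confirming. The rewrite below creates the temp file next to its target, hands that file to gpg (`--yes`, because it already exists), restores a 0644 mode, and reports failures on stderr.
```shell
# 6b) Sign top-level MetaManifest
for m in Manifest metadata/glsa/Manifest Manifest/news/Manifest ; do
	f="${STAGEDIR_repo_gentoo}/${m}"
	# temp file beside the target: same filesystem, so the final mv is a rename
	tmp="$(mktemp "${f}.XXXXXX")" || exit 5
	if ! gpg --batch --yes -u "${SIGNKEYID}" \
		--armor --clearsign \
		--output "${tmp}" "$f"; then
		echo "$0: Failed to GPG-clearsign $f, tempfile at $tmp" >&2
		exit 5
	fi
	# mktemp creates the file 0600; the installed Manifest must be world-readable (umask 022)
	chmod 0644 "${tmp}"
	if ! mv -f "${tmp}" "$f"; then
		echo "$0: Failed to move signed ${tmp} over $f" >&2
		exit 5
	fi
done
```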