create the sign-rpms script, no gpg-agent needed

Signed-off-by: Alfredo Deza <adeza@redhat.com>

diff --git a/scripts/sign-rpms b/scripts/sign-rpms
new file mode 100644 (file)
index 0000000..91b212c
--- /dev/null
+++ b/scripts/sign-rpms
@@ -0,0 +1,94 @@
+#!/bin/bash
+# This script is meant to be used when signing RPMs on a "signer" box. Such
+# a box needs to have the actual signing keys and follow the structure for
+# a repository layout. The layout follows this convention:
+#
+#     /opt/repos/$project/$release/$distro/$distro_version
+#
+# If no arguments are passed in, all defined releases are used. It can
+# optionally be just one or any combination of them, like:
+#
+#     sign-rpms giant hammer
+#
+# Would sign both Giant and Hammer releases. But the tool can consume a single
+# release as well (which will probably be the most used case):
+#
+#     sign-rpms infernalis
+
+keyid=460F3994
+
+# default releases
+releases=${*:-"giant hammer infernalis testing"}
+
+# distros are not configurable. "rhel" might not exist in every release (for
+# example it doesn't exist for infernalis releases.
+distros=( centos rhel )
+
+# Although upstream these might be "el6" or "el7", we just use these since they
+# are the same values used by the build system.
+distro_versions=( 6 7 )
+
+# To unlock the gpg keys for the current run, it is requested over STDIN as
+# a password and later passed into GPG directly as a variable.
+read -s -p "Key Passphrase: " GPG_PASSPHRASE
+echo
+
+for release in "${releases[@]}"
+  do
+  for distro in  "${distros[@]}"
+    do
+    for distro_version in  "${distro_versions[@]}"
+      do
+      path="/opt/repos/ceph/$release/$distro/$distro_version"
+      printf '=%.0s' {1..100}
+      echo "Release:        " $release
+      echo "Distro:         " $distro
+      echo "Distro Version: " $distro_version
+      echo "Path:           " $path
+      printf '=%.0s' {1..100}
+      update_repo=0
+      cd $path
+      for rpm in `find -name "*.rpm"`
+        do
+        # this call to `rpm -qi -p` will spit out metatada information
+        # from an rpm file which will tell us about the signature. This
+        # is significantly faster than letting gpg see if this needs to
+        # be signed or not.
+        signature=$(rpm -qi  -p $rpm 2>/dev/null | grep ^Signature)
+        if ! grep -iq $keyid <<< "$signature" ; then
+          rpm_path=`readlink -f $rpm`
+          echo "signing:  $rpm_path"
+          update_repo=1
+
+          echo "yes" | setsid rpm \
+            --define "_gpg_name '$keyid'" \
+            --define '_signature gpg' \
+            --define '__gpg_check_password_cmd /bin/true' \
+            --define "__gpg_sign_cmd %{__gpg} gpg --no-tty --yes --batch --no-armor --passphrase '$GPG_PASSPHRASE' --no-secmem-warning -u "%{_gpg_name}" --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}" \
+            --resign "$rpm_path"
+
+        fi
+         done
+
+         # now sign the repomd.xml files
+      if [[ $update_repo -eq 1 ]]; then
+           for repomd in `find -name repomd.xml`
+             do
+             echo "signing repomd: $repomd"
+             gpg --batch --yes --passphrase "$GPG_PASSPHRASE" --detach-sign --armor -u $keyid $repomd
+           done
+      fi
+
+      # finally, update the repo metadata because when signing the RPM files
+      # the metadata gets all messed up.
+      if [[ $update_repo -eq 1 ]]; then
+        for directory in `ls $path`
+        do
+          cd $directory
+          createrepo .
+          cd -
+        done
+      fi
+    done
+  done
+done