From cfcadc710bc31d2cea8cf8c594aaef4873664692 Mon Sep 17 00:00:00 2001 From: Alfredo Deza Date: Thu, 7 Jan 2016 16:31:08 -0500 Subject: [PATCH] create the sign-rpms script, no gpg-agent needed Signed-off-by: Alfredo Deza --- scripts/sign-rpms | 94 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 scripts/sign-rpms diff --git a/scripts/sign-rpms b/scripts/sign-rpms new file mode 100644 index 00000000..91b212c7 --- /dev/null +++ b/scripts/sign-rpms @@ -0,0 +1,94 @@ +#!/bin/bash +# This script is meant to be used when signing RPMs on a "signer" box. Such +# a box needs to have the actual signing keys and follow the structure for +# a repository layout. The layout follows this convention: +# +# /opt/repos/$project/$release/$distro/$distro_version +# +# If no arguments are passed in, all defined releases are used. It can +# optionally be just one or any combination of them, like: +# +# sign-rpms giant hammer +# +# Would sign both Giant and Hammer releases. But the tool can consume a single +# release as well (which will probably be the most used case): +# +# sign-rpms infernalis + +keyid=460F3994 + +# default releases +releases=${*:-"giant hammer infernalis testing"} + +# distros are not configurable. "rhel" might not exist in every release (for +# example it doesn't exist for infernalis releases. +distros=( centos rhel ) + +# Although upstream these might be "el6" or "el7", we just use these since they +# are the same values used by the build system. +distro_versions=( 6 7 ) + +# To unlock the gpg keys for the current run, it is requested over STDIN as +# a password and later passed into GPG directly as a variable. +read -s -p "Key Passphrase: " GPG_PASSPHRASE +echo + +for release in "${releases[@]}" + do + for distro in "${distros[@]}" + do + for distro_version in "${distro_versions[@]}" + do + path="/opt/repos/ceph/$release/$distro/$distro_version" + printf '=%.0s' {1..100} + echo "Release: " $release + echo "Distro: " $distro + echo "Distro Version: " $distro_version + echo "Path: " $path + printf '=%.0s' {1..100} + update_repo=0 + cd $path + for rpm in `find -name "*.rpm"` + do + # this call to `rpm -qi -p` will spit out metatada information + # from an rpm file which will tell us about the signature. This + # is significantly faster than letting gpg see if this needs to + # be signed or not. + signature=$(rpm -qi -p $rpm 2>/dev/null | grep ^Signature) + if ! grep -iq $keyid <<< "$signature" ; then + rpm_path=`readlink -f $rpm` + echo "signing: $rpm_path" + update_repo=1 + + echo "yes" | setsid rpm \ + --define "_gpg_name '$keyid'" \ + --define '_signature gpg' \ + --define '__gpg_check_password_cmd /bin/true' \ + --define "__gpg_sign_cmd %{__gpg} gpg --no-tty --yes --batch --no-armor --passphrase '$GPG_PASSPHRASE' --no-secmem-warning -u "%{_gpg_name}" --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}" \ + --resign "$rpm_path" + + fi + done + + # now sign the repomd.xml files + if [[ $update_repo -eq 1 ]]; then + for repomd in `find -name repomd.xml` + do + echo "signing repomd: $repomd" + gpg --batch --yes --passphrase "$GPG_PASSPHRASE" --detach-sign --armor -u $keyid $repomd + done + fi + + # finally, update the repo metadata because when signing the RPM files + # the metadata gets all messed up. + if [[ $update_repo -eq 1 ]]; then + for directory in `ls $path` + do + cd $directory + createrepo . + cd - + done + fi + done + done +done -- 2.39.5