From e02f49b41031c9bc4cbc188b8e6e8439fe5c8556 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Fri, 18 Apr 2014 16:23:21 -0700
Subject: [PATCH] feat(release_util): Add support for signing individual file uploads.

The .DIGESTS format is clunky and annoying. It also requires uses to perform two steps to verify images using GPG. Instead support signing all files directly so there is no need for .DIGESTS. The old DIGESTS code will remain in place for now but after a few releases I plan on deleting it.
---
 build_library/release_util.sh | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/build_library/release_util.sh b/build_library/release_util.sh
index 690ed3875f..f5dba907cb 100644
--- a/build_library/release_util.sh
+++ b/build_library/release_util.sh
@@ -21,6 +21,8 @@ DEFINE_string upload_root "${COREOS_UPLOAD_ROOT}" \
 "Upload prefix, board/version/etc will be appended. Must be a gs:// URL."
 DEFINE_string upload_path "" \
 "Full upload path, overrides --upload_root. Must be a full gs:// URL."
+DEFINE_string sign "" \
+ "Sign all files to be uploaded with the given GPG key."
 DEFINE_string sign_digests "" \
 "Sign image DIGESTS files with the given GPG key."
 
@@ -151,6 +153,23 @@ upload_image() {
 uploads+=( "${digests}.asc" )
 fi
 
+ # Create simple GPG detached signature for all uploads.
+ local sigs=()
+ if [[ -n "${FLAGS_sign}" ]]; then
+ local file
+ for file in "${uploads[@]}"; do
+ if [[ "${file}" =~ \.(asc|gpg|sig)$ ]]; then
+ continue
+ fi
+
+ rm -f "${file}.sig"
+ gpg --batch --local-user "${FLAGS_sign}" \
+ --detach-sign "${file}" || die "gpg failed"
+ sigs+=( "${file}.sig" )
+ done
+ fi
+ uploads+=( "${sigs[@]}" )
+
 local log_msg=$(basename "$digests" .DIGESTS)
 local def_upload_path="${UPLOAD_ROOT}/${BOARD}/${COREOS_VERSION_STRING}"
 upload_files "${log_msg}" "${def_upload_path}" "" "${uploads[@]}"
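Review bot: `uploads+=( "${sigs[@]}" )` at the end of the second hunk expands an empty array whenever --sign is not given, which bash releases before 4.4 report as an unbound variable if this script runs under `set -u`; the set options are not visible from this hunk, so this needs checking against the file header. Guarding the append keeps the no-sign path unchanged: `if (( ${#sigs[@]} > 0 )); then uploads+=( "${sigs[@]}" ); fi`. Separately, the loop treats gpg's exit status as proof of a usable signature, and `--local-user "${FLAGS_sign}"` accepts a short key id that can match more than one key; a cheap check before the file is published is `gpg --batch --verify "${file}.sig" "${file}" || die "signature verification failed"`, and the flag's help text could say that a full fingerprint is preferred. The enclosing upload_image() starts before this hunk.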