feat(release_util): Add support for signing individual file uploads.

The .DIGESTS format is clunky and annoying. It also requires uses to perform two steps to verify images using GPG. Instead support signing all files directly so there is no need for .DIGESTS. The old DIGESTS code will remain in place for now but after a few releases I plan on deleting it.
2025-09-23 14:41:31 +02:00 · 2014-04-18 16:23:21 -07:00 · 2014-04-18 16:23:21 -07:00 · e02f49b410
commit e02f49b410
parent e9896acc29
1 changed files with 19 additions and 0 deletions
--- a/build_library/release_util.sh
+++ b/build_library/release_util.sh
@ -21,6 +21,8 @@ DEFINE_string upload_root "${COREOS_UPLOAD_ROOT}" \
  "Upload prefix, board/version/etc will be appended. Must be a gs:// URL."
 DEFINE_string upload_path "" \
  "Full upload path, overrides --upload_root. Must be a full gs:// URL."
+DEFINE_string sign "" \
+  "Sign all files to be uploaded with the given GPG key."
 DEFINE_string sign_digests "" \
  "Sign image DIGESTS files with the given GPG key."

@ -151,6 +153,23 @@ upload_image() {
      uploads+=( "${digests}.asc" )
    fi

+    # Create simple GPG detached signature for all uploads.
+    local sigs=()
+    if [[ -n "${FLAGS_sign}" ]]; then
+        local file
+        for file in "${uploads[@]}"; do
+            if [[ "${file}" =~ \.(asc|gpg|sig)$ ]]; then
+                continue
+            fi
+
+            rm -f "${file}.sig"
+            gpg --batch --local-user "${FLAGS_sign}" \
+                --detach-sign "${file}" || die "gpg failed"
+            sigs+=( "${file}.sig" )
+        done
+    fi
+    uploads+=( "${sigs[@]}" )
+
    local log_msg=$(basename "$digests" .DIGESTS)
    local def_upload_path="${UPLOAD_ROOT}/${BOARD}/${COREOS_VERSION_STRING}"
    upload_files "${log_msg}" "${def_upload_path}" "" "${uploads[@]}"