From 6b86520bf45f202df0a77265ac6e0b0ffc412bb7 Mon Sep 17 00:00:00 2001 From: David Michael Date: Thu, 30 Mar 2017 14:02:28 -0700 Subject: [PATCH 1/3] release_util: store file signatures in their own directory This allows signing files under paths owned by other users. --- build_library/release_util.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/build_library/release_util.sh b/build_library/release_util.sh index fce5072f3f..263667a655 100644 --- a/build_library/release_util.sh +++ b/build_library/release_util.sh @@ -110,15 +110,17 @@ sign_and_upload_files() { local sigs=() if [[ -n "${FLAGS_sign}" ]]; then local file + local sigdir=$(mktemp --directory) + trap "rm -rf ${sigdir}" RETURN for file in "$@"; do if [[ "${file}" =~ \.(asc|gpg|sig)$ ]]; then continue fi - rm -f "${file}.sig" gpg --batch --local-user "${FLAGS_sign}" \ + --output "${sigdir}/${file##*/}.sig" \ --detach-sign "${file}" || die "gpg failed" - sigs+=( "${file}.sig" ) + sigs+=( "${sigdir}/${file##*/}.sig" ) done fi From e80eddd0c8ef580a62429a1984b4815c86486259 Mon Sep 17 00:00:00 2001 From: David Michael Date: Thu, 30 Mar 2017 14:33:25 -0700 Subject: [PATCH 2/3] release_util: support signing directories --- build_library/release_util.sh | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/build_library/release_util.sh b/build_library/release_util.sh index 263667a655..cbd7f0a191 100644 --- a/build_library/release_util.sh +++ b/build_library/release_util.sh @@ -110,6 +110,7 @@ sign_and_upload_files() { local sigs=() if [[ -n "${FLAGS_sign}" ]]; then local file + local sigfile local sigdir=$(mktemp --directory) trap "rm -rf ${sigdir}" RETURN for file in "$@"; do 
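Review bot: In the first patch, `local sigdir=$(mktemp --directory)` discards mktemp's exit status because `local` itself returns success; if mktemp fails, `sigdir` is empty and the gpg `--output` path becomes `/<basename>.sig`. Declare and assign separately and stop on failure: `local sigdir` followed by `sigdir=$(mktemp --directory) || die "mktemp failed"`. The trap string also expands `${sigdir}` without quoting, so a TMPDIR containing whitespace would make `rm -rf` act on the split words; `trap "rm -rf -- '${sigdir}'" RETURN` keeps it a single argument. The same two lines reappear as context in the second patch, and sign_and_upload_files begins and ends outside the hunk.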
@@ -117,10 +118,16 @@ sign_and_upload_files() { continue fi - gpg --batch --local-user "${FLAGS_sign}" \ - --output "${sigdir}/${file##*/}.sig" \ - --detach-sign "${file}" || die "gpg failed" - sigs+=( "${sigdir}/${file##*/}.sig" ) + for sigfile in $(find "${file}" ! -type d); do + mkdir -p "${sigdir}/${sigfile%/*}" + gpg --batch --local-user "${FLAGS_sign}" \ + --output "${sigdir}/${sigfile}.sig" \ + --detach-sign "${sigfile}" || die "gpg failed" + done + + [ -d "${file}" ] && + sigs+=( "${sigdir}/${file}" ) || + sigs+=( "${sigdir}/${file}.sig" ) done fi From 17e4ee2dcdf63dc4828bd9a9ae0862c474c9f9b0 Mon Sep 17 00:00:00 2001 From: David Michael Date: Thu, 30 Mar 2017 14:03:41 -0700 Subject: [PATCH 3/3] release_util: allow signing uploaded packages --- build_library/release_util.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/build_library/release_util.sh b/build_library/release_util.sh index cbd7f0a191..b2dde823c5 100644 --- a/build_library/release_util.sh +++ b/build_library/release_util.sh @@ -140,7 +140,8 @@ upload_packages() { local board_packages="${1:-"${BOARD_ROOT}/packages"}" local def_upload_path="${UPLOAD_ROOT}/boards/${BOARD}/${COREOS_VERSION}" - upload_files packages ${def_upload_path} "pkgs/" "${board_packages}"/* + sign_and_upload_files packages ${def_upload_path} "pkgs/" \ + "${board_packages}"/* } # Upload a set of files (usually images) and digest, optionally w/ gpg sig
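Review bot: In the second patch, the `for sigfile in $(find "${file}" ! -type d)` loop word-splits and glob-expands find's output, so a path containing whitespace or glob characters is signed under the wrong name or makes gpg fail, and a failing find is silently ignored. Reading NUL-delimited names avoids the splitting: `while IFS= read -r -d '' sigfile; do` with `done < <(find "${file}" ! -type d -print0)` around the unchanged mkdir and gpg lines. The `\.(asc|gpg|sig)$` skip above applies only to the top-level arguments, so signature files already inside a directory would be signed again; excluding those suffixes in the find expression would keep the two cases consistent. `${sigdir}/${sigfile}` mirrors the caller-supplied path, so an argument with `..` components would place output outside the temporary directory; whether callers can pass such paths is not visible here. sign_and_upload_files begins and ends outside the hunk.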
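Review bot: In the third patch, `${def_upload_path}` is still passed unquoted on the new `sign_and_upload_files` line, so whitespace or glob characters in UPLOAD_ROOT, BOARD or COREOS_VERSION would split it and shift the positional arguments; write `"${def_upload_path}"`. If the packages directory is empty and nullglob is not set (not visible here), the literal `"${board_packages}"/*` pattern is passed through and, with signing enabled, would now reach find and gpg and end in `die "gpg failed"`. A guard such as `[[ -e "${board_packages}" ]]` plus a check that the glob matched would make that failure explicit. upload_packages begins before the hunk.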