projects / buildbot.git / blob
? search:


8f395006629504355d88922a8c35a5dc7c174d11
[buildbot.git] / scripts / signall.sh
1 #!/usr/bin/env bash
2
3 tarball="$1"
4
5 tmpdir="signall.$$"
6 tarball="$(readlink -f "$tarball")"
7
8 finish() { rm -rf "$tmpdir"; exit $1; }
9
10 iniget() {
11 local file="$1" section="$2" option="$3"
12
13 sed -rne '
14 /\['"$section"'\]/,$ {
15 /^[ \t]*'"$option"'[ \t]*=[ \t]*/ {
16 s/^[^=]+=[ \t]*//; h;
17 :c; n;
18 /^([ \t]|$)/ {
19 s/^[ \t]+//; H;
20 b c
21 };
22 x; p; q
23 }
24 }
25 ' "$file" | sed -e :a -e '/^\n*$/{$d;N;ba' -e '}'
26 }
27
28 trap "finish 255" HUP INT TERM
29
30 if [ ! -f "$tarball" ] || [ ! -f "${CONFIG_INI:-config.ini}" ]; then
31 echo "Usage: [CONFIG_INI=...] $0 <tarball>" >&2
32 finish 1
33 fi
34
35 [ ! -e "$tmpdir" ] || {
36 echo "Temporary directory $tmpdir already exists!" >&2
37 finish 2
38 }
39
40 umask 077
41 mkdir "$tmpdir" "$tmpdir/tar" "$tmpdir/gpg" "$tmpdir/gpg/private-keys-v1.d" || finish 2
42
43 umask 022
44 chmod 0755 "$tmpdir/tar"
45 tar -C "$tmpdir/tar/" -xzf "$tarball" || finish 3
46
47 loopback=""
48
49 case "$(gpg --version | head -n1)" in
50 *\ 2.*) loopback=1 ;;
51 esac
52
53 GPGKEY="$(iniget "${CONFIG_INI:-config.ini}" gpg key)"
54 GPGPASS="$(iniget "${CONFIG_INI:-config.ini}" gpg passphrase)"
55 GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" gpg comment)"
56
57 USIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" usign key)"
58 USIGNCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" usign comment)"
59
60 if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then
61 umask 077
62 echo "$GPGPASS" > "$tmpdir/gpg.pass"
63 echo "$GPGKEY" | gpg --batch --homedir "$tmpdir/gpg" \
64 ${loopback:+--pinentry-mode loopback --no-tty --passphrase-fd 0} \
65 ${GPGPASS:+--passphrase-file "$tmpdir/gpg.pass"} \
66 --import - || finish 4
67
68 umask 022
69 find "$tmpdir/tar/" -type f -not -name "*.asc" -and -not -name "*.sig" -exec \
70 gpg --no-version --batch --yes -a -b \
71 --homedir "$(readlink -f "$tmpdir/gpg")" \
72 ${loopback:+--pinentry-mode loopback --no-tty --passphrase-fd 0} \
73 ${GPGPASS:+--passphrase-file "$(readlink -f "$tmpdir/gpg.pass")"} \
74 ${GPGCOMMENT:+--comment="$GPGCOMMENT"} \
75 -o "{}.asc" "{}" \; || finish 4
76 fi
77
78 if [ -n "$USIGNKEY" ]; then
79 USIGNID="$(echo "$USIGNKEY" | base64 -d -i | dd bs=1 skip=32 count=8 2>/dev/null | od -v -t x1 | sed -rne 's/^0+ //p' | tr -d ' ')"
80
81 if ! echo "$USIGNID" | grep -qxE "[0-9a-f]{16}"; then
82 echo "Invalid usign key specified" >&2
83 finish 5
84 fi
85
86 umask 077
87 printf "untrusted comment: %s\n%s\n" "${USIGNCOMMENT:-key ID $USIGNID}" "$USIGNKEY" > "$tmpdir/usign.sec"
88
89 umask 022
90 find "$tmpdir/tar/" -type f -not -name "*.asc" -and -not -name "*.sig" -exec \
91 signify-openbsd -S -s "$(readlink -f "$tmpdir/usign.sec")" -m "{}" \; || finish 5
92 fi
93
94 tar -C "$tmpdir/tar/" -czf "$tarball" . || finish 6
95
96 finish 0
LEDE buildbot configuration