github.com/duglin/docker@v1.13.1/hack/make/sign-repos (about)

     1  #!/bin/bash
     2  
     3  # This script signs the deliverables from release-deb and release-rpm
     4  # with a designated GPG key.
     5  
     6  : ${DOCKER_RELEASE_DIR:=$DEST}
     7  : ${GPG_KEYID:=releasedocker}
     8  APTDIR=$DOCKER_RELEASE_DIR/apt/repo
     9  YUMDIR=$DOCKER_RELEASE_DIR/yum/repo
    10  
    11  if [ -z "$GPG_PASSPHRASE" ]; then
    12  	echo >&2 'you need to set GPG_PASSPHRASE in order to sign artifacts'
    13  	exit 1
    14  fi
    15  
    16  if [ ! -d $APTDIR ] && [ ! -d $YUMDIR ]; then
    17  	echo >&2 'release-rpm or release-deb must be run before sign-repos'
    18  	exit 1
    19  fi
    20  
    21  sign_packages(){
    22  	# sign apt repo metadata
    23  	if [ -d $APTDIR ]; then
    24  		# create file with public key
    25  		gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/apt/gpg"
    26  
    27  		# sign the repo metadata
    28  		for F in $(find $APTDIR -name Release); do
    29  			if test "$F" -nt "$F.gpg" ; then
    30  				gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
    31  					--digest-algo "sha512" \
    32  					--armor --sign --detach-sign \
    33  					--batch --yes \
    34  					--output "$F.gpg" "$F"
    35  			fi
    36  			inRelease="$(dirname "$F")/InRelease"
    37  			if test "$F" -nt "$inRelease" ; then
    38  				gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
    39  					--digest-algo "sha512" \
    40  					--clearsign \
    41  					--batch --yes \
    42  					--output "$inRelease" "$F"
    43  			fi
    44  		done
    45  	fi
    46  
    47  	# sign yum repo metadata
    48  	if [ -d $YUMDIR ]; then
    49  		# create file with public key
    50  		gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/yum/gpg"
    51  
    52  		# sign the repo metadata
    53  		for F in $(find $YUMDIR -name repomd.xml); do
    54  			if test "$F" -nt "$F.asc" ; then
    55  				gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
    56  					--digest-algo "sha512" \
    57  					--armor --sign --detach-sign \
    58  					--batch --yes \
    59  					--output "$F.asc" "$F"
    60  			fi
    61  		done
    62  	fi
    63  }
    64  
    65  sign_packages