github.com/olljanat/moby@v1.13.1/hack/make/sign-repos (about) 1 #!/bin/bash 2 3 # This script signs the deliverables from release-deb and release-rpm 4 # with a designated GPG key. 5 6 : ${DOCKER_RELEASE_DIR:=$DEST} 7 : ${GPG_KEYID:=releasedocker} 8 APTDIR=$DOCKER_RELEASE_DIR/apt/repo 9 YUMDIR=$DOCKER_RELEASE_DIR/yum/repo 10 11 if [ -z "$GPG_PASSPHRASE" ]; then 12 echo >&2 'you need to set GPG_PASSPHRASE in order to sign artifacts' 13 exit 1 14 fi 15 16 if [ ! -d $APTDIR ] && [ ! -d $YUMDIR ]; then 17 echo >&2 'release-rpm or release-deb must be run before sign-repos' 18 exit 1 19 fi 20 21 sign_packages(){ 22 # sign apt repo metadata 23 if [ -d $APTDIR ]; then 24 # create file with public key 25 gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/apt/gpg" 26 27 # sign the repo metadata 28 for F in $(find $APTDIR -name Release); do 29 if test "$F" -nt "$F.gpg" ; then 30 gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \ 31 --digest-algo "sha512" \ 32 --armor --sign --detach-sign \ 33 --batch --yes \ 34 --output "$F.gpg" "$F" 35 fi 36 inRelease="$(dirname "$F")/InRelease" 37 if test "$F" -nt "$inRelease" ; then 38 gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \ 39 --digest-algo "sha512" \ 40 --clearsign \ 41 --batch --yes \ 42 --output "$inRelease" "$F" 43 fi 44 done 45 fi 46 47 # sign yum repo metadata 48 if [ -d $YUMDIR ]; then 49 # create file with public key 50 gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/yum/gpg" 51 52 # sign the repo metadata 53 for F in $(find $YUMDIR -name repomd.xml); do 54 if test "$F" -nt "$F.asc" ; then 55 gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \ 56 --digest-algo "sha512" \ 57 --armor --sign --detach-sign \ 58 --batch --yes \ 59 --output "$F.asc" "$F" 60 fi 61 done 62 fi 63 } 64 65 sign_packages