github.com/shiroyuki/docker@v1.9.0/hack/make/sign-repos (about)

     1  #!/bin/bash
     2  
     3  # This script signs the deliverables from release-deb and release-rpm
     4  # with a designated GPG key.
     5  
     6  : ${DOCKER_RELEASE_DIR:=$DEST}
     7  : ${GPG_KEYID:=releasedocker}
     8  APTDIR=$DOCKER_RELEASE_DIR/apt/repo
     9  YUMDIR=$DOCKER_RELEASE_DIR/yum/repo
    10  
    11  if [ -z "$GPG_PASSPHRASE" ]; then
    12  	echo >&2 'you need to set GPG_PASSPHRASE in order to sign artifacts'
    13  	exit 1
    14  fi
    15  
    16  if [ ! -d $APTDIR ] && [ ! -d $YUMDIR ]; then
    17  	echo >&2 'release-rpm or release-deb must be run before sign-repos'
    18  	exit 1
    19  fi
    20  
    21  sign_packages(){
    22  	# sign apt repo metadata
    23  	if [ -d $APTDIR ]; then
    24  		# create file with public key
    25  		gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/apt/gpg"
    26  
    27  		# sign the repo metadata
    28  		for F in $(find $APTDIR -name Release); do
    29  			if test "$F" -nt "$F.gpg" ; then
    30  				gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
    31  					--armor --sign --detach-sign \
    32  					--batch --yes \
    33  					--output "$F.gpg" "$F"
    34  			fi
    35  		done
    36  	fi
    37  
    38  	# sign yum repo metadata
    39  	if [ -d $YUMDIR ]; then
    40  		# create file with public key
    41  		gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/yum/gpg"
    42  
    43  		# sign the repo metadata
    44  		for F in $(find $YUMDIR -name repomd.xml); do
    45  			if test "$F" -nt "$F.asc" ; then
    46  				gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
    47  					--armor --sign --detach-sign \
    48  					--batch --yes \
    49  					--output "$F.asc" "$F"
    50  			fi
    51  		done
    52  	fi
    53  }
    54  
    55  sign_packages