github.com/vieux/docker@v0.6.3-0.20161004191708-e097c2a938c7/hack/make/sign-repos (about)

     1  #!/bin/bash
     2  
     3  # This script signs the deliverables from release-deb and release-rpm
     4  # with a designated GPG key.
     5  
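     # Release tree to sign; defaults to $DEST when the caller has not set it.
     : "${DOCKER_RELEASE_DIR:=$DEST}"
     # Key selector handed to gpg -u / --export.
     # NOTE(review): a name like this is matched against user IDs in the keyring;
     # a full fingerprint would pin exactly one key. Confirm what the release
     # host's keyring contains.
     : "${GPG_KEYID:=releasedocker}"
     APTDIR="$DOCKER_RELEASE_DIR/apt/repo"
     YUMDIR="$DOCKER_RELEASE_DIR/yum/repo"

     # Signing runs with --batch, so the passphrase must come from the environment.
     if [[ -z "$GPG_PASSPHRASE" ]]; then
       echo >&2 'you need to set GPG_PASSPHRASE in order to sign artifacts'
       exit 1
     fi

     # Quoted on purpose: unquoted, a release path containing whitespace makes the
     # test itself error out, and the guard then falls through instead of stopping.
     if [[ ! -d "$APTDIR" && ! -d "$YUMDIR" ]]; then
       echo >&2 'release-rpm or release-deb must be run before sign-repos'
       exit 1
     fi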
    20  
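    #######################################
    # Run gpg as $GPG_KEYID in batch mode, supplying the passphrase on stdin.
    # The passphrase is written by the printf builtin into a pipe, so it never
    # appears in any process's argument list (which other local users can read
    # through the process table), unlike --passphrase "$GPG_PASSPHRASE".
    # NOTE(review): GnuPG 2.1+ only honours --passphrase* options in batch mode
    # together with --pinentry-mode loopback; that flag is left out because the
    # original invocation did not carry it either. Confirm against the gpg
    # version on the release host.
    # Globals:   GPG_KEYID (read), GPG_PASSPHRASE (read)
    # Arguments: remaining gpg options, ending with the file to sign
    # Returns:   gpg's exit status
    #######################################
    _gpg_batch_sign() {
      printf '%s\n' "$GPG_PASSPHRASE" \
        | gpg -u "$GPG_KEYID" --passphrase-fd 0 --batch --yes "$@"
    }

    #######################################
    # Sign the apt and yum repository metadata under $DOCKER_RELEASE_DIR and
    # publish the armored public key next to each repository.
    # A signature is regenerated only when its metadata file is newer than the
    # existing signature (or the signature does not exist yet).
    # Globals:   APTDIR, YUMDIR, DOCKER_RELEASE_DIR, GPG_KEYID (read)
    # Outputs:   apt/gpg, yum/gpg, Release.gpg, InRelease, repomd.xml.asc
    # Returns:   status of the last command run
    #######################################
    sign_packages() {
      local F inRelease

      # sign apt repo metadata
      if [[ -d "$APTDIR" ]]; then
        # Public key that clients import to verify this repository.
        gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/apt/gpg"

        # NUL-delimited find output keeps paths with whitespace or glob
        # characters intact; a word-split $(find ...) would sign the wrong
        # names or silently skip the real file.
        while IFS= read -r -d '' F; do
          # Detached, armored signature: Release.gpg
          if test "$F" -nt "$F.gpg"; then
            _gpg_batch_sign --armor --sign --detach-sign --output "$F.gpg" "$F"
          fi
          # Inline (clearsigned) copy: InRelease
          inRelease="$(dirname "$F")/InRelease"
          if test "$F" -nt "$inRelease"; then
            _gpg_batch_sign --clearsign --output "$inRelease" "$F"
          fi
        done < <(find "$APTDIR" -name Release -print0)
      fi

      # sign yum repo metadata
      if [[ -d "$YUMDIR" ]]; then
        # Public key that clients import to verify this repository.
        gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/yum/gpg"

        while IFS= read -r -d '' F; do
          # Detached, armored signature: repomd.xml.asc
          if test "$F" -nt "$F.asc"; then
            _gpg_batch_sign --armor --sign --detach-sign --output "$F.asc" "$F"
          fi
        done < <(find "$YUMDIR" -name repomd.xml -print0)
      fi
    }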
    61  
    62  sign_packages