X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/bdef84c20b7b9e01bba27a36eb4c1a3090abdf9b..590faf89a2dd33a5f97f8e685efd019ac9c96e1e:/release-process/scripts/sign_exim_packages diff --git a/release-process/scripts/sign_exim_packages b/release-process/scripts/sign_exim_packages index a1d6282bb..a504ea826 100755 --- a/release-process/scripts/sign_exim_packages +++ b/release-process/scripts/sign_exim_packages @@ -1,15 +1,77 @@ -#!/bin/sh +#!/bin/sh -eu + +# gpg signs all *.tar.* files under the release directory. +# Invoke from that dir, or let the script try to figure it out for you. + +# Key used is from env var EXIM_KEY; if git config finds user.signingkey, then +# that is the default. You can set this per-repo with: +# git config --local user.signingkey SOME_IDENTIFIER # -# gpg signs all *.tar.* files under a given directory -# key used set from env var EXIM_KEY, script defaults that to Nigel's. +# If not set in git config then you _MUST_ set the env var. + # woe betide the poor sod who does not use a gpg agent, so has # to enter their password for every file... + +prog="$(basename "$0")" +warn() { printf >&2 "%s: %s\n" "$prog" "$*" ; } + +: "${GPG_COMMAND:=gpg}" +umask 022 + +# We've always expected an explicit key for signing, instead of just using the +# gnupg config. It make sense to honor the git config value. It makes sense +# to honor env. But git doesn't allow specifying multiple subkeys, it only +# passes one -u option. +# UID specs explicitly allow whitespace in several formats. +# We have one scalar value, we're sh, we're not going to try using an array. # +# So if you want to sign with multiple subkeys, then set it up with multiple +# local-user directives in ~/.gnupg/gpg.conf & set EXIM_KEY=default in environ. + +if repo_signing_key="$(git config user.signingkey)"; then + : "${EXIM_KEY:=$repo_signing_key}" +else + if [ ".${EXIM_KEY:-}" = "." ]; then + warn "no EXIM_KEY found, trusting local gpg config" + fi +fi + +case "${EXIM_KEY:-default}" in +default|DEFAULT) + gpg_sign() { ${GPG_COMMAND} --detach-sig --armor "${1:?}" ; } + ;; +*) + gpg_sign() { ${GPG_COMMAND} --local-user "${EXIM_KEY}" --detach-sig --armor "${1:?}" ; } + ;; +esac + +cd_to() { echo "Working in: $1"; cd "$1"; } -dir=${1:?start directory} +okay=false +if [ -d ../../release-process ] && [ "${PWD##*/}" = "pkgs" ]; then + okay=true # we are in right dir +elif [ -d release-process ]; then + b="$(find . -maxdepth 1 -name 'exim-packaging-*' | sort | tail -n 1)" + if [ ".$b" != "." ]; then + cd_to "$b/pkgs" + okay=true + fi +fi +if ! $okay; then + if [ -d "${1:?need a directory to look in}" ]; then + cd_to "$1" + shift + else + printf "%s: %s\n" >&2 "$(basename "$0")" "where should I be looking" + exit 1 + fi +fi -: ${EXIM_KEY:=nigel@exim.org} +# Assumes no whitespace (strictly, $IFS) in filenames, which we're okay with +set $(find . -name '*.asc' -prune -o -type f -print | cut -c 3- | sort) -find "$dir" \ - -type f -name '*.tar.*' \ - -exec gpg --local-user ${EXIM_KEY} --detach-sig --armor {} \; +for FILE +do + echo "Signing: $FILE" + gpg_sign "$FILE" +done