author | Robin H. Johnson <robbat2@gentoo.org> | 2023-10-08 21:08:36 -0700 |
---|---|---|
committer | Robin H. Johnson <robbat2@gentoo.org> | 2023-10-08 21:08:36 -0700 |
commit | 9de2b29b511463a6ec4e17152d8c02686f7071c8 (patch) | |
tree | 818eaa2292cc7e0f98bfdf1f7f0776f06bf1f75b | |
parent | sign-autobuilds: also ensure only using the file ascs, not symlinks (diff) | |
sign-autobuilds: tweak signing of latest*txt files, must be clearsigned-only20231009T040855Z
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-rwxr-xr-x | sign-autobuilds.sh | 47 |
1 files changed, 44 insertions, 3 deletions
diff --git a/sign-autobuilds.sh b/sign-autobuilds.sh
index 4832c0c..233a1e4 100755
--- a/sign-autobuilds.sh
+++ b/sign-autobuilds.sh
@@ -40,6 +40,23 @@ signone_clearsign() {
 	$DEBUGP mv "${d}" "${f}"
 }
 
+cleanup() {
+	# A sync mismatch means these seem like bad signatures due to different CDN
+	# cache times.
+	# [TXT] latest-install-alpha-minimal.txt 2023-10-09 03:00 116
+	# [TXT] latest-install-alpha-minimal.txt.asc 2023-10-09 00:21 488
+	#
+	# Using a clearsign in a seperate file doesn't help here either, because it
+	# can still be out of date compared to the underlying file.
+	# It must be exactly 1 file, clearsigned.
+	find autobuilds \
+		-type f \
+		-name 'latest*txt.asc' \
+		-exec grep -L -e '^-----BEGIN PGP SIGNED MESSAGE-----$' \{} \+ \
+		| xargs --no-run-if-empty rm -f
+
+}
+
 gpgconf --kill all
 
 for a in $ARCHES ; do
@@ -68,13 +85,35 @@ find_files_cmd=(
 	-or -name '*.lif'
 	# s390 netboot
 	-or -name 'netboot*T[0-9][0-9][0-9][0-9][0-9][0-9]Z'
+	')'
+)
+
+find_sigs_cmd=(
+	find autobuilds
+	-type f
+	'('
+	-false
+	-or -name '*.asc'
+	')'
+)
+
+find_unsigned_helper_cmd=(
+	find autobuilds
+	-type f
+	\(
+	-false
+	# Gentoo format digest files.
+	-or -name '*.DIGESTS'
+	# .sha256 files exist to support the OpenStack builder process
+	-or -name '*.sha256'
 	# marker files to declare latest builds.
 	-or -name 'latest*txt'
-	')'
+	\)
+	-exec grep -L -e '^-----BEGIN PGP SIGNED MESSAGE-----$' \{} \+
 )
 
 files="$( "${find_files_cmd[@]}" )"
-sigs="$(find autobuilds -type f -name '*.asc' )"
+sigs="$( "${find_sigs_cmd[@]}" )"
 unsigned="$(comm -23 <(echo "$files" |sort) <(echo "$sigs" | sed -e 's,.asc$,,g' |sort))"
 
 #$VERBOSEP echo "=== ARCH: $a"
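Review bot: The `rm -f` at the end of the new cleanup() is not prefixed with `$DEBUGP`, unlike the destructive step visible in the context just above it (`$DEBUGP mv "${d}" "${f}"`), so a dry run of the script still deletes the detached latest*txt.asc files for real. The pipe also hands newline-separated paths from `grep -L` to `xargs` without `-0`, so a path containing whitespace or a quote would be split or mis-parsed before reaching `rm`; the names here come from the build hosts rather than from users, but the safe form costs nothing. I would change the last two lines of the find to `-exec grep -LZ -e '^-----BEGIN PGP SIGNED MESSAGE-----$' \{} \+ \` and `| xargs --no-run-if-empty -0 $DEBUGP rm -f --`, on the assumption that the host has GNU grep (the script already relies on GNU findutils for `--no-run-if-empty`). While touching the comment block, "seperate" should read "separate".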
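Review bot: find_unsigned_helper_cmd treats a latest*txt, .DIGESTS or .sha256 file as already signed solely because some line in it matches `^-----BEGIN PGP SIGNED MESSAGE-----$`; nothing in the hunk checks that the clearsignature verifies, so a file that was regenerated on top of an old signed copy, or signed with a key that has since been rotated, is skipped and published unchanged. If that matters for the mirror, a `gpg --verify` pass over the files that `grep -L` excludes, re-signing on failure, would close the gap; at minimum the array deserves a comment such as `# header match only: a clearsign block counts as "signed", validity is not checked`. A smaller point of style: find_sigs_cmd groups its predicates with `'('`/`')'` while find_unsigned_helper_cmd uses `\(`/`\)`; inside an array both expand to the same literal parentheses, so one form should be used in both.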
@@ -96,12 +135,14 @@ done #echo "Text helper files:" -unsigned="$(find autobuilds \( -name '*.sha256' -or -name '*.DIGESTS' \) -exec grep -L -e '^-----BEGIN PGP SIGNED MESSAGE-----$' \{} \+ )" +unsigned="$( "${find_unsigned_helper_cmd[@]}" )" for dgst in $unsigned ; do $VERBOSEP echo "Signing (inline/cleartext) $dgst" signone_clearsign $dgst done +cleanup + popd >/dev/null done |
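Review bot: The new `unsigned="$( "${find_unsigned_helper_cmd[@]}" )"` feeds the existing `for dgst in $unsigned` loop, which word-splits and globs the newline-separated find output and then passes `$dgst` unquoted to signone_clearsign, so a helper file whose path contains whitespace would be signed as two wrong paths (or, later, removed in pieces by cleanup). The names are produced by the build hosts so this is unlikely in practice, but the same commit that introduces the new file classes is the natural place to make the loop read one path per line and quote the argument, as below. Note that cleanup is invoked inside the per-arch `pushd`, so its relative `autobuilds` path is only correct because `popd` follows it; the enclosing `for a in $ARCHES` loop starts outside this hunk.
```shell
unsigned="$( "${find_unsigned_helper_cmd[@]}" )"
while IFS= read -r dgst ; do
	# <<< yields one empty line when nothing is unsigned; skip it
	[ -n "$dgst" ] || continue
	$VERBOSEP echo "Signing (inline/cleartext) $dgst"
	signone_clearsign "$dgst"
done <<<"$unsigned"
# … unchanged: cleanup; popd …
```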