authorRobin H. Johnson <robbat2@gentoo.org>2023-10-08 21:08:36 -0700
committerRobin H. Johnson <robbat2@gentoo.org>2023-10-08 21:08:36 -0700
commit9de2b29b511463a6ec4e17152d8c02686f7071c8 (patch)
tree818eaa2292cc7e0f98bfdf1f7f0776f06bf1f75b
parentsign-autobuilds: also ensure only using the file ascs, not symlinks (diff)
sign-autobuilds: tweak signing of latest*txt files, must be clearsigned-only20231009T040855Z
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-rwxr-xr-xsign-autobuilds.sh47
1 files changed, 44 insertions, 3 deletions
diff --git a/sign-autobuilds.sh b/sign-autobuilds.sh
index 4832c0c..233a1e4 100755
--- a/sign-autobuilds.sh
+++ b/sign-autobuilds.sh
@@ -40,6 +40,23 @@ signone_clearsign() {
$DEBUGP mv "${d}" "${f}"
}
+cleanup() {
+ # A sync mismatch means these seem like bad signatures due to different CDN
+ # cache times.
+ # [TXT] latest-install-alpha-minimal.txt 2023-10-09 03:00 116
+ # [TXT] latest-install-alpha-minimal.txt.asc 2023-10-09 00:21 488
+ #
+ # Using a clearsign in a seperate file doesn't help here either, because it
+ # can still be out of date compared to the underlying file.
+ # It must be exactly 1 file, clearsigned.
+ find autobuilds \
+ -type f \
+ -name 'latest*txt.asc' \
+ -exec grep -L -e '^-----BEGIN PGP SIGNED MESSAGE-----$' \{} \+ \
+ | xargs --no-run-if-empty rm -f
+
+}
+
gpgconf --kill all
for a in $ARCHES ; do
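Review bot: The `grep -L` filter in `cleanup()` keeps any `latest*txt.asc` that contains the clearsign header, yet the comment above it says a clearsigned copy in a separate file is also unwanted and only the single in-place clearsigned file should remain. If every `latest*txt.asc` is meant to be removed, `find autobuilds -type f -name 'latest*txt.asc' -delete` does that and drops the pipe entirely. If the filter is intentional, pass the list NUL-delimited instead, i.e. `-exec grep -LZ -e '^-----BEGIN PGP SIGNED MESSAGE-----$' {} +` piped into `xargs -0 --no-run-if-empty rm -f --`, because plain `xargs` splits names on whitespace and quotes.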
@@ -68,13 +85,35 @@ find_files_cmd=(
-or -name '*.lif'
# s390 netboot
-or -name 'netboot*T[0-9][0-9][0-9][0-9][0-9][0-9]Z'
+ ')'
+)
+
+find_sigs_cmd=(
+ find autobuilds
+ -type f
+ '('
+ -false
+ -or -name '*.asc'
+ ')'
+)
+
+find_unsigned_helper_cmd=(
+ find autobuilds
+ -type f
+ \(
+ -false
+ # Gentoo format digest files.
+ -or -name '*.DIGESTS'
+ # .sha256 files exist to support the OpenStack builder process
+ -or -name '*.sha256'
# marker files to declare latest builds.
-or -name 'latest*txt'
- ')'
+ \)
+ -exec grep -L -e '^-----BEGIN PGP SIGNED MESSAGE-----$' \{} \+
)
files="$( "${find_files_cmd[@]}" )"
-sigs="$(find autobuilds -type f -name '*.asc' )"
+sigs="$( "${find_sigs_cmd[@]}" )"
unsigned="$(comm -23 <(echo "$files" |sort) <(echo "$sigs" | sed -e 's,.asc$,,g' |sort))"
#$VERBOSEP echo "=== ARCH: $a"
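Review bot: `find_unsigned_helper_cmd` now decides whether a `latest*txt` file still needs signing purely by whether it contains a `-----BEGIN PGP SIGNED MESSAGE-----` line anywhere in the file, so a file that carries that line with a truncated, stale or foreign signature block would be skipped and published unchanged. These marker files are presumably what consumers follow to locate the current build, so it may be worth treating a file as signed only when `gpg --verify` succeeds for it. At minimum, record the limitation next to the `-exec grep -L` line, for example `# header presence only; signature validity is not checked here`. The array appears to sit inside the per-arch loop that opens before this hunk, so any verification done later in the script is not visible from here.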
@@ -96,12 +135,14 @@ done
#echo "Text helper files:"
-unsigned="$(find autobuilds \( -name '*.sha256' -or -name '*.DIGESTS' \) -exec grep -L -e '^-----BEGIN PGP SIGNED MESSAGE-----$' \{} \+ )"
+unsigned="$( "${find_unsigned_helper_cmd[@]}" )"
for dgst in $unsigned ; do
$VERBOSEP echo "Signing (inline/cleartext) $dgst"
signone_clearsign $dgst
done
+cleanup
+
popd >/dev/null
done