blob: 7db6611a4c7168c61d7d8fe03d1a4b14856d92ac (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
#!/bin/bash
# Copyright 2023 Gentoo Authors; Distributed under the GPL v2
# might be earlier copyright, no history available
# NOTE 1: This script is SLOW. It should run at most once per day.
# NOTE 2: This script requires that the signing key has its ownertrust
# set to ultimate. Which makes sense anyway, since we have the
# secret key.
# NOTE 3: This script has to run as gmirror user.
# Keep this variable in sync
_ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sparc x86"
#alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86
ARCHES=${ARCHES:-${_ARCHES}}
VERBOSE='0'
INTREE=/release/weekly/binpackages
STAGINGTREE=/release/binpackages-staging
OUTTREE=/var/tmp/gmirror-releases/releases
IN_RSYNC_OPTS=(
--no-motd
--archive
--delete
--delete-after
--ignore-missing-args
--update
--mkpath
)
OUT_RSYNC_OPTS=(
--no-motd
--archive
--ignore-errors
--delete
--delete-after
--ignore-missing-args
--mkpath
)
export BINPKG_GPG_SIGNING_GPG_HOME=/home/gmirror/.gnupg-releng
export BINPKG_GPG_SIGNING_KEY=13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
export BINPKG_GPG_VERIFY_GPG_HOME=${BINPKG_GPG_SIGNING_GPG_HOME}
# this script needs to be run as gmirror user
[[ $(whoami) == "gmirror" ]] || exit 111
# we make sure we're not running twice in parallel
if [[ -f ${STAGINGTREE}/.running ]] ; then
echo sign-sync-binpackages.sh lockfile ${STAGINGTREE}/.running exists, aborting
exit 112
fi
touch ${STAGINGTREE}/.running || exit 110
# make sure we have an updated gpg-agent
gpgconf --kill all
# prepare some handy variables
_verbose_v=''
[[ ${VERBOSE} == '1' ]] && _verbose_v='-v'
# step 1: rsync from the dirs where the arches copy in
# make sure to *not* overwrite existing newer files (obviously
# the signature changed them)...
for a in ${ARCHES} ; do
rsync ${_verbose_v} "${IN_RSYNC_OPTS[@]}" ${INTREE}/${a}/* ${STAGINGTREE}/${a}/
done
# now the set of files is frozen in the staging dir, and we dont care
# if any arches start uploading in the meantime
# step 2: iterate over all binary package trees, sign
# all unsigned files
# we assume the directory structure to be
# .../binpackages-staging/amd64/17.1/x86-64
# .../binpackages-staging/amd64/17.1/x86-64_musl
# .../binpackages-staging/mips/17.0/mipsel3_n32
# .../binpackages-staging/x86/17.0/x86_musl_hardened
for t in ${STAGINGTREE}/*/*/* ; do
# find all unsigned packages as fast as possible
find "${t}" -name '*.gpkg.tar' -print0 | \
parallel -0 -n1 --will-cite -- "tar tf {} |grep -E -e '/metadata\.tar\..*\.sig$' -L --label={}" > ${STAGINGTREE}/.unsigned
if [[ ${VERBOSE} == '1' ]] ; then
echo "List of unsigned pacakges:"
cat ${STAGINGTREE}/.unsigned
echo ; echo
fi
# sign the packages
[[ ${VERBOSE} == '1' ]] && xargs -n1 --no-run-if-empty -- gpkg-sign < ${STAGINGTREE}/.unsigned || exit 113
[[ ${VERBOSE} == '1' ]] || xargs -n1 --no-run-if-empty -- gpkg-sign < ${STAGINGTREE}/.unsigned > /dev/null || exit 113
# regenerate the indices
[[ ${VERBOSE} == '1' ]] && PKGDIR=${t} emaint -f binhost || exit 114
[[ ${VERBOSE} == '1' ]] || PKGDIR=${t} emaint -f binhost > /dev/null || exit 114
done
# unfortunately these commands make much noise... let's hope we notice errors
# step 3: sync the result into the mirror directories from where
# the files are distributed
for a in ${ARCHES}; do
[[ -d ${OUTTREE}/${a}/binpackages ]] || mkdir -p ${_verbose_v} ${OUTTREE}/${a}/binpackages
rsync ${_verbose_v} "${OUT_RSYNC_OPTS[@]}" ${STAGINGTREE}/${a}/* ${OUTTREE}/${a}/binpackages/
date -u > ${OUTTREE}/${a}/binpackages/.timestamp
done
# we're done so remove the "lockfile"
rm ${STAGINGTREE}/.running
|
GitWeb