From 42410bf11caa208b720725e80e6269cb153b7be6 Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson"
Date: Thu, 12 Oct 2023 16:49:04 -0700
Subject: sign-autobuilds: link signatures
Signed-off-by: Robin H. Johnson
---
 sign-autobuilds.sh | 77 +++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 62 insertions(+), 15 deletions(-)
diff --git a/sign-autobuilds.sh b/sign-autobuilds.sh
index 595bf26..29dc29b 100755
--- a/sign-autobuilds.sh
+++ b/sign-autobuilds.sh
@@ -25,6 +25,10 @@ VERBOSEP=false
 # needs more debugging
 # set -e
+warn() {
+ echo "WARN: $*" 1>&2
+ }
+
 signone() {
 f="$1"
 $DEBUGP "${GPG[@]}" --armor --detach-sign "${f}"
@@ -32,9 +36,9 @@ signone() {
 signone_clearsign() {
 # only for text files!
- f="$1"
- d=".${1}.asc.tmp"
- rm -f "$d"
+ f="${1}"
+ d="$(dirname "${f}")/.$(basename "${f}").asc.tmp"
+ rm -f "${d}"
 # Clearsign aborts if the destfile exists
 $DEBUGP "${GPG[@]}" --armor --clearsign --output "$d" "${f}"
 $DEBUGP mv "${d}" "${f}"
@@ -70,9 +74,7 @@ cd "$RELEASES/$a" >/dev/null || continue
 # 2023/10/08: Unknown if the latest files are consumed by any machine-readable
 # process that would break if the changed into being clearsigned, so use a
 # detached signature for now.
-find_files_cmd=(
- find autobuilds
- -type f
+find_src_names=(
 '('
 -false
 -or -name '*.tar.xz'
@@ -89,14 +91,34 @@ find_files_cmd=(
 ')'
 )
-find_sigs_cmd=(
+find_src_files_cmd=(
 find autobuilds
 -type f
+ "${find_src_names[@]}"
+)
+
+find_src_links_cmd=(
+ find autobuilds
+ -type l
+ "${find_src_names[@]}"
+)
+
+find_sig_names=(
 '('
 -false
 -or -name '*.asc'
 ')'
 )
+find_sig_files_cmd=(
+ find autobuilds
+ -type f
+ "${find_sig_names[@]}"
+)
+find_sig_links_cmd=(
+ find autobuilds
+ -type l
+ "${find_sig_names[@]}"
+)
 find_unsigned_helper_cmd=(
 find autobuilds
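Review bot: `warn()` builds its message with `echo "WARN: $*" 1>&2`, which works for the current callers, but the idiomatic form for arbitrary message text is `printf 'WARN: %s\n' "$*" >&2`, since printf's treatment of backslashes does not depend on shell options. A short header such as `# warn MSG...: print MSG to stderr; does not alter the exit status` would also make explicit that callers keep going after a warning, which matters here because `set -e` is commented out in the context just above.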
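Review bot: In `signone_clearsign`, the new temp path `d` is computed and cleared, but the gpg call that fills it and the `mv` that replaces `${f}` with it remain unconditional; with `set -e` disabled (the `# set -e` in the first hunk), a failed `--clearsign` leaves `${d}` absent or partial and the `mv` either fails noisily or replaces the source with a truncated file. Chaining the steps, e.g. `$DEBUGP "${GPG[@]}" --armor --clearsign --output "${d}" "${f}" || { rm -f -- "${d}"; return 1; }`, keeps the original untouched on failure. `f` and `d` are also still plain globals; `local f d` at the top of the function would stop them leaking into the caller, assuming nothing outside the function reads them. The function's closing brace is outside the hunk.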
@@ -113,21 +135,46 @@ find_unsigned_helper_cmd=(
 -exec grep -L -e '^-----BEGIN PGP SIGNED MESSAGE-----$' \{\} \+
 )
-files="$( "${find_files_cmd[@]}" )"
-sigs="$( "${find_sigs_cmd[@]}" )"
-unsigned="$(comm -23 <(echo "$files" |sort) <(echo "$sigs" | sed -e 's,.asc$,,g' |sort))"
+src_files="$( "${find_src_files_cmd[@]}" )"
+src_links="$( "${find_src_links_cmd[@]}" )"
+sig_files="$( "${find_sig_files_cmd[@]}" )"
+sig_links="$( "${find_sig_links_cmd[@]}" )"
+
+unsigned_files="$(comm -23 <(echo "$src_files" |sort) <(echo "$sig_files" | sed -e 's,.asc$,,g' |sort))"
+unsigned_links="$(comm -23 <(echo "$src_links" |sort) <(echo "$sig_links" | sed -e 's,.asc$,,g' |sort))"
 #$VERBOSEP echo "=== ARCH: $a"
-for src in ${unsigned} ; do
+for src in ${unsigned_files} ; do
 dgst=${src}.asc
- if [[ -f "$src" ]] && [[ ! -f "${dgst}" ]]; then
- $VERBOSEP echo "Signing $src"
- signone "$src"
+ if [[ -f "${src}" ]]; then
+ if [[ ! -e "${dgst}" ]]; then
+ $VERBOSEP echo "Signing $src"
+ signone "$src"
+ fi
+ # what if it existed but was NOT a file, this is an error
+ if [[ -e "${dgst}" ]] && [[ ! -f "${dgst}" ]]; then
+ warn "Unexpected link: $dgst"
+ fi
+ fi
+done
+
+for src in ${unsigned_links}; do
+ dgst=${src}.asc
+ if [[ -L "${src}" ]] && [[ ! -e "${dgst}" ]]; then
+ link_rel=$(readlink "${src}")
+ link_rel_sig=${link_rel}.asc
+ link_abs=$(readlink -f "${src}")
+ link_abs_sig=${link_abs}.asc
+ if [[ -e "${link_rel_sig}" ]] || [[ -e "${link_abs_sig}" ]]; then
+ ln -sf "${link_rel_sig}" "${dgst}"
+ else
+ warn "Link with no obvious signature: ${src} ; checked $link_rel_sig and $link_abs_sig"
+ fi
 fi
 done
-for dgst in ${sigs}; do
+for dgst in ${sig_files}; do
 src=${dgst%.asc}
 # If both the source & signature are files, not symlinks, and the source is
 # newer, then resign. Need to check both for being files, in case we are in
-- 
cgit v1.2.3-65-gdbad
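Review bot: In the new `${unsigned_links}` loop, `ln -sf "${link_rel_sig}" "${dgst}"` runs unguarded while every other mutating step in this script goes through `$DEBUGP` (`signone`, the `mv` in `signone_clearsign`), so a dry run still creates signature links; prefix it as `$DEBUGP ln -sf "${link_rel_sig}" "${dgst}"` and log it with `$VERBOSEP echo "Linking $dgst"` to match the file branch. The test `[[ -e "${link_rel_sig}" ]]` is evaluated relative to the cwd (`$RELEASES/$a`) rather than the directory holding `${src}`, which is where a relative symlink target actually resolves, so it can pass or fail on the wrong path; `link_abs_sig` from `readlink -f` is already checked and is the reliable one, so `link_rel_sig` is best kept only as the `ln` target. In the files loop, `-e` is false for a dangling symlink, so a broken `${dgst}` link passes `! -e`, reaches `signone`, and is never reported by the `-e && ! -f` check; `[[ -e "${dgst}" || -L "${dgst}" ]]` in both places would cover it. The `for dgst in ${sig_files}` loop continues past the end of the hunk.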