diff options
| author | Phil Pennock <pdp@exim.org> | 2017-02-19 17:27:11 -0500 |
|---|---|---|
| committer | Phil Pennock <pdp@exim.org> | 2017-02-19 17:27:11 -0500 |
| commit | b7e8c96e9bfd6fe9505230359138f59b731054e5 (patch) | |
| tree | 7bf015c78257fad3b54c0dc39cef491773c589c1 /release-process | |
| parent | 1a13c13c325cdb119fdf68a6d9ecffcaa2c3756d (diff) | |
| download | exim4-b7e8c96e9bfd6fe9505230359138f59b731054e5.tar.gz | |
releng: able to use gnupg default keys for signing
Git and our previous "must specify one keyid" approach is more
constraining than GnuPG allows; cleanest and simplest way, without
breaking support for people with multiple keys and such like, is to just
provide a way to break out of our logic and say "use the configured
default GnuPG keys".
My PGP key has multiple signing subkeys, one RSA and one Ed25519; I
think I might try a dual-signature in an upcoming RC to see how many
people scream with broken OpenPGP clients.
Diffstat (limited to 'release-process')
| -rwxr-xr-x | release-process/scripts/sign_exim_packages | 32 |
1 files changed, 28 insertions, 4 deletions
diff --git a/release-process/scripts/sign_exim_packages b/release-process/scripts/sign_exim_packages index bd02d1183..a504ea826 100755 --- a/release-process/scripts/sign_exim_packages +++ b/release-process/scripts/sign_exim_packages @@ -12,14 +12,38 @@ # woe betide the poor sod who does not use a gpg agent, so has # to enter their password for every file... +prog="$(basename "$0")" +warn() { printf >&2 "%s: %s\n" "$prog" "$*" ; } + +: "${GPG_COMMAND:=gpg}" +umask 022 + +# We've always expected an explicit key for signing, instead of just using the +# gnupg config. It make sense to honor the git config value. It makes sense +# to honor env. But git doesn't allow specifying multiple subkeys, it only +# passes one -u option. +# UID specs explicitly allow whitespace in several formats. +# We have one scalar value, we're sh, we're not going to try using an array. +# +# So if you want to sign with multiple subkeys, then set it up with multiple +# local-user directives in ~/.gnupg/gpg.conf & set EXIM_KEY=default in environ. + if repo_signing_key="$(git config user.signingkey)"; then : "${EXIM_KEY:=$repo_signing_key}" else - : "${EXIM_KEY:?Need a PGP key uid to sign with}" + if [ ".${EXIM_KEY:-}" = "." ]; then + warn "no EXIM_KEY found, trusting local gpg config" + fi fi -: "${GPG_COMMAND:=gpg}" -umask 022 +case "${EXIM_KEY:-default}" in +default|DEFAULT) + gpg_sign() { ${GPG_COMMAND} --detach-sig --armor "${1:?}" ; } + ;; +*) + gpg_sign() { ${GPG_COMMAND} --local-user "${EXIM_KEY}" --detach-sig --armor "${1:?}" ; } + ;; +esac cd_to() { echo "Working in: $1"; cd "$1"; } @@ -49,5 +73,5 @@ set $(find . -name '*.asc' -prune -o -type f -print | cut -c 3- | sort) for FILE do echo "Signing: $FILE" - ${GPG_COMMAND} --local-user "${EXIM_KEY}" --detach-sig --armor "$FILE" + gpg_sign "$FILE" done |