blob: a504ea82637cb652013a05b3015ae55e7ab1c6cb (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
#!/bin/sh -eu
# gpg signs all *.tar.* files under the release directory.
# Invoke from that dir, or let the script try to figure it out for you.
# Key used is from env var EXIM_KEY; if git config finds user.signingkey, then
# that is the default. You can set this per-repo with:
# git config --local user.signingkey SOME_IDENTIFIER
#
# If not set in git config then you _MUST_ set the env var.
# woe betide the poor sod who does not use a gpg agent, so has
# to enter their password for every file...
prog="$(basename "$0")"
warn() { printf >&2 "%s: %s\n" "$prog" "$*" ; }
: "${GPG_COMMAND:=gpg}"
umask 022
# We've always expected an explicit key for signing, instead of just using the
# gnupg config. It make sense to honor the git config value. It makes sense
# to honor env. But git doesn't allow specifying multiple subkeys, it only
# passes one -u option.
# UID specs explicitly allow whitespace in several formats.
# We have one scalar value, we're sh, we're not going to try using an array.
#
# So if you want to sign with multiple subkeys, then set it up with multiple
# local-user directives in ~/.gnupg/gpg.conf & set EXIM_KEY=default in environ.
if repo_signing_key="$(git config user.signingkey)"; then
: "${EXIM_KEY:=$repo_signing_key}"
else
if [ ".${EXIM_KEY:-}" = "." ]; then
warn "no EXIM_KEY found, trusting local gpg config"
fi
fi
case "${EXIM_KEY:-default}" in
default|DEFAULT)
gpg_sign() { ${GPG_COMMAND} --detach-sig --armor "${1:?}" ; }
;;
*)
gpg_sign() { ${GPG_COMMAND} --local-user "${EXIM_KEY}" --detach-sig --armor "${1:?}" ; }
;;
esac
cd_to() { echo "Working in: $1"; cd "$1"; }
okay=false
if [ -d ../../release-process ] && [ "${PWD##*/}" = "pkgs" ]; then
okay=true # we are in right dir
elif [ -d release-process ]; then
b="$(find . -maxdepth 1 -name 'exim-packaging-*' | sort | tail -n 1)"
if [ ".$b" != "." ]; then
cd_to "$b/pkgs"
okay=true
fi
fi
if ! $okay; then
if [ -d "${1:?need a directory to look in}" ]; then
cd_to "$1"
shift
else
printf "%s: %s\n" >&2 "$(basename "$0")" "where should I be looking"
exit 1
fi
fi
# Assumes no whitespace (strictly, $IFS) in filenames, which we're okay with
set $(find . -name '*.asc' -prune -o -type f -print | cut -c 3- | sort)
for FILE
do
echo "Signing: $FILE"
gpg_sign "$FILE"
done
|
