diff --git a/hack/make/release-deb b/hack/make/release-deb
index 83bcfdbc46..be47aa8a8b 100755
--- a/hack/make/release-deb
+++ b/hack/make/release-deb
@@ -15,6 +15,7 @@ set -e
# ... and so on and so forth for the builds created by hack/make/build-deb
: ${DOCKER_RELEASE_DIR:=$DEST}
+: ${GPG_KEYID:=releasedocker}
APTDIR=$DOCKER_RELEASE_DIR/apt/repo
# setup the apt repo (if it does not exist)
@@ -63,7 +64,7 @@ for dir in contrib/builder/deb/*/; do
# dpkg-sign before reprepro
if [ ! -z "$GPG_PASSPHRASE" ]; then
dpkg-sig -g "--passphrase $GPG_PASSPHRASE" \
- -k releasedocker --sign builder "${DEBFILE[@]}"
+ -k "$GPG_KEYID" --sign builder "${DEBFILE[@]}"
fi
reprepro -v $options \
diff --git a/hack/make/release-rpm b/hack/make/release-rpm
index 6025e7b39e..8fac8097d5 100755
--- a/hack/make/release-rpm
+++ b/hack/make/release-rpm
@@ -16,6 +16,7 @@ set -e
: ${DOCKER_RELEASE_DIR:=$DEST}
YUMDIR=$DOCKER_RELEASE_DIR/yum/repo
+: ${GPG_KEYID:=releasedocker}
# manage the repos for each distribution separately
distros=( fedora centos oraclelinux )
@@ -53,15 +54,15 @@ for distro in "${distros[@]}"; do
# sign the rpms before adding to repo
if [ ! -z $GPG_PASSPHRASE ]; then
# export our key to rpm import
- gpg --armor --export releasedocker > /tmp/gpg
+ gpg --armor --export "$GPG_KEYID" > /tmp/gpg
rpm --import /tmp/gpg
# sign the rpms
echo "yes" | setsid rpm \
- --define '_gpg_name releasedocker' \
- --define '_signature gpg' \
- --define '__gpg_check_password_cmd /bin/true' \
- --define '__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --passphrase '$GPG_PASSPHRASE' --no-secmem-warning -u "%{_gpg_name}" --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}' \
+ --define "_gpg_name $GPG_KEYID" \
+ --define "_signature gpg" \
+ --define "__gpg_check_password_cmd /bin/true" \
+ --define "__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --passphrase '$GPG_PASSPHRASE' --no-secmem-warning -u '%{_gpg_name}' --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}" \
--resign "${RPMFILE[@]}"
fi
diff --git a/hack/make/sign-repos b/hack/make/sign-repos
index 5d847a4798..93b640d7b5 100755
--- a/hack/make/sign-repos
+++ b/hack/make/sign-repos
@@ -4,6 +4,7 @@
# with a designated GPG key.
: ${DOCKER_RELEASE_DIR:=$DEST}
+: ${GPG_KEYID:=releasedocker}
APTDIR=$DOCKER_RELEASE_DIR/apt/repo
YUMDIR=$DOCKER_RELEASE_DIR/yum/repo
@@ -21,12 +22,12 @@ sign_packages(){
# sign apt repo metadata
if [ -d $APTDIR ]; then
# create file with public key
- gpg --armor --export releasedocker > "$DOCKER_RELEASE_DIR/apt/gpg"
+ gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/apt/gpg"
# sign the repo metadata
for F in $(find $APTDIR -name Release); do
if test "$F" -nt "$F.gpg" ; then
- gpg -u releasedocker --passphrase "$GPG_PASSPHRASE" \
+ gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
--armor --sign --detach-sign \
--batch --yes \
--output "$F.gpg" "$F"
@@ -37,12 +38,12 @@ sign_packages(){
# sign yum repo metadata
if [ -d $YUMDIR ]; then
# create file with public key
- gpg --armor --export releasedocker > "$DOCKER_RELEASE_DIR/yum/gpg"
+ gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/yum/gpg"
# sign the repo metadata
for F in $(find $YUMDIR -name repomd.xml); do
if test "$F" -nt "$F.asc" ; then
- gpg -u releasedocker --passphrase "$GPG_PASSPHRASE" \
+ gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
--armor --sign --detach-sign \
--batch --yes \
--output "$F.asc" "$F"
diff --git a/hack/release.sh b/hack/release.sh
index 959b64831a..3af6ff092a 100755
--- a/hack/release.sh
+++ b/hack/release.sh
@@ -22,8 +22,9 @@ To run, I need:
environment variables AWS_S3_BUCKET and AWS_S3_BUCKET_PATH (default: '');
- to be provided with AWS credentials for this S3 bucket, in environment
variables AWS_ACCESS_KEY and AWS_SECRET_KEY;
-- the passphrase to unlock the GPG key which will sign the deb packages
- (passed as environment variable GPG_PASSPHRASE);
+- the passphrase to unlock the GPG key specified by the optional environment
+ variable GPG_KEYID (default: releasedocker) which will sign the deb
+ packages (passed as environment variable GPG_PASSPHRASE);
- a generous amount of good will and nice manners.
The canonical way to run me is to run the image produced by the Dockerfile: e.g.:"
@@ -265,7 +266,7 @@ release_ubuntu() {
local debfiles=( "bundles/$VERSION/ubuntu/"*.deb )
# Sign our packages
- dpkg-sig -g "--passphrase $GPG_PASSPHRASE" -k releasedocker --sign builder "${debfiles[@]}"
+ dpkg-sig -g "--passphrase $GPG_PASSPHRASE" -k "$GPG_KEYID" --sign builder "${debfiles[@]}"
# Setup the APT repo
APTDIR=bundles/$VERSION/ubuntu/apt
@@ -282,14 +283,14 @@ EOF
# Sign
for F in $(find $APTDIR -name Release); do
- gpg -u releasedocker --passphrase "$GPG_PASSPHRASE" \
+ gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
--armor --sign --detach-sign \
--output "$F.gpg" "$F"
done
# Upload keys
s3cmd sync "$HOME/.gnupg/" "s3://$BUCKET/ubuntu/.gnupg/"
- gpg --armor --export releasedocker > "bundles/$VERSION/ubuntu/gpg"
+ gpg --armor --export "$GPG_KEYID" > "bundles/$VERSION/ubuntu/gpg"
s3cmd --acl-public put "bundles/$VERSION/ubuntu/gpg" "s3://$BUCKET/gpg"
local gpgFingerprint=36A1D7869245C8950F966E92D8576A8BA88D21E9
@@ -365,14 +366,14 @@ setup_gpg() {
# Make sure that we have our keys
mkdir -p "$HOME/.gnupg/"
s3cmd sync "s3://$BUCKET/ubuntu/.gnupg/" "$HOME/.gnupg/" || true
- gpg --list-keys releasedocker >/dev/null || {
+ gpg --list-keys "$GPG_KEYID" >/dev/null || {
gpg --gen-key --batch <<EOF
Key-Type: RSA
Key-Length: 4096
Passphrase: $GPG_PASSPHRASE
Name-Real: Docker Release Tool
Name-Email: docker@docker.com
-Name-Comment: releasedocker
+Name-Comment: $GPG_KEYID
Expire-Date: 0
%commit
EOF