moby--moby/hack/make/sign-repos

#!/usr/bin/env bash

# This script signs the deliverables from release-deb and release-rpm
# with a designated GPG key.

: ${DOCKER_RELEASE_DIR:=$DEST}
: ${GPG_KEYID:=releasedocker}
APTDIR=$DOCKER_RELEASE_DIR/apt/repo
YUMDIR=$DOCKER_RELEASE_DIR/yum/repo

if [ -z "$GPG_PASSPHRASE" ]; then
	echo >&2 'you need to set GPG_PASSPHRASE in order to sign artifacts'
	exit 1
fi

if [ ! -d $APTDIR ] && [ ! -d $YUMDIR ]; then
	echo >&2 'release-rpm or release-deb must be run before sign-repos'
	exit 1
fi

sign_packages(){
	# sign apt repo metadata
	if [ -d $APTDIR ]; then
		# create file with public key
		gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/apt/gpg"

		# sign the repo metadata
		for F in $(find $APTDIR -name Release); do
			if test "$F" -nt "$F.gpg" ; then
				gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
					--digest-algo "sha512" \
					--armor --sign --detach-sign \
					--batch --yes \
					--output "$F.gpg" "$F"
			fi
			inRelease="$(dirname "$F")/InRelease"
			if test "$F" -nt "$inRelease" ; then
				gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
					--digest-algo "sha512" \
					--clearsign \
					--batch --yes \
					--output "$inRelease" "$F"
			fi
		done
	fi

	# sign yum repo metadata
	if [ -d $YUMDIR ]; then
		# create file with public key
		gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/yum/gpg"

		# sign the repo metadata
		for F in $(find $YUMDIR -name repomd.xml); do
			if test "$F" -nt "$F.asc" ; then
				gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
					--digest-algo "sha512" \
					--armor --sign --detach-sign \
					--batch --yes \
					--output "$F.asc" "$F"
			fi
		done
	fi
}

sign_packages