| 1 |
commit: 17ac45552c0f6c49f28e11fad23ab2cddfdd5393 |
| 2 |
Author: Fabian Groffen <grobian <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Wed Nov 29 19:26:38 2017 +0000 |
| 4 |
Commit: Fabian Groffen <grobian <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Wed Nov 29 19:26:38 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/proj/prefix.git/commit/?id=17ac4555 |
| 7 |
|
| 8 |
update-rsync-master: only sign the top level Manifest |
| 9 |
|
| 10 |
scripts/rsync-generation/update-rsync-master.sh | 69 +++++++------------------ |
| 11 |
1 file changed, 20 insertions(+), 49 deletions(-) |
| 12 |
|
| 13 |
diff --git a/scripts/rsync-generation/update-rsync-master.sh b/scripts/rsync-generation/update-rsync-master.sh |
| 14 |
index 5f73206eae..459edebce0 100755 |
| 15 |
--- a/scripts/rsync-generation/update-rsync-master.sh |
| 16 |
+++ b/scripts/rsync-generation/update-rsync-master.sh |
| 17 |
@@ -187,57 +187,28 @@ TIME_SVNPREFIX=$((STOP - START)) |
| 18 |
|
| 19 |
START=$(date +%s) |
| 20 |
|
| 21 |
-echo "($(date +"%F %R")) signing unsigned Manifests" |
| 22 |
+echo "($(date +"%F %R")) signing Manifest" |
| 23 |
|
| 24 |
# generate Thick Manifests |
| 25 |
-${BASE_PATH}/hashgen ${RSYNCDIR} |
| 26 |
- |
| 27 |
-# We store signed Manifests in a "cache", so we don't have to |
| 28 |
-# generate them all-over all the time. Generation needs to take place |
| 29 |
-# if: |
| 30 |
-# 1. the original Manifest isn't signed |
| 31 |
-# 2. we don't have one generated file |
| 32 |
-# 3. the Manifest modification time is newer than our generated file |
| 33 |
-# Signing is done with our snapshot signing key |
| 34 |
-sign_manifest() { |
| 35 |
- local pkg=$1 |
| 36 |
- local mc=${pkg//\//_}.manifest |
| 37 |
- [[ -z ${pkg} ]] && return 1 |
| 38 |
- |
| 39 |
- if [[ ! -f ${MANIFEST_CACHE}/${mc} || ${RSYNCDIR}/${pkg}/Manifest -nt ${MANIFEST_CACHE}/${mc} ]] ; then |
| 40 |
- mkdir -p "${MANIFEST_CACHE}" |
| 41 |
- |
| 42 |
- echo "Signing Manifest for ${pkg}" |
| 43 |
- cat "${RSYNCDIR}/${pkg}"/Manifest > "${MANIFEST_CACHE}"/${mc} |
| 44 |
- # remember, HOME is set to misc/ so .gnupg keychain lives there |
| 45 |
- gpg --batch --no-tty --passphrase-fd 0 --default-key C6317B3C \ |
| 46 |
- --pinentry-mode loopback \ |
| 47 |
- --sign --clearsign --digest-algo SHA512 \ |
| 48 |
- --yes "${MANIFEST_CACHE}"/${mc} \ |
| 49 |
- < "${BASE_PATH}"/autosigner.pwd >& /dev/null |
| 50 |
- if [[ -f ${MANIFEST_CACHE}/${mc}.asc ]] ; then |
| 51 |
- touch -r "${RSYNCDIR}/${pkg}"/Manifest \ |
| 52 |
- "${MANIFEST_CACHE}"/${mc}.asc |
| 53 |
- mv "${MANIFEST_CACHE}"/${mc}{.asc,} |
| 54 |
- else |
| 55 |
- rm "${MANIFEST_CACHE}"/${mc} |
| 56 |
- echo "signing failed!" >> /dev/stderr |
| 57 |
- return 0 |
| 58 |
- fi |
| 59 |
- fi |
| 60 |
- |
| 61 |
- cp -a "${MANIFEST_CACHE}"/${mc} "${RSYNCDIR}/${pkg}"/Manifest |
| 62 |
- |
| 63 |
- return 0 |
| 64 |
-} |
| 65 |
- |
| 66 |
-for entry in "${RSYNCDIR}"/*/* ; do |
| 67 |
- [[ ! -f "${entry}"/Manifest ]] && continue |
| 68 |
- entry=${entry#${RSYNCDIR}/} |
| 69 |
- sign_manifest "${entry}" |
| 70 |
-done |
| 71 |
- |
| 72 |
-echo "($(date +"%F %R")) unsigned Manifests signed" |
| 73 |
+${BASE_PATH}/hashgen "${RSYNCDIR}" |
| 74 |
+ |
| 75 |
+# Signing is done with our snapshot signing key, and only on the top |
| 76 |
+# level Manifest, for it covers indirectly the entire tree |
| 77 |
+ |
| 78 |
+# remember, HOME is set to misc/ so .gnupg keychain lives there |
| 79 |
+gpg --batch --no-tty --passphrase-fd 0 --default-key C6317B3C \ |
| 80 |
+ --pinentry-mode loopback \ |
| 81 |
+ --sign --clearsign --digest-algo SHA512 \ |
| 82 |
+ --yes "${RSYNCDIR}"/Manifest \ |
| 83 |
+ < "${BASE_PATH}"/autosigner.pwd >& /dev/null |
| 84 |
+if [[ -f ${RSYNCDIR}/Manifest.asc ]] ; then |
| 85 |
+ touch -r "${RSYNCDIR}"/Manifest "${RSYNCDIR}"/Manifest.asc |
| 86 |
+ mv "${RSYNCDIR}"/Manifest{.asc,} |
| 87 |
+else |
| 88 |
+ echo "signing failed!" >> /dev/stderr |
| 89 |
+fi |
| 90 |
+ |
| 91 |
+echo "($(date +"%F %R")) Manifest signed" |
| 92 |
|
| 93 |
STOP=$(date +%s) |
| 94 |
TIME_MANISIGN=$((STOP - START)) |
Archives