commit: 17ac45552c0f6c49f28e11fad23ab2cddfdd5393 |
Author: Fabian Groffen <grobian <AT> gentoo <DOT> org> |
AuthorDate: Wed Nov 29 19:26:38 2017 +0000 |
Commit: Fabian Groffen <grobian <AT> gentoo <DOT> org> |
CommitDate: Wed Nov 29 19:26:38 2017 +0000 |
URL: https://gitweb.gentoo.org/repo/proj/prefix.git/commit/?id=17ac4555 |
|
update-rsync-master: only sign the top level Manifest |
|
scripts/rsync-generation/update-rsync-master.sh | 69 +++++++------------------ |
1 file changed, 20 insertions(+), 49 deletions(-) |
|
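--- a/scripts/rsync-generation/update-rsync-master.sh
+++ b/scripts/rsync-generation/update-rsync-master.sh
@@ -187,57 +187,28 @@ TIME_SVNPREFIX=$((STOP - START))
 
 START=$(date +%s)
 
-echo "($(date +"%F %R")) signing unsigned Manifests"
+echo "($(date +"%F %R")) signing Manifest"
 
 # generate Thick Manifests
-${BASE_PATH}/hashgen ${RSYNCDIR}
-
-# We store signed Manifests in a "cache", so we don't have to
-# generate them all-over all the time. Generation needs to take place
-# if:
-# 1. the original Manifest isn't signed
-# 2. we don't have one generated file
-# 3. the Manifest modification time is newer than our generated file
-# Signing is done with our snapshot signing key
-sign_manifest() {
- local pkg=$1
- local mc=${pkg//\//_}.manifest
- [[ -z ${pkg} ]] && return 1
-
- if [[ ! -f ${MANIFEST_CACHE}/${mc} || ${RSYNCDIR}/${pkg}/Manifest -nt ${MANIFEST_CACHE}/${mc} ]] ; then
- mkdir -p "${MANIFEST_CACHE}"
-
- echo "Signing Manifest for ${pkg}"
- cat "${RSYNCDIR}/${pkg}"/Manifest > "${MANIFEST_CACHE}"/${mc}
- # remember, HOME is set to misc/ so .gnupg keychain lives there
- gpg --batch --no-tty --passphrase-fd 0 --default-key C6317B3C \
- --pinentry-mode loopback \
- --sign --clearsign --digest-algo SHA512 \
- --yes "${MANIFEST_CACHE}"/${mc} \
- < "${BASE_PATH}"/autosigner.pwd >& /dev/null
- if [[ -f ${MANIFEST_CACHE}/${mc}.asc ]] ; then
- touch -r "${RSYNCDIR}/${pkg}"/Manifest \
- "${MANIFEST_CACHE}"/${mc}.asc
- mv "${MANIFEST_CACHE}"/${mc}{.asc,}
- else
- rm "${MANIFEST_CACHE}"/${mc}
- echo "signing failed!" >> /dev/stderr
- return 0
- fi
- fi
-
- cp -a "${MANIFEST_CACHE}"/${mc} "${RSYNCDIR}/${pkg}"/Manifest
-
- return 0
-}
-
-for entry in "${RSYNCDIR}"/*/* ; do
- [[ ! -f "${entry}"/Manifest ]] && continue
- entry=${entry#${RSYNCDIR}/}
- sign_manifest "${entry}"
-done
-
-echo "($(date +"%F %R")) unsigned Manifests signed"
+${BASE_PATH}/hashgen "${RSYNCDIR}"
+
+# Signing is done with our snapshot signing key, and only on the top
+# level Manifest, for it covers indirectly the entire tree
+
+# remember, HOME is set to misc/ so .gnupg keychain lives there
+gpg --batch --no-tty --passphrase-fd 0 --default-key C6317B3C \
+ --pinentry-mode loopback \
+ --sign --clearsign --digest-algo SHA512 \
+ --yes "${RSYNCDIR}"/Manifest \
+ < "${BASE_PATH}"/autosigner.pwd >& /dev/null
+if [[ -f ${RSYNCDIR}/Manifest.asc ]] ; then
+ touch -r "${RSYNCDIR}"/Manifest "${RSYNCDIR}"/Manifest.asc
+ mv "${RSYNCDIR}"/Manifest{.asc,}
+else
+ echo "signing failed!" >> /dev/stderr
+fi
+
+echo "($(date +"%F %R")) Manifest signed"
 
 STOP=$(date +%s)
 TIME_MANISIGN=$((STOP - START))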
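Review bot: A signing failure is only logged in the new `else` branch: it prints `signing failed!`, then the script goes on to `Manifest signed` and the timing lines with `${RSYNCDIR}/Manifest` still unsigned. This matters more now that this one signature is the only one covering the tree. Success is also inferred from `Manifest.asc` existing rather than from gpg's exit status, and `>& /dev/null` discards gpg's own error, so if gpg fails while a `.asc` left over from an interrupted run is present, that stale file would presumably be moved over the fresh Manifest. I would remove any old `"${RSYNCDIR}"/Manifest.asc` before signing, test the command directly (`if gpg … ; then`), keep stderr by using `> /dev/null`, and add `exit 1` after the echo so the run fails closed. Whether later steps outside this hunk already stop an unsigned tree from being published is not visible here.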