Commit | Line | Data |
---|---|---|
00f7a87b PP |
1 | #!/bin/sh -eu |
2 | ||
3 | # gpg signs all *.tar.* files under the release directory. | |
4 | # Invoke from that dir, or let the script try to figure it out for you. | |
5 | ||
6 | # Key used is from env var EXIM_KEY; if git config finds user.signingkey, then | |
7 | # that is the default. You can set this per-repo with: | |
8 | # git config --local user.signingkey SOME_IDENTIFIER | |
8a483da6 | 9 | # |
00f7a87b PP |
10 | # If not set in git config then you _MUST_ set the env var. |
11 | ||
8a483da6 NM |
12 | # woe betide the poor sod who does not use a gpg agent, so has |
13 | # to enter their password for every file... | |
0b4f0dad | 14 | |
b7e8c96e PP |
15 | prog="$(basename "$0")" |
16 | warn() { printf >&2 "%s: %s\n" "$prog" "$*" ; } | |
17 | ||
18 | : "${GPG_COMMAND:=gpg}" | |
19 | umask 022 | |
20 | ||
21 | # We've always expected an explicit key for signing, instead of just using the | |
22 | # gnupg config. It make sense to honor the git config value. It makes sense | |
23 | # to honor env. But git doesn't allow specifying multiple subkeys, it only | |
24 | # passes one -u option. | |
25 | # UID specs explicitly allow whitespace in several formats. | |
26 | # We have one scalar value, we're sh, we're not going to try using an array. | |
27 | # | |
28 | # So if you want to sign with multiple subkeys, then set it up with multiple | |
29 | # local-user directives in ~/.gnupg/gpg.conf & set EXIM_KEY=default in environ. | |
30 | ||
00f7a87b PP |
31 | if repo_signing_key="$(git config user.signingkey)"; then |
32 | : "${EXIM_KEY:=$repo_signing_key}" | |
33 | else | |
b7e8c96e PP |
34 | if [ ".${EXIM_KEY:-}" = "." ]; then |
35 | warn "no EXIM_KEY found, trusting local gpg config" | |
36 | fi | |
00f7a87b | 37 | fi |
8a483da6 | 38 | |
b7e8c96e PP |
39 | case "${EXIM_KEY:-default}" in |
40 | default|DEFAULT) | |
41 | gpg_sign() { ${GPG_COMMAND} --detach-sig --armor "${1:?}" ; } | |
42 | ;; | |
b2758501 | 43 | *) |
b7e8c96e PP |
44 | gpg_sign() { ${GPG_COMMAND} --local-user "${EXIM_KEY}" --detach-sig --armor "${1:?}" ; } |
45 | ;; | |
46 | esac | |
25af913a | 47 | |
00f7a87b PP |
48 | cd_to() { echo "Working in: $1"; cd "$1"; } |
49 | ||
b2758501 HSHR |
50 | #okay=false |
51 | #if [ -d ../../release-process ] && [ "${PWD##*/}" = "pkgs" ]; then | |
52 | # okay=true # we are in right dir | |
53 | #elif [ -d release-process ]; then | |
54 | # b="$(find . -maxdepth 1 -name 'exim-packaging-*' | sort | tail -n 1)" | |
55 | # if [ ".$b" != "." ]; then | |
56 | # cd_to "$b/pkgs" | |
57 | # okay=true | |
58 | # fi | |
59 | #fi | |
60 | #if ! $okay; then | |
00f7a87b PP |
61 | if [ -d "${1:?need a directory to look in}" ]; then |
62 | cd_to "$1" | |
63 | shift | |
64 | else | |
65 | printf "%s: %s\n" >&2 "$(basename "$0")" "where should I be looking" | |
66 | exit 1 | |
67 | fi | |
b2758501 | 68 | #fi |
00f7a87b PP |
69 | |
70 | # Assumes no whitespace (strictly, $IFS) in filenames, which we're okay with | |
71 | set $(find . -name '*.asc' -prune -o -type f -print | cut -c 3- | sort) | |
00f7a87b PP |
72 | for FILE |
73 | do | |
74 | echo "Signing: $FILE" | |
b7e8c96e | 75 | gpg_sign "$FILE" |
00f7a87b | 76 | done |