[exim.git] / release-process / scripts / sign_exim_packages

#!/bin/sh -eu

# gpg signs all *.tar.* files under the release directory.
# Invoke from that dir, or let the script try to figure it out for you.

# Key used is from env var EXIM_KEY; if git config finds user.signingkey, then
# that is the default.  You can set this per-repo with:
#    git config --local user.signingkey SOME_IDENTIFIER
#
# If not set in git config then you _MUST_ set the env var.

# woe betide the poor sod who does not use a gpg agent, so has
# to enter their password for every file...

prog="$(basename "$0")"
warn() { printf >&2 "%s: %s\n" "$prog" "$*" ; }

: "${GPG_COMMAND:=gpg}"
umask 022

# We've always expected an explicit key for signing, instead of just using the
# gnupg config.  It make sense to honor the git config value.  It makes sense
# to honor env.  But git doesn't allow specifying multiple subkeys, it only
# passes one -u option.
# UID specs explicitly allow whitespace in several formats.
# We have one scalar value, we're sh, we're not going to try using an array.
#
# So if you want to sign with multiple subkeys, then set it up with multiple
# local-user directives in ~/.gnupg/gpg.conf & set EXIM_KEY=default in environ.

if repo_signing_key="$(git config user.signingkey)"; then
	: "${EXIM_KEY:=$repo_signing_key}"
else
	if [ ".${EXIM_KEY:-}" = "." ]; then
		warn "no EXIM_KEY found, trusting local gpg config"
	fi
fi

case "${EXIM_KEY:-default}" in
default|DEFAULT)
	gpg_sign() { ${GPG_COMMAND} --detach-sig --armor "${1:?}" ; }
	;;
*)
	gpg_sign() { ${GPG_COMMAND} --local-user "${EXIM_KEY}" --detach-sig --armor "${1:?}" ; }
	;;
esac

cd_to() { echo "Working in: $1"; cd "$1"; }

#okay=false
#if [ -d ../../release-process ] && [ "${PWD##*/}" = "pkgs" ]; then
#	okay=true # we are in right dir
#elif [ -d release-process ]; then
#	b="$(find . -maxdepth 1 -name 'exim-packaging-*' | sort | tail -n 1)"
#	if [ ".$b" != "." ]; then
#		cd_to "$b/pkgs"
#		okay=true
#	fi
#fi
#if ! $okay; then
	if [ -d "${1:?need a directory to look in}" ]; then
		cd_to "$1"
		shift
	else
		printf "%s: %s\n" >&2 "$(basename "$0")" "where should I be looking"
		exit 1
	fi
#fi

# Assumes no whitespace (strictly, $IFS) in filenames, which we're okay with
set $(find . -name '*.asc' -prune -o -type f -print | cut -c 3- | sort)
for FILE
do
	echo "Signing: $FILE"
	gpg_sign "$FILE"
done
Commit	Line	Data
00f7a87b PP	1	#!/bin/sh -eu
	2
	3	# gpg signs all .tar. files under the release directory.
	4	# Invoke from that dir, or let the script try to figure it out for you.
	5
	6	# Key used is from env var EXIM_KEY; if git config finds user.signingkey, then
	7	# that is the default. You can set this per-repo with:
	8	# git config --local user.signingkey SOME_IDENTIFIER
8a483da6	9	#
00f7a87b PP	10	# If not set in git config then you _MUST_ set the env var.
00f7a87b PP	11
8a483da6 NM	12	# woe betide the poor sod who does not use a gpg agent, so has
8a483da6 NM	13	# to enter their password for every file...
0b4f0dad	14
b7e8c96e PP	15	prog="$(basename "$0")"
	16	warn() { printf >&2 "%s: %s\n" "$prog" "$*" ; }
	17
	18	: "${GPG_COMMAND:=gpg}"
	19	umask 022
	20
	21	# We've always expected an explicit key for signing, instead of just using the
	22	# gnupg config. It make sense to honor the git config value. It makes sense
	23	# to honor env. But git doesn't allow specifying multiple subkeys, it only
	24	# passes one -u option.
	25	# UID specs explicitly allow whitespace in several formats.
	26	# We have one scalar value, we're sh, we're not going to try using an array.
	27	#
	28	# So if you want to sign with multiple subkeys, then set it up with multiple
	29	# local-user directives in ~/.gnupg/gpg.conf & set EXIM_KEY=default in environ.
	30
00f7a87b PP	31	if repo_signing_key="$(git config user.signingkey)"; then
	32	: "${EXIM_KEY:=$repo_signing_key}"
	33	else
b7e8c96e PP	34	if [ ".${EXIM_KEY:-}" = "." ]; then
	35	warn "no EXIM_KEY found, trusting local gpg config"
	36	fi
00f7a87b	37	fi
8a483da6	38
b7e8c96e PP	39	case "${EXIM_KEY:-default}" in
	40	default\|DEFAULT)
	41	gpg_sign() { ${GPG_COMMAND} --detach-sig --armor "${1:?}" ; }
	42	;;
b2758501	43	*)
b7e8c96e PP	44	gpg_sign() { ${GPG_COMMAND} --local-user "${EXIM_KEY}" --detach-sig --armor "${1:?}" ; }
	45	;;
	46	esac
25af913a	47
00f7a87b PP	48	cd_to() { echo "Working in: $1"; cd "$1"; }
00f7a87b PP	49
b2758501 HSHR	50	#okay=false
	51	#if [ -d ../../release-process ] && [ "${PWD##*/}" = "pkgs" ]; then
	52	# okay=true # we are in right dir
	53	#elif [ -d release-process ]; then
	54	# b="$(find . -maxdepth 1 -name 'exim-packaging-*' \| sort \| tail -n 1)"
	55	# if [ ".$b" != "." ]; then
	56	# cd_to "$b/pkgs"
	57	# okay=true
	58	# fi
	59	#fi
	60	#if ! $okay; then
00f7a87b PP	61	if [ -d "${1:?need a directory to look in}" ]; then
	62	cd_to "$1"
	63	shift
	64	else
	65	printf "%s: %s\n" >&2 "$(basename "$0")" "where should I be looking"
	66	exit 1
	67	fi
b2758501	68	#fi
00f7a87b PP	69
	70	# Assumes no whitespace (strictly, $IFS) in filenames, which we're okay with
	71	set $(find . -name '*.asc' -prune -o -type f -print \| cut -c 3- \| sort)
00f7a87b PP	72	for FILE
	73	do
	74	echo "Signing: $FILE"
b7e8c96e	75	gpg_sign "$FILE"
00f7a87b	76	done