| 1 | #!/bin/sh -eu |
| 2 | |
| 3 | # gpg signs all *.tar.* files under the release directory. |
| 4 | # Invoke from that dir, or let the script try to figure it out for you. |
| 5 | |
| 6 | # Key used is from env var EXIM_KEY; if git config finds user.signingkey, then |
| 7 | # that is the default. You can set this per-repo with: |
| 8 | # git config --local user.signingkey SOME_IDENTIFIER |
| 9 | # |
| 10 | # If not set in git config then you _MUST_ set the env var. |
| 11 | |
| 12 | # woe betide the poor sod who does not use a gpg agent, so has |
| 13 | # to enter their password for every file... |
| 14 | |
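# Set the strict-mode options here, not only on the shebang line: options
# given on the shebang are lost when the script is run as "sh SCRIPT", and
# the rest of this script relies on -e (cd, gpg failures abort) and -u.
set -eu

# Script name used as the prefix of every diagnostic.
prog="$(basename "$0")"

# warn MSG...: print "prog: MSG" on stderr.  Returns printf's status (0).
warn() { printf >&2 "%s: %s\n" "$prog" "$*" ; }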
| 17 | |
# The gpg binary to run; overridable from the environment.  Call sites expand
# it unquoted, presumably so a value carrying extra arguments still works.
GPG_COMMAND="${GPG_COMMAND:-gpg}"

# Signature files are created world-readable (group/other get no write bit).
umask 022
| 20 | |
# We've always expected an explicit key for signing, instead of just using the
# gnupg config. It makes sense to honor the git config value. It makes sense
# to honor env. But git doesn't allow specifying multiple subkeys, it only
# passes one -u option.
# UID specs explicitly allow whitespace in several formats.
# We have one scalar value, we're sh, we're not going to try using an array.
#
# So if you want to sign with multiple subkeys, then set it up with multiple
# local-user directives in ~/.gnupg/gpg.conf & set EXIM_KEY=default in environ.
| 30 | |
# Choose the signing key: an explicit EXIM_KEY wins; otherwise git's
# user.signingkey is used when git reports one.  With neither, we only warn
# and leave the choice to gpg's own configuration (see the case below).
if ! repo_signing_key="$(git config user.signingkey)"; then
  [ -n "${EXIM_KEY:-}" ] || warn "no EXIM_KEY found, trusting local gpg config"
else
  : "${EXIM_KEY:=$repo_signing_key}"
fi
| 38 | |
# gpg_sign FILE: write an ASCII-armored detached signature next to FILE
# (gpg's default output name is FILE.asc, which is why *.asc is skipped when
# the file list is built below).  With EXIM_KEY unset or "default", no
# --local-user is passed and gpg's configuration picks the key(s); otherwise
# EXIM_KEY is the single --local-user.  The choice is made once, here; a
# later change to EXIM_KEY has no effect on gpg_sign.
if [ "${EXIM_KEY:-default}" = "default" ] || [ "${EXIM_KEY:-default}" = "DEFAULT" ]; then
  gpg_sign() { ${GPG_COMMAND} --detach-sig --armor "${1:?}" ; }
else
  gpg_sign() { ${GPG_COMMAND} --local-user "${EXIM_KEY}" --detach-sig --armor "${1:?}" ; }
fi
| 47 | |
| 48 | cd_to() { echo "Working in: $1"; cd "$1"; } |
| 49 | |
| 50 | #okay=false |
| 51 | #if [ -d ../../release-process ] && [ "${PWD##*/}" = "pkgs" ]; then |
| 52 | # okay=true # we are in right dir |
| 53 | #elif [ -d release-process ]; then |
| 54 | # b="$(find . -maxdepth 1 -name 'exim-packaging-*' | sort | tail -n 1)" |
| 55 | # if [ ".$b" != "." ]; then |
| 56 | # cd_to "$b/pkgs" |
| 57 | # okay=true |
| 58 | # fi |
| 59 | #fi |
| 60 | #if ! $okay; then |
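# The directory to sign in is the required first argument (the automatic
# detection kept as commented-out code above is not in use).  ${1:?...}
# aborts with that message and a non-zero status when no argument is given;
# an argument that is not a directory is reported through warn like every
# other diagnostic.
if [ -d "${1:?need a directory to look in}" ]; then
  cd_to "$1"
  shift
else
  warn "where should I be looking"
  exit 1
fi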
| 68 | #fi |
| 69 | |
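# Sign every regular file below here that is not already a *.asc signature.
# NOTE: this really is every file, not only *.tar.* as the header comment
# says.  Reading find's output one line at a time keeps names containing
# spaces intact (a newline in a name would still break it); "./" is put back
# in front of the name so that a file whose name starts with "-" cannot be
# taken by gpg as an option.  The loop body runs in the last stage of the
# pipeline, so a failing gpg_sign exits that stage non-zero and -e then
# aborts the script, as it did with the previous for loop.
find . -name '*.asc' -prune -o -type f -print | cut -c 3- | sort |
while IFS= read -r FILE; do
  echo "Signing: $FILE"
  gpg_sign "./$FILE"
done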