X-Git-Url: https://vcs.fsf.org/?p=exim.git;a=blobdiff_plain;f=release-process%2Fscripts%2Fsign_exim_packages;h=e768409968faa4e113c7db2462a56b9ddd8a7294;hp=bd02d1183d9a15c465b6e8218730204070dbcf32;hb=00b35aee4cdc8a002b537d51585f925aba19db09;hpb=00f7a87b04290db615ec29584e0554928fca81c7;ds=sidebyside diff --git a/release-process/scripts/sign_exim_packages b/release-process/scripts/sign_exim_packages index bd02d1183..e76840996 100755 --- a/release-process/scripts/sign_exim_packages +++ b/release-process/scripts/sign_exim_packages @@ -12,28 +12,52 @@ # woe betide the poor sod who does not use a gpg agent, so has # to enter their password for every file... +prog="$(basename "$0")" +warn() { printf >&2 "%s: %s\n" "$prog" "$*" ; } + +: "${GPG_COMMAND:=gpg}" +umask 022 + +# We've always expected an explicit key for signing, instead of just using the +# gnupg config. It make sense to honor the git config value. It makes sense +# to honor env. But git doesn't allow specifying multiple subkeys, it only +# passes one -u option. +# UID specs explicitly allow whitespace in several formats. +# We have one scalar value, we're sh, we're not going to try using an array. +# +# So if you want to sign with multiple subkeys, then set it up with multiple +# local-user directives in ~/.gnupg/gpg.conf & set EXIM_KEY=default in environ. + if repo_signing_key="$(git config user.signingkey)"; then : "${EXIM_KEY:=$repo_signing_key}" else - : "${EXIM_KEY:?Need a PGP key uid to sign with}" + if [ ".${EXIM_KEY:-}" = "." ]; then + warn "no EXIM_KEY found, trusting local gpg config" + fi fi -: "${GPG_COMMAND:=gpg}" -umask 022 +case "${EXIM_KEY:-default}" in +default|DEFAULT) + gpg_sign() { ${GPG_COMMAND} --detach-sig --armor "${1:?}" ; } + ;; +*) + gpg_sign() { ${GPG_COMMAND} --local-user "${EXIM_KEY}" --detach-sig --armor "${1:?}" ; } + ;; +esac cd_to() { echo "Working in: $1"; cd "$1"; } -okay=false -if [ -d ../../release-process ] && [ "${PWD##*/}" = "pkgs" ]; then - okay=true # we are in right dir -elif [ -d release-process ]; then - b="$(find . -maxdepth 1 -name 'exim-packaging-*' | sort | tail -n 1)" - if [ ".$b" != "." ]; then - cd_to "$b/pkgs" - okay=true - fi -fi -if ! $okay; then +#okay=false +#if [ -d ../../release-process ] && [ "${PWD##*/}" = "pkgs" ]; then +# okay=true # we are in right dir +#elif [ -d release-process ]; then +# b="$(find . -maxdepth 1 -name 'exim-packaging-*' | sort | tail -n 1)" +# if [ ".$b" != "." ]; then +# cd_to "$b/pkgs" +# okay=true +# fi +#fi +#if ! $okay; then if [ -d "${1:?need a directory to look in}" ]; then cd_to "$1" shift @@ -41,13 +65,12 @@ if ! $okay; then printf "%s: %s\n" >&2 "$(basename "$0")" "where should I be looking" exit 1 fi -fi +#fi # Assumes no whitespace (strictly, $IFS) in filenames, which we're okay with set $(find . -name '*.asc' -prune -o -type f -print | cut -c 3- | sort) - for FILE do echo "Signing: $FILE" - ${GPG_COMMAND} --local-user "${EXIM_KEY}" --detach-sig --armor "$FILE" + gpg_sign "$FILE" done