From 439c7ff2058c85475db2566a55f45f1531d67a20 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Mon, 3 May 2021 12:18:39 +0200
Subject: sign repo metadata gh#175

---
 mkmodular | 27 +++++++++++++++++++++++++++
 mkrepo | 59 +++++++++++++++++++++++++++++++----------------------------
 2 files changed, 58 insertions(+), 28 deletions(-)

diff --git a/mkmodular b/mkmodular
index 9ad0754..51fd59a 100755
--- a/mkmodular
+++ b/mkmodular
@@ -327,7 +327,31 @@ function createRepo($dest, $mod) {
 
 $old = getcwd();
 chdir($dest);
+// Key
+[$dis,$ver]=explode("/", $dest);
+$GPG_NAME="Remi's RPM repository";
+if ($dis == "fedora") {
+    if ($ver >= 34) {
+        $GPG_PATH="/home/remi/.gnupg2021";
+    } else if ($ver >= 32) {
+        $GPG_PATH="/home/remi/.gnupg2020";
+    } else {
+        $GPG_PATH="/home/remi/.gnupg2019";
+    }
+} else {
+    if ($ver >= 8) {
+        $GPG_PATH="/home/remi/.gnupg2018";
+    } else {
+        $GPG_PATH="/home/remi/.gnupgrpm";
+        $GPG_NAME="Remi Collet";
+    }
+}
+echo "Metadata, signing with $GPG_PATH, ";
+
+// Repository content
 exec("mkrepo nocheck noclean");
+
+// Modular data
 $data = '/tmp/modules.yaml';
 file_put_contents($data, $mod);
 $hash = hash('sha256', $mod);
@@ -335,6 +359,9 @@ exec("modifyrepo_c --mdtype=modules $data repodata >/dev/null");
 
 $arch = basename($dest);
 rename($data, "$data.$arch");
+// Sign
+@unlink("repodata/repomd.xml.asc");
+exec("gpg --armor --detach-sign --default-key \"$GPG_NAME\" --homedir \"$GPG_PATH\" repodata/repomd.xml");
 chdir($old);
 }
 /*
diff --git a/mkrepo b/mkrepo
index 5f25de6..93e946e 100755
--- a/mkrepo
+++ b/mkrepo
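Review bot: The key ladder added to createRepo does not agree with the one this same commit puts into mkrepo: for Fedora below 32 this branch signs with `.gnupg2019` (mkrepo refuses anything below 30 with `exit 1`), and the non-Fedora branch applies `$ver >= 8` to any distribution name while mkrepo requires `"$dis" == "enterprise"`. Because mkrepo is invoked from this function via `exec("mkrepo nocheck noclean")` and signs repomd.xml itself, the two scripts may pick different keys for the same `$dest`, and the second hunk then silently replaces mkrepo's signature with one from another key. Suggest mirroring the shell conditions, `} else if ($ver >= 30) {` with a failing `else`, and `if ($dis == "enterprise" && $ver >= 8) {`, or computing the key path in one place only. createRepo starts before this hunk.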
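Review bot: The gpg exit status is discarded in the new `exec(...)` line, since `exec()` is called without its return-status argument, and the preceding `@unlink` is error-suppressed; a failed signing (missing homedir, wrong key name, no agent) leaves a freshly rewritten repomd.xml with no `.asc`, or a stale one if the unlink itself failed, while the run reports success. Suggest `exec("gpg ...", $out, $rc);` followed by `if ($rc !== 0) { fwrite(STDERR, "signing repomd.xml failed\n"); exit(1); }`; adding `--batch` to the gpg call would also make an unattended run fail fast instead of waiting on a prompt. The same unchecked gpg call is added at the end of mkrepo in the last hunk of this patch. createRepo starts before this hunk.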
@@ -23,39 +23,40 @@ else
   dst=/data/rpms/old
 fi
 
+GPG_NAME="Remi's RPM repository"
+if [ "$dis" == "fedora" ]; then
+  # Fedora
+  if [ "$ver" -ge 34 ]
+  then echo "key 2021"
+    GPG_PATH=/home/remi/.gnupg2021
+  elif [ "$ver" -ge 32 ]
+  then echo "key 2020"
+    GPG_PATH=/home/remi/.gnupg2020
+  elif [ "$ver" -ge 30 ]
+  then echo "key 2019"
+    GPG_PATH=/home/remi/.gnupg2019
+  else echo "older key"
+    exit 1
+  fi
+else
+  # Enterprise
+  if [ "$dis" == "enterprise" -a "$ver" -ge 8 ]
+  then echo "key 2018"
+    GPG_PATH=/home/remi/.gnupg2018
+  else echo "old key"
+    GPG_PATH=/home/remi/.gnupgrpm
+    GPG_NAME="Remi Collet"
+  fi
+fi
+
 if [ ${1:-check} != nocheck ]; then
   echo "+ Controle des signatures"
   rpm -K *.rpm | grep -v 'signatures.*OK' | cut -d: -f1 | tee $TMP
   if [ -s $TMP ]
   then
-    if [ "$dis" == "fedora" -a "$ver" -ge 34 ]
-    then echo "key 2021"
-      rpmsign --define '_gpg_path /home/remi/.gnupg2021' --define "_gpg_name Remi's RPM repository" --addsign $(cat $TMP)
-
-    elif [ "$dis" == "fedora" -a "$ver" -ge 32 ]
-    then echo "key 2020"
-      rpmsign --define '_gpg_path /home/remi/.gnupg2020' --define "_gpg_name Remi's RPM repository" --addsign $(cat $TMP)
-
-    elif [ "$dis" == "fedora" -a "$ver" -ge 30 ]
-    then echo "key 2019"
-      rpmsign --define '_gpg_path /home/remi/.gnupg2019' --define "_gpg_name Remi's RPM repository" --addsign $(cat $TMP)
-
-    elif [ "$dis" == "fedora" -a "$ver" -ge 28 ]
-    then echo "key 2018"
-      rpmsign --define '_gpg_path /home/remi/.gnupg2018' --define "_gpg_name Remi's RPM repository" --addsign $(cat $TMP)
-
-    elif [ "$dis" == "enterprise" -a "$ver" -ge 8 ]
-    then echo "key 2018"
-      rpmsign --define '_gpg_path /home/remi/.gnupg2018' --define "_gpg_name Remi's RPM repository" --addsign $(cat $TMP)
-
-    elif [ "$dis" == "fedora" -a "$ver" -ge 26 ]
-    then echo "key 2017"
-      rpmsign --define '_gpg_path /home/remi/.gnupg2017' --define "_gpg_name Remi's RPM repository" --addsign $(cat $TMP)
-
-    else echo "old key"
-      rpmsign --define '_gpg_path /home/remi/.gnupgrpm' --define "_gpg_name Remi Collet" --addsign $(cat $TMP)
-    fi
-  else echo OK.
+    rpmsign --define "_gpg_path $GPG_PATH" --define "_gpg_name $GPG_NAME" --addsign $(cat $TMP)
+  else
+    echo OK.
   fi
 fi
 
@@ -101,6 +102,8 @@ else
     --compress-type=bz2 \
     --database .
 fi
+rm -f repodata/repomd.xml.asc
+gpg --armor --detach-sign --default-key "$GPG_NAME" --homedir "$GPG_PATH" repodata/repomd.xml
 
 #echo "+ Génération repoview"
 #nom=${PWD#/home/rpmbuild/site/rpms/}
-- 
cgit
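Review bot: The non-Fedora branch of the new key selection falls through to `.gnupgrpm` / `Remi Collet` for any value of `$dis` and `$ver`, including empty or mis-detected ones, whereas the Fedora branch stops with `exit 1` for an unknown release; a directory that does not match either layout is therefore signed with the oldest key rather than rejected. Suggest keeping the old-key case explicit, `elif [ "$dis" == "enterprise" ]`, followed by `else echo "unknown dist: $dis $ver"; exit 1`. As a point of style, `-a` inside `[ ]` is marked obsolescent by POSIX; `[ "$dis" == "enterprise" ] && [ "$ver" -ge 8 ]` is the portable spelling. Where `$dis` and `$ver` are derived is outside this hunk, as is the start of the script.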