#!/bin/sh # Script by Ypnose - http://ywstd.fr set -e # To generate a signify key pair, use this command: # $ signify -G -c 'my awesome repo' -p repo.pub -s repo.sec #################### # Environment RYPP_DEST="${SOLBASE:-/opt/rypp}" RYPP_ARCD="${RYPP_DEST}/repo}" RYPP_SECK="${RYPP_DEST}/keys/repo.sec}" RYPP_PUBK="${RYPP_DEST}/keys/repo.pub}" LC_ALL=C export LC_ALL #################### p_err() { printf "ERR: %s\n" "$1" >&2 exit 1 } #################### if [ ! -d "$RYPP_ARCD" ]; then p_err "$RYPP_ARCD repo directory is missing" fi # People are not reliable (find(1) doesn't return a helpful $? too) if [ -z "$(find "$RYPP_ARCD" -type f -iname "*.rypp.tgz")" ]; then p_err "No package found in $RYPP_ARCD" fi if [ ! -x "$(command -v signify)" ]; then p_err "signify not found in the PATH" fi # Keys are there? for k in "$RYPP_SECK" "$RYPP_PUBK"; do if [ ! -r "$k" ]; then p_err "$k is either missing or unreadable" fi done cd "$RYPP_ARCD" # Clear existing files if any rm -f SHA256SUM SHA256SUM.mes SHA256SUM.sign # Archive list for f in *.rypp.tgz; do if [ "${f%%_*}" = "$R_PKN" ]; then p_err "Another '${R_PKN}' version was already registered (${R_PKL})" fi R_PKN="${f%%_*}" R_PKL="${f%.rypp*}" printf "%s\n" "$R_PKL" done >RYPPLIST # Checksums sha256sum RYPPLIST *.rypp.tgz | while IFS=' ' read -r R_SUM R_ARC; do printf "%s %s\n" "$R_SUM" "$R_ARC" >>SHA256SUM # Emulate OpenBSD sha256(1) output printf "SHA256 (%s) = %s\n" "$R_ARC" "$R_SUM" >>SHA256SUM.mes done # Sign checksums file (embed message after signature) signify -S -e -s "$RYPP_SECK" -m SHA256SUM.mes -x SHA256SUM.sign rm SHA256SUM.mes # Full public key path is not necessary inplace SHA256SUM.sign sed "1c untrusted comment: verify with ${RYPP_PUBK##*/}" # Verify signatures using the public key. If a problem occurs online, we # are 101% sure it's not from us... signify -C -p "$RYPP_PUBK" -x SHA256SUM.sign printf "%s\n" "DONE" exit