This script is meant to be called by the AutomaticByHandPackages mechanism. It receives a .tar.xz file with EFI images and/or Linux modules, calls byhand-code-sign-user as the codesign user to generate another .tar.xz with detached signatures, and publishes it in $ftpdir/dists/$suitedir/main/code-sign/
Contributions: Ben Hutchings <b...@decadent.org.uk>
---
This patch series is based on https://ftp-master.debian.org/git/dak.git master Patches are also available here: https://github.com/helen-fornazier/dak/tree/review
scripts/debian/byhand-code-sign | 52 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100755 scripts/debian/byhand-code-sign
diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
new file mode 100755
index 0000000..f3eceab
--- /dev/null
+++ b/scripts/debian/byhand-code-sign
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+set -u
+set -e
+set -o pipefail
+
+if [ $# -lt 5 ]; then
+ echo "Usage: $0 filename version arch changes_file suite"
+ exit 1
+fi
+
+IN_TARBALL="$1" # Tarball to read, compressed with xz
+VERSION="$2"
+ARCH="$3"
+CHANGES="$4" # Changes file for the upload
+SUITE="$5"
+
+error() {
+ echo >&2 "E: $*"
+ exit 1
+}
+
+# Read dak configuration for security or main archive.
+# Also determine subdirectory for the suite.
+case "$0" in
+ /srv/security-master.debian.org/*)
+ configdir="/srv/security-master.debian.org/dak/config/debian-security"
+ suitedir="$SUITE/updates"
+ ;;
+ /srv/ftp-master.debian.org/*)
+ configdir="/srv/ftp-master.debian.org/dak/config/debian"
+ suitedir="$SUITE"
+ ;;
+ *)
+ error "$0: Can't tell if security or not"
+ ;;
+esac
+. "$configdir/vars"
+
+TARGET="$ftpdir/dists/$suitedir/main/code-sign/"
+OUT_TARBALL="$TARGET/${IN_TARBALL##*/}"
+OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz"
+
+# Check that this source/arch/version hasn't already been signed
+if [ -e "$OUT_TARBALL" ]; then
+ error "Signature tarball already exists: $OUT_TARBALL"
+fi
+
+mkdir -p "${OUT_TARBALL%/*}"
+
+sudo -u codesign "${0%/*}/byhand-code-sign-user" "$configdir/byhand-code-sign.conf" < "$IN_TARBALL" > "$OUT_TARBALL"
+echo "I: Created $OUT_TARBALL"
-- 2.7.4
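Review bot: The final `sudo -u codesign … > "$OUT_TARBALL"` line lets the shell create the output file in the published code-sign directory before the signer runs, so if byhand-code-sign-user fails and `set -e` aborts, an empty or truncated `_sigs.tar.xz` stays behind and every retry then stops at the "Signature tarball already exists" check. Writing to a temporary file in the same directory and renaming it only on success avoids both problems. Separately, `$SUITE` goes into `$TARGET` unvalidated; if dak does not already constrain it, rejecting values that contain `..` or `/` before building the path would be worth adding.

```shell
mkdir -p "${OUT_TARBALL%/*}"

# Sign into a temporary file in the target directory so a failed run
# never leaves a truncated *_sigs.tar.xz in the published tree.
tmp_tarball="$(mktemp "${OUT_TARBALL%/*}/.code-sign.XXXXXX")"
trap 'rm -f -- "$tmp_tarball"' EXIT

sudo -u codesign "${0%/*}/byhand-code-sign-user" "$configdir/byhand-code-sign.conf" < "$IN_TARBALL" > "$tmp_tarball"
chmod 0644 "$tmp_tarball"  # mktemp creates the file 0600; adjust to the archive's usual mode
mv -- "$tmp_tarball" "$OUT_TARBALL"
echo "I: Created $OUT_TARBALL"
```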