[Merge] lp:~cjwatson/ubuntu-archive-publishing/sign-parts into lp:ubuntu-archive-publishing
William Grant
me at williamgrant.id.au
Tue Mar 20 09:28:11 UTC 2018
Review: Approve code
Diff comments:
> === added directory 'sign.d'
> === added file 'sign.d/10-sign'
> --- sign.d/10-sign 1970-01-01 00:00:00 +0000
> +++ sign.d/10-sign 2018-01-19 09:41:05 +0000
> @@ -0,0 +1,109 @@
> +#! /bin/sh
> +set -e
> +
> +# The calling script may set GNUPGHOME to a value set up by Launchpad's
> +# script machinery. In production, we have a dedicated directory set up
> +# for this.
> +export GNUPGHOME="$ARCHIVEROOT/../gnupg-home"
> +
> +if ! test -d "$GNUPGHOME"
> +then
> + echo "There is no $GNUPGHOME; not signing files."
> + exit 0
> +fi
> +
> +# Return additional GPG options to be used when signing files for a given
> +# series.
> +gpg_opts () {
> + local series
> + series="${SUITE%%-*}"
> + case $LPCONFIG in
> + ftpmaster-publish)
> + case "$series:$1" in
> + # Use single-signature 1024 key SHA1 for old releases
> + warty:*|hoary:*|breezy:*|dapper:*|edgy:*|feisty:*|gutsy:*|hardy:*|intrepid:*|jaunty:*|karmic:*|lucid:*|maverick:*|natty:*|oneiric:*|precise:*)
> + printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 --digest-algo SHA1"
> + ;;
> + # Use single-signature 1024 key SHA1 for upgrades from distributions with 1k key only
> + quantal:*/dist-upgrader*|raring:*/dist-upgrader*|saucy:*/dist-upgrader*|trusty:*/dist-upgrader*)
> + printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 --digest-algo SHA1"
> + ;;
> + # Use single-signature 4096 key SHA512 for upgrades from distributions with 4k present
> + utopic:*/dist-upgrader*|vivid:*/dist-upgrader*|wily:*/dist-upgrader*|xenial:*/dist-upgrader*|yakkety:*/dist-upgrader*)
> + printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
> + ;;
> + # Use dual-signatures 1024 & 4096 keys SHA512 for the archive, for a transitioning period, to allow e.g. precise .0 to bootstrap any of these
> + quantal:*|raring:*|saucy:*|trusty:*|utopic:*|vivid:*|wily:*|xenial:*|yakkety:*)
> + printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 -u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
> + ;;
> + *)
> + # Use single-signature 4096 key SHA512 for zesty and up, including dist-upgrade tarballs
> + printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
> + ;;
> + esac
> + ;;
> + derived-distro-publish)
> + case $DISTRIBUTION in
> + ubuntu-rtm)
> + printf '%s\n' "-u 5810338B"
> + ;;
> + esac
> + ;;
> + dogfood-publish)
> + case $DISTRIBUTION in
> + ubuntu-rtm)
> + printf '%s\n' "-u 272AD8D5"
> + ;;
> + esac
> + ;;
> + esac
> +}
> +
> +need_inrelease () {
> + local series
> + series="${SUITE%%-*}"
> + case $series in
> + warty|hoary|breezy|dapper|edgy|feisty|gutsy|hardy|intrepid|jaunty|karmic|lucid|maverick|natty|oneiric|quantal|raring|saucy|utopic)
> + # Skip all suites from before InRelease was implemented in
> + # Ubuntu.
> + return 1
> + ;;
> + precise|trusty)
> + case $SUITE in
> + precise|trusty)
> + # Skip LTS release pockets for the moment, because
> + # it will cause apt to redownload the world.
> + return 1
> + ;;
> + *)
> + return 0
> + ;;
> + esac
> + ;;
> + *)
> + return 0
> + ;;
> + esac
> +}
> +
> +case $MODE in
> + detached)
> + opts="$(gpg_opts "$INPUT_FILE")"
> + echo "$(date -R): (re-)signing $INPUT_FILE as $OUTPUT_FILE ($opts)"
> + gpg --yes --detach-sign --armor -o "$OUTPUT_FILE" \
> + --sign --no-permission-warning $opts "$INPUT_FILE"
> + ;;
> + clear)
> + if echo "$OUTPUT_FILE" | grep -qs InRelease && ! need_inrelease; then
I'd consider something more precise like [ -z "`expr match "$OUTPUT_FILE" '/\(InRelease\)$'`" ]
> + exit 0
> + fi
> + opts="$(gpg_opts "$INPUT_FILE")"
> + echo "$(date -R): (re-)signing $INPUT_FILE as $OUTPUT_FILE ($opts)"
> + gpg --yes --clearsign --armor -o "$OUTPUT_FILE" \
> + --no-permission-warning $opts "$INPUT_FILE"
> + ;;
> + *)
> + echo "unknown MODE: $MODE" >&2
> + exit 1
> + ;;
> +esac
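Review bot: The derived-distro-publish and dogfood-publish branches of gpg_opts select signing keys by 8-hex-digit short IDs (`-u 5810338B`, `-u 272AD8D5`) while the ftpmaster-publish branch uses full fingerprints; a short ID is only 32 bits and not collision-resistant, so another key present in GNUPGHOME could be picked up instead, and using the same full-fingerprint form throughout would be both safer and consistent. Separately, GNUPGHOME is derived from `$ARCHIVEROOT` with no check that it is set, so under `set -e` without `set -u` an unset ARCHIVEROOT resolves to `/../gnupg-home`, the `test -d` fails and the script exits 0 with the files left unsigned; asserting it first with `: "${ARCHIVEROOT:?ARCHIVEROOT must be set}"` turns that misconfiguration into a loud failure. The unquoted `$opts` in both gpg invocations is relied on for word-splitting and deserves a comment saying so, e.g. `# $opts is intentionally unquoted: it holds several gpg options.`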
--
https://code.launchpad.net/~cjwatson/ubuntu-archive-publishing/sign-parts/+merge/336347