publish-distro.d/10-sign-releases (bzr annotate view)

Launchpad publish-distro run-parts plugin for the Ubuntu archive. It detach-signs the Release files, dist-upgrader tarballs and installer/signed/uefi checksum files found under $DISTSROOT, clearsigns InRelease files for the suites need_inrelease allows, and selects the signing key(s) and digest algorithm per series in gpg_opts. The left column below gives the revision that last changed each line; the revisions, their authors and commit messages are:

r5        Jeroen Vermeulen: Lint.
r10.1.1   Jeroen Vermeulen: Set GNUPGHOME to production value in sign-releases plugin script.
r10.3.2   Jeroen Vermeulen: Re-thought the shell quoting; can't double-escape.
r10.4.3   Jeroen Vermeulen: The DISTSROOT the run-parts scripts get is the working copy, not the real thing.
r16.1.1   Jeroen Vermeulen: Don't try to GPG on systems that don't have the setup. Breaks pointlessly on dogfood.
r30       Colin Watson: Sign >= quantal with the new archive signing key (C0B21F32) as well as the old (437D05B5).
r31       Colin Watson: publish-distro.d/10-sign-releases: only sign dist-upgrader tarball with old key
r40       Adam Conrad: Stop spamming the log about our goofy homedir permissions
r56       Colin Watson: Sign ubuntu-rtm on dogfood.
r58       Colin Watson: Compute GNUPGHOME from ARCHIVEROOT rather than hardcoding it.
r61       Colin Watson: Sign the ubuntu-rtm archive with 0x5810338B.
r70.1.1   Colin Watson: Add clearsigned InRelease files for archives.
r70.1.2   Colin Watson: Merge trunk, applying same timestamp fix to InRelease.
r70.1.3   Colin Watson: Clarify log message.
r71       Colin Watson: Make signatures have the same timestamp as the unsigned files, to aid cache configuration.
r73       Colin Watson: Don't generate InRelease files for LTS release pockets for the moment, to stop apt redownloading the world.
r83.1.1   Colin Watson: Sign published checksum files for raw-signing/raw-uefi uploads.
r87.1.1   Dimitri John Ledkov: Preserve existing signing combinations, use 4k RSA key only for z-series and up.
r87.1.3   Dimitri John Ledkov: Use key fingerprints for all signatures.
r87.1.4   Dimitri John Ledkov: Make dist-upgrader tarballs of ->utopic..yakkety upgrades with a 4k key.
r87.1.6   Dimitri John Ledkov: Encode digest-algo in the code, update comments for consistency and clarity.
r104.1.1  Dimitri John Ledkov: signing: Post-cosmic dual-sign with 2012 and 2018 4k keys.
r108.1.2  Dimitri John Ledkov: Also change 10-sign-releases
r112      Colin Watson: Temporarily revert r109 until ubuntu-archive-keyring is SRUed to xenial.
r113      Sebastien Bacher: Revert r112, the updated key is available in Xenial now

Annotated script:

r5        | #!/bin/sh -e
r5        | 
r10.1.1   | # The calling script may set GNUPGHOME to a value set up by Launchpad's
r10.1.1   | # script machinery. In production, we have a dedicated directory set up
r10.1.1   | # for this.
r58       | export GNUPGHOME="$ARCHIVEROOT/../gnupg-home"
r10.1.1   | 
r16.1.1   | if ! test -d "$GNUPGHOME"
r16.1.1   | then
r16.1.1   |     echo "There is no $GNUPGHOME; not signing Release files."
r16.1.1   |     exit 0
r16.1.1   | fi
r16.1.1   | 
r30       | # Calculate the series from a path.
r30       | path_to_series () {
r30       |     local series
r30       |     series="$(echo "$1" | sed 's,.*/dists/\([^/-][^/-]*\).*,\1,')"
r30       |     case $series in
r30       |     */*)
r30       |         return
r30       |         ;;
r30       |     *)
r30       |         echo "$series"
r30       |         ;;
r30       |     esac
r30       | }
r30       | 
r30       | # Return additional GPG options to be used when signing files for a given
r30       | # series.
r30       | gpg_opts () {
r31       |     local series
r31       |     series="$(path_to_series "$1")"
r30       |     case $LPCONFIG in
r30       |     ftpmaster-publish)
r31       |         case "$series:$1" in
r87.1.6   |         # Use single-signature 1024 key SHA1 for old releases
r87.1.1   |         warty:*|hoary:*|breezy:*|dapper:*|edgy:*|feisty:*|gutsy:*|hardy:*|intrepid:*|jaunty:*|karmic:*|lucid:*|maverick:*|natty:*|oneiric:*|precise:*)
r87.1.6   |             printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 --digest-algo SHA1"
r87.1.1   |             ;;
r87.1.6   |         # Use single-signature 1024 key SHA1 for upgrades from distributions with 1k key only
r87.1.4   |         quantal:*/dist-upgrader*|raring:*/dist-upgrader*|saucy:*/dist-upgrader*|trusty:*/dist-upgrader*)
r87.1.6   |             printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 --digest-algo SHA1"
r87.1.1   |             ;;
r87.1.6   |         # Use single-signature 4096 key SHA512 for upgrades from distributions with 4k present
r87.1.4   |         utopic:*/dist-upgrader*|vivid:*/dist-upgrader*|wily:*/dist-upgrader*|xenial:*/dist-upgrader*|yakkety:*/dist-upgrader*)
r87.1.6   |             printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
r87.1.4   |             ;;
r87.1.6   |         # Use dual-signatures 1024 & 4096 keys SHA512 for the archive, for a transitioning period, to allow e.g. precise .0 to bootstrap any of these
r87.1.1   |         quantal:*|raring:*|saucy:*|trusty:*|utopic:*|vivid:*|wily:*|xenial:*|yakkety:*)
r87.1.3   |             printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 -u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
r30       |             ;;
r104.1.1  |         # Use single-signature 4096 key SHA512 for zesty..cosmic, including dist-upgrade tarballs
r104.1.1  |         zesty:*|artful:*|bionic:*|cosmic:*)
r104.1.1  |             printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
r104.1.1  |             ;;
r113      |         # Use dual-signature using 2012 & 2018 4k keys and SHA512 for the disco-focal, including dist-upgrade tarballs
r113      |         disco:*|eoan:*|focal:*)
r113      |             printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 -u 0xF6ECB3762474EDA9D21B7022871920D1991BC93C --digest-algo SHA512"
r113      |             ;;
r113      |         # Use single-signature using 2018 4k keys and SHA512 for the rest (GG-), including dist-upgrade tarballs
r112      |         *)
r113      |             printf '%s\n' "-u 0xF6ECB3762474EDA9D21B7022871920D1991BC93C --digest-algo SHA512"
r108.1.2  |             ;;
r30       |         esac
r30       |         ;;
r61       |     derived-distro-publish)
r61       |         case $ARCHIVEROOT in
r61       |         */ubuntu-rtm)
r61       |             printf '%s\n' "-u 5810338B"
r61       |             ;;
r61       |         esac
r61       |         ;;
r56       |     dogfood-publish)
r56       |         local distribution
r56       |         distribution="$(basename "$ARCHIVEROOT")"
r56       |         case "$distribution" in
r56       |         ubuntu-rtm)
r56       |             printf '%s\n' "-u 272AD8D5"
r56       |             ;;
r56       |         esac
r56       |         ;;
r30       |     esac
r30       | }
r30       | 
r73       | # Calculate the suite from a path.
r73       | path_to_suite () {
r73       |     local suite
r73       |     suite="$(echo "$1" | sed 's,.*/dists/\([^/][^/]*\).*,\1,')"
r73       |     case $suite in
r73       |     */*)
r73       |         return
r73       |         ;;
r73       |     *)
r73       |         echo "$suite"
r73       |         ;;
r73       |     esac
r73       | }
r73       | 
r73       | need_inrelease () {
r73       |     local suite
r73       |     suite="$(path_to_suite "$1")"
r73       |     case $suite in
r73       |     warty*|hoary*|breezy*|dapper*|edgy*|feisty*|gutsy*|hardy*|intrepid*|jaunty*|karmic*|lucid*|maverick*|natty*|oneiric*|quantal*|raring*|saucy*|utopic*)
r73       |         # Skip all suites from before InRelease was implemented in
r73       |         # Ubuntu.
r73       |         return 1
r73       |         ;;
r73       |     precise|trusty)
r73       |         # Skip LTS release pockets for the moment, because it will
r73       |         # cause apt to redownload the world.
r73       |         return 1
r73       |         ;;
r73       |     *)
r73       |         return 0
r73       |         ;;
r73       |     esac
r73       | }
r73       | 
r10.4.3   | RELEASE_FILES=`find $DISTSROOT -maxdepth 2 -name Release`
r5        | DIST_UPGRADER_TARBALLS=`
r10.4.3   |     find $DISTSROOT/*/*/dist-upgrader* -name "*.tar.gz" || true`
r83.1.1   | CUSTOM_CHECKSUMS=`
r83.1.1   |     find $DISTSROOT/*/*/installer-* \
r83.1.1   |          $DISTSROOT/*/*/signed \
r83.1.1   |          $DISTSROOT/*/*/uefi \
r83.1.1   |          -name "*SUMS" || true`
r5        | 
r83.1.1   | for CANDIDATE in $RELEASE_FILES $DIST_UPGRADER_TARBALLS $CUSTOM_CHECKSUMS
r5        | do
r10.3.2   |     if [ ! -f "$CANDIDATE.gpg" ] || [ "$CANDIDATE" -nt "$CANDIDATE.gpg" ]
r5        |     then
r31       |         opts="$(gpg_opts "$CANDIDATE")"
r30       |         echo "$(date -R): (re-)signing $CANDIDATE ($opts)"
r10.3.2   |         gpg --yes --detach-sign --armor -o "$CANDIDATE.gpg" \
r40       |             --sign --no-permission-warning $opts "$CANDIDATE"
r71       |         touch --reference "$CANDIDATE" "$CANDIDATE.gpg"
r5        |     fi
r5        | done
r70.1.1   | 
r70.1.1   | for CANDIDATE in $RELEASE_FILES
r70.1.1   | do
r70.1.1   |     INRELEASE="${CANDIDATE%/Release}/InRelease"
r73       |     if ([ ! -f "$INRELEASE" ] || [ "$CANDIDATE" -nt "$INRELEASE" ]) && \
r73       |        need_inrelease "$CANDIDATE"; then
r70.1.1   |         opts="$(gpg_opts "$CANDIDATE")"
r70.1.3   |         echo "$(date -R): (re-)signing $INRELEASE ($opts)"
r70.1.1   |         gpg --yes --clearsign --armor -o "$INRELEASE" \
r70.1.1   |             --no-permission-warning $opts "$CANDIDATE"
r70.1.2   |         touch --reference "$CANDIDATE" "$INRELEASE"
r70.1.1   |     fi
r70.1.1   | done
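gpg_opts encodes the archive's signing policy per series: the 1024-bit key 437D05B5 with SHA1 for releases up to precise (and for the dist-upgrader tarballs of quantal..trusty), dual signatures by 437D05B5 and the 4096-bit 2012 key C0B21F32 with SHA512 for the quantal..yakkety archive, C0B21F32 alone for zesty..cosmic, C0B21F32 plus the 2018 key 991BC93C for disco..focal, and 991BC93C alone after that. Whether a published Release.gpg or InRelease actually carries that combination can be read from the VALIDSIG status lines gpg and gpgv emit with --status-fd, which also name the digest each signature used. The checker below is an added example, not code from the publisher or from Launchpad: the status lines it parses are constructed samples, the fingerprints are the ones gpg_opts uses, the function names are this example's own, and the hash-algorithm ids it compares (2 = SHA1, 8 = SHA256, 10 = SHA512) are the OpenPGP values GnuPG reports in that field.

```sh
#!/bin/sh
# Added example, not part of publish-distro.d/10-sign-releases: confirm
# that a verified signature carries exactly the key set and digest that
# gpg_opts selects for a series, by parsing the machine-readable status
# lines gpg/gpgv print with --status-fd.  Format (GnuPG doc/DETAILS):
#   [GNUPG:] VALIDSIG <fpr> <sig-date> <sig-ts> <expire-ts> <sig-version>
#            <reserved> <pubkey-algo> <hash-algo> <sig-class> [<primary-fpr>]
# <hash-algo> is the OpenPGP id: 2 = SHA1, 8 = SHA256, 10 = SHA512.

# Fingerprint in the form VALIDSIG uses: no 0x prefix, upper-case hex.
norm_fpr() {
    printf '%s\n' "$1" | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF'
}

# One signing-key fingerprint per VALIDSIG line read from stdin.
validsig_fprs() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($3) }'
}

# One hash-algorithm id per VALIDSIG line read from stdin.
validsig_hash_algos() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $10 }'
}

# Usage: check_signers STATUS_FILE HASH_ALGO_ID FPR...
# Returns 0 when every expected key made a valid signature, no other key
# did, and every signature used HASH_ALGO_ID; otherwise prints each
# deviation and returns 1.
check_signers() {
    local status want_hash got rc fpr g h found
    status="$1"; want_hash="$2"; shift 2
    got="$(validsig_fprs < "$status" | sort -u)"
    rc=0
    [ -n "$got" ] || { echo "no valid signature"; rc=1; }
    for fpr in "$@"; do
        printf '%s\n' "$got" | grep -qx "$(norm_fpr "$fpr")" \
            || { echo "missing signature by $(norm_fpr "$fpr")"; rc=1; }
    done
    for g in $got; do
        found=0
        for fpr in "$@"; do
            if [ "$(norm_fpr "$fpr")" = "$g" ]; then found=1; fi
        done
        [ "$found" -eq 1 ] || { echo "unexpected signer $g"; rc=1; }
    done
    for h in $(validsig_hash_algos < "$status"); do
        [ "$h" = "$want_hash" ] \
            || { echo "signature used hash algo $h, expected $want_hash"; rc=1; }
    done
    return $rc
}

# Constructed status output (not captured from a real archive) for a focal
# InRelease: two RSA (pubkey-algo 1) signatures, both SHA512 (10), by the
# 2012 and 2018 archive keys named in gpg_opts.
sample_focal_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 790BC7277767219C42C86F933B4FE6ACC0B21F32 2020-04-23 1587600000 0 4 0 1 10 00 790BC7277767219C42C86F933B4FE6ACC0B21F32
[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG F6ECB3762474EDA9D21B7022871920D1991BC93C 2020-04-23 1587600000 0 4 0 1 10 00 F6ECB3762474EDA9D21B7022871920D1991BC93C
EOF
}

# Constructed status output for a precise Release.gpg: one signature by
# the 1024-bit key with SHA1 (2), as gpg_opts prescribes for old releases.
sample_precise_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 630239CC130E1A7FD81A27B140976EAF437D05B5 2012-04-26 1335398400 0 4 0 1 2 00 630239CC130E1A7FD81A27B140976EAF437D05B5
EOF
}

s="$(mktemp)"
sample_focal_status > "$s"
# The disco..focal policy: both 4096-bit keys, SHA512.
check_signers "$s" 10 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 0xF6ECB3762474EDA9D21B7022871920D1991BC93C \
    && echo "focal: signers and digest match gpg_opts"
# The same file judged by the post-focal single-key policy: mismatch.
check_signers "$s" 10 0xF6ECB3762474EDA9D21B7022871920D1991BC93C \
    || echo "focal against the single-key policy: mismatch, as expected"
rm -f "$s"
```

To produce the status file for a real suite, run gpgv against the archive keyring, e.g. `gpgv --status-fd 1 --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg InRelease > status.txt` for the clearsigned form, or `gpgv --status-fd 1 --keyring ... Release.gpg Release` for the detached one; the keyring path is the one the ubuntu-archive-keyring package installs and is an assumption of this note, not something the script references.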
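Both signing loops regenerate a signature only when it is missing or the candidate is strictly newer than it (the `-nt` test), and the InRelease loop additionally consults need_inrelease, which skips every suite of the pre-InRelease series and the bare `precise` and `trusty` release pockets but not their -updates or -security pockets. One consequence worth knowing: because `touch --reference` gives each signature the candidate's own mtime, a change to gpg_opts alone never re-signs a suite whose Release has not been regenerated. The audit below is an added example and not part of the publisher: it walks a dists tree applying those same two rules, reports stale or missing signatures, and verifies the remaining ones with gpgv when AUDIT_KEYRING (this example's own variable) names a keyring. The tree it builds is constructed sample data, the function names are its own, and GNU find and touch are assumed, as on the publisher host.

```sh
#!/bin/sh
# Added example, not part of publish-distro.d/10-sign-releases: audit a
# published dists/ tree against the rules the publisher script applies.
#   1. Release.gpg must exist and must not be older than Release; the
#      script re-signs exactly when [ "$CANDIDATE" -nt "$CANDIDATE.gpg" ].
#   2. InRelease is required for every suite except those need_inrelease
#      skips: all pockets of the series up to utopic, and the bare precise
#      and trusty release pockets.
# Optionally set AUDIT_KEYRING to a gpgv keyring file to verify each
# signature with gpgv(1) as well (skipped when gpgv is not installed).

# Suite name from a path below dists/, as path_to_suite derives it.
suite_of() {
    printf '%s\n' "$1" | sed 's,.*/dists/\([^/][^/]*\).*,\1,'
}

# Same decision as need_inrelease: 0 when the suite must carry InRelease.
# Note the pocket subtlety: "precise-updates" is not "precise", so LTS
# pockets other than the release pocket do need InRelease.
requires_inrelease() {
    case "$1" in
    warty*|hoary*|breezy*|dapper*|edgy*|feisty*|gutsy*|hardy*|intrepid*|jaunty*|karmic*|lucid*|maverick*|natty*|oneiric*|quantal*|raring*|saucy*|utopic*)
        return 1 ;;
    precise|trusty)
        return 1 ;;
    *)
        return 0 ;;
    esac
}

# 0 when the signature file $2 is missing or older than the data file $1.
sig_stale() {
    [ ! -f "$2" ] || [ "$1" -nt "$2" ]
}

# Verify with gpgv when a keyring was given and gpgv exists; 0 otherwise.
gpgv_ok() {
    [ -n "$AUDIT_KEYRING" ] || return 0
    command -v gpgv >/dev/null 2>&1 || return 0
    gpgv --keyring "$AUDIT_KEYRING" "$@" >/dev/null 2>&1
}

# Prints one "<finding> <path>" line per problem under $1; always returns
# 0 so callers can count the lines under set -e.
audit_dists() {
    local release dir suite
    for release in $(find "$1/dists" -maxdepth 2 -name Release); do
        dir="${release%/Release}"
        suite="$(suite_of "$release")"
        if sig_stale "$release" "$release.gpg"; then
            echo "stale-or-missing-detached-sig $release.gpg"
        elif ! gpgv_ok "$release.gpg" "$release"; then
            echo "bad-detached-sig $release.gpg"
        fi
        if requires_inrelease "$suite"; then
            if sig_stale "$release" "$dir/InRelease"; then
                echo "stale-or-missing-inrelease $dir/InRelease"
            elif ! gpgv_ok "$dir/InRelease"; then
                echo "bad-inrelease-sig $dir/InRelease"
            fi
        fi
    done
    return 0
}

# Number of findings, for scripted checks.
audit_count() {
    audit_dists "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not real archive data) exercising each rule.
make_sample_tree() {
    local s
    for s in focal bionic precise-updates precise trusty hardy; do
        mkdir -p "$1/dists/$s"
        echo "Suite: $s" > "$1/dists/$s/Release"
    done
    # focal: both signatures present, mtimes copied from Release as the
    # publisher does with touch --reference, so nothing is "newer".
    echo sig > "$1/dists/focal/Release.gpg"
    echo sig > "$1/dists/focal/InRelease"
    touch -r "$1/dists/focal/Release" "$1/dists/focal/Release.gpg" "$1/dists/focal/InRelease"
    # bionic: Release regenerated after signing; InRelease never written.
    echo sig > "$1/dists/bionic/Release.gpg"
    touch -t 200001010000 "$1/dists/bionic/Release.gpg"
    # precise-updates: detached signature fine, but InRelease is required
    # here and absent.  precise and trusty release pockets: detached only.
    echo sig > "$1/dists/precise-updates/Release.gpg"
    echo sig > "$1/dists/precise/Release.gpg"
    echo sig > "$1/dists/trusty/Release.gpg"
    # hardy: pre-InRelease series, but Release.gpg is missing altogether.
}

tmp="$(mktemp -d)"
make_sample_tree "$tmp"
audit_dists "$tmp"        # prints four findings for the sample tree
rm -rf "$tmp"
```

With a real keyring, `AUDIT_KEYRING=/path/to/keyring.gpg` makes the same walk also fail any signature gpgv cannot verify; the mtime rule alone cannot tell a valid signature from a stale policy, which is why the verification step is there.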