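#!/bin/sh -e
# publish-distro.d plugin: sign Release files, dist-upgrader tarballs and
# custom checksum files below $DISTSROOT with the archive signing keys.
#
# Environment, provided by the calling publisher script:
#   ARCHIVEROOT  root of the archive being published; GNUPGHOME is derived
#                from it
#   DISTSROOT    the dists/ tree to sign (the publisher's working copy,
#                not the published tree)
#   LPCONFIG     Launchpad config name; selects the signing key set
#
# The "-e" on the shebang line is lost when the script is started as
# "sh FILE", so set it explicitly as well: a failing gpg must abort the
# run before the touch that follows it stamps whatever is (or is not)
# on disk as an up-to-date signature.
set -e

# The calling script may set GNUPGHOME to a value set up by Launchpad's
# script machinery.  In production, we have a dedicated directory set up
# for this.
export GNUPGHOME="$ARCHIVEROOT/../gnupg-home"

# Systems without the signing key directory (e.g. dogfood) skip signing
# altogether; this is deliberate and not treated as an error.
if ! test -d "$GNUPGHOME"
then
	echo "There is no $GNUPGHOME; not signing Release files."
	exit 0
fi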
# Calculate the series from a path.
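path_to_series () {
	# Print the Ubuntu series name for a path below a dists/ tree, e.g.
	# .../dists/focal-updates/Release -> focal.  Prints nothing when the
	# path has no dists/ component.
	local series
	# The last "/dists/" wins; the series is everything up to the next
	# "/" or "-", so focal-updates and focal-security both give focal.
	# printf rather than echo: sh's echo interprets backslashes and
	# option-like arguments, and these paths come straight from find.
	series="$(printf '%s\n' "$1" | sed 's,.*/dists/\([^/-][^/-]*\).*,\1,')"
	case $series in
	    */*)
		# The substitution did not apply: not a dists/ path.
		return 0
		;;
	    *)
		printf '%s\n' "$series"
		;;
	esac
}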
# Return additional GPG options to be used when signing files for a given
# series.
gpg_opts () {
	# Print the extra gpg options (key selection and digest algorithm)
	# for signing the file at $1, as one whitespace-separated line that
	# the caller word-splits into gpg's argument list.
	# Globals read: LPCONFIG (which publisher set-up this is), ARCHIVEROOT.
	# Prints nothing when no arm below matches; the caller then runs gpg
	# without -u, i.e. with gpg's default secret key from $GNUPGHOME.
	local series
	series="$(path_to_series "$1")"
	case $LPCONFIG in
	    ftpmaster-publish)
		# Matched on "SERIES:PATH" so that arms can key on the path
		# as well.  Order matters: the */dist-upgrader* arms must come
		# before the plain "series:*" arms that would otherwise catch
		# those tarballs.
		case "$series:$1" in
		    # Use single-signature 1024 key SHA1 for old releases
		    # (frozen series; their signing set-up is never changed)
		    warty:*|hoary:*|breezy:*|dapper:*|edgy:*|feisty:*|gutsy:*|hardy:*|intrepid:*|jaunty:*|karmic:*|lucid:*|maverick:*|natty:*|oneiric:*|precise:*)
			printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 --digest-algo SHA1"
			;;
		    # Use single-signature 1024 key SHA1 for upgrades from distributions with 1k key only
		    quantal:*/dist-upgrader*|raring:*/dist-upgrader*|saucy:*/dist-upgrader*|trusty:*/dist-upgrader*)
			printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 --digest-algo SHA1"
			;;
		    # Use single-signature 4096 key SHA512 for upgrades from distributions with 4k present
		    utopic:*/dist-upgrader*|vivid:*/dist-upgrader*|wily:*/dist-upgrader*|xenial:*/dist-upgrader*|yakkety:*/dist-upgrader*)
			printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
			;;
		    # Use dual-signatures 1024 & 4096 keys SHA512 for the archive, for a transitioning period, to allow e.g. precise .0 to bootstrap any of these
		    quantal:*|raring:*|saucy:*|trusty:*|utopic:*|vivid:*|wily:*|xenial:*|yakkety:*)
			printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 -u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
			;;
		    # Use single-signature 4096 key SHA512 for zesty..cosmic, including dist-upgrade tarballs
		    zesty:*|artful:*|bionic:*|cosmic:*)
			printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
			;;
		    # Use dual-signature using 2012 & 2018 4k keys and SHA512 for the disco-focal, including dist-upgrade tarballs
		    disco:*|eoan:*|focal:*)
			printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 -u 0xF6ECB3762474EDA9D21B7022871920D1991BC93C --digest-algo SHA512"
			;;
		    # Use single-signature using 2018 4k keys and SHA512 for the rest (GG-), including dist-upgrade tarballs
		    # This is also the arm a brand-new series lands in until it
		    # is listed explicitly above.
		    *)
			printf '%s\n' "-u 0xF6ECB3762474EDA9D21B7022871920D1991BC93C --digest-algo SHA512"
			;;
		esac
		;;
	    derived-distro-publish)
		# Only ubuntu-rtm gets an explicit key here; any other derived
		# archive falls through to gpg's default key.
		case $ARCHIVEROOT in
		    */ubuntu-rtm)
			# NOTE(review): this is a short (32-bit) key ID, unlike the
			# full fingerprints the ftpmaster arm has used since r87.1.3;
			# a short ID is ambiguous if more than one key in $GNUPGHOME
			# matches it.  The same applies to the dogfood-publish arm
			# below.  Consider switching both to full fingerprints.
			printf '%s\n' "-u 5810338B"
			;;
		esac
		;;
	    dogfood-publish)
		# Dogfood uses its own ubuntu-rtm key; everything else there
		# falls through to gpg's default key.
		local distribution
		distribution="$(basename "$ARCHIVEROOT")"
		case "$distribution" in
		    ubuntu-rtm)
			printf '%s\n' "-u 272AD8D5"
			;;
		esac
		;;
	esac
}
# Calculate the suite from a path.
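path_to_suite () {
	# Print the suite name for a path below a dists/ tree, e.g.
	# .../dists/focal-updates/Release -> focal-updates.  Unlike
	# path_to_series the pocket suffix is kept.  Prints nothing when
	# the path has no dists/ component.
	local suite
	# The last "/dists/" wins; the suite is everything up to the next "/".
	# printf rather than echo: sh's echo interprets backslashes and
	# option-like arguments, and these paths come straight from find.
	suite="$(printf '%s\n' "$1" | sed 's,.*/dists/\([^/][^/]*\).*,\1,')"
	case $suite in
	    */*)
		# The substitution did not apply: not a dists/ path.
		return 0
		;;
	    *)
		printf '%s\n' "$suite"
		;;
	esac
}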
need_inrelease () {
	# Decide whether the Release file at $1 should also get a clearsigned
	# InRelease beside it.  Returns 0 (yes) or 1 (skip).
	local suite
	suite="$(path_to_suite "$1")"
	case $suite in
	    warty*|hoary*|breezy*|dapper*|edgy*|feisty*|gutsy*|hardy*|intrepid*|jaunty*|karmic*|lucid*|maverick*|natty*|oneiric*|quantal*|raring*|saucy*|utopic*)
		# Suites from before InRelease was implemented in Ubuntu.
		return 1
		;;
	    precise|trusty)
		# LTS release pockets are left alone for the moment: adding
		# an InRelease there would make apt redownload the world.
		return 1
		;;
	esac
	# Everything else, including an empty suite name, gets one.
	return 0
}
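# Candidate files to sign, all below the working-copy $DISTSROOT.  Each
# variable holds a whitespace-separated list that the loops below
# word-split, so paths containing whitespace are not supported here.
# $DISTSROOT itself is quoted so that it is never split or globbed; the
# trailing globs must stay unquoted.
RELEASE_FILES=$(find "$DISTSROOT" -maxdepth 2 -name Release)
# "|| true": when a glob matches nothing, find is handed the literal
# pattern, fails, and that must not abort the run under set -e.
DIST_UPGRADER_TARBALLS=$(
	find "$DISTSROOT"/*/*/dist-upgrader* -name "*.tar.gz" || true)
# Checksum files published for raw-signing/raw-uefi uploads.
CUSTOM_CHECKSUMS=$(
	find "$DISTSROOT"/*/*/installer-* \
	     "$DISTSROOT"/*/*/signed \
	     "$DISTSROOT"/*/*/uefi \
	     -name "*SUMS" || true)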
# Detached, ASCII-armoured signatures: FILE -> FILE.gpg.
for CANDIDATE in $RELEASE_FILES $DIST_UPGRADER_TARBALLS $CUSTOM_CHECKSUMS
do
    # A signature that exists and is at least as new as its file is kept.
    # (-nt is a common test(1) extension, supported by dash.)
    if [ -f "$CANDIDATE.gpg" ] && [ ! "$CANDIDATE" -nt "$CANDIDATE.gpg" ]; then
        continue
    fi
    opts="$(gpg_opts "$CANDIDATE")"
    echo "$(date -R): (re-)signing $CANDIDATE ($opts)"
    # $opts is deliberately unquoted: it is a list of gpg options.
    gpg --yes --detach-sign --armor -o "$CANDIDATE.gpg" \
        --sign --no-permission-warning $opts "$CANDIDATE"
    # Give the signature the signed file's mtime (aids cache
    # configuration) and keep the -nt check above quiet next time.
    touch --reference "$CANDIDATE" "$CANDIDATE.gpg"
done
# Clearsigned InRelease files next to each Release, where wanted.
for CANDIDATE in $RELEASE_FILES
do
    INRELEASE="${CANDIDATE%/Release}/InRelease"
    # An InRelease that exists and is at least as new as Release is kept.
    if [ -f "$INRELEASE" ] && [ ! "$CANDIDATE" -nt "$INRELEASE" ]; then
        continue
    fi
    # Some suites deliberately get no InRelease (see need_inrelease).
    need_inrelease "$CANDIDATE" || continue
    opts="$(gpg_opts "$CANDIDATE")"
    echo "$(date -R): (re-)signing $INRELEASE ($opts)"
    # $opts is deliberately unquoted: it is a list of gpg options.
    gpg --yes --clearsign --armor -o "$INRELEASE" \
        --no-permission-warning $opts "$CANDIDATE"
    # Keep Release and InRelease mtimes identical, as for the .gpg files.
    touch --reference "$CANDIDATE" "$INRELEASE"
done