#!/bin/sh -e

# The calling script may set GNUPGHOME to a value set up by Launchpad's
# script machinery.  In production, we have a dedicated directory set up
# for this.
# NOTE(review): if ARCHIVEROOT is unset this resolves to "/../gnupg-home",
# which normally does not exist, so the script takes the exit-0 path below
# and signs nothing rather than failing loudly — confirm the caller always
# exports ARCHIVEROOT.
export GNUPGHOME="$ARCHIVEROOT/../gnupg-home"

# Without a keyring directory there is nothing to sign with.  This is a
# deliberate no-op (exit 0), not an error, so setups without keys still run.
[ -d "$GNUPGHOME" ] || {
	echo "There is no $GNUPGHOME; not signing Release files."
	exit 0
}

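# Calculate the series from a path.
#
# Arguments: $1 - a path somewhere under a .../dists/<suite>/ tree
# Outputs:   the series name on stdout: the path component following
#            "/dists/", cut at the first "-" so that a pocket suffix is
#            dropped (".../dists/precise-updates/Release" gives "precise");
#            nothing at all when no series can be extracted (typically the
#            path has no "/dists/" component and sed leaves it unchanged)
# Returns:   0
path_to_series () {
	local series
	# printf rather than echo: dash's echo interprets backslash sequences,
	# so a path containing backslashes would be mangled before sed sees it.
	series="$(printf '%s\n' "$1" | sed 's,.*/dists/\([^/-][^/-]*\).*,\1,')"
	case $series in
	    */*)
		# sed made no substitution (the whole path came back), so there
		# is no series to report.
		return
		;;
	    *)
		printf '%s\n' "$series"
		;;
	esac
}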

# Return additional GPG options to be used when signing files for a given
# series.
#
# Globals:   LPCONFIG (read) - selects which publishing configuration's
#            key policy applies; ARCHIVEROOT (read) - consulted by the
#            non-ftpmaster configurations
# Arguments: $1 - path of the file about to be signed
# Outputs:   a single line of gpg options on stdout (key selection via -u
#            and, for ftpmaster, the digest algorithm), or nothing at all
#            when no arm matches — the caller then runs gpg with its
#            default key and digest.  Callers word-split this line into
#            separate arguments, so it must stay a plain string of options.
# Returns:   0
gpg_opts () {
	local series
	series="$(path_to_series "$1")"
	case $LPCONFIG in
	    ftpmaster-publish)
		# Matched against "<series>:<path>".  Arm order matters: the
		# */dist-upgrader* arms must come before the plain "<series>:*"
		# arms for the same series, because the first matching arm wins.
		case "$series:$1" in
		    # Use single-signature 1024 key SHA1 for old releases
		    warty:*|hoary:*|breezy:*|dapper:*|edgy:*|feisty:*|gutsy:*|hardy:*|intrepid:*|jaunty:*|karmic:*|lucid:*|maverick:*|natty:*|oneiric:*|precise:*)
			printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 --digest-algo SHA1"
			;;
		    # Use single-signature 1024 key SHA1 for upgrades from distributions with 1k key only
		    quantal:*/dist-upgrader*|raring:*/dist-upgrader*|saucy:*/dist-upgrader*|trusty:*/dist-upgrader*)
			printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 --digest-algo SHA1"
			;;
		    # Use single-signature 4096 key SHA512 for upgrades from distributions with 4k present
		    utopic:*/dist-upgrader*|vivid:*/dist-upgrader*|wily:*/dist-upgrader*|xenial:*/dist-upgrader*|yakkety:*/dist-upgrader*)
			printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
			;;
		    # Use dual-signatures 1024 & 4096 keys SHA512 for the archive, for a transitioning period, to allow e.g. precise .0 to bootstrap any of these
		    quantal:*|raring:*|saucy:*|trusty:*|utopic:*|vivid:*|wily:*|xenial:*|yakkety:*)
			printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 -u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
			;;
		    # Use single-signature 4096 key SHA512 for zesty..cosmic, including dist-upgrade tarballs
		    zesty:*|artful:*|bionic:*|cosmic:*)
			printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
			;;
		    # Use dual-signature using 2012 & 2018 4k keys and SHA512 for the disco-focal, including dist-upgrade tarballs
		    disco:*|eoan:*|focal:*)
			printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 -u 0xF6ECB3762474EDA9D21B7022871920D1991BC93C --digest-algo SHA512"
			;;
		    # Use single-signature using 2018 4k keys and SHA512 for the rest (GG-), including dist-upgrade tarballs
		    # This catch-all also covers any series path_to_series could
		    # not determine (empty $series), so new/unknown series get the
		    # current key rather than no key.
		    *)
			printf '%s\n' "-u 0xF6ECB3762474EDA9D21B7022871920D1991BC93C --digest-algo SHA512"
			;;
		esac
		;;
	    derived-distro-publish)
		# Only ubuntu-rtm gets an explicit key; any other ARCHIVEROOT
		# prints nothing and gpg falls back to its default key.
		# NOTE(review): 5810338B (here) and 272AD8D5 (dogfood below) are
		# 32-bit short key IDs, resolved against whatever keys are in
		# GNUPGHOME, whereas the ftpmaster arms pin full fingerprints —
		# worth aligning if more than one key can be present.
		case $ARCHIVEROOT in
		    */ubuntu-rtm)
			printf '%s\n' "-u 5810338B"
			;;
		esac
		;;
	    dogfood-publish)
		local distribution
		distribution="$(basename "$ARCHIVEROOT")"
		case "$distribution" in
		    ubuntu-rtm)
			printf '%s\n' "-u 272AD8D5"
			;;
		esac
		;;
	esac
}

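# Calculate the suite from a path.
#
# Arguments: $1 - a path somewhere under a .../dists/<suite>/ tree
# Outputs:   the full suite name on stdout: the path component following
#            "/dists/", pocket suffix included (".../dists/precise-updates/
#            Release" gives "precise-updates"); nothing at all when no suite
#            can be extracted (typically the path has no "/dists/" component
#            and sed leaves it unchanged)
# Returns:   0
path_to_suite () {
	local suite
	# printf rather than echo: dash's echo interprets backslash sequences,
	# so a path containing backslashes would be mangled before sed sees it.
	suite="$(printf '%s\n' "$1" | sed 's,.*/dists/\([^/][^/]*\).*,\1,')"
	case $suite in
	    */*)
		# sed made no substitution (the whole path came back), so there
		# is no suite to report.
		return
		;;
	    *)
		printf '%s\n' "$suite"
		;;
	esac
}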

# Decide whether the suite a Release file belongs to should also get a
# clearsigned InRelease file.
#
# Arguments: $1 - path of a Release file
# Returns:   1 for suites that must not get an InRelease (pre-InRelease
#            series, and the precise/trusty release pockets); 0 otherwise
need_inrelease () {
	local suite
	suite="$(path_to_suite "$1")"
	case $suite in
	    warty*|hoary*|breezy*|dapper*|edgy*|feisty*|gutsy*|hardy*|intrepid*|jaunty*|karmic*|lucid*|maverick*|natty*|oneiric*|quantal*|raring*|saucy*|utopic*)
		# All suites (every pocket) from before InRelease was
		# implemented in Ubuntu.
		return 1
		;;
	    precise|trusty)
		# Only the bare LTS release pockets are skipped (precise-updates
		# etc. still qualify): adding InRelease there would cause apt to
		# redownload the world.
		return 1
		;;
	esac
	return 0
}

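# Collect everything that needs a detached signature.  Each list is a
# newline-separated string that the loops below word-split, so this script
# assumes archive paths contain no whitespace or glob characters.
# Fail loudly if DISTSROOT is unset rather than letting find operate on
# whatever happens to be the current directory.
: "${DISTSROOT:?DISTSROOT must be set to the dists tree to sign}"
RELEASE_FILES=$(find "$DISTSROOT" -maxdepth 2 -name Release)
# The globs must stay unquoted so the shell expands them.  When a glob has
# no match, find is handed the literal pattern, complains on stderr and
# exits non-zero; "|| true" turns that into an empty list because these
# trees are optional.
DIST_UPGRADER_TARBALLS=$(
	find "$DISTSROOT"/*/*/dist-upgrader* -name "*.tar.gz" || true)
CUSTOM_CHECKSUMS=$(
	find "$DISTSROOT"/*/*/installer-* \
	     "$DISTSROOT"/*/*/signed \
	     "$DISTSROOT"/*/*/uefi \
	     -name "*SUMS" || true)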

# Detached ASCII-armoured signatures (<file>.gpg) for every candidate that
# is either unsigned or newer than its existing signature.
for CANDIDATE in $RELEASE_FILES $DIST_UPGRADER_TARBALLS $CUSTOM_CHECKSUMS
do
    # Already up to date: a signature exists and the file is not newer.
    if [ -f "$CANDIDATE.gpg" ] && [ ! "$CANDIDATE" -nt "$CANDIDATE.gpg" ]
    then
        continue
    fi
    opts="$(gpg_opts "$CANDIDATE")"
    echo "$(date -R): (re-)signing $CANDIDATE ($opts)"
    # $opts is deliberately unquoted: gpg_opts returns several options in
    # one string that must be word-split into separate gpg arguments.
    gpg --yes --detach-sign --armor -o "$CANDIDATE.gpg" \
        --sign --no-permission-warning $opts "$CANDIDATE"
    # Give the signature the signed file's mtime so the -nt test above
    # stays false until the file itself changes again.
    touch --reference "$CANDIDATE" "$CANDIDATE.gpg"
done

# Clearsigned InRelease next to each Release, for the suites that should
# have one (see need_inrelease).
for CANDIDATE in $RELEASE_FILES
do
    INRELEASE="${CANDIDATE%/Release}/InRelease"
    # Already up to date: InRelease exists and Release is not newer.
    if [ -f "$INRELEASE" ] && [ ! "$CANDIDATE" -nt "$INRELEASE" ]
    then
        continue
    fi
    # Suites that must not carry an InRelease are skipped without logging.
    need_inrelease "$CANDIDATE" || continue
    opts="$(gpg_opts "$CANDIDATE")"
    echo "$(date -R): (re-)signing $INRELEASE ($opts)"
    # $opts is deliberately unquoted: it is word-split into gpg options.
    gpg --yes --clearsign --armor -o "$INRELEASE" \
        --no-permission-warning $opts "$CANDIDATE"
    # Match mtimes so the -nt test above is false until Release changes.
    touch --reference "$CANDIDATE" "$INRELEASE"
done