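#!/bin/sh
# Sign the Release files, dist-upgrader tarballs and custom checksum files
# found under $DISTSROOT for the archive rooted at $ARCHIVEROOT.
#
# Environment read by this script: ARCHIVEROOT, DISTSROOT, LPCONFIG (the
# last selects which signing-key options gpg_opts emits).
#
# Errexit is requested with "set -e" rather than on the shebang line so
# that it survives being run as "sh script" (shebang options are lost then).
set -e
# Fail loudly when ARCHIVEROOT is missing: otherwise GNUPGHOME would become
# "/../gnupg-home" and the directory check below would quietly skip signing,
# hiding a misconfiguration behind a successful exit.
: "${ARCHIVEROOT:?ARCHIVEROOT must be set}"
# The calling script may set GNUPGHOME to a value set up by Launchpad's
# script machinery. In production, we have a dedicated directory set up
# for this.
export GNUPGHOME="$ARCHIVEROOT/../gnupg-home"
if ! test -d "$GNUPGHOME"
then
    # Deliberate best-effort: no keyring directory means nothing to sign with.
    echo "There is no $GNUPGHOME; not signing Release files."
    exit 0
fi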
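#######################################
# Calculate the series from a path.
# Prints the first path component after "/dists/", cut at the first "-",
# so ".../dists/precise-updates/Release" yields "precise".
# Arguments: $1 - path to a file under the archive's dists tree
# Outputs:   the series name on stdout; nothing when $1 holds no
#            "/dists/<series>" component (the sed substitution then leaves
#            the path unchanged, and the unchanged path still contains "/")
#######################################
path_to_series () {
    local series
    # printf rather than echo: some /bin/sh echo implementations interpret
    # backslashes or a leading "-n"/"-e" in the argument.
    series="$(printf '%s\n' "$1" | sed 's,.*/dists/\([^/-][^/-]*\).*,\1,')"
    case $series in
        */*)
            # Substitution did not apply; report nothing.
            return
            ;;
        *)
            printf '%s\n' "$series"
            ;;
    esac
}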
#######################################
# Return additional GPG options to be used when signing files for a given
# series.
# The option string is chosen by $LPCONFIG (which deployment is publishing),
# then by the series derived from the path and, for ftpmaster-publish, by
# whether the path is a dist-upgrader tarball.
# Globals:   LPCONFIG, ARCHIVEROOT (read)
# Arguments: $1 - path of the file about to be signed
# Outputs:   a whitespace-separated gpg option string on stdout (callers
#            rely on word-splitting it), or nothing when no arm matches
#######################################
gpg_opts () {
    local series
    series="$(path_to_series "$1")"
    case $LPCONFIG in
    ftpmaster-publish)
        # First match wins: the "*/dist-upgrader*" arms must stay ahead of
        # the plain "<series>:*" arms that would otherwise also match them.
        case "$series:$1" in
        # Use single-signature 1024 key SHA1 for old releases
        warty:*|hoary:*|breezy:*|dapper:*|edgy:*|feisty:*|gutsy:*|hardy:*|intrepid:*|jaunty:*|karmic:*|lucid:*|maverick:*|natty:*|oneiric:*|precise:*)
            printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 --digest-algo SHA1"
            ;;
        # Use single-signature 1024 key SHA1 for upgrades from distributions with 1k key only
        # (SHA1 is kept only for these legacy consumers; newer arms use SHA512)
        quantal:*/dist-upgrader*|raring:*/dist-upgrader*|saucy:*/dist-upgrader*|trusty:*/dist-upgrader*)
            printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 --digest-algo SHA1"
            ;;
        # Use single-signature 4096 key SHA512 for upgrades from distributions with 4k present
        utopic:*/dist-upgrader*|vivid:*/dist-upgrader*|wily:*/dist-upgrader*|xenial:*/dist-upgrader*|yakkety:*/dist-upgrader*)
            printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
            ;;
        # Use dual-signatures 1024 & 4096 keys SHA512 for the archive, for a transitioning period, to allow e.g. precise .0 to bootstrap any of these
        quantal:*|raring:*|saucy:*|trusty:*|utopic:*|vivid:*|wily:*|xenial:*|yakkety:*)
            printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 -u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
            ;;
        # Use single-signature 4096 key SHA512 for zesty..cosmic, including dist-upgrade tarballs
        zesty:*|artful:*|bionic:*|cosmic:*)
            printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
            ;;
        # Use dual-signature using 2012 & 2018 4k keys and SHA512 for the disco-focal, including dist-upgrade tarballs
        disco:*|eoan:*|focal:*)
            printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 -u 0xF6ECB3762474EDA9D21B7022871920D1991BC93C --digest-algo SHA512"
            ;;
        # Use single-signature using 2018 4k keys and SHA512 for the rest (GG-), including dist-upgrade tarballs
        *)
            printf '%s\n' "-u 0xF6ECB3762474EDA9D21B7022871920D1991BC93C --digest-algo SHA512"
            ;;
        esac
        ;;
    derived-distro-publish)
        case $ARCHIVEROOT in
        */ubuntu-rtm)
            # NOTE(review): this is a short (32-bit) key ID; the selection is
            # ambiguous if the keyring ever holds another key with the same
            # suffix. The ftpmaster-publish arms use full fingerprints --
            # confirm whether this one can be spelled out the same way.
            printf '%s\n' "-u 5810338B"
            ;;
        esac
        ;;
    dogfood-publish)
        local distribution
        distribution="$(basename "$ARCHIVEROOT")"
        case "$distribution" in
        ubuntu-rtm)
            # NOTE(review): short key ID, same caveat as the ubuntu-rtm arm
            # of derived-distro-publish above.
            printf '%s\n' "-u 272AD8D5"
            ;;
        esac
        ;;
    esac
}
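#######################################
# Calculate the suite from a path.
# Prints the whole path component after "/dists/", so
# ".../dists/precise-updates/Release" yields "precise-updates" (unlike
# path_to_series, which stops at the first "-").
# Arguments: $1 - path to a file under the archive's dists tree
# Outputs:   the suite name on stdout; nothing when $1 holds no
#            "/dists/<suite>" component (the sed substitution then leaves
#            the path unchanged, and the unchanged path still contains "/")
#######################################
path_to_suite () {
    local suite
    # printf rather than echo: some /bin/sh echo implementations interpret
    # backslashes or a leading "-n"/"-e" in the argument.
    suite="$(printf '%s\n' "$1" | sed 's,.*/dists/\([^/][^/]*\).*,\1,')"
    case $suite in
        */*)
            # Substitution did not apply; report nothing.
            return
            ;;
        *)
            printf '%s\n' "$suite"
            ;;
    esac
}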
#######################################
# Decide whether a clearsigned InRelease should be produced for a Release
# file.
# Arguments: $1 - path to a Release file
# Returns:   0 when InRelease should be written, 1 when it must be skipped
#######################################
need_inrelease () {
    local suite
    suite="$(path_to_suite "$1")"
    case $suite in
        # Skip every suite from before InRelease was implemented in Ubuntu,
        # and -- for the moment -- the precise and trusty release pockets
        # (exact names only, so precise-updates etc. still get one), because
        # adding InRelease there would cause apt to redownload the world.
        warty*|hoary*|breezy*|dapper*|edgy*|feisty*|gutsy*|hardy*|intrepid*|jaunty*|karmic*|lucid*|maverick*|natty*|oneiric*|quantal*|raring*|saucy*|utopic*|precise|trusty)
            return 1
            ;;
    esac
    return 0
}
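# Refuse to run with an empty DISTSROOT: "find -maxdepth 2 -name Release"
# would otherwise search the current directory and sign whatever it found.
: "${DISTSROOT:?DISTSROOT must be set}"

# Candidate files for detached signatures. The globs are deliberately left
# unquoted; "|| true" covers the case where a glob matches nothing and find
# fails on the literal pattern. The results are word-split below, which
# assumes archive paths contain no whitespace.
RELEASE_FILES=$(find "$DISTSROOT" -maxdepth 2 -name Release)
DIST_UPGRADER_TARBALLS=$(
    find "$DISTSROOT"/*/*/dist-upgrader* -name "*.tar.gz" || true)
CUSTOM_CHECKSUMS=$(
    find "$DISTSROOT"/*/*/installer-* \
        "$DISTSROOT"/*/*/signed \
        "$DISTSROOT"/*/*/uefi \
        -name "*SUMS" || true)

# (Re-)sign every candidate whose detached signature is missing or older
# than the file itself.
for CANDIDATE in $RELEASE_FILES $DIST_UPGRADER_TARBALLS $CUSTOM_CHECKSUMS
do
    if [ ! -f "$CANDIDATE.gpg" ] || [ "$CANDIDATE" -nt "$CANDIDATE.gpg" ]
    then
        opts="$(gpg_opts "$CANDIDATE")"
        printf '%s\n' "$(date -R): (re-)signing $CANDIDATE ($opts)"
        # $opts is intentionally unquoted: gpg_opts returns a
        # whitespace-separated option string.
        # shellcheck disable=SC2086
        gpg --yes --detach-sign --armor -o "$CANDIDATE.gpg" \
            --sign --no-permission-warning $opts "$CANDIDATE"
        # Give the signature the file's mtime so the -nt check above stays
        # quiet until the file itself changes again.
        touch --reference "$CANDIDATE" "$CANDIDATE.gpg"
    fi
done

# Produce a clearsigned InRelease next to each Release file that needs one.
for CANDIDATE in $RELEASE_FILES
do
    INRELEASE="${CANDIDATE%/Release}/InRelease"
    # Cheap file tests first; need_inrelease forks sed. Grouping with
    # braces avoids the subshell a parenthesised list would fork.
    if { [ ! -f "$INRELEASE" ] || [ "$CANDIDATE" -nt "$INRELEASE" ]; } && \
        need_inrelease "$CANDIDATE"; then
        opts="$(gpg_opts "$CANDIDATE")"
        printf '%s\n' "$(date -R): (re-)signing $INRELEASE ($opts)"
        # shellcheck disable=SC2086
        gpg --yes --clearsign --armor -o "$INRELEASE" \
            --no-permission-warning $opts "$CANDIDATE"
        touch --reference "$CANDIDATE" "$INRELEASE"
    fi
done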