From 439c7ff2058c85475db2566a55f45f1531d67a20 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Mon, 3 May 2021 12:18:39 +0200
Subject: sign repo metadata gh#175

---
 mkmodular | 27 +++++++++++++++++++++++++++
 mkrepo    | 59 +++++++++++++++++++++++++++++++----------------------------
 2 files changed, 58 insertions(+), 28 deletions(-)

diff --git a/mkmodular b/mkmodular
index 9ad0754..51fd59a 100755
--- a/mkmodular
+++ b/mkmodular
@@ -327,7 +327,31 @@ function createRepo($dest, $mod) {
 $old = getcwd();
 chdir($dest);
 
+// Key
+[$dis,$ver]=explode("/", $dest);
+$GPG_NAME="Remi's RPM repository";
+if ($dis == "fedora") {
+	if ($ver >= 34) {
+		$GPG_PATH="/home/remi/.gnupg2021";
+	} else if ($ver >= 32) {
+		$GPG_PATH="/home/remi/.gnupg2020";
+	} else {
+		$GPG_PATH="/home/remi/.gnupg2019";
+	}
+} else {
+	if ($ver >= 8) {
+		$GPG_PATH="/home/remi/.gnupg2018";
+	} else {
+		$GPG_PATH="/home/remi/.gnupgrpm";
+		$GPG_NAME="Remi Collet";
+	}
+}
+echo "Metadata, signing with $GPG_PATH, ";
+
+// Repository content
 exec("mkrepo nocheck noclean");
+
+// Modular data
 $data = '/tmp/modules.yaml';
 file_put_contents($data, $mod);
 $hash = hash('sha256', $mod);
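Review bot: The key selection added here does not match the one this commit adds to mkrepo. A Fedora version below 30 falls into the final `else` and gets `/home/remi/.gnupg2019`, while mkrepo prints "older key" and exits; the non-Fedora branch also picks the 2018 key on `$ver >= 8` alone, without the `$dis == "enterprise"` test mkrepo applies. Because `exec("mkrepo nocheck noclean")` discards the exit status, createRepo would carry on and sign metadata for a release that mkrepo refused. Consider mirroring the shell conditions (`} else if ($ver >= 30) {` for the 2019 key, an error otherwise) or keeping the mapping in one place that both scripts read. `$ver` comes straight from `explode("/", $dest)`, so a missing or non-numeric component should be rejected before the comparisons; createRepo begins above this hunk and continues past it.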
@@ -335,6 +359,9 @@ exec("modifyrepo_c --mdtype=modules $data repodata >/dev/null");
 $arch = basename($dest);
 rename($data, "$data.$arch");
 
+// Sign
+@unlink("repodata/repomd.xml.asc");
+exec("gpg --armor --detach-sign --default-key \"$GPG_NAME\" --homedir \"$GPG_PATH\" repodata/repomd.xml");
 chdir($old);
 }
 /*
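Review bot: The status of the `gpg` call is never checked, so a failed signature (missing key, unavailable agent, wrong homedir) leaves the repository without `repomd.xml.asc` after the `@unlink`, and createRepo returns as if nothing happened. Capture the result and stop on failure, for example `exec($cmd, $out, $rc);` followed by `if ($rc !== 0) { fwrite(STDERR, "repomd.xml signing failed\n"); exit(1); }`. Passing the values through `escapeshellarg($GPG_NAME)` and `escapeshellarg($GPG_PATH)` instead of hand-written `\"` quoting would keep the apostrophe in the key name safe if the quoting ever changes. The same unchecked `rm -f` / `gpg` pair is added in the last mkrepo hunk, where `gpg ... || exit 1` would be enough.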
diff --git a/mkrepo b/mkrepo
index 5f25de6..93e946e 100755
--- a/mkrepo
+++ b/mkrepo
@@ -23,39 +23,40 @@ else
   dst=/data/rpms/old
 fi
 
+GPG_NAME="Remi's RPM repository"
+if [ "$dis" == "fedora" ]; then
+	# Fedora
+	if [ "$ver" -ge 34 ]
+	then echo "key 2021"
+		GPG_PATH=/home/remi/.gnupg2021
+	elif [ "$ver" -ge 32 ]
+	then echo "key 2020"
+		GPG_PATH=/home/remi/.gnupg2020
+	elif [ "$ver" -ge 30 ]
+	then echo "key 2019"
+		GPG_PATH=/home/remi/.gnupg2019
+	else echo "older key"
+		exit 1
+	fi
+else
+	# Enterprise
+	if [ "$dis" == "enterprise" -a "$ver" -ge 8 ]
+	then echo "key 2018"
+		GPG_PATH=/home/remi/.gnupg2018
+	else echo "old key"
+		GPG_PATH=/home/remi/.gnupgrpm
+		GPG_NAME="Remi Collet"
+	fi
+fi
+
 if [ ${1:-check} != nocheck ]; then
 	echo "+ Controle des signatures"
 	rpm -K *.rpm | grep -v 'signatures.*OK' | cut -d: -f1 | tee $TMP
 	if [ -s $TMP ]
 	then
-		if [ "$dis" == "fedora" -a "$ver" -ge 34 ]
-		then echo "key 2021"
-			rpmsign --define '_gpg_path /home/remi/.gnupg2021' --define "_gpg_name Remi's RPM repository"  --addsign $(cat $TMP)
-
-		elif [ "$dis" == "fedora" -a "$ver" -ge 32 ]
-		then echo "key 2020"
-			rpmsign --define '_gpg_path /home/remi/.gnupg2020' --define "_gpg_name Remi's RPM repository"  --addsign $(cat $TMP)
-
-		elif [ "$dis" == "fedora" -a "$ver" -ge 30 ]
-		then echo "key 2019"
-			rpmsign --define '_gpg_path /home/remi/.gnupg2019' --define "_gpg_name Remi's RPM repository"  --addsign $(cat $TMP)
-
-		elif [ "$dis" == "fedora" -a "$ver" -ge 28 ]
-		then echo "key 2018"
-			rpmsign --define '_gpg_path /home/remi/.gnupg2018' --define "_gpg_name Remi's RPM repository"  --addsign $(cat $TMP)
-
-		elif [ "$dis" == "enterprise" -a "$ver" -ge 8 ]
-		then echo "key 2018"
-			rpmsign --define '_gpg_path /home/remi/.gnupg2018' --define "_gpg_name Remi's RPM repository"  --addsign $(cat $TMP)
-
-		elif [ "$dis" == "fedora" -a "$ver" -ge 26 ]
-		then echo "key 2017"
-			rpmsign --define '_gpg_path /home/remi/.gnupg2017' --define "_gpg_name Remi's RPM repository"  --addsign $(cat $TMP)
-
-		else echo "old key"
-			rpmsign --define '_gpg_path /home/remi/.gnupgrpm'  --define "_gpg_name Remi Collet"            --addsign $(cat $TMP)
-		fi
-	else	echo OK.
+		rpmsign --define "_gpg_path $GPG_PATH" --define "_gpg_name $GPG_NAME"  --addsign $(cat $TMP)
+	else
+		echo OK.
 	fi
 fi
 
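Review bot: The final `else` of the new selection block falls back to the legacy `/home/remi/.gnupgrpm` key for every input that is not Fedora and not `enterprise` with `$ver -ge 8`. That includes an empty or non-numeric `$ver`, where the `[ ... -ge 8 ]` test errors out and falls through. With this commit that default also decides which key signs `repomd.xml`, so an unexpected directory gets metadata signed by the oldest key instead of an error. Consider matching the legacy case explicitly with `elif [ "$dis" == "enterprise" ]`, ending with `else echo "unknown target $dis/$ver" >&2; exit 1`, and checking that `$ver` is an integer first. `$dis` and `$ver` are set above this hunk, so their possible values are not visible here.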
@@ -101,6 +102,8 @@ else
                --compress-type=bz2   \
                --database .
 fi
+rm -f repodata/repomd.xml.asc
+gpg --armor --detach-sign --default-key "$GPG_NAME" --homedir "$GPG_PATH" repodata/repomd.xml
 
 #echo "+ Génération repoview"
 #nom=${PWD#/home/rpmbuild/site/rpms/}
-- 
cgit