From 028cdb9c39bee9202d226acce8d66d6e6479a8d3 Mon Sep 17 00:00:00 2001
From: Igor <igor@armbian.com>
Date: Mon, 23 Jun 2025 17:25:48 +0200
Subject: [PATCH] Repository signing: add support for dual signing (#8320)

* Repository signing: add support for dual signing
---
 tools/repository/repo | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/tools/repository/repo b/tools/repository/repo
index 681b04e05..60cfd6a0a 100755
--- a/tools/repository/repo
+++ b/tools/repository/repo
@@ -134,6 +134,7 @@ publishing(){
 		echo "Publishing $release"
 
 		aptly publish \
+			-skip-signing \
 			-architectures="armhf,arm64,amd64,riscv64,i386,all" \
 			-passphrase="${4}" \
 			-origin="Armbian" \
@@ -154,6 +155,38 @@ showall
 }
 
 
+# Sign repository Release files in the given output folder using provided GPG keys
+# $1: Output folder path
+# $@: GPG key IDs to use for signing
+signing() {
+    local output_folder="$1"
+    shift
+    local gpg_keys=("$@")
+
+    if [[ ${#gpg_keys[@]} -eq 0 ]]; then
+        echo "No GPG keys provided for signing." >&2
+        return 1
+    fi
+
+    local gpg_params=("--yes" "--armor")
+    for key in "${gpg_keys[@]}"; do
+        if ! gpg --list-secret-keys "$key" >/dev/null 2>&1; then
+            echo "Warning: GPG key $key not found on this system." >&2
+			continue
+        fi
+        gpg_params+=("-u" "$key")
+    done
+
+    find "$output_folder/public/dists" -type f -name Release | while read -r release_file; do
+        local distro_path
+        distro_path="$(dirname "$release_file")"
+        echo "Signing release at: $distro_path" | sudo tee -a "$DEBUGFILE"
+        gpg "${gpg_params[@]}" --clear-sign -o "$distro_path/InRelease" "$release_file"
+        gpg "${gpg_params[@]}" --detach-sign -o "$distro_path/Release.gpg" "$release_file"
+    done
+}
+
+
 #
 # $1: Input folder
 # $2: Output folder
@@ -250,6 +283,8 @@ case $3 in
 		# remove old releases from publishing
 		drop_unsupported_releases "all"
 		publishing "$1" "$2" "$3" "$4" "$5"
+		# use the signing function to sign the repository
+		signing "$2" "DF00FAF1C577104B50BF1D0093D6889F9F0E78D5" "8CFA83D13EB2181EEF5843E41EB30FAF236099FE"
 		;;
 
 	*)
@@ -285,6 +320,7 @@ Usage: $0 [ -short | --long ]
 -c --command
 
           [show] displays packages in each repository
+          [sign] sign repository
           [html] displays packages in each repository in html form
           [serve] serve repository - useful for local diagnostics
           [unique] manually select which package should be removed from all repositories