From 028cdb9c39bee9202d226acce8d66d6e6479a8d3 Mon Sep 17 00:00:00 2001
From: Igor
Date: Mon, 23 Jun 2025 17:25:48 +0200
Subject: [PATCH] Repository signing: add support for dual signing (#8320)

* Repository signing: add support for dual signing
---
 tools/repository/repo | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/tools/repository/repo b/tools/repository/repo
index 681b04e05..60cfd6a0a 100755
--- a/tools/repository/repo
+++ b/tools/repository/repo
@@ -134,6 +134,7 @@ publishing(){
 echo "Publishing $release"
 aptly publish \
+ -skip-signing \
 -architectures="armhf,arm64,amd64,riscv64,i386,all" \
 -passphrase="${4}" \
 -origin="Armbian" \
@@ -154,6 +155,38 @@ showall
 }
+# Sign repository Release files in the given output folder using provided GPG keys
+# $1: Output folder path
+# $@: GPG key IDs to use for signing
+signing() {
+ local output_folder="$1"
+ shift
+ local gpg_keys=("$@")
+
+ if [[ ${#gpg_keys[@]} -eq 0 ]]; then
+ echo "No GPG keys provided for signing." >&2
+ return 1
+ fi
+
+ local gpg_params=("--yes" "--armor")
+ for key in "${gpg_keys[@]}"; do
+ if ! gpg --list-secret-keys "$key" >/dev/null 2>&1; then
+ echo "Warning: GPG key $key not found on this system." >&2
+ continue
+ fi
+ gpg_params+=("-u" "$key")
+ done
+
+ find "$output_folder/public/dists" -type f -name Release | while read -r release_file; do
+ local distro_path
+ distro_path="$(dirname "$release_file")"
+ echo "Signing release at: $distro_path" | sudo tee -a "$DEBUGFILE"
+ gpg "${gpg_params[@]}" --clear-sign -o "$distro_path/InRelease" "$release_file"
+ gpg "${gpg_params[@]}" --detach-sign -o "$distro_path/Release.gpg" "$release_file"
+ done
+}
+
+
+
 #
 # $1: Input folder
 # $2: Output folder
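Review bot: With `-skip-signing` now passed to `aptly publish`, the `-passphrase="${4}"` option on the following context line is presumably ignored by aptly, yet the passphrase still travels on the command line where any local user can read it from a process listing. If `$4` is no longer consumed by this step, drop `-passphrase="${4}" \` from the call and document that the later gpg-based step relies on the agent or keyring to unlock the keys instead. publishing's body continues outside the hunk.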
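Review bot: A missing key is only warned about and skipped in the `for key` loop of `signing`, so with one key absent gpg signs with a single `-u`, and with both absent `gpg_params` carries no `-u` at all and gpg falls back to whatever default secret key the host has — dual signing silently degrades and the function still returns 0. Failures of the two `gpg` calls are also lost, because the `find | while` pipeline runs the loop in a subshell and only the status of the last command in the last iteration reaches the caller, so a partially signed `dists/` tree can be reported as success. The rewrite below refuses to proceed when none of the requested keys is available, propagates gpg failures with `|| return 1`, and feeds `find -print0` into the loop through process substitution so no subshell hides the status (`key`, `release_file` and `distro_path` become locals). If skipping an absent key is intended for transitional hosts, the warning branch can stay, but the zero-keys case should still be fatal.
```shell
signing() {
	# … unchanged: argument handling and empty-key check …
	local gpg_params=("--yes" "--armor")
	local key keys_added=0
	for key in "${gpg_keys[@]}"; do
		if ! gpg --list-secret-keys "$key" >/dev/null 2>&1; then
			echo "Warning: GPG key $key not found on this system." >&2
			continue
		fi
		gpg_params+=("-u" "$key")
		keys_added=$((keys_added + 1))
	done
	if [[ $keys_added -eq 0 ]]; then
		echo "None of the requested GPG keys are available; refusing to sign with the default key." >&2
		return 1
	fi

	local release_file distro_path
	while IFS= read -r -d '' release_file; do
		distro_path="$(dirname "$release_file")"
		echo "Signing release at: $distro_path" | sudo tee -a "$DEBUGFILE"
		gpg "${gpg_params[@]}" --clear-sign -o "$distro_path/InRelease" "$release_file" || return 1
		gpg "${gpg_params[@]}" --detach-sign -o "$distro_path/Release.gpg" "$release_file" || return 1
	done < <(find "$output_folder/public/dists" -type f -name Release -print0)
}
```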
@@ -250,6 +283,8 @@ case $3 in
 # remove old releases from publishing
 drop_unsupported_releases "all"
 publishing "$1" "$2" "$3" "$4" "$5"
+ # use the signing function to sign the repository
+ signing "$2" "DF00FAF1C577104B50BF1D0093D6889F9F0E78D5" "8CFA83D13EB2181EEF5843E41EB30FAF236099FE"
 ;;
 *)
@@ -285,6 +320,7 @@ Usage: $0 [ -short | --long ] -c --command
 [show] displays packages in each repository
+ [sign] sign repository
 [html] displays packages in each repository in html form
 [serve] serve repository - useful for local diagnostics
 [unique] manually select which package should be removed from all repositories
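Review bot: The return status of the new `signing "$2" …` line is discarded, and because `publishing` now runs `aptly publish -skip-signing` the repository is already published by the time this line executes; if `signing` fails (no usable key, a gpg error) the published `dists/` tree has no `InRelease`/`Release.gpg` and apt clients will reject it as unsigned. Unless `set -e` is in effect elsewhere in the script (not visible here), guard the call: `signing "$2" "DF00FAF1C577104B50BF1D0093D6889F9F0E78D5" "8CFA83D13EB2181EEF5843E41EB30FAF236099FE" || { echo "Repository signing failed" >&2; exit 1; }`. The two fingerprints are also hard-coded at the call site; a named array near the top of the script (e.g. `SIGNING_KEYS=(…)`) would keep them in one place and make key rotation a one-line change. The usage text in the last hunk advertises a `[sign]` command, but no `sign)` case arm appears in this patch, so either the arm exists outside these hunks or the usage line describes a command that cannot be invoked.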