qiurui
/
armbian-build
mirror of https://github.com/armbian/build.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Repository signing: add support for dual signing (#8320) 

* Repository signing: add support for dual signing
This commit is contained in:
Igor 2025-06-23 17:25:48 +02:00 committed by GitHub
parent c9835d6aa3
commit 028cdb9c39
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 36 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
tools/repository/repo
View File

@ -134,6 +134,7 @@ publishing(){
echo "Publishing $release" echo "Publishing $release"
aptly publish \ aptly publish \
-skip-signing \
-architectures="armhf,arm64,amd64,riscv64,i386,all" \ -architectures="armhf,arm64,amd64,riscv64,i386,all" \
-passphrase="${4}" \ -passphrase="${4}" \
-origin="Armbian" \ -origin="Armbian" \
@ -154,6 +155,38 @@ showall
} }
# Sign repository Release files in the given output folder using provided GPG keys
# $1: Output folder path
# $@: GPG key IDs to use for signing
signing() {
local output_folder="$1"
shift
local gpg_keys=("$@")
if [[ ${#gpg_keys[@]} -eq 0 ]]; then
echo "No GPG keys provided for signing." >&2
return 1
fi
local gpg_params=("--yes" "--armor")
for key in "${gpg_keys[@]}"; do
if ! gpg --list-secret-keys "$key" >/dev/null 2>&1; then
echo "Warning: GPG key $key not found on this system." >&2
continue
fi
gpg_params+=("-u" "$key")
done
find "$output_folder/public/dists" -type f -name Release | while read -r release_file; do
local distro_path
distro_path="$(dirname "$release_file")"
echo "Signing release at: $distro_path" | sudo tee -a "$DEBUGFILE"
gpg "${gpg_params[@]}" --clear-sign -o "$distro_path/InRelease" "$release_file"
gpg "${gpg_params[@]}" --detach-sign -o "$distro_path/Release.gpg" "$release_file"
done
}
# #
# $1: Input folder # $1: Input folder
# $2: Output folder # $2: Output folder
@ -250,6 +283,8 @@ case $3 in
# remove old releases from publishing # remove old releases from publishing
drop_unsupported_releases "all" drop_unsupported_releases "all"
publishing "$1" "$2" "$3" "$4" "$5" publishing "$1" "$2" "$3" "$4" "$5"
# use the signing function to sign the repository
signing "$2" "DF00FAF1C577104B50BF1D0093D6889F9F0E78D5" "8CFA83D13EB2181EEF5843E41EB30FAF236099FE"
;; ;;
*) *)
@ -285,6 +320,7 @@ Usage: $0 [ -short | --long ]
-c --command -c --command
[show] displays packages in each repository [show] displays packages in each repository
[sign] sign repository
[html] displays packages in each repository in html form [html] displays packages in each repository in html form
[serve] serve repository - useful for local diagnostics [serve] serve repository - useful for local diagnostics
[unique] manually select which package should be removed from all repositories [unique] manually select which package should be removed from all repositories