Repository signing: add support for dual signing (#8320)

* Repository signing: add support for dual signing
2025-06-23 17:25:48 +02:00 · 2025-06-23 17:25:48 +02:00 · 028cdb9c39
parent c9835d6aa3
commit 028cdb9c39
1 changed files with 36 additions and 0 deletions
--- a/tools/repository/repo
+++ b/tools/repository/repo
@ -134,6 +134,7 @@ publishing(){
 		echo "Publishing $release"

 		aptly publish \
+			-skip-signing \
 			-architectures="armhf,arm64,amd64,riscv64,i386,all" \
 			-passphrase="${4}" \
 			-origin="Armbian" \
@ -154,6 +155,38 @@ showall
 }


+# Sign repository Release files in the given output folder using provided GPG keys
+# $1: Output folder path
+# $@: GPG key IDs to use for signing
+signing() {
+    local output_folder="$1"
+    shift
+    local gpg_keys=("$@")
+
+    if [[ ${#gpg_keys[@]} -eq 0 ]]; then
+        echo "No GPG keys provided for signing." >&2
+        return 1
+    fi
+
+    local gpg_params=("--yes" "--armor")
+    for key in "${gpg_keys[@]}"; do
+        if ! gpg --list-secret-keys "$key" >/dev/null 2>&1; then
+            echo "Warning: GPG key $key not found on this system." >&2
+			continue
+        fi
+        gpg_params+=("-u" "$key")
+    done
+
+    find "$output_folder/public/dists" -type f -name Release | while read -r release_file; do
+        local distro_path
+        distro_path="$(dirname "$release_file")"
+        echo "Signing release at: $distro_path" | sudo tee -a "$DEBUGFILE"
+        gpg "${gpg_params[@]}" --clear-sign -o "$distro_path/InRelease" "$release_file"
+        gpg "${gpg_params[@]}" --detach-sign -o "$distro_path/Release.gpg" "$release_file"
+    done
+}
+
+
 #
 # $1: Input folder
 # $2: Output folder
@ -250,6 +283,8 @@ case $3 in
 		# remove old releases from publishing
 		drop_unsupported_releases "all"
 		publishing "$1" "$2" "$3" "$4" "$5"
+		# use the signing function to sign the repository
+		signing "$2" "DF00FAF1C577104B50BF1D0093D6889F9F0E78D5" "8CFA83D13EB2181EEF5843E41EB30FAF236099FE"
 		;;

 	*)
@ -285,6 +320,7 @@ Usage: $0 [ -short | --long ]
 -c --command

          [show] displays packages in each repository
+          [sign] sign repository
          [html] displays packages in each repository in html form
          [serve] serve repository - useful for local diagnostics
          [unique] manually select which package should be removed from all repositories