73 lines
2.1 KiB
Bash
73 lines
2.1 KiB
Bash
|
#!/usr/bin/env bash
|
||
|
set -eof pipefail
|
||
|
|
||
|
# Checks -----------------------------------------------------------------------
|
||
|
|
||
|
if [[ $(uname) != 'Linux' ]]; then
|
||
|
echo 'This only works on Linux.' >&2
|
||
|
exit 1
|
||
|
fi
|
||
|
if [[ $# -lt 1 ]]; then
|
||
|
echo 'sign-linux-tarball.sh <file_to_sign>' >&2
|
||
|
exit 1
|
||
|
fi
|
||
|
if [[ -z "${LINUX_GPG_PRIVATE_KEY_FILE}" ]]; then
|
||
|
echo "Unable to import GPG key file if LINUX_GPG_PRIVATE_KEY_FILE is not set!" >&2
|
||
|
exit 1
|
||
|
fi
|
||
|
if [[ -z "${LINUX_GPG_PRIVATE_KEY_PASS}" ]]; then
|
||
|
echo "Unable to import GPG key file if LINUX_GPG_PRIVATE_KEY_PASS is not set!" >&2
|
||
|
exit 1
|
||
|
fi
|
||
|
if [[ ! -f "${LINUX_GPG_PRIVATE_KEY_FILE}" ]]; then
|
||
|
echo "No such file exists: ${LINUX_GPG_PRIVATE_KEY_FILE}" >&2
|
||
|
exit 1
|
||
|
fi
|
||
|
|
||
|
# Signing ----------------------------------------------------------------------
|
||
|
|
||
|
function clean_up {
|
||
|
STATUS=$?
|
||
|
if [[ "${STATUS}" -ne 0 ]]; then
|
||
|
echo -e "\n###### ERROR: See above for details."
|
||
|
fi
|
||
|
set +e
|
||
|
|
||
|
echo -e "\n### Removing Temporary Keyring..."
|
||
|
rm -frv "${GNUPGHOME}"
|
||
|
exit $STATUS
|
||
|
}
|
||
|
|
||
|
# First and only argument is the file to create signature for
|
||
|
TARGET="${1}"
|
||
|
|
||
|
# Use a temporary GPG home and for the keyring.
|
||
|
export GNUPGHOME=$(mktemp -d $HOME/.gnupg.tmp.XXXXXX)
|
||
|
# Remove the GPG home along with the keyring regardless of how script exits.
|
||
|
trap clean_up EXIT
|
||
|
|
||
|
# Fix for 'gpg: signing failed: Inappropriate ioctl for device' in Docker
|
||
|
echo 'allow-loopback-pinentry' > "${GNUPGHOME}/gpg-agent.conf"
|
||
|
echo 'pinentry-mode loopback' > "${GNUPGHOME}/gpg.conf"
|
||
|
|
||
|
# Import the GPG key file into the temporary keyring.
|
||
|
echo -e "\n### Importing GPG private key..."
|
||
|
gpg2 --batch --yes --passphrase-fd 0 \
|
||
|
--import "${LINUX_GPG_PRIVATE_KEY_FILE}" \
|
||
|
<<< "${LINUX_GPG_PRIVATE_KEY_PASS}"
|
||
|
|
||
|
# Trust all immported keys ultimately.
|
||
|
gpg2 --list-secret-keys --with-colons \
|
||
|
| awk -F: '/fpr/{printf "%s:6:\n", $10}' \
|
||
|
| gpg2 --import-ownertrust --batch
|
||
|
|
||
|
echo -e "\n### Signing target..."
|
||
|
gpg2 --batch --yes --passphrase-fd 0 --verbose \
|
||
|
--armor --detach-sign "${TARGET}" \
|
||
|
<<< "${LINUX_GPG_PRIVATE_KEY_PASS}"
|
||
|
|
||
|
echo -e "\n### Verifying signature..."
|
||
|
gpg2 --batch --verify "${TARGET}.asc" "${TARGET}"
|
||
|
|
||
|
echo -e "\n### DONE"
|