mirror of
https://github.com/status-im/status-desktop.git
synced 2025-01-15 00:55:22 +00:00
Jakub Sokołowski
2df6def7f9
Adds `scripts/sign-linux-file.sh` which expectes the following variables set: * `LINUX_GPG_PRIVATE_KEY_FILE` - Path to the GPG export of private key. * `LINUX_GPG_PRIVATE_KEY_PASS` - Password necessary to use the private key. Given a file it creates a file with a `.asc` suffix containing the signature: ``` > wget -q https://status-im-prs.ams3.digitaloceanspaces.com/StatusIm-210809-104514-156806-pr.tar.gz > tar xvf StatusIm-210809-104514-156806-pr.tar.gz StatusIm-210809-104514-156806-pr.AppImage StatusIm-210809-104514-156806-pr.AppImage.asc > gpg --verify StatusIm-210809-104514-156806-pr.AppImage.asc gpg: assuming signed data in 'StatusIm-210809-104514-156806-pr.AppImage' gpg: Signature made Mon 09 Aug 2021 12:54:49 PM CEST using RSA key ID E20B4DFD gpg: Good signature from "Status.im Devel Signing (GPG key for signing Status.im development builds.) <devel@status.im>" [ultimate] Primary key fingerprint: BBF0 5F92 536B ED19 30A9 FD44 009F B3BF E20B 4DFD ``` Issue: https://github.com/status-im/infra-ci/issues/25 Requires: https://github.com/status-im/status-jenkins-lib/pull/32 Signed-off-by: Jakub Sokołowski <jakub@status.im>
73 lines
2.1 KiB
Bash
Executable File
73 lines
2.1 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -eof pipefail
|
|
|
|
# Checks -----------------------------------------------------------------------
|
|
|
|
if [[ $(uname) != 'Linux' ]]; then
|
|
echo 'This only works on Linux.' >&2
|
|
exit 1
|
|
fi
|
|
if [[ $# -lt 1 ]]; then
|
|
echo 'sign-linux-tarball.sh <file_to_sign>' >&2
|
|
exit 1
|
|
fi
|
|
if [[ -z "${LINUX_GPG_PRIVATE_KEY_FILE}" ]]; then
|
|
echo "Unable to import GPG key file if LINUX_GPG_PRIVATE_KEY_FILE is not set!" >&2
|
|
exit 1
|
|
fi
|
|
if [[ -z "${LINUX_GPG_PRIVATE_KEY_PASS}" ]]; then
|
|
echo "Unable to import GPG key file if LINUX_GPG_PRIVATE_KEY_PASS is not set!" >&2
|
|
exit 1
|
|
fi
|
|
if [[ ! -f "${LINUX_GPG_PRIVATE_KEY_FILE}" ]]; then
|
|
echo "No such file exists: ${LINUX_GPG_PRIVATE_KEY_FILE}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
# Signing ----------------------------------------------------------------------
|
|
|
|
function clean_up {
|
|
STATUS=$?
|
|
if [[ "${STATUS}" -ne 0 ]]; then
|
|
echo -e "\n###### ERROR: See above for details."
|
|
fi
|
|
set +e
|
|
|
|
echo -e "\n### Removing Temporary Keyring..."
|
|
rm -frv "${GNUPGHOME}"
|
|
exit $STATUS
|
|
}
|
|
|
|
# First and only argument is the file to create signature for
|
|
TARGET="${1}"
|
|
|
|
# Use a temporary GPG home and for the keyring.
|
|
export GNUPGHOME=$(mktemp -d $HOME/.gnupg.tmp.XXXXXX)
|
|
# Remove the GPG home along with the keyring regardless of how script exits.
|
|
trap clean_up EXIT
|
|
|
|
# Fix for 'gpg: signing failed: Inappropriate ioctl for device' in Docker
|
|
echo 'allow-loopback-pinentry' > "${GNUPGHOME}/gpg-agent.conf"
|
|
echo 'pinentry-mode loopback' > "${GNUPGHOME}/gpg.conf"
|
|
|
|
# Import the GPG key file into the temporary keyring.
|
|
echo -e "\n### Importing GPG private key..."
|
|
gpg2 --batch --yes --passphrase-fd 0 \
|
|
--import "${LINUX_GPG_PRIVATE_KEY_FILE}" \
|
|
<<< "${LINUX_GPG_PRIVATE_KEY_PASS}"
|
|
|
|
# Trust all immported keys ultimately.
|
|
gpg2 --list-secret-keys --with-colons \
|
|
| awk -F: '/fpr/{printf "%s:6:\n", $10}' \
|
|
| gpg2 --import-ownertrust --batch
|
|
|
|
echo -e "\n### Signing target..."
|
|
gpg2 --batch --yes --passphrase-fd 0 --verbose \
|
|
--armor --detach-sign "${TARGET}" \
|
|
<<< "${LINUX_GPG_PRIVATE_KEY_PASS}"
|
|
|
|
echo -e "\n### Verifying signature..."
|
|
gpg2 --batch --verify "${TARGET}.asc" "${TARGET}"
|
|
|
|
echo -e "\n### DONE"
|