status-desktop/scripts/sign-linux-file.sh
Jakub Sokołowski 2df6def7f9 ci: add scripts/sign-linux-tarball.sh for GPG signing
Adds `scripts/sign-linux-file.sh` which expects the following variables set:

* `LINUX_GPG_PRIVATE_KEY_FILE` - Path to the GPG export of private key.
* `LINUX_GPG_PRIVATE_KEY_PASS` - Password necessary to use the private key.

Given a file it creates a file with a `.asc` suffix containing the signature:
```
 > wget -q https://status-im-prs.ams3.digitaloceanspaces.com/StatusIm-210809-104514-156806-pr.tar.gz

 > tar xvf StatusIm-210809-104514-156806-pr.tar.gz
StatusIm-210809-104514-156806-pr.AppImage
StatusIm-210809-104514-156806-pr.AppImage.asc

 > gpg --verify StatusIm-210809-104514-156806-pr.AppImage.asc
gpg: assuming signed data in 'StatusIm-210809-104514-156806-pr.AppImage'
gpg: Signature made Mon 09 Aug 2021 12:54:49 PM CEST using RSA key ID E20B4DFD
gpg: Good signature from "Status.im Devel Signing (GPG key for signing Status.im development builds.) <devel@status.im>" [ultimate]
Primary key fingerprint: BBF0 5F92 536B ED19 30A9  FD44 009F B3BF E20B 4DFD
```

Issue: https://github.com/status-im/infra-ci/issues/25
Requires: https://github.com/status-im/status-jenkins-lib/pull/32

Signed-off-by: Jakub Sokołowski <jakub@status.im>
2021-08-16 11:21:36 -04:00


#!/usr/bin/env bash
set -eof pipefail

# Checks -----------------------------------------------------------------------

if [[ $(uname) != 'Linux' ]]; then
    echo 'This only works on Linux.' >&2
    exit 1
fi

if [[ $# -lt 1 ]]; then
    # Report the script's own name rather than a hard-coded one.
    echo "${0##*/} <file_to_sign>" >&2
    exit 1
fi

if [[ -z "${LINUX_GPG_PRIVATE_KEY_FILE}" ]]; then
    echo "Unable to import GPG key file if LINUX_GPG_PRIVATE_KEY_FILE is not set!" >&2
    exit 1
fi

if [[ -z "${LINUX_GPG_PRIVATE_KEY_PASS}" ]]; then
    echo "Unable to import GPG key file if LINUX_GPG_PRIVATE_KEY_PASS is not set!" >&2
    exit 1
fi

if [[ ! -f "${LINUX_GPG_PRIVATE_KEY_FILE}" ]]; then
    echo "No such file exists: ${LINUX_GPG_PRIVATE_KEY_FILE}" >&2
    exit 1
fi

# Signing ----------------------------------------------------------------------

function clean_up {
    STATUS=$?
    if [[ "${STATUS}" -ne 0 ]]; then
        echo -e "\n###### ERROR: See above for details." >&2
    fi
    set +e
    echo -e "\n### Removing Temporary Keyring..."
    rm -frv "${GNUPGHOME}"
    exit $STATUS
}

# First and only argument is the file to create signature for.
TARGET="${1}"

# Use a temporary GPG home directory for the keyring.
export GNUPGHOME=$(mktemp -d "${HOME}/.gnupg.tmp.XXXXXX")

# Remove the GPG home along with the keyring regardless of how script exits.
trap clean_up EXIT

# Fix for 'gpg: signing failed: Inappropriate ioctl for device' in Docker.
echo 'allow-loopback-pinentry' > "${GNUPGHOME}/gpg-agent.conf"
echo 'pinentry-mode loopback' > "${GNUPGHOME}/gpg.conf"

# Import the GPG key file into the temporary keyring.
echo -e "\n### Importing GPG private key..."
gpg2 --batch --yes --passphrase-fd 0 \
    --import "${LINUX_GPG_PRIVATE_KEY_FILE}" \
    <<< "${LINUX_GPG_PRIVATE_KEY_PASS}"

# Trust all imported keys ultimately.
gpg2 --list-secret-keys --with-colons \
    | awk -F: '/fpr/{printf "%s:6:\n", $10}' \
    | gpg2 --import-ownertrust --batch

echo -e "\n### Signing target..."
gpg2 --batch --yes --passphrase-fd 0 --verbose \
    --armor --detach-sign "${TARGET}" \
    <<< "${LINUX_GPG_PRIVATE_KEY_PASS}"

echo -e "\n### Verifying signature..."
gpg2 --batch --verify "${TARGET}.asc" "${TARGET}"

echo -e "\n### DONE"
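The script above only checks its own output, and the `gpg --verify` run in the commit message reports "Good signature" because the key is marked `[ultimate]` in that keyring. On the consumer side that is not enough: a "Good signature" from any key in the keyring passes, and the GOODSIG line only carries a key ID, which is not unique. The added example below (not part of status-desktop or of the signing script) reads gpg's machine-readable `--status-fd` output and accepts a signature only if the VALIDSIG line names a pinned fingerprint, using the fingerprint shown in the commit message. The `gpg2` binary name follows the script; the sample status lines are constructed, not captured from a real run; the VALIDSIG field layout is the one documented in GnuPG's `doc/DETAILS`.

```shell
#!/usr/bin/env bash
# Added example, not part of status-desktop: verify a detached .asc signature
# against a pinned signing-key fingerprint rather than trusting "Good signature".
set -e

# Primary key fingerprint from the gpg --verify output in the commit message,
# with the display spaces removed.
PINNED_FPR="BBF05F92536BED1930A9FD44009FB3BFE20B4DFD"

# Constructed sample of gpg --status-fd output (not captured from a real run).
# Key ID and fingerprint match the commit message; timestamp is the same instant.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 009FB3BFE20B4DFD Status.im Devel Signing <devel@status.im>
[GNUPG:] VALIDSIG BBF05F92536BED1930A9FD44009FB3BFE20B4DFD 2021-08-09 1628506489 0 4 0 1 10 01 BBF05F92536BED1930A9FD44009FB3BFE20B4DFD
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# check_validsig <pinned_fpr>
# Reads --status-fd lines on stdin and succeeds only if a VALIDSIG line names
# the pinned fingerprint as the signing key or as that key's primary key.
# GOODSIG is deliberately ignored: it carries only a key ID.
check_validsig() {
    local pinned="$1" line
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <reserved> <pk-algo>
                #          <hash-algo> <sig-class> [<primary-key-fpr>]
                set -- $line
                if [ "$3" = "$pinned" ] || [ "${12:-}" = "$pinned" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# verify_pinned <pubkey.asc> <file.asc> <file>
# Imports only the expected public key into a throwaway keyring, then runs
# gpg2 with status output on fd 1 and hands it to the parser above.
verify_pinned() {
    local pubkey="$1" sig="$2" target="$3" home rc=0
    home="$(mktemp -d)"
    if GNUPGHOME="$home" gpg2 --batch --quiet --import "$pubkey" 2>/dev/null; then
        # Human-readable text on stderr is discarded; only status lines are parsed.
        GNUPGHOME="$home" gpg2 --batch --status-fd 1 --verify "$sig" "$target" 2>/dev/null \
            | check_validsig "$PINNED_FPR" || rc=$?
    else
        rc=1
    fi
    rm -rf "$home"
    return "$rc"
}

# Usage: ./verify-pinned.sh devel-signing.pub Foo.AppImage.asc Foo.AppImage
if [ "$#" -eq 3 ]; then
    if verify_pinned "$1" "$2" "$3"; then
        echo "OK: signature by pinned key ${PINNED_FPR}"
    else
        echo "FAIL: no valid signature by ${PINNED_FPR}" >&2
        exit 1
    fi
fi
```

Importing only the expected public key into a fresh `GNUPGHOME` keeps a stray key in the user's default keyring from producing a misleading "Good signature", and matching on the VALIDSIG primary fingerprint means a later signing subkey under the same primary key is still accepted while any other key is rejected.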