[Git][ftp-team/dak][master] add script to merge multiple PGP signature blocks

Ansgar pushed to branch master at Debian FTP Team / dak

Commits:

1bc66206

by Ansgar Burchardt at 2019-09-06T22:20:53Z

add script to merge multiple PGP signature blocks

2 changed files:

config/debian/pointrelease
+ scripts/debian/gpg-merge-signatures

Changes:

config/debian/pointrelease

@@ -387,19 +387,32 @@ log "Release file generated, waiting for RMs checking and (hopefully) signing"
  merge-release-signatures() {
      local archiveroot="${1}"
      local s="${2}"
 -    local releasefile="${3}"
 -    rm -f ${archiveroot}/dists/${s}/InRelease ${archiveroot}/zzz-dists/${s}/InRelease
 +    local oursignature="${3}"
 +    local ourmessage="${4}"
 +    local releasefile="${5}"
++
 +    echo "==== Processing ${s}/${oursignature}..."
++
 +    # backup ${oursignature} before we modify it...
 +    cp --no-clobber ${archiveroot}/zzz-dists/${s}/${oursignature} ~/${suitename}_${newrev}/${oursignature}
++
      cd ~/${suitename}_${newrev}
      while ! ${wget} -O "${releasefile}" "${release_base}/${releasefile}"; do
          sleep 10
      done
 -    cd ${archiveroot}/dists/${s}
 -    cat ~/${suitename}_${newrev}/${releasefile} >> Release.gpg
 -    gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --trust-model=always --verify Release.gpg Release
 +    ${scriptsdir}/gpg-merge-signatures "${oursignature}" "${releasefile}" > ${archiveroot}/dists/${s}/${oursignature}
++
 +    gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --trust-model=always --verify ${oursignature} ${ourmessage}
+ }
 -merge-release-signatures $(get_archiveroot ftp-master) ${suite} Release-${newrev}.gpg
 -merge-release-signatures $(get_archiveroot debian-debug) ${suite}-debug Release-${newrev}-debug.gpg
 +merge-release-signatures $(get_archiveroot ftp-master) ${suite} Release.gpg Release Release-${newrev}.gpg
 +merge-release-signatures $(get_archiveroot debian-debug) ${suite}-debug Release.gpg Release Release-${newrev}-debug.gpg
 +if [ "${suitename}" = stretch ]; then
 +    rm -f ${archiveroot}/dists/${suite}/InRelease ${archiveroot}/zzz-dists/${suite}/InRelease
 +else
 +    merge-release-signatures $(get_archiveroot ftp-master) ${suite} InRelease "" InRelease-${newrev}.gpg
 +    merge-release-signatures $(get_archiveroot debian-debug) ${suite}-debug InRelease "" InRelease-${newrev}-debug.gpg
 +fi
  echo "Done. Is a mirrorpush needed? Or just one to the cd-builder?"
  read -e -p "Mirrorpush? no/cd/yes " -i "cd" mirrorpush

scripts/debian/gpg-merge-signatures

 +#!/bin/bash
 +#
 +# Copyright (C) 2019, Ansgar Burchardt <ansgar@debian.org>
 +# License: GPL-2+
 +#
 +# This program is free software; you can redistribute it and/or modify
 +# it under the terms of the GNU General Public License as published by
 +# the Free Software Foundation; either version 2 of the License, or
 +# (at your option) any later version.
 +#
 +# This program is distributed in the hope that it will be useful,
 +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 +# GNU General Public License for more details.
 +#
 +# You should have received a copy of the GNU General Public License
 +# along with this program.  If not, see <https://www.gnu.org/licenses/>.
++
 +set -eu
 +set -o pipefail
++
 +if [ $# -le 1 ]; then
 +    echo >&2 "usage: $0 <files...>"
 +    echo >&2
 +    echo >&2 "merge multiple (cleartext or detached) signatures into one"
 +    exit 0
 +fi
++
 +sed '/^-----BEGIN PGP SIGNATURE-----/ Q' "${1}"
++
 +sed -sn '/^-----BEGIN PGP SIGNATURE-----/,$ p' "${@}" |
 +    gpg --dearmor - |
 +    gpg --enarmor - |
 +    sed 's/^-----\(.*\) PGP ARMORED FILE-----/-----\1 PGP SIGNATURE-----/; /^Comment:/ d'