Merge lp:~cjwatson/ubuntu-archive-publishing/sign-parts into lp:ubuntu-archive-publishing

Proposed by Colin Watson
Status: Merged
Merged at revision: 100
Proposed branch: lp:~cjwatson/ubuntu-archive-publishing/sign-parts
Merge into: lp:ubuntu-archive-publishing
Diff against target: 151 lines (+141/-0)
2 files modified
sign.d/10-sign (+116/-0)
sign.d/README.txt (+25/-0)
To merge this branch: bzr merge lp:~cjwatson/ubuntu-archive-publishing/sign-parts
Reviewer: William Grant
Review type: code
Review status: Approve
Review via email: mp+336347@code.launchpad.net

Commit message

Add a new sign.d run-parts directory.

Forthcoming Launchpad changes will make use of this to sign individual
files. At the moment it duplicates publish-distro.d/10-sign-releases, but
once Launchpad makes use of this we can drop that other script.

Description of the change

The motivation for this is that I want to have InRelease available earlier so that I can inject it into by-hash directories, but that's difficult at the moment because it's all entirely out of Launchpad's hands. This gives us a finer-grained interface to signing files, while still preserving the detailed control over keys and signature mechanisms that we want for the primary archive.

William Grant (wgrant) :
review: Approve (code)
100. By Colin Watson

Make check for InRelease files more precise.

101. By Colin Watson

Fix variable names to match documentation.

102. By Colin Watson

Explain oddity in is_inrelease.

Preview Diff

1=== added directory 'sign.d'
2=== added file 'sign.d/10-sign'
3--- sign.d/10-sign 1970-01-01 00:00:00 +0000
4+++ sign.d/10-sign 2018-03-20 22:39:54 +0000
5@@ -0,0 +1,116 @@
6+#! /bin/sh
7+set -e
8+
9+# The calling script may set GNUPGHOME to a value set up by Launchpad's
10+# script machinery. In production, we have a dedicated directory set up
11+# for this.
12+export GNUPGHOME="$ARCHIVEROOT/../gnupg-home"
13+
14+if ! test -d "$GNUPGHOME"
15+then
16+ echo "There is no $GNUPGHOME; not signing files."
17+ exit 0
18+fi
19+
20+# Return additional GPG options to be used when signing files for a given
21+# series.
22+gpg_opts () {
23+ local series
24+ series="${SUITE%%-*}"
25+ case $LPCONFIG in
26+ ftpmaster-publish)
27+ case "$series:$1" in
28+ # Use single-signature 1024 key SHA1 for old releases
29+ warty:*|hoary:*|breezy:*|dapper:*|edgy:*|feisty:*|gutsy:*|hardy:*|intrepid:*|jaunty:*|karmic:*|lucid:*|maverick:*|natty:*|oneiric:*|precise:*)
30+ printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 --digest-algo SHA1"
31+ ;;
32+ # Use single-signature 1024 key SHA1 for upgrades from distributions with 1k key only
33+ quantal:*/dist-upgrader*|raring:*/dist-upgrader*|saucy:*/dist-upgrader*|trusty:*/dist-upgrader*)
34+ printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 --digest-algo SHA1"
35+ ;;
36+ # Use single-signature 4096 key SHA512 for upgrades from distributions with 4k present
37+ utopic:*/dist-upgrader*|vivid:*/dist-upgrader*|wily:*/dist-upgrader*|xenial:*/dist-upgrader*|yakkety:*/dist-upgrader*)
38+ printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
39+ ;;
40+ # Use dual-signatures 1024 & 4096 keys SHA512 for the archive, for a transitioning period, to allow e.g. precise .0 to bootstrap any of these
41+ quantal:*|raring:*|saucy:*|trusty:*|utopic:*|vivid:*|wily:*|xenial:*|yakkety:*)
42+ printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 -u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
43+ ;;
44+ *)
45+ # Use single-signature 4096 key SHA512 for zesty and up, including dist-upgrade tarballs
46+ printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
47+ ;;
48+ esac
49+ ;;
50+ derived-distro-publish)
51+ case $DISTRIBUTION in
52+ ubuntu-rtm)
53+ printf '%s\n' "-u 5810338B"
54+ ;;
55+ esac
56+ ;;
57+ dogfood-publish)
58+ case $DISTRIBUTION in
59+ ubuntu-rtm)
60+ printf '%s\n' "-u 272AD8D5"
61+ ;;
62+ esac
63+ ;;
64+ esac
65+}
66+
67+# True if the given path refers to an InRelease file.
68+is_inrelease () {
69+ # Launchpad signs files as .new and then moves them into place.
70+ local path="${1%.new}"
71+ [ "${path%/InRelease}" != "$path" ]
72+}
73+
74+need_inrelease () {
75+ local series
76+ series="${SUITE%%-*}"
77+ case $series in
78+ warty|hoary|breezy|dapper|edgy|feisty|gutsy|hardy|intrepid|jaunty|karmic|lucid|maverick|natty|oneiric|quantal|raring|saucy|utopic)
79+ # Skip all suites from before InRelease was implemented in
80+ # Ubuntu.
81+ return 1
82+ ;;
83+ precise|trusty)
84+ case $SUITE in
85+ precise|trusty)
86+ # Skip LTS release pockets for the moment, because
87+ # it will cause apt to redownload the world.
88+ return 1
89+ ;;
90+ *)
91+ return 0
92+ ;;
93+ esac
94+ ;;
95+ *)
96+ return 0
97+ ;;
98+ esac
99+}
100+
101+case $MODE in
102+ detached)
103+ opts="$(gpg_opts "$INPUT_PATH")"
104+ echo "$(date -R): (re-)signing $INPUT_PATH as $OUTPUT_PATH ($opts)"
105+ gpg --yes --detach-sign --armor -o "$OUTPUT_PATH" \
106+ --sign --no-permission-warning $opts "$INPUT_PATH"
107+ ;;
108+ clear)
109+ if is_inrelease "$OUTPUT_PATH" && ! need_inrelease; then
110+ exit 0
111+ fi
112+ opts="$(gpg_opts "$INPUT_PATH")"
113+ echo "$(date -R): (re-)signing $INPUT_PATH as $OUTPUT_PATH ($opts)"
114+ gpg --yes --clearsign --armor -o "$OUTPUT_PATH" \
115+ --no-permission-warning $opts "$INPUT_PATH"
116+ ;;
117+ *)
118+ echo "unknown MODE: $MODE" >&2
119+ exit 1
120+ ;;
121+esac
122
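Review bot: At the top of 10-sign, the comment says the calling script may set GNUPGHOME, but `export GNUPGHOME="$ARCHIVEROOT/../gnupg-home"` overwrites any inherited value unconditionally, and the `test -d` branch that follows exits 0 when the directory is missing. The script sets `-e` but not `-u`, so with ARCHIVEROOT unset the path becomes /../gnupg-home and a misconfigured caller gets a success status with no signature written. Either honour a caller-supplied GNUPGHOME or reword the comment, and consider a distinct non-zero exit (or requiring ARCHIVEROOT to be set) so the caller cannot mistake a skipped file for a signed one. Two smaller points in gpg_opts: the derived-distro-publish and dogfood-publish branches select keys by 8-digit short IDs (`-u 5810338B`, `-u 272AD8D5`) while ftpmaster-publish uses full fingerprints, and short IDs are not unique, so full fingerprints would be safer there as well; and any LPCONFIG or DISTRIBUTION that matches no branch prints nothing, which leaves gpg to pick its default key silently rather than failing.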
123=== added file 'sign.d/README.txt'
124--- sign.d/README.txt 1970-01-01 00:00:00 +0000
125+++ sign.d/README.txt 2018-03-20 22:39:54 +0000
126@@ -0,0 +1,25 @@
127+Put scripts here that should be run to sign files. They will be executed
128+through the run-parts command, in alphabetical order.
129+
130+The scripts' filenames must consist entirely of ASCII letters (both upper and
131+lower case allowed), digits, underscores, and hyphens. All other files,
132+including this text file, are ignored.
133+
134+Scripts in this directory will be run for each file that is a candidate for
135+signing, including Release files.
136+
137+The following variables will be set for the script:
138+
139+INPUT_PATH - the path to the cleartext file to be signed
140+
141+OUTPUT_PATH - the path where the signature should be written
142+
143+MODE - either "detached" for a detached signature, or "clear" for a
144+cleartext signature
145+
146+DISTRIBUTION - the distribution name
147+
148+SUITE - the suite name
149+
150+The script's PATH will be extended with the Launchpad source tree's
151+cronscripts/publishing directory.
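Review bot: The variable list in README.txt omits ARCHIVEROOT and LPCONFIG, both of which sign.d/10-sign reads (for GNUPGHOME and for key selection in gpg_opts), so the documented interface is narrower than what the shipped script depends on. List them, or state that they are inherited from the publisher's environment. The README should also define the exit-status contract: 10-sign exits 0 without writing OUTPUT_PATH when it skips an InRelease file or finds no GNUPGHOME directory, so the text ought to say that a zero exit does not guarantee OUTPUT_PATH exists and how a caller should treat that case.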
