Added Release files signing logic to update-apt-repo.

This commit is contained in:
Fabio Manganiello 2023-09-20 00:03:49 +02:00
parent e3fb0eeb11
commit af4a586014
Signed by untrusted user: blacklight
GPG key ID: D90FBA7F76362774

View file

@ -429,6 +429,10 @@ steps:
from_secret: aws_access_key_id
AWS_SECRET_ACCESS_KEY:
from_secret: aws_secret_access_key
PGP_PUBKEY:
from_secret: apt_pgp_pub_key
PGP_PRIVKEY:
from_secret: apt_pgp_priv_key
when:
branch:
@ -443,7 +447,7 @@ steps:
commands:
- echo "-- Installing dependencies"
- apt update
- apt install -y s3fs dpkg-dev
- apt install -y s3fs dpkg-dev gpg
- echo "-- Mounting the S3 bucket"
- mkdir -p "$BUCKET_MNT"
@ -515,6 +519,22 @@ steps:
add_hashes "$dist_dir" "sha256sum" "SHA256" >> "$release_file"
done
- echo "-- Importing and refreshing PGP key"
- echo "$PGP_PUBKEY" > "$APT_ROOT/pubkey.txt"
- export PGP_KEYID=$(echo "$PGP_PUBKEY" | gpg --with-colons --import-options show-only --import --fingerprint | grep -e '^fpr:' | head -1 | awk -F ':' '{print $(NF - 1)}')
- |
cat <<EOF | gpg --import --armor
$PGP_PRIVKEY
EOF
- echo "-- Signing Release files"
- |
find "$APT_ROOT/dists" -type f -name Release | while read file; do
dirname="$(dirname "$file")"
cat "$file" | gpg -q --default-key "$PGP_KEYID" -abs > "$file.gpg"
cat "$file" | gpg -q --default-key "$PGP_KEYID" -abs --clearsign > "$dirname/InRelease"
done
###
### Updates the pip package upon new releases
###