summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPhil Pennock <pdp@exim.org>2017-02-19 17:27:11 -0500
committerPhil Pennock <pdp@exim.org>2017-02-19 17:27:11 -0500
commitb7e8c96e9bfd6fe9505230359138f59b731054e5 (patch)
tree7bf015c78257fad3b54c0dc39cef491773c589c1
parent1a13c13c325cdb119fdf68a6d9ecffcaa2c3756d (diff)
releng: able to use gnupg default keys for signing
Git and our previous "must specify one keyid" approach is more constraining than GnuPG allows; cleanest and simplest way, without breaking support for people with multiple keys and such like, is to just provide a way to break out of our logic and say "use the configured default GnuPG keys". My PGP key has multiple signing subkeys, one RSA and one Ed25519; I think I might try a dual-signature in an upcoming RC to see how many people scream with broken OpenPGP clients.
-rwxr-xr-xrelease-process/scripts/sign_exim_packages32
1 files changed, 28 insertions, 4 deletions
diff --git a/release-process/scripts/sign_exim_packages b/release-process/scripts/sign_exim_packages
index bd02d1183..a504ea826 100755
--- a/release-process/scripts/sign_exim_packages
+++ b/release-process/scripts/sign_exim_packages
@@ -12,14 +12,38 @@
# woe betide the poor sod who does not use a gpg agent, so has
# to enter their password for every file...
+prog="$(basename "$0")"
+warn() { printf >&2 "%s: %s\n" "$prog" "$*" ; }
+
+: "${GPG_COMMAND:=gpg}"
+umask 022
+
+# We've always expected an explicit key for signing, instead of just using the
+# gnupg config. It make sense to honor the git config value. It makes sense
+# to honor env. But git doesn't allow specifying multiple subkeys, it only
+# passes one -u option.
+# UID specs explicitly allow whitespace in several formats.
+# We have one scalar value, we're sh, we're not going to try using an array.
+#
+# So if you want to sign with multiple subkeys, then set it up with multiple
+# local-user directives in ~/.gnupg/gpg.conf & set EXIM_KEY=default in environ.
+
if repo_signing_key="$(git config user.signingkey)"; then
: "${EXIM_KEY:=$repo_signing_key}"
else
- : "${EXIM_KEY:?Need a PGP key uid to sign with}"
+ if [ ".${EXIM_KEY:-}" = "." ]; then
+ warn "no EXIM_KEY found, trusting local gpg config"
+ fi
fi
-: "${GPG_COMMAND:=gpg}"
-umask 022
+case "${EXIM_KEY:-default}" in
+default|DEFAULT)
+ gpg_sign() { ${GPG_COMMAND} --detach-sig --armor "${1:?}" ; }
+ ;;
+*)
+ gpg_sign() { ${GPG_COMMAND} --local-user "${EXIM_KEY}" --detach-sig --armor "${1:?}" ; }
+ ;;
+esac
cd_to() { echo "Working in: $1"; cd "$1"; }
@@ -49,5 +73,5 @@ set $(find . -name '*.asc' -prune -o -type f -print | cut -c 3- | sort)
for FILE
do
echo "Signing: $FILE"
- ${GPG_COMMAND} --local-user "${EXIM_KEY}" --detach-sig --armor "$FILE"
+ gpg_sign "$FILE"
done