fix sign_build_list.sh and update README

This commit is contained in:
Trevor Batley 2024-11-15 13:57:44 +11:00
parent 437b6abda0
commit 3c674d4f26
4 changed files with 132 additions and 142 deletions

View File

@ -3,10 +3,41 @@
## sign_build.sh
Sign all rpms for a particular build
sign_rpm.sh <n-v-r | build_id | package | rpm> [<arch=*> | <debuginfo> | <latestfrom=> | <rpm> | <gpg_name=kojiadmin@koozali.org> | <debug>]
Required: (one of only)
- n-v-r: of the build (e.g. smeserver-backup-11.0.0-7.el8)
- build_id: e.g. 643
- package: e.g. smeserver-backup (used in conjunction with <latestfrom>)
- rpm: to sign a specific rpm (used in conjunction with <rpm>)
Optional:
- arch=<arch>: only rpms for these arches (comma seperated list - defaults to all)
- nodebuginfo: do NOT include debug rpms (defaults to included)
- latestfrom=<tag>: used with <package> and will use the latest build for this tag
- gpg_name=<gpg name>: name used to create the gpg key we want to sign with (default kojiadmin@koozali.org)
- debug: display debug information
## sign_build_list.sh
Sign all rpms for each build specified in a file (1 line per build)
## queue_builds.sh
Queue a build for each package supplied in a file
sign_build_list.sh <pkg list> [<arch=*> | <gpg_name=kojiadmin@koozali.org> | <gpg_key=44922a28> | <nodebuginfo> | <debug> | <dryrun> ]
## parse-list.sh
Required:
- file name of list containing builds to be signed
Optional:
- arch=<arch>: only rpms for these arches (comma seperated list - defaults to all)
- nodebuginfo: do NOT include debug rpms (defaults to included)
- gpg_name=<gpg name>: name used to create the gpg key we want to sign with (default kojiadmin@koozali.org)
- gpg_key=<gpg_key>: if you want to check if they have already been signed with this key (default - don't check)
- debug: display debug information
- dry_run: do a 'dry run' and only show what will be executed, don't do it
## queue_builds.sh
Queue a build the latest tag for each package supplied in a file (1 package per line)
queue-builds.sh <filename> [ <wait> | <org=smeserver> ]
- <wait> to wait for one build to complete before submitting the next one (default is nowait - queue them all)
- <org=organisation> (default is smecontribs)

View File

@ -1,71 +0,0 @@
#!/bin/bash
#
# Run script against every item in input file
if [[ -z $1 ]] ; then
echo "parse a list of parameters and execute script with those parameters"
echo "parse-list.sh <param file> <script> [<noisy> <additional> <additional> <additional>]"
echo "<param file> name of file containing parameters"
echo "<script> script to run (e.g. rename-e-smith-pkh.sh)"
echo "optional params can appear in any order"
echo " <review> show line being executed but do NOTHING!"
echo " <noisy> show line being executed"
echo " <additional> additional params to be passed (up to 3)"
exit 0
fi
# parse the command line parameters
PROCESSORG=
EXTRAPARAMS=
# using a file as input
if [[ ! -f $1 ]] ; then
echo "Can NOT find $1 - Aborting"
exit 1
fi
if [[ $(which $2 | grep "no $2") ]] ; then
echo "Can NOT find $2 - Aborting"
exit 1
fi
DEBUG=
REVIEW=
NOISY=
for param in $3 $4 $5 $6; do
if [ $param ] ; then
case $param in
review )
REVIEW=true ;;
noisy )
NOISY=true ;;
;;
debug )
DEBUG=true ;;
* )
EXTRAPARAMS=$EXTRAPARAMS" "$param ;;
esac
else
break
fi
done
# Build array of parameters to cycle through
PARAMLIST=()
# load array of parameters from input file
while read -r line ; do PARAMLIST+=($line) ; done < $1
# Cycle through array of parameters and execute script
for param in ${PARAMLIST[@]}
do
if [[ $NOISY || $REVIEW ]] ; then echo "$2 $param $EXTRAPARAMS" ; fi
if [[ -z $REVIEW ]] ; then
if [[ $param ]] ; then
RESPONSE=$($2 $param $EXTRAPARAMS) ; rc=$?
if [ $rc -ne 0 ] ; then echo "($rc)\n$RESPONSE" ; fi
if [ $DEBUG ] ; then echo "RESPONSE=$RESPONSE" ; fi
fi
fi
done
exit 0

View File

@ -2,35 +2,37 @@
if [[ -z $1 ]] ; then
echo "Must provide a package name"
echo "sign_rpm.sh <package name> [<arch=x86_64> | <debuginfo> | <repo=dist-sme11-os> | <latestfrom=*> | <gpg_key=kojiadmin@koozali.org> | <debug>]"
echo "sign_build.sh <n-v-r | build_id | package name | rpm> [<arch=x86_64> | <nodebuginfo> | <latestfrom=*> | <gpg_key=kojiadmin@koozali.org> | <debug>]"
exit 1
else
PACKAGE=$1
echo "PACKAGE=$PACKAGE"
fi
ARCH=x86_64
REPO="dist-sme11-os"
GPG_KEY="kojiadmin@koozali.org"
DEBUG=false
DEBUGINFO="--debuginfo"
ARCHES=
DEBUG=
RPM=
for param in $2 $3 $4 $5 $6 $7; do
if [ $param ] ; then
case $param in
-h | --help )
echo "sign_rpm.sh <package name> [<arch=x86_64> | <repo=dist-sme11-os> | <latestfrom=*> | <gpg_key=kojiadmin@koozali.org>]" ;;
echo "sign_build.sh <n-v-r | build_id | package name | rpm> [<arch=*> | <nodebuginfo> | <latestfrom=*> | <gpg_key=kojiadmin@koozali.org>]" ;;
debug )
DEBUG=true ;;
debuginfo )
DEBUGINFO="--debuginfo" ;;
nodebuginfo )
DEBUGINFO= ;;
arch=* )
ARCH=${param#*=} ;;
repo=* )
REPO=${param#*=} ;;
arches=${param#*=}
for arch in ${arches//,/ } ; do
ARCHES=ARCHES"--arch=$arch "
done
;;
latestfrom=* )
PACKAGE=$PACKAGE" --latestfrom="${param#*=} ;;
gpg_key=* )
GPG_KEY=${param#*=} ;;
gpg_name=* )
GPG_NAME=${param#*=} ;;
* )
echo "Unkown parameter $param - aborting"
exit 1
@ -41,20 +43,23 @@ for param in $2 $3 $4 $5 $6 $7; do
fi
done
# if <package name>=all, sign ALL rpms in defined repo (use pkglist to identify packages)
# else just sign the specified rpms (using either a git tag or the latestfrom)
# If an rpm name passed assume signing of an individual rpm
if (${1##*.} == "rpm") ; then RPM="--rpm" ; fi
# sign the specified rpms (using either a git tag or the latestfrom)
tmpdir="$(mktemp -d /tmp/sign.XXXXXX)"
pushd $tmpdir > /dev/null
if [[ $DEBUG ]] ; then
echo "PACKAGE=$PACKAGE"
echo "ARCH=$ARCH"
echo "REPO=$REPO"
echo "GPG_KEY=$GPG_KEY"
echo "ARCH=$ARCHES"
echo "DEBUGINFO=$DEBUGINFO"
echo "RPM=$RPM"
echo "GPG_NAME=$GPG_NAME"
fi
if [[ $DEBUG ]] ; then echo "koji download-build $DEBUGINFO $PACKAGE" ; fi
koji download-build $DEBUGINFO $PACKAGE
rpmsign --define "_gpg_name $GPG_KEY" --addsign *.rpm
if [[ $DEBUG ]] ; then echo "koji download-build $DEBUGINFO $RPM $ARCHES $PACKAGE" ; fi
koji download-build $DEBUGINFO $RPM $ARCHES $PACKAGE
rpmsign --define "_gpg_name $GPG_NAME" --addsign *.rpm
koji import-sig *.rpm
popd > /dev/null

View File

@ -2,34 +2,41 @@
# sign all rpms in the specified pkg list
if [[ -z $1 ]] ; then
echo "Must provide a pkg list"
echo "sign_build_list.sh <pkg list> [<arches=x86_64> | <gpg_key=kojiadmin@koozali.org> | <debuginfo> | <debug> | <dryrun> ]"
echo "sign_build_list.sh <pkg list> [<arch=*> | <gpg_name=kojiadmin@koozali.org> | <gpg_key=44922a28> | <nodebuginfo> | <debug> | <dryrun> ]"
exit 1
else
PKGLIST=$1
fi
ARCH=x86_64
GPG_KEY="kojiadmin@koozali.org"
GPG_ID='44922a28'
DEBUG=false
DRY_RUN=false
DEBUGINFO=
ARCHES=
GPG_NAME="kojiadmin@koozali.org"
GPG_KEY=
DEBUG=
DRY_RUN=
ARCHES=
DEBUGINFO="--debuginfo"
for param in $2 $3 $4 $5 $6 $7 ; do
if [ $param ] ; then
case $param in
-h | --help )
echo "sign_rpm_list.sh <pkg list> [<arches=x86_64> | <gpg_key=kojiadmin@koozali.org> | <debuginfo> | <debug> | <dryrun> ]"
echo "sign_build_list.sh <pkg list> [<arch=x86_64> | <gpg_name=kojiadmin@koozali.org> | <gpg_key=44922a28> | <nodebuginfo> | <debug> | <dryrun> ]"
exit
;;
debug )
DEBUG=true ;;
dryrun )
DRY_RUN=true ;;
debuginfo )
DEBUGINFO="--debuginfo" ;;
arches=* )
ARCH=${param#*=} ;;
nodebuginfo )
DEBUGINFO= ;;
arch=* )
arches=${param#*=}
for arch in ${arches//,/ } ; do
ARCHES=ARCHES"--arch=$arch "
done
;;
gpg_name=* )
GPG_NAME=${param#*=} ;;
gpg_key=* )
GPG_KEY=${param#*=} ;;
* )
@ -43,50 +50,68 @@ for param in $2 $3 $4 $5 $6 $7 ; do
done
if [[ $DEBUG ]] ; then
echo "PKGLIST=$PKGLIST"
echo "ARCH=$ARCH"
echo "ARCHES=$ARCHES"
echo "DEBUGINFO=$DEBUGINFO"
echo "GPG_NAME=$GPG_NAME"
echo "GPG_KEY=$GPG_KEY"
echo "DRY_RUN=$DRY_RUN"
fi
# use a temporary directory to export the rpms for signing
#if [[ $DRY_RUN ]] ; then
# echo "mktemp -d /tmp/sign.XXXXXX"
#else
if [[ $DRY_RUN ]] ; then
echo "mktemp -d /tmp/sign.XXXXXX"
else
tmpdir="$(mktemp -d /tmp/sign.XXXXXX)"
pushd $tmpdir > /dev/null
#fi
fi
if [[ -e "$PKGLIST" ]] ; then
# extract list of rpms to download
while read -r pkgline; do
BUILD=${pkgline##*/}
if [[ $DEBUG ]] ; then
echo "$pkgline"
echo "koji download-build ${pkgline##*/}"
echo "koji download-build $BUILD"
fi
BUILD=${pkgline##*/}
if [[ $DEBUG ]] ; then echo "BUILD=$BUILD" ; fi
DIR=/mnt/koji/packages/${BUILD%-*-*}/$(echo $BUILD | awk -F '-' '{print $(NF-1)}')/$(echo ${BUILD##*-})/data/signed/$GPG_ID
# If an rpm name passed assume signing of an individual rpm, else signing all
RPM=
if (${BUILD##*.} == "rpm") ; then
RPM="--rpm"
fi
if [[ $GPG_KEY ]] ; then # check if already signed with this key
DIR=/mnt/koji/packages/${BUILD%-*-*}/$(echo $BUILD | awk -F '-' '{print $(NF-1)}')/$(echo ${BUILD##*-})/data/signed/$GPG_KEY
if [[ $DEBUG ]] ; then echo "DIR=$DIR" ; fi
if [[ -d $DIR ]] ; then
echo "$BUILD already signed with this key - ignoring"
EXISTS=
if ($RPM == "--rpm") ; then
if [[ $DEBUG ]] ; then echo "Check for existing $DIR/$BUILD"
if [[ -f $DIR/$BUILD ]] ; then EXISTS=True ; fi
else
# if [[ $DRY_RUN ]] ; then
# echo "koji download-build $DEBUGINFO ${pkgline##*/}"
# else
koji download-build $DEBUGINFO $BUILD
# fi
if [[ $DEBUG ]] ; then echo "Check for existing $DIR"
if [[ -d $DIR ]] ; then EXISTS=True ; fi
fi
if [[ $EXISTS ]] ; then
echo "$BUILD already signed with this key - ignoring"
continue
fi
fi
if [[ $DRY_RUN ]] ; then
echo "koji download-build $DEBUGINFO $ARCHES $RPM $BUILD"
else
koji download-build $DEBUGINFO $ARCHES $RPM $BUILD
fi
fi
done <$PKGLIST
else
echo "Cannot find pkglist $PKGLIST - aborting"
exit 1
fi
#if [[ $DRY_RUN ]] ; then
# echo "rpmsign --define \"_gpg_name $GPG_KEY\" --addsign *.rpm"
# echo "koji import-sig *.rpm"
#else
rpmsign --define "_gpg_name $GPG_KEY" --addsign *.rpm
if [[ $DRY_RUN ]] ; then
echo "rpmsign --define \"_gpg_name $GPG_NAME\" --addsign *.rpm"
echo "koji import-sig *.rpm"
else
rpmsign --define "_gpg_name $GPG_NAME" --addsign *.rpm
koji import-sig *.rpm
popd > /dev/null
#fi
fi
exit 0