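#!/bin/sh
# signify-releases: verify all releases, architectures, packages and patches
# of the local OpenBSD mirror with signify(1), reporting through syslog.
#
# Usage:  signify-releases        (takes no arguments)
# Env:    debug - syslog level (daemon.<level>) used for signify's own
#                 output; defaults to "debug"
# Exit:   2 on a usage error; 0 once the walk over all versions completes.
#
# NOTE(review): a failed signature or checksum does not change the exit
# status. Failures are reported as daemon.warning entries tagged
# "signify-releases[PID]" and, through logger -s, on stderr. Alerting
# should key on the "fail" messages, not on the exit code.
set -eu

if [ $# -ne 0 ]
then
	echo "usage: signify-releases" >&2
	exit 2
fi

# Candidate releases, newest first: 99, 98, ... 55.
versions=$(jot - 99 55 -1)
# Keep a level supplied through the environment, else fall back to "debug".
: "${debug:=debug}"
ftp="/data/mirror/openbsd/ftp"
tag="signify-releases[$$]"

logger -p daemon.info -t "$tag" "openbsd start"

# $versions is deliberately unquoted: it holds one version per word.
for version in $versions
do
	# Two-digit version to dotted release, e.g. 55 -> 5.5.
	release="${version%[0-9]}.${version##[0-9]}"
	dir="$ftp/$release"
	# Releases that are not mirrored are skipped silently.
	[ -d "$dir" ] || continue
	logger -p daemon.info -t "$tag" "openbsd $version start"

	# verify release directory
	# The public key is chosen by release number from the local
	# /etc/signify directory, so the mirror content cannot pick its own key.
	# NOTE(review): signify -C checks the files listed in SHA256.sig; files
	# present in the directory but absent from that list are presumably not
	# examined by this step - confirm if unlisted files matter.
	key="/etc/signify/openbsd-$version-base.pub"
	# The whole if-statement is piped so that signify's stdout lands in
	# syslog at the $debug level; logger -s copies the warning to stderr.
	if ! ( cd "$dir" && signify -C -p "$key" -x SHA256.sig )
	then
		logger -p daemon.warning -s -t "$tag" "openbsd $dir fail"
	fi | logger -p "daemon.$debug" -t signify

	# verify each architecture release
	for dir in "$ftp/$release"/*
	do
		[ -d "$dir" ] || continue
		arch="${dir##*/}"
		# These subdirectories are not architectures; packages are
		# handled below with the pkg key.
		case "$arch" in
		Changelogs|packages|tools) continue ;;
		esac
		logger -p daemon.info -t "$tag" "openbsd $arch start"
		if ! ( cd "$dir" && signify -C -p "$key" -x SHA256.sig )
		then
			logger -p daemon.warning -s -t "$tag" \
			    "openbsd $dir fail"
		else
			logger -p daemon.notice -t "$tag" \
			    "openbsd $arch success"
		fi | logger -p "daemon.$debug" -t signify
	done

	# verify each architecture package
	key="/etc/signify/openbsd-$version-pkg.pub"
	for dir in "$ftp/$release/packages"/*
	do
		[ -d "$dir" ] || continue
		package="${dir##*/}"
		logger -p daemon.info -t "$tag" "openbsd $package start"
		if ! ( cd "$dir" && signify -C -p "$key" -x SHA256.sig )
		then
			logger -p daemon.warning -s -t "$tag" \
			    "openbsd $dir fail"
		else
			logger -p daemon.notice -t "$tag" \
			    "openbsd $package success"
		fi | logger -p "daemon.$debug" -t signify
	done

	# verify each patch
	dir="$ftp/patches/$release/common"
	# No patch directory: move on to the next version. The per-version
	# notice at the end of this loop body is not logged in that case.
	[ -d "$dir" ] || continue
	key="/etc/signify/openbsd-$version-base.pub"
	for file in "$dir"/*.sig
	do
		# Also guards the no-match case, where the glob stays literal.
		[ -f "$file" ] || continue
		patch="${file##*/}"
		logger -p daemon.info -t "$tag" "openbsd $patch start"
		# File names come from the mirror and are unverified at this
		# point, so $patch is quoted to keep it a single argument.
		# -e: signature is embedded in the patch; the extracted message
		# is discarded to /dev/null, only the verdict is used.
		if ! ( cd "$dir" &&
		    signify -V -e -p "$key" -x "$patch" -m /dev/null )
		then
			logger -p daemon.warning -s -t "$tag" \
			    "openbsd $file fail"
		else
			logger -p daemon.notice -t "$tag" \
			    "openbsd $patch success"
		fi | logger -p "daemon.$debug" -t signify
	done

	# NOTE(review): this notice is logged whether or not a check above
	# failed. Each check sits on the left side of a pipeline, so a failure
	# flag set there would likely not reach this line without restructuring.
	# Read it as "version processed", not "version verified".
	logger -p daemon.notice -t "$tag" "openbsd $version success"
done

logger -p daemon.notice -t "$tag" "openbsd finished"
exit 0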