153 lines
4.6 KiB
Bash
Executable File
153 lines
4.6 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Copyright 2018 The gVisor Authors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
if [[ "$#" -le 3 ]]; then
|
|
echo "usage: $0 <private-key> <suite> <root> <packages...>"
|
|
exit 1
|
|
fi
|
|
declare private_key
|
|
declare suite
|
|
declare root
|
|
private_key="$(readlink -e "$1")"
|
|
suite="$2"
|
|
root="$(readlink -m "$3")"
|
|
readonly private_key
|
|
readonly suite
|
|
readonly root
|
|
shift; shift; shift # For "$@" below.
|
|
|
|
# Ensure that we have the correct packages installed.
|
|
function apt_install() {
|
|
while true; do
|
|
sudo apt-get update &&
|
|
sudo apt-get install -y "$@" &&
|
|
true
|
|
result="${?}"
|
|
case $result in
|
|
0)
|
|
break
|
|
;;
|
|
100)
|
|
# 100 is the error code that apt-get returns.
|
|
;;
|
|
*)
|
|
exit $result
|
|
;;
|
|
esac
|
|
done
|
|
}
|
|
dpkg-sig --help >/dev/null 2>&1 || apt_install dpkg-sig
|
|
apt-ftparchive --help >/dev/null 2>&1 || apt_install apt-utils
|
|
xz --help >/dev/null 2>&1 || apt_install xz-utils
|
|
|
|
# Verbose from this point.
|
|
set -xeo pipefail
|
|
|
|
# Create a directory for the release.
|
|
declare -r release="${root}/dists/${suite}"
|
|
mkdir -p "${release}"
|
|
|
|
# Create a temporary keyring, and ensure it is cleaned up.
|
|
# Using separate homedir allows us to install apt repositories multiple times
|
|
# using the same key. This is a limitation in GnuPG pre-2.1.
|
|
declare keyring
|
|
declare homedir
|
|
declare gpg_opts
|
|
keyring="$(mktemp /tmp/keyringXXXXXX.gpg)"
|
|
homedir="$(mktemp -d /tmp/homedirXXXXXX)"
|
|
gpg_opts=("--no-default-keyring" "--secret-keyring" "${keyring}" "--homedir" "${homedir}")
|
|
readonly keyring
|
|
readonly homedir
|
|
readonly gpg_opts
|
|
cleanup() {
|
|
rm -rf "${keyring}" "${homedir}"
|
|
}
|
|
trap cleanup EXIT
|
|
|
|
# We attempt the import twice because the first one will fail if the public key
|
|
# is not found. This isn't actually a failure for us, because we don't require
|
|
# the public key (this may be stored separately). The second import will succeed
|
|
# because, in reality, the first import succeeded and it's a no-op.
|
|
gpg "${gpg_opts[@]}" --import "${private_key}" || \
|
|
gpg "${gpg_opts[@]}" --import "${private_key}"
|
|
|
|
# Copy the packages into the root.
|
|
for pkg in "$@"; do
|
|
if ! [[ -f "${pkg}" ]]; then
|
|
continue
|
|
fi
|
|
ext=${pkg##*.}
|
|
if [[ "${ext}" != "deb" ]]; then
|
|
continue
|
|
fi
|
|
|
|
# Extract package information.
|
|
name=$(basename "${pkg}" ".${ext}")
|
|
arch=$(dpkg --info "${pkg}" | grep 'Architecture:' | cut -d':' -f2)
|
|
version=$(dpkg --info "${pkg}" | grep 'Version:' | cut -d':' -f2)
|
|
arch=${arch// /} # Trim whitespace.
|
|
version=${version// /} # Ditto.
|
|
destdir="${root}/pool/${version}/binary-${arch}"
|
|
|
|
# Copy & sign the package.
|
|
mkdir -p "${destdir}"
|
|
cp -a -L "$(dirname "${pkg}")/${name}.deb" "${destdir}"
|
|
cp -a -L "$(dirname "${pkg}")/${name}.changes" "${destdir}"
|
|
chmod 0644 "${destdir}"/"${name}".*
|
|
# Sign a package only if it isn't signed yet.
|
|
# We use [*] here to expand the gpg_opts array into a single shell-word.
|
|
dpkg-sig -g "${gpg_opts[*]}" --verify "${destdir}/${name}.deb" ||
|
|
dpkg-sig -g "${gpg_opts[*]}" --sign builder "${destdir}/${name}.deb"
|
|
done
|
|
|
|
# Build the package list.
|
|
declare arches=()
|
|
for dir in "${root}"/pool/*/binary-*; do
|
|
name=$(basename "${dir}")
|
|
arch=${name##binary-}
|
|
arches+=("${arch}")
|
|
repo_packages="${release}"/main/"${name}"
|
|
mkdir -p "${repo_packages}"
|
|
(cd "${root}" && apt-ftparchive packages "${dir##${root}/}" > "${repo_packages}"/Packages)
|
|
if ! [[ -s "${repo_packages}"/Packages ]]; then
|
|
echo "Packages file is size zero." >&2
|
|
exit 1
|
|
fi
|
|
(cd "${repo_packages}" && cat Packages | gzip > Packages.gz)
|
|
(cd "${repo_packages}" && cat Packages | xz > Packages.xz)
|
|
done
|
|
|
|
# Build the release list.
|
|
cat > "${release}"/apt.conf <<EOF
|
|
APT {
|
|
FTPArchive {
|
|
Release {
|
|
Architectures "${arches[@]}";
|
|
Suite "${suite}";
|
|
Components "main";
|
|
};
|
|
};
|
|
};
|
|
EOF
|
|
(cd "${release}" && apt-ftparchive -c=apt.conf release . > Release)
|
|
rm "${release}"/apt.conf
|
|
|
|
# Sign the release.
|
|
declare -r digest_opts=("--digest-algo" "SHA512" "--cert-digest-algo" "SHA512")
|
|
(cd "${release}" && rm -f Release.gpg InRelease)
|
|
(cd "${release}" && gpg "${gpg_opts[@]}" --clearsign "${digest_opts[@]}" -o InRelease Release)
|
|
(cd "${release}" && gpg "${gpg_opts[@]}" -abs "${digest_opts[@]}" -o Release.gpg Release)
|