Ship signature file to object storage when repo was signed.
Explicitly name the signature file and ship it along with the checksum
and info files.
mmlr committed Aug 29, 2024
1 parent ad55f5f commit 39095f1
Showing 1 changed file with 17 additions and 7 deletions.
24 changes: 17 additions & 7 deletions HaikuPorter/PackageRepository.py
Expand Up @@ -234,12 +234,19 @@ def createPackageRepository(self, outputPath):

repoChecksumFile = repoFile + '.sha256'
self._checksumPackageRepository(repoFile, repoChecksumFile)
self._signPackageRepository(repoFile)

repoSignatureFile = repoFile + '.minisig'
wasSigned = self._signPackageRepository(repoFile, repoSignatureFile)

if self.storageBackend is not None:
extraFiles = [repoInfoFile, repoFile, repoChecksumFile]
if wasSigned:
extraFiles.append(repoSignatureFile)

extraFiles.append(packageListFile)

self._stubLocalPackages(localPackages)
self._populateStorageBackendFiles(
[repoInfoFile, repoFile, repoChecksumFile, packageListFile])
self._populateStorageBackendFiles(extraFiles)
self._pruneStorageBackend(packageNameList)

def _checksumPackageRepository(self, repoFile, repoChecksumFile):
Expand All @@ -255,13 +262,14 @@ def _checksumPackageRepository(self, repoFile, repoChecksumFile):
with open(repoChecksumFile, 'w') as outputFile:
outputFile.write(checksum.hexdigest())

def _signPackageRepository(self, repoFile):
def _signPackageRepository(self, repoFile, repoSignatureFile):
"""Sign the package repository if a private key was provided"""
privateKeyFile = getOption('packageRepositorySignPrivateKeyFile')
privateKeyPass = getOption('packageRepositorySignPrivateKeyPass')
if not privateKeyFile and not privateKeyPass:
info("Warning: unsigned package repository")
return
return False

if not os.path.exists(privateKeyFile):
sysExit('specified package repo private key file missing!')

Expand All @@ -274,10 +282,12 @@ def _signPackageRepository(self, repoFile):

# minisign -s /tmp/minisign.key -Sm ${ARTIFACT}
info("signing repository")
output = subprocess.check_output([minisignCommand, '-s',
privateKeyFile, "-Sm", repoFile], input=privateKeyPass.encode('utf-8'),
output = subprocess.check_output([minisignCommand,
'-x', repoSignatureFile, '-s', privateKeyFile, "-Sm", repoFile],
input=privateKeyPass.encode('utf-8'),
stderr=subprocess.STDOUT).decode('utf-8')
info(output)
return True

def checkPackageRepositoryConsistency(self):
"""Check consistency of package repository by dependency solving all
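Review bot: When `_signPackageRepository` returns False, nothing handles a `.minisig` left over from an earlier signed run: in `createPackageRepository` the `if wasSigned:` branch only skips the upload, so a stale `repoSignatureFile` can stay on disk next to the freshly built repo file, and whether a previously uploaded copy is removed depends on `_pruneStorageBackend`, which is not visible here. A client that verifies the repository would then find a signature that does not match the current repo file. Consider clearing it in the unsigned path, e.g. `if not wasSigned and os.path.exists(repoSignatureFile): os.remove(repoSignatureFile)`, and confirming that the backend drops the old object. The docstring of `_signPackageRepository` should also state the new return value, e.g. `Returns True if the repository was signed, False if no key was configured.` Both functions extend beyond the hunks shown.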
