signed tar files (was: [ANNOUNCE] xf86-video-ati 7.3.0)

Julien Cristau jcristau at debian.org
Sat Jan 25 12:30:19 PST 2014


On Sat, Jan 25, 2014 at 10:46:03 -0800, Alan Coopersmith wrote:

> On 01/25/14 07:09 AM, Claus Assmann wrote:
> >On Sat, Jan 25, 2014, Julien Cristau wrote:
> >
> >>gpg: BAD signature from "Alex Deucher <alexdeucher at gmail.com>"
> >
> >Same here.
> >
> >>If this isn't just me, any chance to get the tarball checksums in a
> >>properly signed mail?
> >
> >Hmm, maybe it would be a good idea to have signed tar files
> >(on the server)?
> 
> If someone can translate that into commands to add to our tarball
> release script, then we can do that.  There was discussion in the
> past, but no one came up with an explanation of what they wanted to
> see or what we needed to do for it.  (I think there's even an open
> bug in bugzilla still.)
> 
Something like this (untested)?

diff --git a/release.sh b/release.sh
index a4a725d..603dd4c 100755
--- a/release.sh
+++ b/release.sh
@@ -298,6 +298,11 @@ process_module() {
        cd $top_src
        return 1
     fi
+    signatures=""
+    for tarball in $targz $tarbz2 $tarxz; do
+        gpg --detach-sign --armor $tarball
+        signatures="$signatures ${tarball}.asc"
+    done
 
     # Obtain the top commit SHA which should be the version bump
     # It should not have been tagged yet (the script will do it later)
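Review bot: the exit status of `gpg --detach-sign --armor $tarball` inside the new loop is never checked, and `${tarball}.asc` is appended to `$signatures` whether or not signing succeeded. If gpg fails (no secret key available, passphrase prompt cancelled), the script carries on to tagging and only trips much later at upload time. Suggest bailing out the same way the block just above does, for example `gpg --detach-sign --armor "$tarball" || { cd $top_src; return 1; }`, and only adding the `.asc` name after a successful sign. Quoting `"$tarball"` would also be safer. It is also worth deciding what should happen when a `.asc` from an earlier run is already present, so that a stale signature is never left next to a rebuilt tarball.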
@@ -501,7 +506,7 @@ process_module() {
     # Upload to host using the 'scp' remote file copy program
     if [ x"$DRY_RUN" = x ]; then
        echo "Info: uploading tarballs to web server:"
-       scp $targz $tarbz2 $tarxz $USER_NAME$hostname:$srv_path
+       scp $targz $tarbz2 $tarxz $signatures $USER_NAME$hostname:$srv_path
        if [ $? -ne 0 ]; then
            echo "Error: the tarballs uploading failed."
            cd $top_src
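Review bot: the messages around the changed `scp` line still say only "uploading tarballs" and "the tarballs uploading failed", although the command now also transfers the files listed in `$signatures`. Since everything goes in a single `scp` invocation, a missing `.asc` file fails the whole upload with an error that points at the tarballs. Suggest updating both messages to mention the signatures, or checking that each file in `$signatures` exists before the upload, so the cause is clear to the person running the release.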

Cheers,
Julien