signed tar files (was: [ANNOUNCE] xf86-video-ati 7.3.0)
Julien Cristau
jcristau at debian.org
Sat Jan 25 12:30:19 PST 2014
On Sat, Jan 25, 2014 at 10:46:03 -0800, Alan Coopersmith wrote:
> On 01/25/14 07:09 AM, Claus Assmann wrote:
> >On Sat, Jan 25, 2014, Julien Cristau wrote:
> >
> >>gpg: BAD signature from "Alex Deucher <alexdeucher at gmail.com>"
> >
> >Same here.
> >
> >>If this isn't just me, any chance to get the tarball checksums in a
> >>properly signed mail?
> >
> >Hmm, maybe it would be a good idea to have signed tar files
> >(on the server)?
>
> If someone can translate that into commands to add to our tarball
> release script, then we can do that. There was discussion in the
> past, but no one came up with a explanation of what they wanted to
> see or what we needed to do for it. (I think there's even an open
> bug in bugzilla still.)
>
Something like this (untested)?
diff --git a/release.sh b/release.sh
index a4a725d..603dd4c 100755
--- a/release.sh
+++ b/release.sh
@@ -298,6 +298,11 @@ process_module() {
cd $top_src
return 1
fi
+ signatures=""
+ for tarball in $targz $tarbz2 $tarxz; do
+ gpg --detach-sign --armor $tarball
+ signatures="$signatures ${tarball}.asc"
+ done
# Obtain the top commit SHA which should be the version bump
# It should not have been tagged yet (the script will do it later)
@@ -501,7 +506,7 @@ process_module() {
# Upload to host using the 'scp' remote file copy program
if [ x"$DRY_RUN" = x ]; then
echo "Info: uploading tarballs to web server:"
- scp $targz $tarbz2 $tarxz $USER_NAME$hostname:$srv_path
+ scp $targz $tarbz2 $tarxz $signatures $USER_NAME$hostname:$srv_path
if [ $? -ne 0 ]; then
echo "Error: the tarballs uploading failed."
cd $top_src
Cheers,
Julien
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.x.org/archives/xorg/attachments/20140125/93c1aa39/attachment.pgp>
More information about the xorg
mailing list