File: generate_artifact_checksums

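#!/bin/bash
#
# This script generates checksums for all release artifacts.
#
# Every artifact in ARTIFACTS_DIR is hashed with each engine in ENGINES; the
# resulting checksum files (<engine>.txt) are written into ARTIFACTS_DIR and
# each one then gets a detached, ASCII-armored GPG signature.
#
# Environment:
#   GPG_PRIVATE_KEY_PASSPHRASE  passphrase of the signing key. It is handed to
#                               gpg2 through a pipe (process substitution),
#                               never as a command-line argument, so it does
#                               not appear in `ps` output.
#
# The script stops at the first failing step; temporary checksum files that
# were not moved into place are removed by the EXIT trap.

# Options live in the body rather than the shebang (`#!/bin/bash -e`) so they
# still apply when the script is run as `bash generate_artifact_checksums`.
set -euo pipefail

readonly ARTIFACTS_DIR=./build/artifacts
readonly -a ENGINES=(md5sum sha1sum sha256sum)

# engine name -> temporary checksum file written by generate_checksums
declare -A checksum_files=()

#######################################
# Remove any temporary checksum file that was not moved into place.
# Globals:   checksum_files (read)
#######################################
cleanup() {
  local tmp
  # Length test first: "${arr[@]}" on an empty array trips `set -u` on
  # older bash versions.
  if (( ${#checksum_files[@]} > 0 )); then
    for tmp in "${checksum_files[@]}"; do
      rm -f -- "$tmp"
    done
  fi
}

#######################################
# Run every checksum engine over the artifacts in the current directory.
# Globals:   ENGINES (read), checksum_files (written)
# Outputs:   progress messages on stdout
# Returns:   1 if the directory holds no artifacts; otherwise non-zero
#            (via set -e) if mktemp or an engine fails
#######################################
generate_checksums() {
  local engine tmp
  local -a artifacts=(*)
  # An unmatched glob is left literal, so check the first element exists
  # instead of letting the engine fail on a file named '*'.
  if [[ ! -e "${artifacts[0]}" ]]; then
    printf 'No artifacts found in %s\n' "$PWD" >&2
    return 1
  fi
  for engine in "${ENGINES[@]}"; do
    echo "Generating artifact checksums using '$engine'..."
    # Write checksum files outside the artifacts directory so they are not
    # considered by subsequent engines.
    tmp=$(mktemp)
    checksum_files[$engine]=$tmp
    # No eval needed: the glob was expanded above, and '--' keeps an artifact
    # whose name starts with '-' from being parsed as an option.
    "$engine" -- "${artifacts[@]}" > "$tmp"
  done
}

#######################################
# Move the temporary checksum files into the artifacts directory once all
# engines have run.
# Globals:   ENGINES, checksum_files (read)
#######################################
publish_checksums() {
  local engine
  for engine in "${ENGINES[@]}"; do
    mv -- "${checksum_files[$engine]}" "./${engine}.txt"
  done
}

#######################################
# Sign checksum files
#
# We use detached signatures so that
#
# a) users can verify the checksum files using *sum without any warnings about
#    incorrectly-formatted lines, and
# b) signing the checksum file itself is susceptible to spoofing because the
#    *sum commands will process checksums outside the signature block (see
#    https://github.com/nodejs/node/issues/6821#issuecomment-220033176)
#
# Globals:   ENGINES, GPG_PRIVATE_KEY_PASSPHRASE (read)
# Outputs:   progress messages on stdout; <engine>.txt.asc next to each file
#######################################
sign_checksums() {
  local engine
  for engine in "${ENGINES[@]}"; do
    echo "Signing artifact checksums for '$engine'..."
    # printf rather than echo: a passphrase such as '-n' or one containing
    # backslashes would otherwise be altered before reaching gpg2. An unset
    # variable is passed through as an empty passphrase, as before.
    # NOTE(review): on GnuPG >= 2.1 --passphrase-file is only honoured in
    # batch mode together with --pinentry-mode loopback; confirm against the
    # gpg2 version used for releases before relying on this.
    gpg2 --batch --no-tty --yes --armor --detach-sign \
        --passphrase-file <(printf '%s\n' "${GPG_PRIVATE_KEY_PASSPHRASE-}") \
        "./${engine}.txt"
  done
}

#######################################
# Entry point: checksum, publish and sign the release artifacts.
# Globals:   ARTIFACTS_DIR (read)
#######################################
main() {
  trap cleanup EXIT
  # Change to artifacts directory so file names in checksum files are bare
  cd -- "$ARTIFACTS_DIR" || {
    printf 'Cannot change to artifacts directory %s\n' "$ARTIFACTS_DIR" >&2
    exit 1
  }
  generate_checksums
  publish_checksums
  sign_checksums
}

main "$@"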