[buildbot] scripts: signall: fix wrong GPG signature on apk packages.adb index

LEDE Commits lede-commits at lists.infradead.org
Fri Oct 11 11:04:33 PDT 2024


ynezz pushed a commit to buildbot.git, branch main:
https://git.openwrt.org/75930d3a890b1f4f4c3df153331a22f60d7429a9

commit 75930d3a890b1f4f4c3df153331a22f60d7429a9
Author: Petr Štetiar <ynezz at true.cz>
AuthorDate: Sat Sep 28 12:22:35 2024 +0000

    scripts: signall: fix wrong GPG signature on apk packages.adb index
    
    Currently the GPG signature verification of apk's packages.adb index
    fails as the file is modified with `apk adbsign` after it's GPG signed.
    
    So let's fix it by moving the `apk adbsign` before the GPG signing step.
    
    Fixes: a94d4e15fdc1 ("add APK signing logic")
    Signed-off-by: Petr Štetiar <ynezz at true.cz>
---
 scripts/signall.sh | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/scripts/signall.sh b/scripts/signall.sh
index c15c9f2..2159349 100755
--- a/scripts/signall.sh
+++ b/scripts/signall.sh
@@ -71,6 +71,15 @@ USIGNCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "usign_comme
 APKSIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "apk_key")"
 fi
 
+if [ -n "$APKSIGNKEY" ]; then
+    umask 077
+    echo "$APKSIGNKEY" > "$tmpdir/apk.pem"
+
+    umask 022
+    find "$tmpdir/tar/" -type f -name "packages.adb" -exec \
+        "${APK_BIN:-apk}" adbsign --allow-untrusted --sign-key "$(readlink -f "$tmpdir/apk.pem")" "{}" \; || finish 6
+fi
+
 if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then
 	umask 077
 	echo "$GPGPASS" > "$tmpdir/gpg.pass"
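Review bot: The `|| finish 6` on the added `find … -exec … \;` does not catch a failing `apk adbsign`, because with the `\;` terminator find's own exit status ignores the exit status of the command it runs. If adbsign fails (for example on a malformed key in `apk.pem`), the script would carry on and, going by the commit message, GPG-sign a `packages.adb` that carries no valid apk signature. Terminating the action with `"{}" +` instead of `"{}" \;` makes find exit non-zero when any invocation fails, assuming adbsign accepts several files in one call; the `signify-openbsd` context line in the second hunk uses the same `\;` pattern. Separately, this step and the final `tar` both end in `finish 6`, so the exit code does not tell an operator which of the two failed.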
@@ -105,15 +114,6 @@ if [ -n "$USIGNKEY" ]; then
 		signify-openbsd -S -s "$(readlink -f "$tmpdir/usign.sec")" -m "{}" \; || finish 5
 fi
 
-if [ -n "$APKSIGNKEY" ]; then
-    umask 077
-    echo "$APKSIGNKEY" > "$tmpdir/apk.pem"
-
-    umask 022
-    find "$tmpdir/tar/" -type f -name "packages.adb" -exec \
-        "${APK_BIN:-apk}" adbsign --allow-untrusted --sign-key "$(readlink -f "$tmpdir/apk.pem")" "{}" \; || finish 6
-fi
-
 tar -C "$tmpdir/tar/" -czf "$tarball" . || finish 6
 
 finish 0



