[buildbot] scripts: signall: fix wrong sha256sum on apk packages.adb index

Fri Oct 11 11:04:37 PDT 2024

ynezz pushed a commit to buildbot.git, branch main:
https://git.openwrt.org/75b1334a00b099b884e5141fc9c52226c2404fc6

commit 75b1334a00b099b884e5141fc9c52226c2404fc6
Author: Petr Štetiar <ynezz at true.cz>
AuthorDate: Sat Sep 28 12:22:35 2024 +0000

    scripts: signall: fix wrong sha256sum on apk packages.adb index
    
    Currently the sha256sum verification of apk's packages.adb index
    fails as the file is modified with `apk adbsign`.
    
    So lets update sha256sum of all packages.adb indexes after they were
    signed with `apk adbsign`.
    
    While at it fix formatting.
    
    Fixes: a94d4e15fdc1 ("add APK signing logic")
    Signed-off-by: Petr Štetiar <ynezz at true.cz>
---
 scripts/signall.sh | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/scripts/signall.sh b/scripts/signall.sh
index 2159349..4c7ef49 100755
--- a/scripts/signall.sh
+++ b/scripts/signall.sh
@@ -72,12 +72,28 @@ APKSIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "apk_key")"
 fi
 
 if [ -n "$APKSIGNKEY" ]; then
-    umask 077
-    echo "$APKSIGNKEY" > "$tmpdir/apk.pem"
+	umask 077
+	echo "$APKSIGNKEY" > "$tmpdir/apk.pem"
 
-    umask 022
-    find "$tmpdir/tar/" -type f -name "packages.adb" -exec \
-        "${APK_BIN:-apk}" adbsign --allow-untrusted --sign-key "$(readlink -f "$tmpdir/apk.pem")" "{}" \; || finish 6
+	umask 022
+	find "$tmpdir/tar/" -type f -name "packages.adb" -exec \
+		"${APK_BIN:-apk}" adbsign --allow-untrusted --sign-key "$(readlink -f "$tmpdir/apk.pem")" "{}" \; || finish 3
+
+	find "$tmpdir/tar/" -type f -name sha256sums | while read -r file; do
+		dir=$(dirname "$file")
+		pushd "$dir" || finish 3
+
+		grep 'packages\.adb' sha256sums | while IFS= read -r line; do
+			filename="${line#*' *'}"
+			escaped_filename="${filename//\//\\\/}"
+			escaped_filename="${escaped_filename//&/\\&}"
+			checksum_output=$(sha256sum --binary -- "$filename")
+			new_checksum_line="${checksum_output%% *} *${checksum_output#*' *'}"
+			sed -i "s#.*[[:space:]]\*$escaped_filename\$#$new_checksum_line#" sha256sums
+		done
+
+		popd || finish 3
+	done
 fi
 
 if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then


