build-package.sh: verify release files with gpg when doing autobuilds (#5062)
This commit is contained in:
Leonid Pliushch
GitHub
parent
9954394e75
commit
d523f61477
@ -268,6 +268,27 @@ shift $((OPTIND-1))
|
|||||||
if [ "$#" -lt 1 ]; then _show_usage; fi
|
if [ "$#" -lt 1 ]; then _show_usage; fi
|
||||||
unset -f _show_usage
|
unset -f _show_usage
|
||||||
|
|
||||||
|
if [ "$TERMUX_INSTALL_DEPS" = "true" ]; then
|
||||||
|
# Setup PGP keys for verifying integrity of dependencies.
|
||||||
|
# Keys are obtained from our keyring package.
|
||||||
|
gpg --list-keys 2218893D3F679BEFC421FD976700B77E6D8D0AE7 > /dev/null 2>&1 || {
|
||||||
|
gpg --import "$TERMUX_SCRIPTDIR/packages/termux-keyring/fornwall.gpg"
|
||||||
|
gpg --command-file <(echo -e "trust\n5\ny") --edit-key 2218893D3F679BEFC421FD976700B77E6D8D0AE7
|
||||||
|
}
|
||||||
|
gpg --list-keys B63168609E8839CA9150CE2DD9EFD56891B2BB50 > /dev/null 2>&1 || {
|
||||||
|
gpg --import "$TERMUX_SCRIPTDIR/packages/termux-keyring/grimler.gpg"
|
||||||
|
gpg --command-file <(echo -e "trust\n5\ny") --edit-key B63168609E8839CA9150CE2DD9EFD56891B2BB50
|
||||||
|
}
|
||||||
|
gpg --list-keys CC72CF8BA7DBFA0182877D045A897D96E57CF20C > /dev/null 2>&1 || {
|
||||||
|
gpg --import "$TERMUX_SCRIPTDIR/packages/termux-keyring/termux-autobuilds.gpg"
|
||||||
|
gpg --command-file <(echo -e "trust\n5\ny") --edit-key CC72CF8BA7DBFA0182877D045A897D96E57CF20C
|
||||||
|
}
|
||||||
|
gpg --list-keys 3B6B548ADE5EA3BDD33CEEF045F2964132545795 > /dev/null 2>&1 || {
|
||||||
|
gpg --import "$TERMUX_SCRIPTDIR/packages/termux-keyring/xeffyr.gpg"
|
||||||
|
gpg --command-file <(echo -e "trust\n5\ny") --edit-key 3B6B548ADE5EA3BDD33CEEF045F2964132545795
|
||||||
|
}
|
||||||
|
fi
|
||||||
|
|
||||||
while (($# > 0)); do
|
while (($# > 0)); do
|
||||||
# Following commands must be executed under lock to prevent running
|
# Following commands must be executed under lock to prevent running
|
||||||
# multiple instances of "./build-package.sh".
|
# multiple instances of "./build-package.sh".
|
||||||
|
|||||||
@ -28,6 +28,11 @@ termux_get_repo_files() {
|
|||||||
termux_download "${TERMUX_REPO_URL[$idx-1]}/dists/${TERMUX_REPO_DISTRIBUTION[$idx-1]}/Release" \
|
termux_download "${TERMUX_REPO_URL[$idx-1]}/dists/${TERMUX_REPO_DISTRIBUTION[$idx-1]}/Release" \
|
||||||
"$RELEASE_FILE" SKIP_CHECKSUM
|
"$RELEASE_FILE" SKIP_CHECKSUM
|
||||||
|
|
||||||
|
termux_download "${TERMUX_REPO_URL[$idx-1]}/dists/${TERMUX_REPO_DISTRIBUTION[$idx-1]}/Release.gpg" \
|
||||||
|
"${RELEASE_FILE}.gpg" SKIP_CHECKSUM
|
||||||
|
|
||||||
|
gpg --verify "${RELEASE_FILE}.gpg" "$RELEASE_FILE"
|
||||||
|
|
||||||
for arch in all $TERMUX_ARCH; do
|
for arch in all $TERMUX_ARCH; do
|
||||||
local PACKAGES_HASH=$(./scripts/get_hash_from_file.py ${RELEASE_FILE} $arch ${TERMUX_REPO_COMPONENT[$idx-1]})
|
local PACKAGES_HASH=$(./scripts/get_hash_from_file.py ${RELEASE_FILE} $arch ${TERMUX_REPO_COMPONENT[$idx-1]})
|
||||||
# If packages_hash = "" then the repo probably doesn't contain debs for $arch
|
# If packages_hash = "" then the repo probably doesn't contain debs for $arch
|
||||||
|
|||||||
@ -7,7 +7,8 @@ PACKAGES=""
|
|||||||
PACKAGES+=" locales"
|
PACKAGES+=" locales"
|
||||||
|
|
||||||
# Used by build-package.sh and CI/CD scripts.
|
# Used by build-package.sh and CI/CD scripts.
|
||||||
PACKAGES+=" curl" # Used for fetching sources.
|
PACKAGES+=" curl"
|
||||||
|
PACKAGES+=" gnupg"
|
||||||
PACKAGES+=" jq"
|
PACKAGES+=" jq"
|
||||||
|
|
||||||
# Used for fetching package sources from Git repositories.
|
# Used for fetching package sources from Git repositories.
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user