commit adf23abdceb488864de0639fc74affd3556eb2fc
Author: Nicolas Vigier <boklm(a)torproject.org>
Date: Fri Dec 13 17:12:23 2019 +0100
Bug 32751: Sign incrementals sha256sums too if var/sign_build is set
---
README | 10 +++++-----
projects/release/hash_incrementals | 3 +++
rbm.local.conf.example | 5 +++--
3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/README b/README
index d77a460..5dbf77e 100644
--- a/README
+++ b/README
@@ -155,11 +155,11 @@ Signing builds
--------------
If the environment variable RBM_SIGN_BUILD is set to 1, the
-sha256sums-unsigned-build.txt file will be signed with gpg.
-You can use the RBM_GPG_OPTS environment variable to add some options
-to the gpg command used to sign the file. You can also set the
-var/sign_build and var/sign_build_gpg_opts options in the rbm.local.conf
-file.
+sha256sums-unsigned-build.txt and sha256sums-unsigned-build.incrementals.txt
+files will be signed with gpg. You can use the RBM_GPG_OPTS environment
+variable to add some options to the gpg command used to sign the file.
+You can also set the var/sign_build and var/sign_build_gpg_opts options
+in the rbm.local.conf file.
Cleaning obsolete files and containers images
diff --git a/projects/release/hash_incrementals b/projects/release/hash_incrementals
index ba95ac7..cf31bfd 100644
--- a/projects/release/hash_incrementals
+++ b/projects/release/hash_incrementals
@@ -6,3 +6,6 @@
cd [% shell_quote(path(dest_dir)) %]/[% c("var/signed_status") %]/[% c("version") %]-[% c("var/torbrowser_build") %]
[% END -%]
sha256sum `ls -1 | grep '\.incremental\.mar$' | sort` > sha256sums-[% c("var/signed_status") %]-build.incrementals.txt
+[% IF c("var/sign_build") -%]
+ gpg -abs [% c("var/sign_build_gpg_opts") %] sha256sums-[% c("var/signed_status") %]-build.incrementals.txt
+[% END -%]
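Review bot: The added `gpg -abs` line has no failure handling of its own, so whether a failed signature stops this step depends on shell options set above line 6 of the script, which is outside the hunk. If the script does not run under `set -e`, a missing key or an unanswered overwrite prompt for an existing `.asc` could leave the incrementals checksum file unsigned while the step still succeeds. Ending the line with `|| exit 1`, as in `gpg -abs [% c("var/sign_build_gpg_opts") %] sha256sums-[% c("var/signed_status") %]-build.incrementals.txt || exit 1`, would make the failure explicit. The signed file name also follows `var/signed_status`, while the README and rbm.local.conf.example text in this commit name only the `unsigned` variant, so a one-line comment above the `IF` stating which file gets the detached signature would keep the template and the documentation in step.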
diff --git a/rbm.local.conf.example b/rbm.local.conf.example
index dc3f038..dd59034 100644
--- a/rbm.local.conf.example
+++ b/rbm.local.conf.example
@@ -45,12 +45,13 @@ var:
local_conf: 1
### The var/sign_build option defines if you want to sign the
- ### sha256sums-unsigned-build.txt file with gpg.
+ ### sha256sums-unsigned-build.txt and
+ ### sha256sums-unsigned-build.incrementals.txt files with gpg.
#sign_build: 1
### The var/sign_build_gpg_opts option can be used to define some gpg
### options to select the key to use to sign the sha256sums-unsigned-build.txt
- ### file.
+ ### and sha256sums-unsigned-build.incrementals.txt files.
#sign_build_gpg_opts: '--local-user XXXXXXXX'
### The clean configuration is used by the cleaning script to find the