commit adf23abdceb488864de0639fc74affd3556eb2fc Author: Nicolas Vigier <boklm@torproject.org> Date: Fri Dec 13 17:12:23 2019 +0100 Bug 32751: Sign incrementals sha256sums too if var/sign_build is set --- README | 10 +++++----- projects/release/hash_incrementals | 3 +++ rbm.local.conf.example | 5 +++-- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/README b/README index d77a460..5dbf77e 100644 --- a/README +++ b/README @@ -155,11 +155,11 @@ Signing builds -------------- If the environment variable RBM_SIGN_BUILD is set to 1, the -sha256sums-unsigned-build.txt file will be signed with gpg. -You can use the RBM_GPG_OPTS environment variable to add some options -to the gpg command used to sign the file. You can also set the -var/sign_build and var/sign_build_gpg_opts options in the rbm.local.conf -file. +sha256sums-unsigned-build.txt and sha256sums-unsigned-build.incrementals.txt +files will be signed with gpg. You can use the RBM_GPG_OPTS environment +variable to add some options to the gpg command used to sign the file. +You can also set the var/sign_build and var/sign_build_gpg_opts options +in the rbm.local.conf file. Cleaning obsolete files and containers images diff --git a/projects/release/hash_incrementals b/projects/release/hash_incrementals index ba95ac7..cf31bfd 100644 --- a/projects/release/hash_incrementals +++ b/projects/release/hash_incrementals @@ -6,3 +6,6 @@ cd [% shell_quote(path(dest_dir)) %]/[% c("var/signed_status") %]/[% c("version") %]-[% c("var/torbrowser_build") %] [% END -%] sha256sum `ls -1 | grep '\.incremental\.mar$' | sort` > sha256sums-[% c("var/signed_status") %]-build.incrementals.txt +[% IF c("var/sign_build") -%] + gpg -abs [% c("var/sign_build_gpg_opts") %] sha256sums-[% c("var/signed_status") %]-build.incrementals.txt +[% END -%] diff --git a/rbm.local.conf.example b/rbm.local.conf.example index dc3f038..dd59034 100644 --- a/rbm.local.conf.example +++ b/rbm.local.conf.example @@ -45,12 +45,13 @@ var: local_conf: 1 ### The var/sign_build option defines if you want to sign the - ### sha256sums-unsigned-build.txt file with gpg. + ### sha256sums-unsigned-build.txt and + ### sha256sums-unsigned-build.incrementals.txt files with gpg. #sign_build: 1 ### The var/sign_build_gpg_opts option can be used to define some gpg ### options to select the key to use to sign the sha256sums-unsigned-build.txt - ### file. + ### and sha256sums-unsigned-build.incrementals.txt files. #sign_build_gpg_opts: '--local-user XXXXXXXX' ### The clean configuration is used by the cleaning script to find the