commit adf23abdceb488864de0639fc74affd3556eb2fc Author: Nicolas Vigier boklm@torproject.org Date: Fri Dec 13 17:12:23 2019 +0100
Bug 32751: Sign incrementals sha256sums too if var/sign_build is set --- README | 10 +++++----- projects/release/hash_incrementals | 3 +++ rbm.local.conf.example | 5 +++-- 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/README b/README
index d77a460..5dbf77e 100644
--- a/README
+++ b/README
@@ -155,11 +155,11 @@ Signing builds --------------
 If the environment variable RBM_SIGN_BUILD is set to 1, the
-sha256sums-unsigned-build.txt file will be signed with gpg.
-You can use the RBM_GPG_OPTS environment variable to add some options
-to the gpg command used to sign the file. You can also set the
-var/sign_build and var/sign_build_gpg_opts options in the rbm.local.conf
-file.
+sha256sums-unsigned-build.txt and sha256sums-unsigned-build.incrementals.txt
+files will be signed with gpg. You can use the RBM_GPG_OPTS environment
+variable to add some options to the gpg command used to sign the file.
+You can also set the var/sign_build and var/sign_build_gpg_opts options
+in the rbm.local.conf file.
 Cleaning obsolete files and containers images
diff --git a/projects/release/hash_incrementals b/projects/release/hash_incrementals
index ba95ac7..cf31bfd 100644
--- a/projects/release/hash_incrementals
+++ b/projects/release/hash_incrementals
@@ -6,3 +6,6 @@ cd [% shell_quote(path(dest_dir)) %]/[% c("var/signed_status") %]/[% c("version") %]-[% c("var/torbrowser_build") %] [% END -%] sha256sum `ls -1 | grep '.incremental.mar$' | sort` > sha256sums-[% c("var/signed_status") %]-build.incrementals.txt
+[% IF c("var/sign_build") -%]
+ gpg -abs [% c("var/sign_build_gpg_opts") %] sha256sums-[% c("var/signed_status") %]-build.incrementals.txt
+[% END -%]
diff --git a/rbm.local.conf.example b/rbm.local.conf.example
index dc3f038..dd59034 100644
--- a/rbm.local.conf.example
+++ b/rbm.local.conf.example
@@ -45,12 +45,13 @@ var: local_conf: 1
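Review bot: The added `gpg -abs` call in projects/release/hash_incrementals has no visible failure handling, so unless the part of the script above this hunk enables `set -e`, a signing failure (missing key, agent not reachable) would leave the freshly written incrementals sums file unsigned while the step still appears to succeed. On a re-run a signature file from an earlier run may already exist; gpg then asks before overwriting, or refuses when it cannot prompt, so a stale `.asc` that no longer matches the regenerated sums could stay in place. Consider removing the old signature first and failing hard, for example `rm -f "$f.asc"` followed by `gpg -abs [% c("var/sign_build_gpg_opts") %] "$f" || exit 1`, with `f` set to the sums file name. The script starts outside the hunk, so whether errors already abort it cannot be confirmed from here.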
 ### The var/sign_build option defines if you want to sign the
- ### sha256sums-unsigned-build.txt file with gpg.
+ ### sha256sums-unsigned-build.txt and
+ ### sha256sums-unsigned-build.incrementals.txt files with gpg.
 #sign_build: 1
 ### The var/sign_build_gpg_opts option can be used to define some gpg
 ### options to select the key to use to sign the sha256sums-unsigned-build.txt
- ### file.
+ ### and sha256sums-unsigned-build.incrementals.txt files.
 #sign_build_gpg_opts: '--local-user XXXXXXXX'
 ### The clean configuration is used by the cleaning script to find the