Browse Source
build-package.sh: verify release files with gpg when doing autobuilds (#5062)
master
Leonid Plyushch
5 years ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with
28 additions and
1 deletions
-
build-package.sh
-
scripts/build/termux_get_repo_files.sh
-
scripts/setup-ubuntu.sh
|
|
|
@ -268,6 +268,27 @@ shift $((OPTIND-1)) |
|
|
|
if [ "$#" -lt 1 ]; then _show_usage; fi |
|
|
|
unset -f _show_usage |
|
|
|
|
|
|
|
if [ "$TERMUX_INSTALL_DEPS" = "true" ]; then |
|
|
|
# Setup PGP keys for verifying integrity of dependencies. |
|
|
|
# Keys are obtained from our keyring package. |
|
|
|
gpg --list-keys 2218893D3F679BEFC421FD976700B77E6D8D0AE7 > /dev/null 2>&1 || { |
|
|
|
gpg --import "$TERMUX_SCRIPTDIR/packages/termux-keyring/fornwall.gpg" |
|
|
|
gpg --command-file <(echo -e "trust\n5\ny") --edit-key 2218893D3F679BEFC421FD976700B77E6D8D0AE7 |
|
|
|
} |
|
|
|
gpg --list-keys B63168609E8839CA9150CE2DD9EFD56891B2BB50 > /dev/null 2>&1 || { |
|
|
|
gpg --import "$TERMUX_SCRIPTDIR/packages/termux-keyring/grimler.gpg" |
|
|
|
gpg --command-file <(echo -e "trust\n5\ny") --edit-key B63168609E8839CA9150CE2DD9EFD56891B2BB50 |
|
|
|
} |
|
|
|
gpg --list-keys CC72CF8BA7DBFA0182877D045A897D96E57CF20C > /dev/null 2>&1 || { |
|
|
|
gpg --import "$TERMUX_SCRIPTDIR/packages/termux-keyring/termux-autobuilds.gpg" |
|
|
|
gpg --command-file <(echo -e "trust\n5\ny") --edit-key CC72CF8BA7DBFA0182877D045A897D96E57CF20C |
|
|
|
} |
|
|
|
gpg --list-keys 3B6B548ADE5EA3BDD33CEEF045F2964132545795 > /dev/null 2>&1 || { |
|
|
|
gpg --import "$TERMUX_SCRIPTDIR/packages/termux-keyring/xeffyr.gpg" |
|
|
|
gpg --command-file <(echo -e "trust\n5\ny") --edit-key 3B6B548ADE5EA3BDD33CEEF045F2964132545795 |
|
|
|
} |
|
|
|
fi |
|
|
|
|
|
|
|
while (($# > 0)); do |
|
|
|
# Following commands must be executed under lock to prevent running |
|
|
|
# multiple instances of "./build-package.sh". |
|
|
|
|
|
|
|
@ -28,6 +28,11 @@ termux_get_repo_files() { |
|
|
|
termux_download "${TERMUX_REPO_URL[$idx-1]}/dists/${TERMUX_REPO_DISTRIBUTION[$idx-1]}/Release" \ |
|
|
|
"$RELEASE_FILE" SKIP_CHECKSUM |
|
|
|
|
|
|
|
termux_download "${TERMUX_REPO_URL[$idx-1]}/dists/${TERMUX_REPO_DISTRIBUTION[$idx-1]}/Release.gpg" \ |
|
|
|
"${RELEASE_FILE}.gpg" SKIP_CHECKSUM |
|
|
|
|
|
|
|
gpg --verify "${RELEASE_FILE}.gpg" "$RELEASE_FILE" |
|
|
|
|
|
|
|
for arch in all $TERMUX_ARCH; do |
|
|
|
local PACKAGES_HASH=$(./scripts/get_hash_from_file.py ${RELEASE_FILE} $arch ${TERMUX_REPO_COMPONENT[$idx-1]}) |
|
|
|
# If packages_hash = "" then the repo probably doesn't contain debs for $arch |
|
|
|
|
|
|
|
@ -7,7 +7,8 @@ PACKAGES="" |
|
|
|
PACKAGES+=" locales" |
|
|
|
|
|
|
|
# Used by build-package.sh and CI/CD scripts. |
|
|
|
PACKAGES+=" curl" # Used for fetching sources. |
|
|
|
PACKAGES+=" curl" |
|
|
|
PACKAGES+=" gnupg" |
|
|
|
PACKAGES+=" jq" |
|
|
|
|
|
|
|
# Used for fetching package sources from Git repositories. |
|
|
|
|
