authorRobin H. Johnson <robbat2@gentoo.org>2023-10-12 16:49:04 -0700
committerRobin H. Johnson <robbat2@gentoo.org>2023-10-12 16:49:04 -0700
commit42410bf11caa208b720725e80e6269cb153b7be6 (patch)
tree3d1d16218ad053b323afd84aa62e59061099db50
parentsign-autobuilds: fix accidental debug & verbose (diff)
downloadmastermirror-scripts-42410bf11caa208b720725e80e6269cb153b7be6.tar.gz
mastermirror-scripts-42410bf11caa208b720725e80e6269cb153b7be6.tar.bz2
mastermirror-scripts-42410bf11caa208b720725e80e6269cb153b7be6.zip
sign-autobuilds: link signatures20231012T234914Z
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-rwxr-xr-xsign-autobuilds.sh77
1 files changed, 62 insertions, 15 deletions
diff --git a/sign-autobuilds.sh b/sign-autobuilds.sh
index 595bf26..29dc29b 100755
--- a/sign-autobuilds.sh
+++ b/sign-autobuilds.sh
@@ -25,6 +25,10 @@ VERBOSEP=false
# needs more debugging
# set -e
+warn() {
+ echo "WARN: $*" 1>&2
+}
+
signone() {
f="$1"
$DEBUGP "${GPG[@]}" --armor --detach-sign "${f}"
@@ -32,9 +36,9 @@ signone() {
signone_clearsign() {
# only for text files!
- f="$1"
- d=".${1}.asc.tmp"
- rm -f "$d"
+ f="${1}"
+ d="$(dirname "${f}")/.$(basename "${f}").asc.tmp"
+ rm -f "${d}"
# Clearsign aborts if the destfile exists
$DEBUGP "${GPG[@]}" --armor --clearsign --output "$d" "${f}"
$DEBUGP mv "${d}" "${f}"
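Review bot: The `mv "${d}" "${f}"` at the end of this hunk runs whether or not the clearsign step succeeded, since `set -e` is commented out near the top of the file, so a gpg failure that leaves an empty or partial `${d}` would replace the original file with it. Guard the move on the signing result, e.g. `$DEBUGP "${GPG[@]}" --armor --clearsign --output "${d}" "${f}" || { warn "clearsign failed: ${f}"; return 1; }`. How `$DEBUGP` is set is not visible here, so confirm that its dry-run value returns success before adopting this form. The temp name is also predictable (`.NAME.asc.tmp` beside the file), which is acceptable only if the release directories are writable solely by the signing account; this page does not show that. The closing brace of signone_clearsign lies outside the hunk.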
@@ -70,9 +74,7 @@ cd "$RELEASES/$a" >/dev/null || continue
# 2023/10/08: Unknown if the latest files are consumed by any machine-readable
# process that would break if the changed into being clearsigned, so use a
# detached signature for now.
-find_files_cmd=(
- find autobuilds
- -type f
+find_src_names=(
'('
-false
-or -name '*.tar.xz'
@@ -89,14 +91,34 @@ find_files_cmd=(
')'
)
-find_sigs_cmd=(
+find_src_files_cmd=(
find autobuilds
-type f
+ "${find_src_names[@]}"
+)
+
+find_src_links_cmd=(
+ find autobuilds
+ -type l
+ "${find_src_names[@]}"
+)
+
+find_sig_names=(
'('
-false
-or -name '*.asc'
')'
)
+find_sig_files_cmd=(
+ find autobuilds
+ -type f
+ "${find_sig_names[@]}"
+)
+find_sig_links_cmd=(
+ find autobuilds
+ -type l
+ "${find_sig_names[@]}"
+)
find_unsigned_helper_cmd=(
find autobuilds
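Review bot: `find_src_links_cmd` selects on `-type l` alone, so dangling links and links that resolve to directories or to paths outside `autobuilds` all enter the list that the later loop resolves with `readlink -f` and mirrors with `ln -sf`. If only links to regular files are meant to get a signature link, add `-xtype f` after `-type l` (GNU find), or state the expectation in a comment such as `# links may point anywhere; the signing loop only mirrors an existing .asc`. The same applies to `find_sig_links_cmd`, where a dangling `.asc` link currently counts as a signature in the `comm` comparison.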
@@ -113,21 +135,46 @@ find_unsigned_helper_cmd=(
-exec grep -L -e '^-----BEGIN PGP SIGNED MESSAGE-----$' \{\} \+
)
-files="$( "${find_files_cmd[@]}" )"
-sigs="$( "${find_sigs_cmd[@]}" )"
-unsigned="$(comm -23 <(echo "$files" |sort) <(echo "$sigs" | sed -e 's,.asc$,,g' |sort))"
+src_files="$( "${find_src_files_cmd[@]}" )"
+src_links="$( "${find_src_links_cmd[@]}" )"
+sig_files="$( "${find_sig_files_cmd[@]}" )"
+sig_links="$( "${find_sig_links_cmd[@]}" )"
+
+unsigned_files="$(comm -23 <(echo "$src_files" |sort) <(echo "$sig_files" | sed -e 's,.asc$,,g' |sort))"
+unsigned_links="$(comm -23 <(echo "$src_links" |sort) <(echo "$sig_links" | sed -e 's,.asc$,,g' |sort))"
#$VERBOSEP echo "=== ARCH: $a"
-for src in ${unsigned} ; do
+for src in ${unsigned_files} ; do
dgst=${src}.asc
- if [[ -f "$src" ]] && [[ ! -f "${dgst}" ]]; then
- $VERBOSEP echo "Signing $src"
- signone "$src"
+ if [[ -f "${src}" ]]; then
+ if [[ ! -e "${dgst}" ]]; then
+ $VERBOSEP echo "Signing $src"
+ signone "$src"
+ fi
+ # what if it existed but was NOT a file, this is an error
+ if [[ -e "${dgst}" ]] && [[ ! -f "${dgst}" ]]; then
+ warn "Unexpected link: $dgst"
+ fi
+ fi
+done
+
+for src in ${unsigned_links}; do
+ dgst=${src}.asc
+ if [[ -L "${src}" ]] && [[ ! -e "${dgst}" ]]; then
+ link_rel=$(readlink "${src}")
+ link_rel_sig=${link_rel}.asc
+ link_abs=$(readlink -f "${src}")
+ link_abs_sig=${link_abs}.asc
+ if [[ -e "${link_rel_sig}" ]] || [[ -e "${link_abs_sig}" ]]; then
+ ln -sf "${link_rel_sig}" "${dgst}"
+ else
+ warn "Link with no obvious signature: ${src} ; checked $link_rel_sig and $link_abs_sig"
+ fi
fi
done
-for dgst in ${sigs}; do
+for dgst in ${sig_files}; do
src=${dgst%.asc}
# If both the source & signature are files, not symlinks, and the source is
# newer, then resign. Need to check both for being files, in case we are in