From: Faiyaz Ahmed Date: Thu, 26 Jun 2008 20:47:14 +0000 (+0000) Subject: Sign packages and create repo when done. X-Git-Tag: 4.2-rc21~37 X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=65c472ab4de7c80c4d48863999f919c09361093a;p=build.git Sign packages and create repo when done. --- diff --git a/vbuild-nightly.sh b/vbuild-nightly.sh index 32c99d79..a9e5892c 100755 --- a/vbuild-nightly.sh +++ b/vbuild-nightly.sh @@ -17,6 +17,11 @@ DEFAULT_IFNAME=eth0 # web publishing results DEFAULT_WEBPATH="/build/@PLDISTRO@/" +# default gpg path used in signing yum repo +DEFAULT_GPGPATH="/etc/planetlab" +# default email to use in gpg secring +DEFAULT_GPGUID="root@$( /bin/hostname )" + # for the test part TESTBUILDURL="http://build.one-lab.org/" TESTBOXSSH=root@testbox.one-lab.org @@ -261,6 +266,9 @@ function usage () { echo " -s svnpath - where to fetch the build module" echo " -c testconfig - defaults to $DEFAULT_TESTCONFIG" echo " -w webpath - defaults to $DEFAULT_WEBPATH" + echo " -y create (and sign) yum repo in webpath" + echo " -g path to gpg secring used to sign rpms. Defaults to $DEFAULT_GPGPATH" + echo " -u gpg email used in secring. Defaults to $DEFAULT_GPGUID" echo " -m mailto - no default" echo " -O : overwrite - re-run in base directory, do not re-create vserver" echo " -B : run build only" @@ -293,6 +301,9 @@ function main () { s) SVNPATH=$OPTARG ;; c) TESTCONFIG="$TESTCONFIG $OPTARG" ;; w) WEBPATH=$OPTARG ;; + y) MKYUMREPO=$OPTARG;; + g) GPGPATH=$OPTARG;; + u) GPGUID=$OPTARG;; m) MAILTO=$OPTARG ;; O) OVERWRITEMODE=true ;; B) DO_TEST= ;; @@ -424,7 +435,82 @@ function main () { rsync --archive --delete --verbose /vservers/$BASE/build/SRPMS/ $WEBPATH/$BASE/SRPMS/ # publish myplc-release rsync --verbose /vservers/$BASE/build/myplc-release $WEBPATH/$BASE - + + # create yum repo and sign packages. + if [ -n $MKYUMREPO ] ; then + echo "Signing signing node packages" + + ### availability of repo indexing tools + # old one - might be needed for old-style nodes + type -p yum-arch > /dev/null && have_yum_arch="true" + # new one + type -p createrepo > /dev/null && have_createrepo="true" + + repository=$WEBPATH/$BASE/RPMS/ + # the rpms that need signing + new_rpms= + # and the corresponding stamps + new_stamps= + # is there a need to refresh yum metadata + need_yum_arch= + need_createrepo= + + # right after installation, no package is present + # but we still need to create index + [ -n "$have_yum_arch" -a ! -f $repository/headers/header.info ] && need_yum_arch=true + [ -n "$have_createrepo" -a ! -f $repository/repodata/repomd.xml ] && need_createrepo=true + + for package in $(find $repository/ -name '*.rpm') ; do + stamp=$repository/signed-stamps/$(basename $package).signed + # If package is newer than signature stamp + if [ $package -nt $stamp ] ; then + new_rpms="$new_rpms $package" + new_stamps="$new_stamps $stamp" + fi + # Or than yum-arch headers + [ -n "$have_yum_arch" ] && [ $package -nt $repository/headers/header.info ] && need_yum +_arch=true + # Or than createrepo database + [ -n "$have_createrepo" ] && [ $package -nt $repository/repodata/repomd.xml ] && need_c +reaterepo=true + done + + if [ -n "$new_rpms" ] ; then + # Create a stamp once the package gets signed + mkdir $repository/signed-stamps 2> /dev/null + + # Sign RPMS. setsid detaches rpm from the terminal, + # allowing the (hopefully blank) GPG password to be + # entered from stdin instead of /dev/tty. + echo | setsid rpm \ + --define "_signature gpg" \ + --define "_gpg_path $GPGPATH" \ + --define "_gpg_name $GPGUID" \ + --resign $new_rpms && touch $new_stamps + check + fi + + # Update repository index / yum metadata. + + if [ -n "$need_yum_arch" ] ; then + # yum-arch sometimes leaves behind + # .oldheaders and .olddata directories accidentally. + rm -rf $repository/{.oldheaders,.olddata} + yum-arch $repository + check + fi + + if [ -n "$need_createrepo" ] ; then + if [ -f $repository/yumgroups.xml ] ; then + createrepo --quiet -g yumgroups.xml $repository + else + createrepo --quiet $repository + fi + check + fi + + fi + if [ -n "$DO_TEST" ] ; then runtest fi