blob: 2acdd5fad508d1af56da6965925ef3df19a41ca3 (
plain) (
tree)
|
|
#!/bin/sh
set -e
errx() {
printf '%s\n' "$*" >&2
exit 1
}
usage() {
errx 'usage: git sign-for-cgit [-f format] <object>'
}
seckey=${SIGNIFY_SECKEY:-$HOME/.signify/release.sec}
format="$(git config --get package.format)" || true
: "${format:=tar.gz}"
while getopts f: opt; do
case $opt in
f) format=$OPTARG;;
?) usage;;
esac
done
shift $((OPTIND - 1))
test $# -eq 1 || usage
git archive -l | grep -Fqx "$format" || errx 'fatal: unknown format'
name=$(basename "$(git rev-parse --show-toplevel)")
object=$1
tmpdir=$(mktemp -d --suffix .sign-for-cgit)
# We do want to expand tmpdir now rather than later,
# and mktemp should give us a path without spaces.
# shellcheck disable=SC2064
trap "{ rm -r $tmpdir; }" EXIT
archive_base=$name-$object.$format
archive_path=$tmpdir/$archive_base
git archive --prefix="$name-$object/" -o "$archive_path" -- "$object"
(
cd "$tmpdir"
sha256sum --tag "$archive_base" > "${archive_base}.SHA256"
signify -Ses "$seckey" -m "${archive_base}.SHA256"
)
id=$(git hash-object -w "${archive_path}.SHA256.sig")
# do not use exec here because otherwise the EXIT trap will not fire
git notes --ref="refs/notes/signatures/$format" add -C "$id" "$object"
|