Initial import

1 files changed, 54 insertions, 0 deletions

diff --git a/git-sign-for-cgit b/git-sign-for-cgit
new file mode 100755
index 0000000..fe127a8
--- /dev/null
+++ b/git-sign-for-cgit
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+set -e
+
+errx() {
+	printf '%s\n' "$*" >&2
+	exit 1
+}
+
+usage() {
+	errx 'usage: git sign-for-cgit [-f format] <object>\n'
+}
+
+seckey=${SIGNIFY_SECKEY:-$HOME/.signify/release.sec}
+
+format="$(git config --get package.format)"
+: "${format:=tar.gz}"
+
+while getopts f: opt; do
+	case $opt in
+		f) format=$OPTARG;;
+		?) usage;;
+	esac
+done
+shift $((OPTIND - 1))
+test $# -eq 1 || usage
+
+git archive -l | grep -Fqx "$format" || errx "fatal: unknown format"
+
+name=$(basename "$(git rev-parse --show-toplevel)")
+object=$1
+
+tmpdir=$(mktemp -d --suffix .sign-for-cgit)
+
+# We do want to expand tmpdir now rather than later, 
+# and mktemp should give us a path without spaces.
+# shellcheck disable=SC2064
+trap "{ rm -r $tmpdir; }" EXIT
+
+archive_base=$name-$object.$format
+archive_path=$tmpdir/$archive_base
+
+git archive --prefix="$name-$object/" -o "$archive_path" -- "$object"
+
+(
+	cd "$tmpdir"
+	sha256sum --tag "$archive_base" > "${archive_base}.SHA256"
+	signify -Ses "$seckey" -m "${archive_base}.SHA256"
+)
+
+id=$(git hash-object -w "${archive_path}.SHA256.sig")
+
+# do not use exec here because otherwise the EXIT trap will not fire
+git notes --ref="refs/notes/signatures/$format" add -C "$id" "$object"