pesign-obs-integration/pesign-install-post


#!/bin/bash
# This script is run by rpmbuild at the end of install section. It computes
# hashes of files listed in the %sign_files macro and stores them in
# %_topdir/OTHER/%name.cpio.rsasign. It also puts a specfile there, that
# is later used to repackage the RPMs.
#
# Copyright (c) 2013 SUSE Linux Products GmbH, Nuernberg, Germany.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
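set -e

# Command-line parsing. Both options take exactly one value:
#   --files   whitespace-separated path patterns of the files to hash
#   --output  directory that receives the specfile and the hash archive
files=
output=
while test $# -gt 0; do
  case "$1" in
    --files)
      # Without this check a missing value makes "shift 2" fail and set -e
      # ends the script without any diagnostic.
      if test $# -lt 2; then
        echo "$0: $1 requires an argument" >&2
        exit 1
      fi
      files=$2
      shift 2
      ;;
    --output)
      if test $# -lt 2; then
        echo "$0: $1 requires an argument" >&2
        exit 1
      fi
      output=$2
      shift 2
      ;;
    *)
      echo "$0: Unknown option: $1" >&2
      exit 1
      ;;
  esac
done

# No patterns given: nothing to hash, so leave without creating any output.
if test -z "$files"; then
  exit 0
fi
if test -z "$output"; then
  echo "$0: --output not specified" >&2
  exit 1
fi

# The patterns are later resolved relative to $RPM_BUILD_ROOT. With the
# fallback below they are matched against the root directory of the system
# the script runs on instead of a staged install tree, hence the warning.
if test -z "$RPM_BUILD_ROOT"; then
  echo "$0: warning: \$RPM_BUILD_ROOT not set, using the root directory" >&2
  RPM_BUILD_ROOT=/
fi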
# Create the output directory and decide which certificate, if any, gets
# embedded in the generated repackaging specfile.
mkdir -p "$output"
cert=$RPM_SOURCE_DIR/_projectcert.crt
if [[ ! -e "$cert" ]]; then
  echo "No buildservice signing certificate"
  # sed's "r" command below then reads /dev/null and inserts nothing.
  cert=/dev/null
else
  echo "Using signing certificate $cert"
fi

# Instantiate the spec template: @NAME@ becomes the package name and every
# line containing @CERT@ is replaced by the contents of $cert.
# Both values are interpolated into the sed program itself, so a ":" in
# $RPM_PACKAGE_NAME or a newline in $cert would alter the program.
spec_template=/usr/lib/rpm/pesign-repackage.spec.in
repackage_spec=$output/pesign-repackage.spec
sed "
s:@NAME@:$RPM_PACKAGE_NAME:g
/@CERT@/ {
r $cert
d
}
" "$spec_template" >"$repackage_spec"
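# Translate the whitespace-separated patterns in $files into a chain of
# "-o -path PATTERN" tests for find, evaluated relative to the build root.
cd "$RPM_BUILD_ROOT"
args=()
# $files is deliberately unquoted so that it splits into single patterns.
# NOTE(review): the unquoted expansion is also subject to pathname expansion
# by the shell before the leading "/" is stripped, so a pattern with glob
# characters can be replaced by whatever it matches on disk (for an absolute
# pattern, outside the build root) before find ever sees it. Confirm that
# this is intended; "set -f" around the loop would pass patterns through
# literally, at the cost of changing which files are selected.
for pattern in $files; do
  # Anchor every pattern at "./" so it lines up with the paths find prints.
  pattern=${pattern#/}
  if test "${pattern:0:2}" != "./"; then
    pattern="./$pattern"
  fi
  # A directory stands for everything below it.
  if test -d "$pattern"; then
    pattern="$pattern/*"
  fi
  args+=(-o -path "$pattern")
done
# Delete the leading -o. The subscript is quoted: unquoted, "args[0]" is a
# glob that matches a file named "args0" in the current directory, in which
# case the wrong name would be unset and find would get a stray -o.
unset 'args[0]'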
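# Stop here if the package name is empty: "$output/$RPM_PACKAGE_NAME" would
# collapse to "$output/" and the final rm -rf would remove the whole output
# directory, including the archive that was just written.
archive=$output/${RPM_PACKAGE_NAME:?}.cpio.rsasign
archive_dir=$output/$RPM_PACKAGE_NAME
mkdir -p "$archive_dir"

# Private scratch directory, removed on every exit path. It holds the NSS
# database and the list of selected files.
tmp_dir=$(mktemp -d)
trap 'rm -rf "$tmp_dir"' EXIT
file_list=$tmp_dir/files

# create an empty nss database to make pesign happy
nss_db=$tmp_dir/nss
mkdir "$nss_db"
echo >"$nss_db/password"
certutil -N -f "$nss_db/password" -d "$nss_db"

echo "Creating $archive"
# The file names are passed NUL-delimited. Word-splitting find's output
# would break names containing whitespace and glob-expand names containing
# wildcard characters, so a different set of files could end up being hashed
# than the one find selected. Writing the list to a file first keeps a find
# failure fatal under set -e.
find . -type f \( "${args[@]}" \) -print0 >"$file_list"
# The list is read on fd 3 so the commands in the loop keep their stdin.
while IFS= read -r -d '' f <&3; do
  dest="$archive_dir/$f"
  mkdir -p "${dest%/*}"
  case "$f" in
    ./boot/* | *.efi)
      # For these files the output of "pesign --digestdata" is stored
      # rather than the file itself.
      pesign --certdir="$nss_db" -i "$f" --digestdata "$dest"
      ;;
    *)
      cp "$f" "$dest"
      ;;
  esac
done 3<"$file_list"

# Pack the staged tree into the archive, then drop the staging directory.
cd "$archive_dir"
find . -type f -print0 | cpio -0 -H newc -o >"$archive"
rm -rf -- "$archive_dir"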