[gentoo-commits] repo/proj/prefix:master commit in: scripts/rsync-generation/

[Fabian Groffen]

commit:     17ac45552c0f6c49f28e11fad23ab2cddfdd5393
Author:     Fabian Groffen <grobian <AT> gentoo <DOT> org>
AuthorDate: Wed Nov 29 19:26:38 2017 +0000
Commit:     Fabian Groffen <grobian <AT> gentoo <DOT> org>
CommitDate: Wed Nov 29 19:26:38 2017 +0000
URL:        https://gitweb.gentoo.org/repo/proj/prefix.git/commit/?id=17ac4555

update-rsync-master: only sign the top level Manifest

 scripts/rsync-generation/update-rsync-master.sh | 69 +++++++------------------
 1 file changed, 20 insertions(+), 49 deletions(-)

diff --git a/scripts/rsync-generation/update-rsync-master.sh 
b/scripts/rsync-generation/update-rsync-master.sh
index 5f73206eae..459edebce0 100755
--- a/scripts/rsync-generation/update-rsync-master.sh
+++ b/scripts/rsync-generation/update-rsync-master.sh
@@ -187,57 +187,28 @@ TIME_SVNPREFIX=$((STOP - START))
 
 START=$(date +%s)
 
-echo "($(date +"%F %R")) signing unsigned Manifests"
+echo "($(date +"%F %R")) signing Manifest"
 
 # generate Thick Manifests
-${BASE_PATH}/hashgen ${RSYNCDIR}
-
-# We store signed Manifests in a "cache", so we don't have to
-# generate them all-over all the time.  Generation needs to take place
-# if:
-# 1. the original Manifest isn't signed
-# 2. we don't have one generated file
-# 3. the Manifest modification time is newer than our generated file
-# Signing is done with our snapshot signing key
-sign_manifest() {
-       local pkg=$1
-       local mc=${pkg//\//_}.manifest
-       [[ -z ${pkg} ]] && return 1
-
-       if [[ ! -f ${MANIFEST_CACHE}/${mc} || ${RSYNCDIR}/${pkg}/Manifest -nt 
${MANIFEST_CACHE}/${mc} ]] ; then
-               mkdir -p "${MANIFEST_CACHE}"
-
-               echo "Signing Manifest for ${pkg}"
-               cat "${RSYNCDIR}/${pkg}"/Manifest > "${MANIFEST_CACHE}"/${mc}
-               # remember, HOME is set to misc/ so .gnupg keychain lives there
-               gpg --batch --no-tty --passphrase-fd 0 --default-key C6317B3C \
-                       --pinentry-mode loopback \
-                       --sign --clearsign --digest-algo SHA512 \
-                       --yes "${MANIFEST_CACHE}"/${mc} \
-                       < "${BASE_PATH}"/autosigner.pwd >& /dev/null
-               if [[ -f ${MANIFEST_CACHE}/${mc}.asc ]] ; then
-                       touch -r "${RSYNCDIR}/${pkg}"/Manifest \
-                               "${MANIFEST_CACHE}"/${mc}.asc
-                       mv "${MANIFEST_CACHE}"/${mc}{.asc,}
-               else
-                       rm "${MANIFEST_CACHE}"/${mc}
-                       echo "signing failed!" >> /dev/stderr
-                       return 0
-               fi
-       fi
-
-       cp -a "${MANIFEST_CACHE}"/${mc} "${RSYNCDIR}/${pkg}"/Manifest
-
-       return 0
-}
-
-for entry in "${RSYNCDIR}"/*/* ; do
-       [[ ! -f "${entry}"/Manifest ]] && continue
-       entry=${entry#${RSYNCDIR}/}
-       sign_manifest "${entry}"
-done
-
-echo "($(date +"%F %R")) unsigned Manifests signed"
+${BASE_PATH}/hashgen "${RSYNCDIR}"
+
+# Signing is done with our snapshot signing key, and only on the top
+# level Manifest, for it covers indirectly the entire tree
+
+# remember, HOME is set to misc/ so .gnupg keychain lives there
+gpg --batch --no-tty --passphrase-fd 0 --default-key C6317B3C \
+       --pinentry-mode loopback \
+       --sign --clearsign --digest-algo SHA512 \
+       --yes "${RSYNCDIR}"/Manifest \
+       < "${BASE_PATH}"/autosigner.pwd >& /dev/null
+if [[ -f ${RSYNCDIR}/Manifest.asc ]] ; then
+       touch -r "${RSYNCDIR}"/Manifest "${RSYNCDIR}"/Manifest.asc
+       mv "${RSYNCDIR}"/Manifest{.asc,}
+else
+       echo "signing failed!" >> /dev/stderr
+fi
+
+echo "($(date +"%F %R")) Manifest signed"
 
 STOP=$(date +%s)
 TIME_MANISIGN=$((STOP - START))