From c7e6e14bde5e7d1fcede0bd5ff42bbcfc18e52a6 Mon Sep 17 00:00:00 2001 From: "Andreas K. Hüttel" Date: Sat, 5 Aug 2023 12:19:28 +0200 Subject: add sync-binpackages.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andreas K. Hüttel --- sync-binpackages.sh | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100755 sync-binpackages.sh
diff --git a/sync-binpackages.sh b/sync-binpackages.sh
new file mode 100755
index 0000000..bae48af
--- /dev/null
+++ b/sync-binpackages.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Copyright 2011-2023 Gentoo Authors; Distributed under the GPL v2
+
+# this is the directory where the tree is fully assembled and all packages are signed
+# we assume it's on dipper / releng-incoming, but might as well give a full rsync
+# specification here
+INITIALDIR="blabla"
+
+FINALDIR="/var/tmp/gmirror-releases/binpackages"
+RSYNC="/usr/bin/rsync"
+RSYNC_ARGS="--no-motd --recursive --times --links --ignore-errors --delete --delete-after --timeout=300 --exclude=timestamp*"
+RSYNC_ARGS="${RSYNC_ARGS} --quiet"
+
+[[ -d ${FINALDIR} ]] || mkdir ${FINALDIR}
+${RSYNC} ${RSYNC_ARGS} ${INITIALDIR}/ ${FINALDIR}/
+
+/bin/date -u '+%s %c' > ${FINALDIR}/timestamp.x
+/bin/date -R -u > ${FINALDIR}/timestamp.chk
+/bin/date -u '+%s' > ${FINALDIR}/timestamp.mirmon
-- cgit v1.2.3-65-gdbad From ea4f8298a221de3d6638b580edc30ff3234b0e24 Mon Sep 17 00:00:00 2001 From: "Andreas K. Hüttel" Date: Sat, 5 Aug 2023 12:44:55 +0200 Subject: add sign-binpackages.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andreas K. Hüttel --- sign-binpackages.sh | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100755 sign-binpackages.sh
diff --git a/sign-binpackages.sh b/sign-binpackages.sh
new file mode 100755
index 0000000..4ae9dc0
--- /dev/null
+++ b/sign-binpackages.sh
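Review bot: In the new sync-binpackages.sh, `RSYNC_ARGS` combines `--ignore-errors` with `--delete --delete-after`, which tells rsync to carry on deleting even after I/O errors, so a partly unreadable `INITIALDIR` can remove good files from the mirror tree. The same pair is carried into `RSYNC_OPTS` and `OUT_RSYNC_OPTS` in the later commits on this page. Dropping `--ignore-errors` restores rsync's default of skipping deletions once an error has occurred. The three timestamp files are also written whether or not rsync succeeded, so a failed run still looks fresh to whatever reads them; `${RSYNC} ${RSYNC_ARGS} ${INITIALDIR}/ ${FINALDIR}/ || exit 1` ahead of the `date` lines would prevent that.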
@@ -0,0 +1,41 @@
+#!/bin/bash
+# Copyright 2010-2023 Gentoo Authors; Distributed under the GPL v2
+# might be earlier copyright, no history available
+
+# Keep this variable in sync in both sign-autobuilds.sh & sync-autobuilds.sh
+_ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86"
+ #alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86
+ARCHES=${ARCHES:-${_ARCHES}}
+
+
+INTREE=blablabla
+SIGTREE=blablabla
+
+DEBUG=''
+VERBOSE=''
+
+BINPKG_GPG_SIGNING_GPG_HOME=/home/gmirror/.gnupg-releng
+BINPKG_GPG_SIGNING_KEY=blablabla
+
+gpgconf --kill all
+
+# step 1: rsync from the dirs where the arches copy in
+# make sure to *not* overwrite existing newer files (obviously
+# the signature changed them)...
+
+for a in $ARCHES ; do
+ rsync --recursive --delete --delete-after --update ${INTREE}/${a}/* ${SIGTREE}/${a}/
+done
+
+# step 2: iterate over all binary package trees, sign
+# all unsigned files
+# we assume the directory structure to be
+# /binpackages/amd64/17.1/x86-64
+# /binpackages/amd64/17.1/x86-64_musl
+# /binpackages/mips/17.0/mipsel3_n32
+# /binpackages/x86/17.0/x86_musl_hardened
+
+for t in ${SIGTREE}/*/*/* ; do
+ find ${t} -name '*.gpkg' -exec gpkg-sign --skip-signed \{\} \;
+ PKGDIR=${t} emaint binhost fix
+done
-- cgit v1.2.3-65-gdbad From 2b338a4a748704a875038ac68b65315394721a65 Mon Sep 17 00:00:00 2001 From: "Andreas K. Hüttel" Date: Sat, 5 Aug 2023 13:01:33 +0200 Subject: more details MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andreas K. Hüttel --- sign-binpackages.sh | 24 ++++++++++++++++++++---- sync-binpackages.sh | 2 +- 2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/sign-binpackages.sh b/sign-binpackages.sh
index 4ae9dc0..2fe0ff9 100755
--- a/sign-binpackages.sh
+++ b/sign-binpackages.sh
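Review bot: In the step 2 loop of the new sign-binpackages.sh, `find ${t} -name '*.gpkg' -exec gpkg-sign --skip-signed \{\} \;` discards gpkg-sign's exit status, because find reports success whatever an `-exec … \;` command returns. A signing failure therefore goes unnoticed and `emaint binhost fix` still runs over a tree that may hold unsigned packages. Passing the list through xargs keeps the status: `find "${t}" -name '*.gpkg' -print0 | xargs -0 -n1 --no-run-if-empty gpkg-sign --skip-signed || exit 1`. The "Make signing work" hunk later on this page keeps the same `-exec … \;` form and additionally sends its output to /dev/null.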
@@ -2,14 +2,17 @@ # Copyright 2010-2023 Gentoo Authors; Distributed under the GPL v2 # might be earlier copyright, no history available -# Keep this variable in sync in both sign-autobuilds.sh & sync-autobuilds.sh +# for testing +ARCHES="aarch64 sparc" + +# Keep this variable in sync _ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86" #alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86 ARCHES=${ARCHES:-${_ARCHES}} -INTREE=blablabla -SIGTREE=blablabla +INTREE=/release/weekly/binpackages +SIGTREE=/release/binpackages DEBUG='' VERBOSE='' @@ -19,12 +22,25 @@ BINPKG_GPG_SIGNING_KEY=blablabla gpgconf --kill all +# step 0: ensure all directories exist and have the right +# permissions + +for a in $ARCHES ; do + if ! [[ -d ${INTREE}/${a} ]]; then + mkdir -p ${INTREE}/${a} + chown ${a}:${a} ${INTREE}/${a} + chmod u+rwx,o+rx ${INTREE}/${a} + fi +done + +[[ -d SIGTREE ]] || mkdir -p ${SIGTREE} + # step 1: rsync from the dirs where the arches copy in # make sure to *not* overwrite existing newer files (obviously # the signature changed them)... for a in $ARCHES ; do - rsync --recursive --delete --delete-after --update ${INTREE}/${a}/* ${SIGTREE}/${a}/ + rsync --recursive --delete --delete-after --update ${INTREE}/${a}/ ${SIGTREE}/${a}/ done # step 2: iterate over all binary package trees, sign diff --git a/sync-binpackages.sh b/sync-binpackages.sh index bae48af..da94c33 100755 --- a/sync-binpackages.sh +++ b/sync-binpackages.sh @@ -4,7 +4,7 @@ # this is the directory where the tree is fully assembled and all packages are signed # we assume it's on dipper / releng-incoming, but might as well give a full rsync # specification here -INITIALDIR="blabla" +INITIALDIR="/release/binpackages" FINALDIR="/var/tmp/gmirror-releases/binpackages" RSYNC="/usr/bin/rsync" -- cgit v1.2.3-65-gdbad From 3f315ea95fad1b6fb9acea3ddad6abd35a449a87 Mon Sep 17 00:00:00 2001 
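Review bot: `[[ -d SIGTREE ]] || mkdir -p ${SIGTREE}` at the end of the new step 0 in sign-binpackages.sh tests for a directory literally named SIGTREE in the current working directory, because the `$` is missing. It should read `[[ -d ${SIGTREE} ]] || mkdir -p "${SIGTREE}"`. As written the test is false unless such a directory happens to exist, so mkdir runs on every invocation and only `-p` keeps that from failing.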
From: "Andreas K. Hüttel" Date: Sat, 5 Aug 2023 17:51:41 +0200 Subject: fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andreas K. Hüttel --- sign-binpackages.sh | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/sign-binpackages.sh b/sign-binpackages.sh index 2fe0ff9..8fa8475 100755 --- a/sign-binpackages.sh +++ b/sign-binpackages.sh @@ -3,7 +3,7 @@ # might be earlier copyright, no history available # for testing -ARCHES="aarch64 sparc" +ARCHES="arm64 sparc" # Keep this variable in sync _ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86" @@ -18,22 +18,24 @@ DEBUG='' VERBOSE='' BINPKG_GPG_SIGNING_GPG_HOME=/home/gmirror/.gnupg-releng -BINPKG_GPG_SIGNING_KEY=blablabla +BINPKG_GPG_SIGNING_KEY=DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D gpgconf --kill all -# step 0: ensure all directories exist and have the right -# permissions - -for a in $ARCHES ; do - if ! [[ -d ${INTREE}/${a} ]]; then - mkdir -p ${INTREE}/${a} - chown ${a}:${a} ${INTREE}/${a} - chmod u+rwx,o+rx ${INTREE}/${a} - fi -done - -[[ -d SIGTREE ]] || mkdir -p ${SIGTREE} +## step 0: ensure all directories exist and have the right +## permissions +## we can't actually do that here since this script runs as +## unprivileged user +# +#for a in $ARCHES ; do +# if ! [[ -d ${INTREE}/${a} ]]; then +# mkdir -p ${INTREE}/${a} +# chown ${a}:${a} ${INTREE}/${a} +# chmod u+rwx,o+rx ${INTREE}/${a} +# fi +#done +# +#[[ -d SIGTREE ]] || mkdir -p ${SIGTREE} # step 1: rsync from the dirs where the arches copy in # make sure to *not* overwrite existing newer files (obviously -- cgit v1.2.3-65-gdbad From f1ac8778e45caa7c397f4c8a8976eccb94a07c0e Mon Sep 17 00:00:00 2001 From: "Andreas K. Hüttel" Date: Sun, 6 Aug 2023 01:15:08 +0200 Subject: first complete version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Andreas K. Hüttel --- sign-binpackages.sh | 28 ++++++---------------------- sync-binpackages.sh | 40 +++++++++++++++++++++++++++++----------- 2 files changed, 35 insertions(+), 33 deletions(-) diff --git a/sign-binpackages.sh b/sign-binpackages.sh index 8fa8475..e11ba71 100755 --- a/sign-binpackages.sh +++ b/sign-binpackages.sh @@ -14,7 +14,6 @@ ARCHES=${ARCHES:-${_ARCHES}} INTREE=/release/weekly/binpackages SIGTREE=/release/binpackages -DEBUG='' VERBOSE='' BINPKG_GPG_SIGNING_GPG_HOME=/home/gmirror/.gnupg-releng 
@@ -22,38 +21,23 @@ BINPKG_GPG_SIGNING_KEY=DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D gpgconf --kill all -## step 0: ensure all directories exist and have the right -## permissions -## we can't actually do that here since this script runs as -## unprivileged user -# -#for a in $ARCHES ; do -# if ! [[ -d ${INTREE}/${a} ]]; then -# mkdir -p ${INTREE}/${a} -# chown ${a}:${a} ${INTREE}/${a} -# chmod u+rwx,o+rx ${INTREE}/${a} -# fi -#done -# -#[[ -d SIGTREE ]] || mkdir -p ${SIGTREE} - # step 1: rsync from the dirs where the arches copy in # make sure to *not* overwrite existing newer files (obviously # the signature changed them)... for a in $ARCHES ; do - rsync --recursive --delete --delete-after --update ${INTREE}/${a}/ ${SIGTREE}/${a}/ + rsync ${VERBOSE} --archive --delete --delete-after --update --mkpath ${INTREE}/${a}/* ${SIGTREE}/${a}/ done # step 2: iterate over all binary package trees, sign # all unsigned files # we assume the directory structure to be -# /binpackages/amd64/17.1/x86-64 -# /binpackages/amd64/17.1/x86-64_musl -# /binpackages/mips/17.0/mipsel3_n32 -# /binpackages/x86/17.0/x86_musl_hardened +# .../binpackages/amd64/17.1/x86-64 +# .../binpackages/amd64/17.1/x86-64_musl +# .../binpackages/mips/17.0/mipsel3_n32 +# .../binpackages/x86/17.0/x86_musl_hardened for t in ${SIGTREE}/*/*/* ; do - find ${t} -name '*.gpkg' -exec gpkg-sign --skip-signed \{\} \; + find "${t}" -name '*.gpkg' -exec gpkg-sign --skip-signed \{\} \; PKGDIR=${t} emaint binhost fix done diff --git a/sync-binpackages.sh b/sync-binpackages.sh index da94c33..dbee1d7 100755 --- a/sync-binpackages.sh +++ b/sync-binpackages.sh 
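Review bot: The step 1 rsync in sign-binpackages.sh goes back from the `${INTREE}/${a}/` source to the `${INTREE}/${a}/*` glob, which narrows what `--delete` covers. Only the entries the glob expands to are compared, so a top-level entry removed from the upload area stays in `${SIGTREE}/${a}/`, dot-entries are never transferred, and an empty upload directory hands rsync a literal `*`. Keeping `${INTREE}/${a}/ ${SIGTREE}/${a}/` avoids all three; if the glob is deliberate, a comment saying why would help. `--archive` also implies `--links`, so symlinks placed in the directories the arches upload into are copied unchanged into the tree that is signed and later published; if uploads are not meant to contain links, `--no-links` or `--safe-links` would make that explicit.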
@@ -1,19 +1,37 @@ #!/bin/bash # Copyright 2011-2023 Gentoo Authors; Distributed under the GPL v2 -# this is the directory where the tree is fully assembled and all packages are signed +# for testing +ARCHES="arm64 sparc" + +# Keep this variable in sync in both sign-binpackages.sh & sync-binpackages.sh +_ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86" + #alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86 +ARCHES=${ARCHES:-${_ARCHES}} + +# this is the directory where all packages are signed # we assume it's on dipper / releng-incoming, but might as well give a full rsync # specification here -INITIALDIR="/release/binpackages" +SRCDIR="/release/binpackages" +# append ${a} -FINALDIR="/var/tmp/gmirror-releases/binpackages" -RSYNC="/usr/bin/rsync" -RSYNC_ARGS="--no-motd --recursive --times --links --ignore-errors --delete --delete-after --timeout=300 --exclude=timestamp*" -RSYNC_ARGS="${RSYNC_ARGS} --quiet" +# this is the outgoing directory +DSTDIR="/var/tmp/gmirror-releases/releases" +# append ${a}/binpackages -[[ -d ${FINALDIR} ]] || mkdir ${FINALDIR} -${RSYNC} ${RSYNC_ARGS} ${INITIALDIR}/ ${FINALDIR}/ +RSYNC="/usr/bin/rsync" +RSYNC_OPTS=( + --no-motd + --archive + --ignore-errors + --delete + --delete-after + --timeout=300 + --quiet + --mkpath +) -/bin/date -u '+%s %c' > ${FINALDIR}/timestamp.x -/bin/date -R -u > ${FINALDIR}/timestamp.chk -/bin/date -u '+%s' > ${FINALDIR}/timestamp.mirmon +for a in ${ARCHES}; do + [[ -d ${DSTDIR}${a}/binpackages ]] || mkdir ${DSTDIR}/${a}/binpackages + ${RSYNC} ${RSYNC_ARGS} ${SRCDIR}/${a}/* ${DSTDIR}/${a}/binpackages/ +done -- cgit v1.2.3-65-gdbad From ef94c6ac3da5e313cf5bce124325398df1abddbc Mon Sep 17 00:00:00 2001 From: "Andreas K. Hüttel" Date: Sun, 6 Aug 2023 02:03:25 +0200 Subject: Make signing work MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
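Review bot: The new loop in sync-binpackages.sh still calls `${RSYNC} ${RSYNC_ARGS} …`, but this commit replaces that string with the array `RSYNC_OPTS`, so `RSYNC_ARGS` is unset and rsync runs with no options at all. The call should expand the array: `${RSYNC} "${RSYNC_OPTS[@]}" ${SRCDIR}/${a}/* ${DSTDIR}/${a}/binpackages/`. One line above, the directory test reads `${DSTDIR}${a}/binpackages` with the slash missing, and the plain `mkdir` fails when `${DSTDIR}/${a}` does not exist yet. Adding `set -u` near the top of the script would turn a misspelled variable like this into an immediate error instead of a silently different rsync run.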
Signed-off-by: Andreas K. Hüttel --- sign-binpackages.sh | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/sign-binpackages.sh b/sign-binpackages.sh index e11ba71..6cee806 100755 --- a/sign-binpackages.sh +++ b/sign-binpackages.sh @@ -14,10 +14,11 @@ ARCHES=${ARCHES:-${_ARCHES}} INTREE=/release/weekly/binpackages SIGTREE=/release/binpackages -VERBOSE='' +export BINPKG_GPG_SIGNING_GPG_HOME=/home/gmirror/.gnupg-releng +export BINPKG_GPG_SIGNING_KEY=13EBBDBEDE7A12775DFDB1BABB572E0E2D182910 +export BINPKG_GPG_VERIFY_GPG_HOME=${BINPKG_GPG_SIGNING_GPG_HOME} -BINPKG_GPG_SIGNING_GPG_HOME=/home/gmirror/.gnupg-releng -BINPKG_GPG_SIGNING_KEY=DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D +[[ $(whoami) == "gmirror" ]] || exit 111 gpgconf --kill all @@ -26,7 +27,7 @@ gpgconf --kill all # the signature changed them)... for a in $ARCHES ; do - rsync ${VERBOSE} --archive --delete --delete-after --update --mkpath ${INTREE}/${a}/* ${SIGTREE}/${a}/ + rsync --archive --delete --delete-after --update --mkpath ${INTREE}/${a}/* ${SIGTREE}/${a}/ done # step 2: iterate over all binary package trees, sign @@ -38,6 +39,7 @@ done # .../binpackages/x86/17.0/x86_musl_hardened for t in ${SIGTREE}/*/*/* ; do - find "${t}" -name '*.gpkg' -exec gpkg-sign --skip-signed \{\} \; - PKGDIR=${t} emaint binhost fix + find "${t}" -name '*.gpkg.tar' -exec gpkg-sign --skip-signed \{\} \; > /dev/null + PKGDIR=${t} emaint -f binhost > /dev/null done +# unfortunately these commands make much noise... let's hope we notice errors -- cgit v1.2.3-65-gdbad From 7282c2264166b42d321f6797f4a2f75516a999b2 Mon Sep 17 00:00:00 2001 From: "Andreas K. Hüttel" Date: Sun, 6 Aug 2023 02:12:47 +0200 Subject: Make syncing work MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andreas K. Hüttel --- sync-binpackages.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) 
diff --git a/sync-binpackages.sh b/sync-binpackages.sh index dbee1d7..fe524d9 100755 --- a/sync-binpackages.sh +++ b/sync-binpackages.sh @@ -2,7 +2,7 @@ # Copyright 2011-2023 Gentoo Authors; Distributed under the GPL v2 # for testing -ARCHES="arm64 sparc" +ARCHES="sparc" # Keep this variable in sync in both sign-binpackages.sh & sync-binpackages.sh _ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86" @@ -27,11 +27,12 @@ RSYNC_OPTS=( --delete --delete-after --timeout=300 - --quiet --mkpath ) +[[ $(whoami) == "gmirror" ]] || exit 111 + for a in ${ARCHES}; do - [[ -d ${DSTDIR}${a}/binpackages ]] || mkdir ${DSTDIR}/${a}/binpackages - ${RSYNC} ${RSYNC_ARGS} ${SRCDIR}/${a}/* ${DSTDIR}/${a}/binpackages/ + [[ -d ${DSTDIR}/${a}/binpackages ]] || mkdir -p ${DSTDIR}/${a}/binpackages + rsync "${RSYNC_OPTS[@]}" ${SRCDIR}/${a}/* ${DSTDIR}/${a}/binpackages/ done -- cgit v1.2.3-65-gdbad From c8334424bd31df9cac598ecc4177f1c7c7ee696b Mon Sep 17 00:00:00 2001 From: "Andreas K. Hüttel" Date: Sun, 6 Aug 2023 02:17:09 +0200 Subject: Some comments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andreas K. Hüttel --- sign-binpackages.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/sign-binpackages.sh b/sign-binpackages.sh index 6cee806..61d8874 100755 --- a/sign-binpackages.sh +++ b/sign-binpackages.sh 
@@ -1,9 +1,15 @@ #!/bin/bash -# Copyright 2010-2023 Gentoo Authors; Distributed under the GPL v2 +# Copyright 2023 Gentoo Authors; Distributed under the GPL v2 # might be earlier copyright, no history available +# NOTE 1: This script is SLOW. It should run at most once per day. +# NOTE 2: This script requires that the signing key has its ownertrust +# set to ultimate. Which makes sense anyway, since we have the +# secret key. +# NOTE 3: This script has to run as gmirror user. + # for testing -ARCHES="arm64 sparc" +ARCHES="sparc" # Keep this variable in sync _ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86" -- cgit v1.2.3-65-gdbad From 2fe2355ae0ccf4067d685adbadefba964289737e Mon Sep 17 00:00:00 2001 From: "Andreas K. Hüttel" Date: Sun, 6 Aug 2023 23:40:02 +0200 Subject: Merge two scripts and speed things up MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andreas K. Hüttel --- sign-binpackages.sh | 51 ------------------------ sign-sync-binpackages.sh | 102 +++++++++++++++++++++++++++++++++++++++++++++++ sync-binpackages.sh | 38 ------------------ 3 files changed, 102 insertions(+), 89 deletions(-) delete mode 100755 sign-binpackages.sh create mode 100755 sign-sync-binpackages.sh delete mode 100755 sync-binpackages.sh diff --git a/sign-binpackages.sh b/sign-binpackages.sh deleted file mode 100755 index 61d8874..0000000 --- a/sign-binpackages.sh +++ /dev/null 
@@ -1,51 +0,0 @@ -#!/bin/bash -# Copyright 2023 Gentoo Authors; Distributed under the GPL v2 -# might be earlier copyright, no history available - -# NOTE 1: This script is SLOW. It should run at most once per day. -# NOTE 2: This script requires that the signing key has its ownertrust -# set to ultimate. Which makes sense anyway, since we have the -# secret key. -# NOTE 3: This script has to run as gmirror user. - -# for testing -ARCHES="sparc" - -# Keep this variable in sync -_ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86" - #alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86 -ARCHES=${ARCHES:-${_ARCHES}} - - -INTREE=/release/weekly/binpackages -SIGTREE=/release/binpackages - -export BINPKG_GPG_SIGNING_GPG_HOME=/home/gmirror/.gnupg-releng -export BINPKG_GPG_SIGNING_KEY=13EBBDBEDE7A12775DFDB1BABB572E0E2D182910 -export BINPKG_GPG_VERIFY_GPG_HOME=${BINPKG_GPG_SIGNING_GPG_HOME} - -[[ $(whoami) == "gmirror" ]] || exit 111 - -gpgconf --kill all - -# step 1: rsync from the dirs where the arches copy in -# make sure to *not* overwrite existing newer files (obviously -# the signature changed them)... - -for a in $ARCHES ; do - rsync --archive --delete --delete-after --update --mkpath ${INTREE}/${a}/* ${SIGTREE}/${a}/ -done - -# step 2: iterate over all binary package trees, sign -# all unsigned files -# we assume the directory structure to be -# .../binpackages/amd64/17.1/x86-64 -# .../binpackages/amd64/17.1/x86-64_musl -# .../binpackages/mips/17.0/mipsel3_n32 -# .../binpackages/x86/17.0/x86_musl_hardened - -for t in ${SIGTREE}/*/*/* ; do - find "${t}" -name '*.gpkg.tar' -exec gpkg-sign --skip-signed \{\} \; > /dev/null - PKGDIR=${t} emaint -f binhost > /dev/null -done -# unfortunately these commands make much noise... let's hope we notice errors diff --git a/sign-sync-binpackages.sh b/sign-sync-binpackages.sh new file mode 100755 index 0000000..d5e1caf --- /dev/null +++ b/sign-sync-binpackages.sh 
@@ -0,0 +1,102 @@
+#!/bin/bash
+# Copyright 2023 Gentoo Authors; Distributed under the GPL v2
+# might be earlier copyright, no history available
+
+# NOTE 1: This script is SLOW. It should run at most once per day.
+# NOTE 2: This script requires that the signing key has its ownertrust
+# set to ultimate. Which makes sense anyway, since we have the
+# secret key.
+# NOTE 3: This script has to run as gmirror user.
+
+# for testing
+ARCHES="sparc"
+
+# Keep this variable in sync
+_ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86"
+ #alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86
+ARCHES=${ARCHES:-${_ARCHES}}
+
+
+INTREE=/release/weekly/binpackages
+STAGINGTREE=/release/binpackages-staging
+OUTTREE=/var/tmp/gmirror-releases/releases
+
+IN_RSYNC_OPTS=(
+ --archive
+ --delete
+ --delete-after
+ --update
+ --mkpath
+)
+
+OUT_RSYNC_OPTS=(
+ --no-motd
+ --archive
+ --ignore-errors
+ --delete
+ --delete-after
+ --timeout=300
+ --mkpath
+)
+
+export BINPKG_GPG_SIGNING_GPG_HOME=/home/gmirror/.gnupg-releng
+export BINPKG_GPG_SIGNING_KEY=13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
+export BINPKG_GPG_VERIFY_GPG_HOME=${BINPKG_GPG_SIGNING_GPG_HOME}
+
+# this script needs to be run as gmirror user
+[[ $(whoami) == "gmirror" ]] || exit 111
+
+# we make sure we're not running twice in parallel
+[[ -f ${STAGINGTREE}/.running ]] && exit 112
+touch ${STAGINGTREE}/.running || exit 110
+
+# make sure we have an updated gpg-agent
+gpgconf --kill all
+
+
+# step 1: rsync from the dirs where the arches copy in
+# make sure to *not* overwrite existing newer files (obviously
+# the signature changed them)...
+
+for a in ${ARCHES} ; do
+ rsync "${IN_RSYNC_OPTS[@]}" ${INTREE}/${a}/* ${STAGINGTREE}/${a}/
+done
+
+# now the set of files is frozen in the staging dir, and we dont care
+# if any arches start uploading in the meantime
+
+
+# step 2: iterate over all binary package trees, sign
+# all unsigned files
+# we assume the directory structure to be
+# .../binpackages-staging/amd64/17.1/x86-64
+# .../binpackages-staging/amd64/17.1/x86-64_musl
+# .../binpackages-staging/mips/17.0/mipsel3_n32
+# .../binpackages-staging/x86/17.0/x86_musl_hardened
+
+for t in ${STAGINGTREE}/*/*/* ; do
+ # find all unsigned packages as fast as possible
+ find "${t}" -name '*.gpkg.tar' -print0 | \
+ parallel -0 -n1 -- "tar tf {} |grep -E -e '/metadata\.tar\..*\.sig$' -L --label={}" > ${STAGINGTREE}/.unsigned
+
+ # sign the packages
+ xargs -n1 -- gpkg-sign "{}" < ${STAGINGTREE}/.unsigned > /dev/null || exit 113
+
+ # regenerate the indices
+ PKGDIR=${t} emaint -f binhost > /dev/null || exit 114
+done
+# unfortunately these commands make much noise... let's hope we notice errors
+
+
+# step 3: sync the result into the mirror directories from where
+# the files are distributed
+
+for a in ${ARCHES}; do
+ [[ -d ${OUTTREE}/${a}/binpackages ]] || mkdir -p ${OUTTREE}/${a}/binpackages
+ rsync "${OUT_RSYNC_OPTS[@]}" ${STAGINGTREE}/${a}/* ${OUTTREE}/${a}/binpackages/
+ date -u > ${OUTTREE}/${a}/binpackages/.timestamp
+done
+
+
+# we're done so remove the "lockfile"
+rm ${STAGINGTREE}/.running
diff --git a/sync-binpackages.sh b/sync-binpackages.sh
deleted file mode 100755
index fe524d9..0000000
--- a/sync-binpackages.sh
+++ /dev/null
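Review bot: In step 2 of the new sign-sync-binpackages.sh a package counts as signed as soon as `tar tf` lists a member matching `/metadata\.tar\..*\.sig$`; nothing here checks that the signature verifies or that it was made with `BINPKG_GPG_SIGNING_KEY`. The staging tree is filled from the directories the arches upload into, so a package that arrives already carrying such a member is left out of `.unsigned` and goes to `${OUTTREE}` in step 3 exactly as uploaded. I would add a pass before step 3 that verifies every package in the staging tree against the keyring in `BINPKG_GPG_VERIFY_GPG_HOME` and exits non-zero on any failure. `.unsigned` is also newline-separated while plain `xargs -n1` splits on any whitespace and interprets quotes, so `xargs -d '\n' -n1` is needed for the list to survive unusual file names.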
@@ -1,38 +0,0 @@ -#!/bin/bash -# Copyright 2011-2023 Gentoo Authors; Distributed under the GPL v2 - -# for testing -ARCHES="sparc" - -# Keep this variable in sync in both sign-binpackages.sh & sync-binpackages.sh -_ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86" - #alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86 -ARCHES=${ARCHES:-${_ARCHES}} - -# this is the directory where all packages are signed -# we assume it's on dipper / releng-incoming, but might as well give a full rsync -# specification here -SRCDIR="/release/binpackages" -# append ${a} - -# this is the outgoing directory -DSTDIR="/var/tmp/gmirror-releases/releases" -# append ${a}/binpackages - -RSYNC="/usr/bin/rsync" -RSYNC_OPTS=( - --no-motd - --archive - --ignore-errors - --delete - --delete-after - --timeout=300 - --mkpath -) - -[[ $(whoami) == "gmirror" ]] || exit 111 - -for a in ${ARCHES}; do - [[ -d ${DSTDIR}/${a}/binpackages ]] || mkdir -p ${DSTDIR}/${a}/binpackages - rsync "${RSYNC_OPTS[@]}" ${SRCDIR}/${a}/* ${DSTDIR}/${a}/binpackages/ -done -- cgit v1.2.3-65-gdbad From 78ad69992cbfb852ea077dd2378d860189189aca Mon Sep 17 00:00:00 2001 From: "Andreas K. Hüttel" Date: Sun, 6 Aug 2023 23:47:04 +0200 Subject: Make verbosity possible MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andreas K. Hüttel --- sign-sync-binpackages.sh | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/sign-sync-binpackages.sh b/sign-sync-binpackages.sh index d5e1caf..ed85e11 100755 --- a/sign-sync-binpackages.sh +++ b/sign-sync-binpackages.sh 
@@ -16,12 +16,14 @@ _ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc #alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86 ARCHES=${ARCHES:-${_ARCHES}} +VERBOSE='1' INTREE=/release/weekly/binpackages STAGINGTREE=/release/binpackages-staging OUTTREE=/var/tmp/gmirror-releases/releases IN_RSYNC_OPTS=( + --no-motd --archive --delete --delete-after @@ -53,13 +55,17 @@ touch ${STAGINGTREE}/.running || exit 110 # make sure we have an updated gpg-agent gpgconf --kill all +# prepare some handy variables +_verbose_v='' +[[ ${VERBOSE} == '1' ]] && _verbose_v='-v' + # step 1: rsync from the dirs where the arches copy in # make sure to *not* overwrite existing newer files (obviously # the signature changed them)... for a in ${ARCHES} ; do - rsync "${IN_RSYNC_OPTS[@]}" ${INTREE}/${a}/* ${STAGINGTREE}/${a}/ + rsync ${_verbose_v} "${IN_RSYNC_OPTS[@]}" ${INTREE}/${a}/* ${STAGINGTREE}/${a}/ done # now the set of files is frozen in the staging dir, and we dont care @@ -79,11 +85,19 @@ for t in ${STAGINGTREE}/*/*/* ; do find "${t}" -name '*.gpkg.tar' -print0 | \ parallel -0 -n1 -- "tar tf {} |grep -E -e '/metadata\.tar\..*\.sig$' -L --label={}" > ${STAGINGTREE}/.unsigned + if [[ ${VERBOSE} == '1' ]] ; then + echo "List of unsigned pacakges:" + cat ${STAGINGTREE}/.unsigned + echo ; echo + fi + # sign the packages - xargs -n1 -- gpkg-sign "{}" < ${STAGINGTREE}/.unsigned > /dev/null || exit 113 + [[ ${VERBOSE} == '1' ]] && xargs -n1 -- gpkg-sign "{}" < ${STAGINGTREE}/.unsigned || exit 113 + [[ ${VERBOSE} == '1' ]] || xargs -n1 -- gpkg-sign "{}" < ${STAGINGTREE}/.unsigned > /dev/null || exit 113 # regenerate the indices - PKGDIR=${t} emaint -f binhost > /dev/null || exit 114 + [[ ${VERBOSE} == '1' ]] && PKGDIR=${t} emaint -f binhost || exit 114 + [[ ${VERBOSE} == '1' ]] || PKGDIR=${t} emaint -f binhost > /dev/null || exit 114 done # unfortunately these commands make much noise... let's hope we notice errors 
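Review bot: The new `[[ ${VERBOSE} == '1' ]] && xargs … || exit 113` line exits whenever VERBOSE is not '1', because bash groups `A && B || C` as `(A && B) || C` and a false test falls straight through to `exit 113` before the quiet variant on the next line is reached. The two `emaint` lines have the same shape with `exit 114`. It stays hidden in this commit only because `VERBOSE='1'` is set at the top; the "Minor fixes after testing" commit later on this page switches to `VERBOSE='0'`, after which the first tree aborts the run and leaves `${STAGINGTREE}/.running` behind. The "Add --no-run-if-empty" hunk keeps the same construct. An if/else ties each exit to the command it belongs to; the enclosing `for t in …` loop starts outside this hunk.

```shell
  # sign the packages
  if [[ ${VERBOSE} == '1' ]] ; then
    xargs -n1 -- gpkg-sign "{}" < "${STAGINGTREE}/.unsigned" || exit 113
  else
    xargs -n1 -- gpkg-sign "{}" < "${STAGINGTREE}/.unsigned" > /dev/null || exit 113
  fi

  # regenerate the indices
  if [[ ${VERBOSE} == '1' ]] ; then
    PKGDIR=${t} emaint -f binhost || exit 114
  else
    PKGDIR=${t} emaint -f binhost > /dev/null || exit 114
  fi
```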
@@ -92,8 +106,8 @@ done # the files are distributed for a in ${ARCHES}; do - [[ -d ${OUTTREE}/${a}/binpackages ]] || mkdir -p ${OUTTREE}/${a}/binpackages - rsync "${OUT_RSYNC_OPTS[@]}" ${STAGINGTREE}/${a}/* ${OUTTREE}/${a}/binpackages/ + [[ -d ${OUTTREE}/${a}/binpackages ]] || mkdir -p ${_verbose_v} ${OUTTREE}/${a}/binpackages + rsync ${_verbose_v} "${OUT_RSYNC_OPTS[@]}" ${STAGINGTREE}/${a}/* ${OUTTREE}/${a}/binpackages/ date -u > ${OUTTREE}/${a}/binpackages/.timestamp done -- cgit v1.2.3-65-gdbad From 8bc64b7f500ba6cb266659f72899546a5e188af1 Mon Sep 17 00:00:00 2001 From: "Andreas K. Hüttel" Date: Mon, 7 Aug 2023 01:04:15 +0200 Subject: Add --no-run-if-empty MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andreas K. Hüttel --- sign-sync-binpackages.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sign-sync-binpackages.sh b/sign-sync-binpackages.sh index ed85e11..b437ccb 100755 --- a/sign-sync-binpackages.sh +++ b/sign-sync-binpackages.sh @@ -92,8 +92,8 @@ for t in ${STAGINGTREE}/*/*/* ; do fi # sign the packages - [[ ${VERBOSE} == '1' ]] && xargs -n1 -- gpkg-sign "{}" < ${STAGINGTREE}/.unsigned || exit 113 - [[ ${VERBOSE} == '1' ]] || xargs -n1 -- gpkg-sign "{}" < ${STAGINGTREE}/.unsigned > /dev/null || exit 113 + [[ ${VERBOSE} == '1' ]] && xargs -n1 --no-run-if-empty -- gpkg-sign "{}" < ${STAGINGTREE}/.unsigned || exit 113 + [[ ${VERBOSE} == '1' ]] || xargs -n1 --no-run-if-empty -- gpkg-sign "{}" < ${STAGINGTREE}/.unsigned > /dev/null || exit 113 # regenerate the indices [[ ${VERBOSE} == '1' ]] && PKGDIR=${t} emaint -f binhost || exit 114 -- cgit v1.2.3-65-gdbad From 318de71660c3397fb5c06cf8747828c9a6dd0501 Mon Sep 17 00:00:00 2001 From: "Andreas K. Hüttel" Date: Mon, 7 Aug 2023 14:31:22 +0200 Subject: Minor fixes after testing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Andreas K. Hüttel --- sign-sync-binpackages.sh | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/sign-sync-binpackages.sh b/sign-sync-binpackages.sh index b437ccb..c26a3f5 100755 --- a/sign-sync-binpackages.sh +++ b/sign-sync-binpackages.sh @@ -8,15 +8,12 @@ # secret key. # NOTE 3: This script has to run as gmirror user. -# for testing -ARCHES="sparc" - # Keep this variable in sync -_ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86" +_ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sparc x86" #alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86 ARCHES=${ARCHES:-${_ARCHES}} -VERBOSE='1' +VERBOSE='0' INTREE=/release/weekly/binpackages STAGINGTREE=/release/binpackages-staging @@ -83,7 +80,7 @@ done for t in ${STAGINGTREE}/*/*/* ; do # find all unsigned packages as fast as possible find "${t}" -name '*.gpkg.tar' -print0 | \ - parallel -0 -n1 -- "tar tf {} |grep -E -e '/metadata\.tar\..*\.sig$' -L --label={}" > ${STAGINGTREE}/.unsigned + parallel -0 -n1 --will-cite -- "tar tf {} |grep -E -e '/metadata\.tar\..*\.sig$' -L --label={}" > ${STAGINGTREE}/.unsigned if [[ ${VERBOSE} == '1' ]] ; then echo "List of unsigned pacakges:" @@ -92,8 +89,8 @@ for t in ${STAGINGTREE}/*/*/* ; do fi # sign the packages - [[ ${VERBOSE} == '1' ]] && xargs -n1 --no-run-if-empty -- gpkg-sign "{}" < ${STAGINGTREE}/.unsigned || exit 113 - [[ ${VERBOSE} == '1' ]] || xargs -n1 --no-run-if-empty -- gpkg-sign "{}" < ${STAGINGTREE}/.unsigned > /dev/null || exit 113 + [[ ${VERBOSE} == '1' ]] && xargs -n1 --no-run-if-empty -- gpkg-sign < ${STAGINGTREE}/.unsigned || exit 113 + [[ ${VERBOSE} == '1' ]] || xargs -n1 --no-run-if-empty -- gpkg-sign < ${STAGINGTREE}/.unsigned > /dev/null || exit 113 # regenerate the indices [[ ${VERBOSE} == '1' ]] && PKGDIR=${t} emaint -f binhost || exit 114 -- cgit v1.2.3-65-gdbad From 7e3b9a4083fe98cf8bda9b3cb03ea04813db8c34 Mon Sep 17 00:00:00 2001 
From: "Andreas K. Hüttel" Date: Mon, 7 Aug 2023 15:47:45 +0200 Subject: Silence errors for arches that have not uploaded yet MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andreas K. Hüttel --- sign-sync-binpackages.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sign-sync-binpackages.sh b/sign-sync-binpackages.sh index c26a3f5..a71f8ba 100755 --- a/sign-sync-binpackages.sh +++ b/sign-sync-binpackages.sh @@ -24,6 +24,7 @@ IN_RSYNC_OPTS=( --archive --delete --delete-after + --ignore-missing-args --update --mkpath ) @@ -34,7 +35,7 @@ OUT_RSYNC_OPTS=( --ignore-errors --delete --delete-after - --timeout=300 + --ignore-missing-args --mkpath ) -- cgit v1.2.3-65-gdbad From 32bac9644e6af62151c4d213070bf3d2c3ac08f5 Mon Sep 17 00:00:00 2001 From: "Andreas K. Hüttel" Date: Mon, 7 Aug 2023 15:53:51 +0200 Subject: Abort noisily if lockfile exists MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andreas K. Hüttel --- sign-sync-binpackages.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sign-sync-binpackages.sh b/sign-sync-binpackages.sh index a71f8ba..7db6611 100755 --- a/sign-sync-binpackages.sh +++ b/sign-sync-binpackages.sh @@ -47,7 +47,10 @@ export BINPKG_GPG_VERIFY_GPG_HOME=${BINPKG_GPG_SIGNING_GPG_HOME} [[ $(whoami) == "gmirror" ]] || exit 111 # we make sure we're not running twice in parallel -[[ -f ${STAGINGTREE}/.running ]] && exit 112 +if [[ -f ${STAGINGTREE}/.running ]] ; then + echo sign-sync-binpackages.sh lockfile ${STAGINGTREE}/.running exists, aborting + exit 112 +fi touch ${STAGINGTREE}/.running || exit 110 # make sure we have an updated gpg-agent -- cgit v1.2.3-65-gdbad
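Review bot: The lock check reworked in the last hunk is still a `[[ -f … ]]` test followed by a separate `touch`, so two runs started close together can both pass the test. Every `exit 113` or `exit 114` further down also leaves `.running` in place, after which all later runs abort with 112 until someone removes the file by hand. Holding an flock on the file for the lifetime of the script closes both gaps, since the lock goes away however the script ends; the message is also better sent to stderr with the path quoted. The final `rm ${STAGINGTREE}/.running` is outside this hunk and is no longer needed once the lock is an flock.

```shell
# we make sure we're not running twice in parallel
exec 9> "${STAGINGTREE}/.running" || exit 110
if ! flock -n 9 ; then
  echo "sign-sync-binpackages.sh: ${STAGINGTREE}/.running is locked by another run, aborting" >&2
  exit 112
fi
```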