40 lines
1.0 KiB
Bash
40 lines
1.0 KiB
Bash
|
#!/bin/bash
|
||
|
|
|
||
|
|
set -e
|
||
|
|
|
||
|
|
# Setup agent to read password from TTY (so we can use Expect)
|
||
|
|
gpg-agent --daemon --pinentry-program /usr/bin/pinentry-tty
|
||
|
|
|
||
|
|
# Import GPG key (passphrase set with $PLUGIN_GPG_PASSPHRASE)
|
||
|
|
echo "Importing GPG secret key"
|
||
|
|
tmpkey="$(mktemp /tmp/privkey-XXXXXXX)"
|
||
|
|
echo "$PLUGIN_GPG_SECRET_KEY" > "$tmpkey"
|
||
|
|
gpg.expect --import "$tmpkey" > /tmp/gpg.out || ret=$?
|
||
|
|
rm "$tmpkey"
|
||
|
|
|
||
|
|
if (( ! ret )); then
|
||
|
|
echo "Failed to import secret key."
|
||
|
|
echo "gpg output:"
|
||
|
|
cat /tmp/gpg.out >&2
|
||
|
|
exit 1
|
||
|
|
fi
|
||
|
|
|
||
|
|
# Retrieve key ID
|
||
|
|
keyid="$(cat /tmp/gpg.out | grep 'secret key imported' | awk '{ print $3 }' | tr -d ':')"
|
||
|
|
|
||
|
|
# Detach-sign all files
|
||
|
|
cd "$PLUGIN_SIGN_DIR"
|
||
|
|
find -mindepth 1 -maxdepth 1 -type f | while read -r filename; do
|
||
|
|
gpg.expect --detach-sign --use-agent "${keyid}" --no-armor "$filename" > /tmp/gpg.out || ret=$?
|
||
|
|
|
||
|
|
if (( ! ret )); then
|
||
|
|
printf "Created signature file %s." "${filename##*/}.sig"
|
||
|
|
else
|
||
|
|
printf "Failed to sign file %s." "${filename##*/}"
|
||
|
|
echo "gpg output:"
|
||
|
|
cat /tmp/gpg.out >&2
|
||
|
|
exit 1
|
||
|
|
fi
|
||
|
|
done
|
||
|
|
|