build: add package signing glue

build/packages.sh

@@ -44,8 +44,14 @@ cp ${PACKAGESDIR}/${ARCH}/* ${STAGEDIR}/All
 # needed bootstrap glue when no packages are on the system
 cd ${STAGEDIR}/Latest && ln -s ../All/pkg-*.txz pkg.txz
 
+SIGNARGS=
+if [ -n "$(${TOOLSDIR}/scripts/pkg_fingerprint.sh)" ]; then
+	# XXX check if fingerprint is in core.git
+	SIGNARGS="signing_command: ${TOOLSDIR}/scripts/pkg_sign.sh"
+fi
+
 # generate index files
-cd ${STAGEDIR} && pkg repo .
+cd ${STAGEDIR} && pkg repo . ${SIGNARGS}
 
 echo -n ">>> Creating packages set... "
 

scripts/pkg_fingerprint.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+if [ -f /root/repo.pub ]; then
+	echo "function: \"sha256\""
+	echo "fingerprint: \"$(sha256 -q /root/repo.pub)\""
+fi

scripts/pkg_sign.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+read -t 2 SUM
+[ -z "${SUM}" ] && exit 1
+echo SIGNATURE
+echo -n ${SUM} | openssl dgst -sign /root/repo.key -sha256 -binary
+echo
+echo CERT
+cat /root/repo.pub
+echo END