build: add override for signing keys #20

The logic of scripts dir was that it doesn't need build dir foo, which isn't true anymore for the pkg_* scripts so that needs to be shuffled now.
2015-10-30 07:22:22 +01:00 · 2015-10-30 07:22:22 +01:00 · e213702060
parent ba1f580968
commit e213702060
5 changed files with 19 additions and 9 deletions
--- a/4
+++ b/4
@ -20,6 +20,7 @@ NAME?=		OPNsense
 TYPE?=		opnsense-devel
 FLAVOUR?=	OpenSSL
 SETTINGS?=	15.7
+SIGNATURE?=	/root/repo
 _VERSION!=	date '+%Y%m%d%H%M'
 VERSION?=	${_VERSION}
 PORTSREFDIR?=	/usr/freebsd-ports
@ -59,5 +60,6 @@ ${STEP}:
 	@cd build && sh ${VERBOSE_FLAGS} ./${.TARGET}.sh \
 	    -f ${FLAVOUR} -n ${NAME} -v ${VERSION} -s ${SETTINGS} \
 	    -S ${SRCDIR} -P ${PORTSDIR} -p ${PLUGINSDIR} -T ${TOOLSDIR} \
-	    -C ${COREDIR} -R ${PORTSREFDIR} -t ${TYPE} ${${STEP}_ARGS}
+	    -C ${COREDIR} -R ${PORTSREFDIR} -t ${TYPE} -k ${SIGNATURE} \
+	    ${${STEP}_ARGS}
 .endfor
--- a/README.md
+++ b/README.md
@ -74,12 +74,14 @@ All build steps are invoked via make(1):

 Available build options are:

-* NAME:		"OPNsense" (default)
-* TYPE:         the name of the meta package to be installed
+* CONFIG: 	reads the below from the specified file
 * FLAVOUR:	"OpenSSL" (default), "LibreSSL"
-* VERSION:	a version tag (if applicable)
+* NAME:		"OPNsense" (default)
 * SETTINGS:	the name of the selected settings in config/
-* CONFIG: 	reads the above from the specified file
+* SIGNATURE:	file prefix to the packages signature files,
+		automatically appending ".key" and ".pub"
+* TYPE:         the name of the meta package to be installed
+* VERSION:	a version tag (if applicable)

 Build the userland binaries, bootloader and administrative
 files:
--- a/build/common.sh
+++ b/build/common.sh
@ -33,6 +33,7 @@ usage()
 {
 	echo "Usage: ${0} -f flavour -n name -v version -R freebsd-ports.git" >&2
 	echo "	-C core.git -P ports.git -S src.git -T tools.git -t type" >&2
+	echo "	-k /path/to/signature/prefix [...]" >&2
 	exit 1
 }

@ -50,6 +51,10 @@ while getopts C:f:n:P:p:R:S:s:T:t:v: OPT; do
 		export PRODUCT_NAME=${OPTARG}
 		SCRUB_ARGS=${SCRUB_ARGS};shift;shift
 		;;
+	k)
+		export PRODUCT_SIGNATURE=${OPTARG}
+		SCRUB_ARGS=${SCRUB_ARGS};shift;shift
+		;;
 	P)
 		export PORTSDIR=${OPTARG}
 		SCRUB_ARGS=${SCRUB_ARGS};shift;shift
@ -93,6 +98,7 @@ if [ -z "${PRODUCT_NAME}" -o \
    -z "${PRODUCT_FLAVOUR}" -o \
    -z "${PRODUCT_VERSION}" -o \
    -z "${PRODUCT_SETTINGS}" -o \
+    -z "${PRODUCT_SIGNATURE}" -o \
    -z "${TOOLSDIR}" -o \
    -z "${PLUGINSDIR}" -o \
    -z "${PORTSDIR}" -o \
--- a/scripts/pkg_fingerprint.sh
+++ b/scripts/pkg_fingerprint.sh
@ -1,6 +1,6 @@
 #!/bin/sh

-if [ -f /root/repo.pub ]; then
+if [ -f ${PRODUCT_SIGNATURE}.pub ]; then
 	echo "function: \"sha256\""
-	echo "fingerprint: \"$(sha256 -q /root/repo.pub)\""
+	echo "fingerprint: \"$(sha256 -q ${PRODUCT_SIGNATURE}.pub)\""
 fi
--- a/scripts/pkg_sign.sh
+++ b/scripts/pkg_sign.sh
@ -3,8 +3,8 @@
 read -t 2 SUM
 [ -z "${SUM}" ] && exit 1
 echo SIGNATURE
-echo -n ${SUM} | openssl dgst -sign /root/repo.key -sha256 -binary
+echo -n ${SUM} | openssl dgst -sign ${PRODUCT_SIGNATURE}.key -sha256 -binary
 echo
 echo CERT
-cat /root/repo.pub
+cat ${PRODUCT_SIGNATURE}.pub
 echo END