From 43865aa1615bf0ca65914344dbef85199d3130d0 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Wed, 2 Sep 2015 18:30:10 +0100
Subject: [PATCH] Key rollover: switch to signing using the new keys.

sign.sh's command-line syntax has changed, so I've updated the sample command line in CHECKLST as well. Also the file extensions of the signatures have changed, so I've updated the pre-release verification command line in CHECKLST too.

(cherry picked from commit 11eb75a260ca1c6e48a19afe241d423f6e7b0e4e)
---
 CHECKLST.txt | 4 ++--
 sign.sh | 30 +++++++++++++++++-------------
 2 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/CHECKLST.txt b/CHECKLST.txt
index d23b3f4e..93996f8d 100644
--- a/CHECKLST.txt
+++ b/CHECKLST.txt
@@ -135,7 +135,7 @@ for it: installer and the Unix source tarball.
- Sign the release: in the `build.out' directory, type
- sh sign.sh putty Releases
+ sh sign.sh -r putty
and enter the passphrases a lot of times. The actual release procedure
@@ -151,7 +151,7 @@ locally, this is the procedure for putting it up on the web.
- Do final checks on the release directory in its new location:
+ verify all the signatures:
- for i in `find . -name '*.*SA'`; do case $i in *sums*) gpg --verify $i;; *) gpg --verify $i ${i%%.?SA};; esac; done
+ for i in `find . -name '*.gpg'`; do case $i in *sums*) gpg --verify $i;; *) gpg --verify $i ${i%%.gpg};; esac; done
+ check the checksum files:
md5sum -c md5sums
sha1sum -c sha1sums
diff --git a/sign.sh b/sign.sh
index 2d348aa3..ea63b4bf 100755
--- a/sign.sh
+++ b/sign.sh
@@ -3,29 +3,33 @@
# Generate GPG signatures on a PuTTY release/snapshot directory as
# delivered by Buildscr.
-# Usage: sh sign.sh
-# e.g. sh sign.sh putty Snapshots (probably in the build.out directory)
-# or sh sign.sh 0.60 Releases
+# Usage: sh sign.sh [-r]
+# e.g. sh sign.sh putty (probably in the build.out directory)
+# or sh sign.sh -r 0.60 (-r means use the release keys)
set -e
+keyname=EEF20295D15F7E8A
+
+if test "x$1" = "x-r"; then
+ shift
+ keyname=9DFE2648B43434E4
+fi
+
sign() {
# Check for the prior existence of the signature, so we can
# re-run this script if it encounters an error part way
# through.
- echo "----- Signing $2 with '$keyname'"
+ echo "----- Signing $2 with key '$keyname'"
test -f "$3" || \
gpg --load-extension=idea "$1" -u "$keyname" -o "$3" "$2"
}
cd "$1"
-for t in DSA RSA; do
- keyname="$2 ($t)"
- echo "===== Signing with '$keyname'"
- for i in putty*src.zip putty*.tar.gz x86/*.exe x86/*.zip; do
- sign --detach-sign "$i" "$i.$t"
- done
- for i in md5sums sha1sums sha256sums sha512sums; do
- sign --clearsign $i ${i}.$t
- done
+echo "===== Signing with key '$keyname'"
+for i in putty*src.zip putty*.tar.gz x86/*.exe x86/*.zip; do
+ sign --detach-sign "$i" "$i.gpg"
+done
+for i in md5sums sha1sums sha256sums sha512sums; do
+ sign --clearsign "$i" "$i.gpg"
done
-- 
2.45.2
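Review bot: `-u "$keyname"` now selects the signing key by a 64-bit key ID (`keyname=EEF20295D15F7E8A` and `keyname=9DFE2648B43434E4`), which is only a truncated fingerprint, so if the signing keyring ever holds a second key with the same ID (an imported collision, or a re-imported old key) gpg could pick the wrong one without any error. Pin the full 40-hex fingerprint instead and suffix it with `!` when a specific signing subkey is intended, e.g. `keyname='<full fingerprint>!'`, and document in the header comment which key each fingerprint is. A usage guard before `cd "$1"` is also worth adding: after the `-r` shift nothing checks that a directory argument remains, and `cd ""` is shell-dependent (a no-op in some shells), after which the globs run in whatever directory the operator happens to be in; `test $# -eq 1 || { echo "usage: sh sign.sh [-r] <dir>" >&2; exit 2; }` catches that. The `sign` function and both signing loops are entirely within the hunk.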