mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 09:12:24 +00:00

Key rollover: switch to signing using the new keys.

sign.sh's command-line syntax has changed, so I've updated the sample
command line in CHECKLST as well. Also the file extensions of the
signatures have changed, so I've updated the pre-release verification
command line in CHECKLST too.
Simon Tatham 2015-09-02 18:30:10 +01:00
parent bb68baf53b
commit 11eb75a260
2 changed files with 19 additions and 15 deletions


@ -135,7 +135,7 @@ for it:
installer and the Unix source tarball. installer and the Unix source tarball.
- Sign the release: in the `build.out' directory, type - Sign the release: in the `build.out' directory, type
sh sign.sh putty Releases sh sign.sh -r putty
and enter the passphrases a lot of times. and enter the passphrases a lot of times.
The actual release procedure The actual release procedure
@ -151,7 +151,7 @@ locally, this is the procedure for putting it up on the web.
- Do final checks on the release directory in its new location: - Do final checks on the release directory in its new location:
+ verify all the signatures: + verify all the signatures:
for i in `find . -name '*.*SA'`; do case $i in *sums*) gpg --verify $i;; *) gpg --verify $i ${i%%.?SA};; esac; done for i in `find . -name '*.gpg'`; do case $i in *sums*) gpg --verify $i;; *) gpg --verify $i ${i%%.gpg};; esac; done
+ check the checksum files: + check the checksum files:
md5sum -c md5sums md5sum -c md5sums
sha1sum -c sha1sums sha1sum -c sha1sums

24
sign.sh

@ -3,29 +3,33 @@
# Generate GPG signatures on a PuTTY release/snapshot directory as # Generate GPG signatures on a PuTTY release/snapshot directory as
# delivered by Buildscr. # delivered by Buildscr.
# Usage: sh sign.sh <builddir> <keytype> # Usage: sh sign.sh [-r] <builddir>
# e.g. sh sign.sh putty Snapshots (probably in the build.out directory) # e.g. sh sign.sh putty (probably in the build.out directory)
# or sh sign.sh 0.60 Releases # or sh sign.sh -r 0.60 (-r means use the release keys)
set -e set -e
keyname=EEF20295D15F7E8A
if test "x$1" = "x-r"; then
shift
keyname=9DFE2648B43434E4
fi
sign() { sign() {
# Check for the prior existence of the signature, so we can # Check for the prior existence of the signature, so we can
# re-run this script if it encounters an error part way # re-run this script if it encounters an error part way
# through. # through.
echo "----- Signing $2 with '$keyname'" echo "----- Signing $2 with key '$keyname'"
test -f "$3" || \ test -f "$3" || \
gpg --load-extension=idea "$1" -u "$keyname" -o "$3" "$2" gpg --load-extension=idea "$1" -u "$keyname" -o "$3" "$2"
} }
cd "$1" cd "$1"
for t in DSA RSA; do echo "===== Signing with key '$keyname'"
keyname="$2 ($t)"
echo "===== Signing with '$keyname'"
for i in putty*src.zip putty*.tar.gz x86/*.exe x86/*.zip; do for i in putty*src.zip putty*.tar.gz x86/*.exe x86/*.zip; do
sign --detach-sign "$i" "$i.$t" sign --detach-sign "$i" "$i.gpg"
done done
for i in md5sums sha1sums sha256sums sha512sums; do for i in md5sums sha1sums sha256sums sha512sums; do
sign --clearsign $i ${i}.$t sign --clearsign "$i" "$i.gpg"
done
done done
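Review bot: The `test -f "$3"` guard in sign() skips any file that already has a `.gpg` signature without checking which key made it, and the new output name `$i.gpg` is the same for the default snapshot key and the `-r` release key. A run that forgets `-r`, followed by a corrected re-run with `-r`, would therefore leave the snapshot-key signatures in place, and a plain `gpg --verify` would presumably still accept them if both public keys are in the verifier's keyring. Consider checking the existing signature's key before skipping it, or at least saying so in the comment inside sign(): `# NB: an existing signature is kept even if it was made with a different key; remove the *.gpg files before re-running with another key`. Separately, `cd "$1"` runs with no check that a build directory is still present after the optional `shift`; adding `test -n "$1" || { echo "usage: sh sign.sh [-r] <builddir>" >&2; exit 1; }` before it would make that failure explicit.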