github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 10:18:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
883d95c2c80543ec966ad47b9a424c36a5c3809c
firezone/scripts/sync-apt.sh
Thomas Eizinger 883d95c2c8 feat(apt): sign contents of APT repository (#10688) 
In order to secure an APT repository, the `Release` file containing the
hashes of all packages needs to be signed with a GPG key. These
signatures simply need to be synced back up to the repository. The rest
is handled by `apt` itself.

Resolves: #10599
2025-10-22 23:44:48 +00:00

85 lines
2.2 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
#
set -euo pipefail
COMPONENT="main"
WORK_DIR="$(mktemp -d)"
DISTS_DIR="${WORK_DIR}/dists"
if [ -z "${AZURERM_ARTIFACTS_CONNECTION_STRING:-}" ]; then
echo "Error: AZURERM_ARTIFACTS_CONNECTION_STRING not set"
exit 1
fi
if [ -z "${GPG_KEY_ID:-}" ]; then
echo "Error: GPG_KEY_ID not set"
exit 1
fi
cleanup() {
rm -rf "${WORK_DIR}"
}
trap cleanup EXIT
for DISTRIBUTION in "stable" "preview"; do
POOL_DIR="${WORK_DIR}/pool-${DISTRIBUTION}"
echo "Downloading packages for distribution $DISTRIBUTION..."
az storage blob download-batch \
--destination "${WORK_DIR}" \
--source apt \
--pattern "pool-${DISTRIBUTION}/*.deb" \
--connection-string "${AZURERM_ARTIFACTS_CONNECTION_STRING}" \
2>&1 | grep -v "WARNING" || true
echo "Detecting architectures..."
ARCHITECTURES=$(for deb in "${POOL_DIR}"/*.deb; do dpkg-deb -f "$deb" Architecture 2>/dev/null; done | sort -u | tr '\n' ' ') || true
echo "Found: ${ARCHITECTURES}"
echo "Generating metadata..."
mkdir -p "${DISTS_DIR}/${DISTRIBUTION}/${COMPONENT}"
for ARCH in $ARCHITECTURES; do
BINARY_DIR="${DISTS_DIR}/${DISTRIBUTION}/${COMPONENT}/binary-${ARCH}"
mkdir -p "${BINARY_DIR}"
apt-ftparchive packages --arch "${ARCH}" "${POOL_DIR}/" >"${BINARY_DIR}/Packages"
gzip -k -f "${BINARY_DIR}/Packages"
cat >"${BINARY_DIR}/Release" <<EOF
Archive: ${DISTRIBUTION}
Component: ${COMPONENT}
Architecture: ${ARCH}
EOF
done
cd "${DISTS_DIR}/${DISTRIBUTION}"
cat >Release <<EOF
Origin: Firezone
Label: Firezone
Suite: ${DISTRIBUTION}
Codename: ${DISTRIBUTION}
Architectures: ${ARCHITECTURES}
Components: ${COMPONENT}
Description: Firezone APT Repository
Date: $(date -R -u)
EOF
apt-ftparchive release . >>Release
gpg --default-key "${GPG_KEY_ID}" -abs -o Release.gpg Release
gpg --default-key "${GPG_KEY_ID}" --clearsign -o InRelease Release
done
echo "Uploading metadata..."
az storage blob upload-batch \
--destination apt \
--source "${DISTS_DIR}" \
--destination-path dists \
--connection-string "${AZURERM_ARTIFACTS_CONNECTION_STRING}" \
--overwrite \
--output table
Reference in New Issue View Git Blame Copy Permalink