From 09aa9539d86f02f937a518f5bc131445a5293fc9 Mon Sep 17 00:00:00 2001
From: Mark Vainomaa
Date: Sun, 19 Feb 2017 16:12:46 +0200
Subject: [PATCH] Add useful scripts

---
 README.md | 2 ++
 scripts/init-gpg.sh | 37 +++++++++++++++++++++++++++++++++++++
 scripts/passphrase.txt | 1 +
 scripts/remove-package.sh | 4 ++++
 scripts/resign-all.sh | 6 ++++++
 scripts/resign-missing.sh | 9 +++++++++
 scripts/resign-repo.sh | 5 +++++
 scripts/update-packages.sh | 2 ++
 8 files changed, 66 insertions(+)
 create mode 100755 scripts/init-gpg.sh
 create mode 100644 scripts/passphrase.txt
 create mode 100755 scripts/remove-package.sh
 create mode 100755 scripts/resign-all.sh
 create mode 100755 scripts/resign-missing.sh
 create mode 100755 scripts/resign-repo.sh
 create mode 100755 scripts/update-packages.sh

diff --git a/README.md b/README.md
index 50a07e9..5d63c7a 100644
--- a/README.md
+++ b/README.md
@@ -11,12 +11,14 @@ NOTE: This is actually not ready, so it is not recommended to run it in producti
 - Note: Don't forget to firewall!
 * Copy `aur` script to `/usr/bin` in host machine
 * Set up nginx to serve packages to host (and maybe for public)
+* Take look at `scripts/` directory, you might find useful scripts there

 ## Known issues
 * You can't edit PKGBUILD-s
 * You can't accept GPG keys automatically (insecure to do so, but you can do `gpg --recv-key ` in container shell)
 * Not documentated enough!
 * Probably something more I'm not currently aware of
+* Storing GPG password is insecure, if your builder gets hacked, then revoke your key

 ## TODO
 * Pacman cache automatic cleanup timer
diff --git a/scripts/init-gpg.sh b/scripts/init-gpg.sh
new file mode 100755
index 0000000..00ef217
--- /dev/null
+++ b/scripts/init-gpg.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Go to home directory for sure
+pushd $HOME >/dev/null
+
+# Kill gpg-agent
+pkill gpg-agent
+
+# Rewrite gpg-agent configuration
+cat > ~/.gnupg/gpg-agent.conf < "${_dummyfile}"
+
+# Cache password in gpg-agent by signing dummy file
+cat ~/passphrase.txt | env -i gpg \
+ --pinentry-mode loopback --passphrase-fd 0 \
+ --no-tty --batch --yes \
+ --detach-sig --output "${_dummyfile}.sig" "${_dummyfile}"
+
+# Verify given signature
+env -i gpg --verify \
+ "${_dummyfile}.sig" "${_dummyfile}"
+
+echo $?
+
+rm "${_dummyfile}" "${_dummyfile}.sig"
+popd >/dev/null
diff --git a/scripts/passphrase.txt b/scripts/passphrase.txt
new file mode 100644
index 0000000..125d272
--- /dev/null
+++ b/scripts/passphrase.txt
@@ -0,0 +1 @@
+# put pw here
diff --git a/scripts/remove-package.sh b/scripts/remove-package.sh
new file mode 100755
index 0000000..5fe0044
--- /dev/null
+++ b/scripts/remove-package.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+pushd /srv/http/built-packages >/dev/null
+repose aurpackages -zdvs ${1}
+popd
diff --git a/scripts/resign-all.sh b/scripts/resign-all.sh
new file mode 100755
index 0000000..b3c6c79
--- /dev/null
+++ b/scripts/resign-all.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+pushd /srv/http/built-packages >/dev/null
+rm *.sig
+~/resign-repo.sh
+~/resign-missing.sh
+popd >/dev/null
diff --git a/scripts/resign-missing.sh b/scripts/resign-missing.sh
new file mode 100755
index 0000000..79895a6
--- /dev/null
+++ b/scripts/resign-missing.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+pushd /srv/http/built-packages >/dev/null
+find -name "*.pkg.tar.xz" | while read _p; do
+ if [ ! -f "${_p}.sig" ]; then
+ echo "Signing ${_p}"
+ gpg --output ${_p}.sig --detach-sig ${_p}
+ fi
+done
+popd >/dev/null
diff --git a/scripts/resign-repo.sh b/scripts/resign-repo.sh
new file mode 100755
index 0000000..b62cf2e
--- /dev/null
+++ b/scripts/resign-repo.sh
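Review bot: The status of the `gpg --verify` near the end of init-gpg.sh is only printed (`echo $?`) and never acted on, so a failed passphrase caching still deletes the dummy files and the script exits 0 via `popd`; capture and return it instead, e.g. `env -i gpg --verify "${_dummyfile}.sig" "${_dummyfile}"; rv=$?` followed by `rm -f -- "${_dummyfile}" "${_dummyfile}.sig"` and `exit "$rv"`. The passphrase is read from `~/passphrase.txt` while this commit adds the file as `scripts/passphrase.txt`, so the expected location should be spelled out (or taken as an argument) and the file's mode checked before it is read, e.g. `[[ "$(stat -c %a ~/passphrase.txt)" == 600 ]] || exit 1`. The heredoc that rewrites `~/.gnupg/gpg-agent.conf` is garbled in this rendering (the `cat > ~/.gnupg/gpg-agent.conf` and `> "${_dummyfile}"` lines have run together), so its contents could not be reviewed. Because `env -i` drops `HOME` and `GNUPGHOME`, gpg presumably locates the keyring through the passwd entry; if that is intended it deserves a comment, and `pushd $HOME` should be quoted and checked: `pushd "$HOME" >/dev/null || exit 1`.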
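Review bot: A tracked file whose stated purpose is to hold the signing key's passphrase invites the next `git add` of a filled-in copy to publish the secret; add `scripts/passphrase.txt` to `.gitignore` and commit a `passphrase.txt.example` placeholder instead. The README line added in this commit already acknowledges the risk, so the placeholder comment could point at it and at the expected permissions, e.g. `# put pw here (chmod 600; never commit the real value)`.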
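Review bot: `repose aurpackages -zdvs ${1}` runs even when no package name was given, and the unquoted `${1}` is word-split and glob-expanded, so an empty or space-containing argument silently does something else; add `: "${1:?usage: ${0##*/} <package>}"` before the `pushd` and quote the argument as `"$1"`. The `pushd /srv/http/built-packages >/dev/null` is unchecked here and in resign-all.sh, resign-missing.sh and resign-repo.sh, and none of the scripts set `-e`, so a missing or unreadable directory leaves the rest of the script running in the caller's cwd; `pushd /srv/http/built-packages >/dev/null || exit 1` in each. The bare `popd` here also prints the directory stack, unlike the sibling scripts, which redirect it.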
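Review bot: `rm *.sig` removes every package and database signature before the two re-signing scripts run, so a mirror or client fetching the repository in that window sees unsigned packages and an unsigned `aurpackages.db`; re-signing each file in place with `gpg --yes` (overwriting the old `.sig`) and only then removing signatures whose package no longer exists would shrink the window, and `rm -f -- *.sig` avoids the error when no signature exists. Together with the unchecked `pushd` above it, a missing `/srv/http/built-packages` would make that `rm *.sig` run in the caller's cwd, so `|| exit 1` on the `pushd` matters most here. The helpers are invoked as `~/resign-repo.sh` and `~/resign-missing.sh`, but this commit installs them under `scripts/`; either call them relative to this script, `"$(dirname -- "$0")/resign-repo.sh"`, or document that they must be copied to `$HOME`.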
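Review bot: The `find ... | while read _p` loop breaks on any package path containing whitespace or backslashes, because `read` lacks `-r` and `${_p}` is unquoted in the `gpg` line; use `find . -name '*.pkg.tar.xz' -print0 | while IFS= read -r -d '' _p; do` and `gpg --output "${_p}.sig" --detach-sig "${_p}"`. `find` with no starting point is a GNU extension, so the explicit `.` also keeps it portable. A failed `gpg` run is not detected (the pipeline's status is that of the `while`, and there is no `set -e`), so the script exits 0 even when packages remain unsigned; `set -e` after the shebang plus `|| exit 1` on the `gpg` line would make the failure propagate out of the loop's subshell.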
@@ -0,0 +1,5 @@
+#!/bin/bash
+pushd /srv/http/built-packages >/dev/null
+gpg --yes --output aurpackages.db.sig --detach-sig aurpackages.db
+gpg --yes --output aurpackages.files.sig --detach-sig aurpackages.files
+popd >/dev/null
diff --git a/scripts/update-packages.sh b/scripts/update-packages.sh
new file mode 100755
index 0000000..2b1a1be
--- /dev/null
+++ b/scripts/update-packages.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+PAGER=cat aursync -s -n -u -f
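Review bot: Neither `gpg` call's exit status is checked and the script's own status is that of the final `popd`, so resign-all.sh cannot tell that the database signature was not refreshed; add `set -e` after the shebang (or `|| exit 1` on each `gpg` line) so a failed signing propagates. With `--yes` the existing `aurpackages.db.sig` is overwritten in place, so a client fetching during the write may see a partial signature; signing to a temporary name and `mv`-ing it over the old file keeps the replacement atomic. The two signing lines are otherwise identical, so a small loop over `aurpackages.db aurpackages.files` would remove the duplication.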