Implement necessary code to be able to sign pkg(8) repo

2 files changed, 34 insertions, 1 deletions

diff --git a/tools/builder_common.sh b/tools/builder_common.sh
index 7c9b958..f367f06 100644
--- a/tools/builder_common.sh
+++ b/tools/builder_common.sh
@@ -1696,7 +1696,7 @@ finish() {
 pkg_repo_rsync() {
 	local _repo_path="${1}"
 
-	if [ -n "${DO_NOT_UPLOAD}" -o -z "${_repo_path}" -o ! -d "${_repo_path}" ]; then
+	if [ -z "${_repo_path}" -o ! -d "${_repo_path}" ]; then
 		return
 	fi
 
@@ -1706,6 +1706,36 @@ pkg_repo_rsync() {
 		local _logfile="${LOGFILE}"
 	fi
 
+	if [ -n "${PKG_REPO_SIGNING_COMMAND}" ]; then
+		echo -n ">>> Signing repository... " | tee -a ${_logfile}
+		if script -aq ${_logfile} pkg repo ${_repo_path} \
+		    signing_command: ${PKG_REPO_SIGNING_COMMAND} >/dev/null 2>&1; then
+			echo "Done!" | tee -a ${_logfile}
+		else
+			echo "Failed!" | tee -a ${_logfile}
+			echo ">>> ERROR: An error occurred trying to sign repo"
+			print_error_pfS
+		fi
+
+		local _pkgfile="${_repo_path}/Latest/pkg.txz"
+		if [ -e ${_pkgfile} ]; then
+			echo -n ">>> Signing Latest/pkg.txz for bootstraping... " | tee -a ${_logfile}
+
+			if sha256 -q ${_pkgfile} | ${PKG_REPO_SIGNING_COMMAND} \
+			    > ${_pkgfile}.sig 2>/dev/null; then
+				echo "Done!" | tee -a ${_logfile}
+			else
+				echo "Failed!" | tee -a ${_logfile}
+				echo ">>> ERROR: An error occurred trying to sign Latest/pkg.txz"
+				print_error_pfS
+			fi
+		fi
+	fi
+
+	if [ -n "${DO_NOT_UPLOAD}" ]; then
+		return
+	fi
+
 	echo -n ">>> Sending updated repository to ${PKG_RSYNC_HOSTNAME}... " | tee -a ${_logfile}
 	if script -aq ${_logfile} rsync -ave "ssh -p ${PKG_RSYNC_SSH_PORT}" \
 		--timeout=60 --delete-delay ${_repo_path} \
diff --git a/tools/builder_defaults.sh b/tools/builder_defaults.sh
index 6ef72e1..a1b5791 100644
--- a/tools/builder_defaults.sh
+++ b/tools/builder_defaults.sh
@@ -278,6 +278,9 @@ export PKG_RSYNC_LOGS=${PKG_RSYNC_LOGS:-"/usr/local/www/beta"}
 export PKG_REPO_SERVER=${PKG_REPO_SERVER:-"pkg+http://beta.pfsense.org/packages"}
 export PKG_REPO_CONF_BRANCH=${PKG_REPO_CONF_BRANCH:-"${GIT_REPO_BRANCH_OR_TAG}"}
 
+# Command used to sign pkg repo
+export PKG_REPO_SIGNING_COMMAND=${PKG_REPO_SIGNING_COMMAND:-""}
+
 unset _IS_RELEASE
 unset CORE_PKG_DATESTRING
 export TIMESTAMP_SUFFIX="-${DATESTRING}"