Greetings, I would like to request proper detached signatures for webkitgtk's release tarballs. The current signed sha1 sums are unusual and really awkward to handle with our tooling.
Attached are two untested diffs for the webkit-release script, either of which should accomplish this. The simpler one replaces the current signatures with detached signatures; the other adds the detached signatures in addition to the existing ones. Thanks, Jan Steffens
--- webkit-release 2016-11-04 09:50:04.915101641 +0100
+++ webkit-release.2 2016-11-04 09:51:58.072872307 +0100
@@ -723,8 +723,12 @@
 gpg_file = sha1_file + ".asc"
 subprocess.call(['gpg', '--armor', '--sign', sha1_file])
 
+ # Sign the tarball file.
+ gpg_file2 = tarball_file + ".asc"
+ subprocess.call(['gpg', '--armor', '--detach-sign', tarball_file])
+
 # Upload tarball, sha1 and gpg files.
- command = ['scp', tarball_file, sha1_file, gpg_file, '%s:%s' % (host, releases_dir)]
+ command = ['scp', tarball_file, sha1_file, gpg_file, gpg_file2, '%s:%s' % (host, releases_dir)]
 if subprocess.call(command) != 0:
 sys.stderr.write("Error uploading %s to %s:%s\n" % (tarball_file, host, releases_dir))
 sys.exit(1)
@@ -732,6 +736,7 @@
 # Remove generated files.
 os.unlink(sha1_file)
 os.unlink(gpg_file)
+ os.unlink(gpg_file2)
 
 if update_symlinks:
 # Create the LATEST symlink.
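Review bot: The exit status of the added `gpg --detach-sign` call is discarded, so a failed or cancelled signing run goes straight on to the `scp` upload. scp would then report the missing `.asc`, but it may already have copied the tarball and sha1 file by that point (scp's partial-copy behaviour is not visible here), which would leave a release on the server without its signature. Check the result before uploading, e.g. `if subprocess.call(['gpg', '--armor', '--output', gpg_file2, '--detach-sign', tarball_file]) != 0:` followed by the same `sys.stderr.write(...)` / `sys.exit(1)` pattern the upload uses; passing `--output` also ties the path that is uploaded to the path gpg actually wrote. The replacement call in the second patch has the same gap, and the enclosing function starts and ends outside the hunk.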
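Review bot: `os.unlink(gpg_file2)` is only reached after a successful upload, because the failure branch in the previous hunk calls `sys.exit(1)` first, so a failed upload leaves the tarball's `.asc` on disk. On the next run gpg finds its output file already present and asks before overwriting (or refuses in batch mode); combined with the unchecked exit status, the script can then upload a signature that was made over an earlier build of the tarball. Remove any pre-existing signature before signing, or run the cleanup on the error path as well, with a comment such as `# Drop stale signatures so a re-run never uploads one made for a different tarball.` The enclosing function continues outside the hunk.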
--- webkit-release 2016-11-04 09:50:04.915101641 +0100
+++ webkit-release.2 2016-11-04 09:53:56.996344968 +0100
@@ -719,9 +719,9 @@
 shutil.move(tmp.name, sha1_file)
 os.chmod(sha1_file, mode)
 
- # Sign the sha1 file.
- gpg_file = sha1_file + ".asc"
- subprocess.call(['gpg', '--armor', '--sign', sha1_file])
+ # Sign the tarball file.
+ gpg_file = tarball_file + ".asc"
+ subprocess.call(['gpg', '--armor', '--detach-sign', tarball_file])
 
 # Upload tarball, sha1 and gpg files.
 command = ['scp', tarball_file, sha1_file, gpg_file, '%s:%s' % (host, releases_dir)]
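Review bot: After this change nothing signed covers `sha1_file`, yet it is still generated and uploaded next to the tarball, so it becomes an unauthenticated checksum that only detects transfer corruption. Anyone who currently verifies the signed sha1 file (presumably some downstream packagers do) will find `<tarball>.sha1.asc` gone and `<tarball>.asc` in its place, so their verification step fails until it is updated. If the sha1 file is kept, make its status explicit in the comment, e.g. `# Upload tarball, its detached signature, and the unsigned sha1 file (kept for compatibility only).`, and announce the signature-name change with the release. The hunk sits in the middle of a function whose start and end are outside it.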