VerityBook/mkrelease.sh

#!/bin/bash -ex

usage() {
    cat << EOF
Usage: $PROGNAME [OPTION]

  -h, --help             Display this help
  --nosign               Don't sign the EFI executable
  --dbkey KEY            Use KEY as certification key for EFI signing
  --dbcrt CRT            Use CRT as certification for EFI signing
EOF
}

TEMP=$(
    getopt -o '' \
        --long dbkey: \
        --long dbcrt: \
        --long nosign \
        --long notar \
    --long help \
        -- "$@"
    )

if (( $? != 0 )); then
    usage >&2
    exit 1
fi

eval set -- "$TEMP"
unset TEMP

while true; do
    case "$1" in
        '--dbkey')
            DBKEY="$(readlink -e $2)"
            shift 2; continue
            ;;
        '--dbcrt')
            DBCRT="$(readlink -e $2)"
            shift 2; continue
            ;;
        '--nosign')
            NOSIGN="1"
            shift 1; continue
            ;;
        '--notar')
            NOTAR="1"
            shift 1; continue
            ;;
        '--help')
            usage
            exit 0
            ;;
        '--')
            shift
            break
            ;;
        *)
            echo 'Internal error!' >&2
            exit 1
            ;;
    esac
done

JSON="$(realpath -e $1)"
BASEDIR="${JSON%/*}"
IMAGE="${BASEDIR}/$(jq -r '.name' ${JSON})-$(jq -r '.version' ${JSON})"

(
    cd "$IMAGE"
    if ! [[ $NOSIGN ]]; then
        if ! [[ $DBKEY ]] || ! [[ $DBCRT ]]; then
            echo "Need --dbkey KEY --dbcrt CRT options"
            exit 1
        fi
        if ! sbverify --cert "$DBCRT" bootx64.efi &>/dev/null ; then
            sbsign --key "$DBKEY" --cert "$DBCRT" --output bootx64-signed.efi bootx64.efi
            mv bootx64-signed.efi bootx64.efi
        fi
    fi
    [[ -f sha512sum.txt ]] || sha512sum * > sha512sum.txt
    [[ -f sha512sum.txt.sig ]] || gpg2 --detach-sign sha512sum.txt
)

if ! [[ $NOTAR ]] && ! [[ -e "$IMAGE".tgz ]]; then
    tar cf - -C "${IMAGE%/*}" "${IMAGE##*/}" | pigz -c > "$IMAGE".tgz
fi
add mkrelease.sh 2018-09-10 15:51:20 +02:00			`#!/bin/bash -ex`

mkrelease.sh: add UEFI signing 2018-09-12 16:44:03 +02:00			`usage() {`
			`cat << EOF`
			`Usage: $PROGNAME [OPTION]`

			`-h, --help Display this help`
mkrelease.sh: add --nosign option 2018-09-13 10:15:54 +02:00			`--nosign Don't sign the EFI executable`
mkrelease.sh: use sbsign as EFI signing tool 2018-09-14 11:37:19 +02:00			`--dbkey KEY Use KEY as certification key for EFI signing`
			`--dbcrt CRT Use CRT as certification for EFI signing`
mkrelease.sh: add UEFI signing 2018-09-12 16:44:03 +02:00			`EOF`
			`}`

			`TEMP=$(`
			`getopt -o '' \`
mkrelease.sh: use sbsign as EFI signing tool 2018-09-14 11:37:19 +02:00			`--long dbkey: \`
			`--long dbcrt: \`
mkrelease.sh: add --nosign option 2018-09-13 10:15:54 +02:00			`--long nosign \`
mkrelease.sh: add --notar 2018-09-13 10:58:26 +02:00			`--long notar \`
mkrelease.sh: use sbsign as EFI signing tool 2018-09-14 11:37:19 +02:00			`--long help \`
mkrelease.sh: add UEFI signing 2018-09-12 16:44:03 +02:00			`-- "$@"`
			`)`

			`if (( $? != 0 )); then`
			`usage >&2`
			`exit 1`
			`fi`

			`eval set -- "$TEMP"`
			`unset TEMP`

			`while true; do`
			`case "$1" in`
mkrelease.sh: use sbsign as EFI signing tool 2018-09-14 11:37:19 +02:00			`'--dbkey')`
			`DBKEY="$(readlink -e $2)"`
			`shift 2; continue`
			`;;`
			`'--dbcrt')`
			`DBCRT="$(readlink -e $2)"`
mkrelease.sh: add UEFI signing 2018-09-12 16:44:03 +02:00			`shift 2; continue`
			`;;`
mkrelease.sh: add --nosign option 2018-09-13 10:15:54 +02:00			`'--nosign')`
mkrelease.sh: use sbsign as EFI signing tool 2018-09-14 11:37:19 +02:00			`NOSIGN="1"`
mkrelease.sh: add --nosign option 2018-09-13 10:15:54 +02:00			`shift 1; continue`
			`;;`
mkrelease.sh: add --notar 2018-09-13 10:58:26 +02:00			`'--notar')`
mkrelease.sh: use sbsign as EFI signing tool 2018-09-14 11:37:19 +02:00			`NOTAR="1"`
mkrelease.sh: add --notar 2018-09-13 10:58:26 +02:00			`shift 1; continue`
			`;;`
mkrelease.sh: add UEFI signing 2018-09-12 16:44:03 +02:00			`'--help')`
mkrelease.sh: use sbsign as EFI signing tool 2018-09-14 11:37:19 +02:00			`usage`
			`exit 0`
mkrelease.sh: add UEFI signing 2018-09-12 16:44:03 +02:00			`;;`
			`'--')`
			`shift`
			`break`
			`;;`
			`*)`
			`echo 'Internal error!' >&2`
			`exit 1`
			`;;`
			`esac`
			`done`

add mkrelease.sh 2018-09-10 15:51:20 +02:00			`JSON="$(realpath -e $1)"`
			`BASEDIR="${JSON%/*}"`
			`IMAGE="${BASEDIR}/$(jq -r '.name' ${JSON})-$(jq -r '.version' ${JSON})"`

			`(`
			`cd "$IMAGE"`
mkrelease.sh: add --nosign option 2018-09-13 10:15:54 +02:00			`if ! [[ $NOSIGN ]]; then`
mkrelease.sh: use sbsign as EFI signing tool 2018-09-14 11:37:19 +02:00			`if ! [[ $DBKEY ]] \|\| ! [[ $DBCRT ]]; then`
			`echo "Need --dbkey KEY --dbcrt CRT options"`
			`exit 1`
			`fi`
mkrelease.sh: prevent double sign 2018-09-14 12:43:15 +02:00			`if ! sbverify --cert "$DBCRT" bootx64.efi &>/dev/null ; then`
			`sbsign --key "$DBKEY" --cert "$DBCRT" --output bootx64-signed.efi bootx64.efi`
			`mv bootx64-signed.efi bootx64.efi`
			`fi`
mkrelease.sh: add --nosign option 2018-09-13 10:15:54 +02:00			`fi`
add mkrelease.sh 2018-09-10 15:51:20 +02:00			`[[ -f sha512sum.txt ]] \|\| sha512sum * > sha512sum.txt`
			`[[ -f sha512sum.txt.sig ]] \|\| gpg2 --detach-sign sha512sum.txt`
			`)`

mkrelease.sh: add --notar 2018-09-13 10:58:26 +02:00			`if ! [[ $NOTAR ]] && ! [[ -e "$IMAGE".tgz ]]; then`
add mkrelease.sh 2018-09-10 15:51:20 +02:00			`tar cf - -C "${IMAGE%/}" "${IMAGE##/}" \| pigz -c > "$IMAGE".tgz`
			`fi`