CircleCI: Add support for usign signatures

It appears snapshot target builds have switched from GPG signatures (sha256sums.asc) to usign signatures (sha256sums.sig). This adds support for verifying these usign signatures. (GPG signatures will also be verified if found.) This also restores the alphabetical ordering of packages to be installed by apt-get. Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2026-04-30 23:48:39 +01:00 · 2019-07-17 16:25:25 +08:00
parent eda5cd792f
commit 2702187c5b
2 changed files with 32 additions and 6 deletions
@@ -2,7 +2,7 @@ version: 2.0
 jobs:
  build:
    docker:
-      - image: docker.io/openwrtorg/packages-cci:v1.0.2
+      - image: docker.io/openwrtorg/packages-cci:v1.0.3
    environment:
      - SDK_HOST: "downloads.openwrt.org"
      - SDK_PATH: "snapshots/targets/ath79/generic"
@@ -64,8 +64,28 @@ jobs:
          working_directory: ~/sdk
          command: |
             curl "https://$SDK_HOST/$SDK_PATH/sha256sums" -sS -o sha256sums
-             curl "https://$SDK_HOST/$SDK_PATH/sha256sums.asc" -sS -o sha256sums.asc
-             gpg --with-fingerprint --verify sha256sums.asc sha256sums
+             curl "https://$SDK_HOST/$SDK_PATH/sha256sums.asc" -fs -o sha256sums.asc || true
+             curl "https://$SDK_HOST/$SDK_PATH/sha256sums.sig" -fs -o sha256sums.sig || true
+             if [ ! -f sha256sums.asc ] && [ ! -f sha256sums.sig ]; then
+                 echo_red "Missing sha256sums signature files"
+                 exit 1
+             fi
+             [ ! -f sha256sums.asc ] || gpg --with-fingerprint --verify sha256sums.asc sha256sums
+             if [ -f sha256sums.sig ]; then
+                 VERIFIED=
+                 for KEY in ~/usign/*; do
+                     echo "Trying $KEY..."
+                     if signify-openbsd -V -q -p "$KEY" -x sha256sums.sig -m sha256sums; then
+                         echo "...verified"
+                         VERIFIED=1
+                         break
+                     fi
+                 done
+                 if [ -z "$VERIFIED" ]; then
+                     echo_red "Could not verify usign signature"
+                     exit 1
+                 fi
+             fi
             rsync -av "$SDK_HOST::downloads/$SDK_PATH/$SDK_FILE" .
             sha256sum -c --ignore-missing sha256sums