rpms/java-25-openjdk
7
0
Fork 0
Code Issues Pull Requests Releases Activity
c10s
java-25-openjdk/scripts/builds/check_signatures.sh
Andrew Hughes 68b316d15b Add tagging scripts with signature checks and gating handling 
Resolves: RHEL-147634
2026-03-12 02:22:14 +00:00

78 lines
2.3 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Check the signatures (if any) in RHEL RPM buildinfo
# This is intended to be run from the tagging scripts
# Return codes:
# - 1 - Buildinfo file not specified
# - 2 = Missing buildinfo file
# - 3 = No signatures
# - 4 = Multiple signature types found
# - 5 = PQC signature found
# - 6 = Old signature (fd431d51) found
# - 7 = Unknown signature found
BUILDINFO=${1}
NEW_SIGNATURE="release4";
OLD_SIGNATURE="fd431d51";
if test "${BUILDINFO}" = ""; then
echo "${0} <BUILDINFO>";
exit 1;
fi
if ! test -e "${BUILDINFO}" ; then
echo "${BUILDINFO} not found.";
exit 2;
fi
if cat ${BUILDINFO} | grep -q Signatures ; then
signature=$(cat ${BUILDINFO} | grep Signatures|cut -d ' ' -f 2-|uniq -c);
uniq_count=$(echo ${signature} | wc -l);
if test ${uniq_count} -gt 1; then
echo "Multiple signature types found:";
echo "${signature}";
exit 4;
fi
sig_count=$(echo ${signature} | cut -d ' ' -f 1);
sig_type=$(echo ${signature} | cut -d ' ' -f 2);
echo "${sig_count} signatures of type ${sig_type} found";
if echo "${sig_type}" | grep -q "${NEW_SIGNATURE}" ; then
echo "PQC signature found.";
exit 5;
elif echo "${sig_type}" | grep -q "${OLD_SIGNATURE}"; then
echo "Old pre-PQC signature found.";
exit 6;
else
echo "Unknown signature found.";
exit 7;
fi
else
echo "Build has no signatures.";
exit 3;
fi
# Local Variables:
# compile-command: "shellcheck check_signatures.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:
Reference in New Issue View Git Blame Copy Permalink