#
# Handle signing and verifying of release artefacts.
#
# make
#  - equivalent of make verify
#
# make verify
#  - verify all signatures in the directory
#
# make sign
#  - sign all release artefacts. 
#
# Use
#       GPG2FLAGS='-u uid@redwax.eu' gmake sign
# to force a specific UID to be used for signing.
#
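# Public-key file that is imported into the project-local keyring ${KEYS}.gpg
# (see the ${KEYS}.gpg rule); verify-local checks signatures against it.
KEYS = ../keys/KEYS

# 'all' names a command, not a file. Declaring it phony keeps a stray file
# called 'all' in the artefact directory from turning a bare 'make' (which is
# documented as "equivalent of make verify") into a silent no-op.
.PHONY: all
all: verify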

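# Verify every signature file (*.asc) found below the current directory.
#
# - File names are handed to bash as positional parameters instead of being
#   substituted into the script text, so a name containing spaces, quotes or
#   shell metacharacters is treated as data and never parsed as shell code.
# - The '{} +' form together with the rc bookkeeping makes find, and therefore
#   make, exit non-zero when any signature fails to verify. Every file is
#   still checked and reported before the failure is returned. (With the
#   previous '\;' form a failed verification did not affect the exit status.)
# - GPG2FLAGS is spliced into the script text on purpose, exactly as before,
#   so that quoted arguments inside it keep working.
#
# NOTE: this target uses the invoking user's default keyring. A zero exit
# status means each signature checked out against some key in that keyring;
# use 'verify-local' to restrict the check to the keys imported from ${KEYS}.
# The target also succeeds when no *.asc file is found at all.
.PHONY: verify
verify:
	find . -name '*.asc' -exec bash -c 'rc=0; for f; do basename "$$f"; gpg2 '"${GPG2FLAGS}"' --armor --verify "$$f" || rc=1; done; exit $$rc' _ {} +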

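# Build the project-local keyring from the KEYS file.
#
# gpg's --import adds to (or merges into) an existing keyring and never
# removes anything, so the previous keyring and gpg's '~' backup are deleted
# first. Without that, a key that has been dropped from KEYS would stay in
# the keyring and would still be accepted by 'verify-local'.
#
# .DELETE_ON_ERROR makes make remove a partially written keyring when the
# import fails, so a broken keyring cannot later look "up to date".
.DELETE_ON_ERROR:
${KEYS}.gpg: ${KEYS}
	rm -f "$@" "$@~"
	gpg2 --no-default-keyring --keyring "$@" --import --trust-model always < "$<"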

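# Verify every signature file (*.asc) against the project-local keyring only
# (--no-default-keyring --keyring ${KEYS}.gpg), i.e. against the keys that
# were imported from ${KEYS}, not against the user's own keyring.
#
# - The keyring path and the file names are passed to bash as positional
#   parameters, so neither is parsed as shell code. (The previous recipe
#   nested double quotes around the keyring path inside a double-quoted
#   script, which only worked while the path contained no whitespace.)
# - The '{} +' form plus the rc bookkeeping makes the target fail when any
#   signature fails to verify; all files are still checked and reported.
# - GPG2FLAGS is spliced into the script text on purpose, exactly as before.
#
# NOTE: the target also succeeds when no *.asc file is found at all.
.PHONY: verify-local
verify-local: ${KEYS}.gpg
	find . -name '*.asc' -exec bash -c 'keyring=$$1; shift; rc=0; for f; do basename "$$f"; gpg2 '"${GPG2FLAGS}"' --armor --verify --no-default-keyring --keyring "$$keyring" "$$f" || rc=1; done; exit $$rc' _ "$<" {} +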

#	test -s "$?" && gpg2 --armor --verify $? || true

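# Sign all release artefacts (*.tar.gz and *.tar.bz2).
# Declared phony so that a file named 'sign' cannot make the target a no-op.
.PHONY: sign
sign: sign-tar.gz sign-tar.bz2

# sign-<ext>: create an armoured detached signature for every '*.<ext>' file
# below the current directory and append it to '<file>.asc'.
#
# - File names are passed to bash as positional parameters, so a name with
#   spaces, quotes or shell metacharacters is never parsed as shell code.
# - The signature is captured first and appended only when gpg2 succeeded, so
#   a failed or aborted signing run no longer leaves an empty or truncated
#   .asc file next to the artefact.
# - The '{} +' form plus the rc bookkeeping makes the target fail when any
#   file could not be signed.
# - Appending (>>) is kept from the original recipe, presumably so that more
#   than one signer can add a signature to the same .asc file; re-running the
#   target with the same key therefore adds another signature block.
# - GPG2FLAGS is spliced into the script text on purpose, exactly as before.
sign-%:
	find . -name '*.$*' -exec bash -c 'rc=0; for f; do sig=$$(gpg2 '"${GPG2FLAGS}"' --armor --output - --detach-sign "$$f") && printf "%s\n" "$$sig" >> "$$f.asc" || rc=1; done; exit $$rc' _ {} +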

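# Write SHA-256 checksum files for all release artefacts.
# Declared phony so that a file named 'hash' cannot make the target a no-op.
.PHONY: hash
hash: hash-tar.gz hash-tar.bz2

# hash-<ext>: write '<file>.sha256' (BSD-style '--tag' format) for every
# '*.<ext>' file, using the first of sha256sum, gsha256sum or shasum found.
#
# - 'find ./*' visits the same files as the former 'find *', but a file whose
#   name starts with '-' can no longer be read by find as an option. The './'
#   prefix is stripped again before hashing so the name recorded in the
#   checksum file is unchanged, and '--' stops the hash tool from reading
#   such a name as an option.
# - File names are passed to bash as positional parameters, so they are never
#   parsed as shell code.
# - The tool is selected once. If none is installed, or hashing a file fails,
#   the target fails and no empty or partial .sha256 file is left behind: the
#   checksum is written to a temporary file and renamed only on success.
hash-%:
	find ./* -name '*.$*' -exec bash -c '\
	  if command -v sha256sum > /dev/null; then tool="sha256sum --tag"; \
	  elif command -v gsha256sum > /dev/null; then tool="gsha256sum --tag"; \
	  elif command -v shasum > /dev/null; then tool="shasum -a 256 --tag"; \
	  else echo "no SHA-256 tool found" >&2; exit 1; fi; \
	  rc=0; \
	  for p; do \
	    name=$${p#./}; \
	    if $$tool -- "$$name" > "$$p.sha256.tmp"; then mv -f "$$p.sha256.tmp" "$$p.sha256"; \
	    else rm -f "$$p.sha256.tmp"; rc=1; fi; \
	  done; \
	  exit $$rc' _ {} +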