support repo signing with a key on a smartcard

This assumes that the smartcard is already setup with a signing key. init does not generate a key on the smartcard, and skips genkey() if things are configured to use a smartcard. This also does not touch APK signing because that is a much more elaborate question, since each app is signed by its own key.
2025-10-09 02:41:06 +03:00 · 2014-04-04 00:05:22 -04:00 · 2014-04-04 00:05:22 -04:00 · 3829d37d34
commit 3829d37d34
parent 9945045f1b
5 changed files with 59 additions and 7 deletions
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@ -796,12 +796,15 @@ def make_index(apps, apks, repodir, archive, categories):
            sys.exit(1)

        # Sign the index...
-        p = FDroidPopen(['jarsigner', '-keystore', config['keystore'],
-            '-storepass:file', config['keystorepassfile'],
-            '-keypass:file', config['keypassfile'],
-            '-digestalg', 'SHA1', '-sigalg', 'MD5withRSA',
-            os.path.join(repodir, 'index.jar') , config['repo_keyalias']]
-            + config['smartcardoptions'])
+        args = ['jarsigner', '-keystore', config['keystore'],
+                '-storepass:file', config['keystorepassfile'],
+                '-digestalg', 'SHA1', '-sigalg', 'MD5withRSA',
+                os.path.join(repodir, 'index.jar'), config['repo_keyalias']]
+        if config['keystore'] == 'NONE':
+            args += config['smartcardoptions']
+        else:  # smardcards never use -keypass
+            args += ['-keypass:file', config['keypassfile']]
+        p = FDroidPopen(args)
        # TODO keypass should be sent via stdin
        if p.returncode != 0:
            logging.info("Failed to sign index")