gpg-sign all valid files in the repo, including source tarballs

This makes sure there is a GPG signature on any file that is included in the repo, including APKs, OBB, source tarballs, media files, OTA update ZIPs, etc. Having a GPG signature is more important on non-APK files since they mostly do not have any signature mechanism of their own. This also adds basic tests of adding non-APK/OBB files to a repo with `fdroid update`. closes #232
2025-11-03 22:20:28 +03:00 · 2016-11-03 10:26:38 +01:00 · 2016-11-03 10:26:38 +01:00 · 56d51fcd6b
commit 56d51fcd6b
parent 84e09cd2a2
11 changed files with 35 additions and 11 deletions
--- a/examples/config.py
+++ b/examples/config.py
@ -86,7 +86,7 @@ The repository of older versions of applications from the main demo repository.
 # current_version_name_source = 'id'

 # Optionally, override home directory for gpg
-# gpghome = /home/fdroid/somewhere/else/.gnupg
+# gpghome = '/home/fdroid/somewhere/else/.gnupg'

 # The ID of a GPG key for making detached signatures for apks. Optional.
 # gpgkey = '1DBA2E89'
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@ -2084,3 +2084,14 @@ def get_per_app_repos():
                repos.append(d)
        break
    return repos
+
+
+def is_repo_file(filename):
+    '''Whether the file in a repo is a build product to be delivered to users'''
+    return os.path.isfile(filename) \
+        and os.path.basename(filename) not in [
+            'index.jar',
+            'index.xml',
+            'index.html',
+            'categories.txt',
+        ]
--- a/fdroidserver/gpgsign.py
+++ b/fdroidserver/gpgsign.py
@ -50,10 +50,13 @@ def main():
            sys.exit(1)

        # Process any apks that are waiting to be signed...
-        for apkfile in sorted(glob.glob(os.path.join(output_dir, '*.apk'))):
-
-            apkfilename = os.path.basename(apkfile)
-            sigfilename = apkfilename + ".asc"
+        for f in sorted(glob.glob(os.path.join(output_dir, '*.*'))):
+            if common.get_file_extension(f) == 'asc':
+                continue
+            if not common.is_repo_file(f):
+                continue
+            filename = os.path.basename(f)
+            sigfilename = filename + ".asc"
            sigpath = os.path.join(output_dir, sigfilename)

            if not os.path.exists(sigpath):
@ -64,13 +67,13 @@ def main():
                    gpgargs.extend(['--homedir', config['gpghome']])
                if 'gpgkey' in config:
                    gpgargs.extend(['--local-user', config['gpgkey']])
-                gpgargs.append(os.path.join(output_dir, apkfilename))
+                gpgargs.append(os.path.join(output_dir, filename))
                p = FDroidPopen(gpgargs)
                if p.returncode != 0:
                    logging.error("Signing failed.")
                    sys.exit(1)

-                logging.info('Signed ' + apkfilename)
+                logging.info('Signed ' + filename)


 if __name__ == "__main__":
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@ -517,13 +517,11 @@ def scan_repo_files(apkcache, repodir, knownapks, use_date_from_file=False):
    cachechanged = False
    repo_files = []
    for name in os.listdir(repodir):
-        if name in ['index.jar', 'index.xml', 'index.html', 'categories.txt', ]:
-            continue
        file_extension = common.get_file_extension(name)
        if file_extension == 'apk' or file_extension == 'obb':
            continue
        filename = os.path.join(repodir, name)
-        if not os.path.isfile(filename):
+        if not common.is_repo_file(name):
            continue
        stat = os.stat(filename)
        if stat.st_size == 0:
--- a/tests/gnupghome/pubring.gpg
+++ b/tests/gnupghome/pubring.gpg
--- a/tests/gnupghome/random_seed
+++ b/tests/gnupghome/random_seed
--- a/tests/gnupghome/secring.gpg
+++ b/tests/gnupghome/secring.gpg
--- a/tests/gnupghome/trustdb.gpg
+++ b/tests/gnupghome/trustdb.gpg
--- a/tests/repo/fake.ota.update_1234.zip
+++ b/tests/repo/fake.ota.update_1234.zip
--- a/tests/repo/obb.main.twoversions_1101617_src.tar.gz
+++ b/tests/repo/obb.main.twoversions_1101617_src.tar.gz
--- a/tests/run-tests
+++ b/tests/run-tests
@ -139,21 +139,33 @@ $fdroid update


 #------------------------------------------------------------------------------#
-echo_header "copy tests/repo, generate a keystore, and update"
+echo_header "copy tests/repo, generate java/gpg keys, update, and gpgsign"

 REPOROOT=`create_test_dir`
+GNUPGHOME=$REPOROOT/gnupghome
 cd $REPOROOT
 $fdroid init
 cp -a $WORKSPACE/tests/metadata $WORKSPACE/tests/repo $REPOROOT/
+cp -a $WORKSPACE/tests/gnupghome $GNUPGHOME
+chmod 0700 $GNUPGHOME
 echo "accepted_formats = ['json', 'txt', 'xml', 'yml']" >> config.py
 echo "install_list = 'org.adaway'" >> config.py
 echo "uninstall_list = {'com.android.vending', 'com.facebook.orca',}" >> config.py
+echo "gpghome = '$GNUPGHOME'" >> config.py
+echo "gpgkey = 'CE71F7FB'" >> config.py
 $fdroid update --verbose
 test -e repo/index.xml
 test -e repo/index.jar
 grep -F '<application id=' repo/index.xml > /dev/null
 grep -F '<install packageName=' repo/index.xml > /dev/null
 grep -F '<uninstall packageName=' repo/index.xml > /dev/null
+$fdroid gpgsign --verbose
+$fdroid gpgsign --verbose
+test -e repo/obb.mainpatch.current_1619.apk.asc
+test -e repo/obb.main.twoversions_1101617_src.tar.gz.asc
+! test -e repo/obb.mainpatch.current_1619.apk.asc.asc
+! test -e repo/obb.main.twoversions_1101617_src.tar.gz.asc.asc
+! test -e repo/index.xml.asc


 #------------------------------------------------------------------------------#