jenkins-utils/sign-pkg.py

#!/usr/bin/python3
# -*- coding=utf-8
from os import listdir, path
from sys import argv, exit, stdout
from pgpy import PGPKey
from logging import info, basicConfig, INFO
from argparse import ArgumentParser


def LoadKey(key: str) -> PGPKey:
	signer = PGPKey.from_file(key)[0]
	if signer.is_public:
		raise Exception("signer not a private key")
	if not signer.is_protected:
		raise Exception("private key unprotected")
	info("loaded key %s" % key)
	return signer


def SignPackage(signer: PGPKey, pwd: str, file: str, sign: str = None):
	if sign is None:
		sign = file + ".sig"
	info("signing %s" % file)
	with signer.unlock(pwd):
		with open(file, "rb") as r:
			msg = signer.sign(r.read())
			with open(sign, "wb") as w:
				w.write(bytes(msg))
	info("wrote signature %s" % sign)


def SignOnePackage(key: str, pwd: str, file: str, sign: str = None):
	SignPackage(LoadKey(key), pwd, file, sign)


def main(args: list) -> int:
	prs = ArgumentParser("Renegade Project Arch Linux Repo Uploader")
	prs.add_argument("-d", "--dir",  help="Package folder",   required=False)
	prs.add_argument("-f", "--file", help="Package file",     required=False)
	prs.add_argument("-s", "--sign", help="Signature file",   required=False)
	prs.add_argument("-k", "--key",  help="Private key",      required=True)
	prs.add_argument("-p", "--pwd",  help="Key passphrase",   required=True)
	ps = prs.parse_args(args[1:])
	basicConfig(level=INFO, stream=stdout)
	key = LoadKey(ps.key)
	cnt = 0
	if ps.file:
		SignPackage(key, ps.pwd, ps.file, ps.sign)
		cnt += 1
	elif ps.dir:
		exts = [".pkg.tar.gz", ".pkg.tar.xz", ".pkg.tar.zst"]
		for f in listdir(ps.dir):
			full = path.join(ps.dir, f)
			if any(f.endswith(ext) for ext in exts):
				SignPackage(key, ps.pwd, full)
				cnt += 1
	if cnt <= 0:
		raise Exception("no any package found")
	return 0


if __name__ == '__main__':
	exit(main(argv))