gpg-sign all valid files in the repo, including source tarballs

This makes sure there is a GPG signature on any file that is included in
the repo, including APKs, OBB, source tarballs, media files, OTA update
ZIPs, etc.  Having a GPG signature is more important on non-APK files since
they mostly do not have any signature mechanism of their own.

This also adds basic tests of adding non-APK/OBB files to a repo with
`fdroid update`.

closes #232
parent 84e09cd2
......@@ -86,7 +86,7 @@ The repository of older versions of applications from the main demo repository.
# current_version_name_source = 'id'
# Optionally, override home directory for gpg
# gpghome = /home/fdroid/somewhere/else/.gnupg
# gpghome = '/home/fdroid/somewhere/else/.gnupg'
# The ID of a GPG key for making detached signatures for apks. Optional.
# gpgkey = '1DBA2E89'
......@@ -2084,3 +2084,14 @@ def get_per_app_repos():
return repos
def is_repo_file(filename):
'''Whether the file in a repo is a build product to be delivered to users'''
return os.path.isfile(filename) \
and os.path.basename(filename) not in [
......@@ -50,10 +50,13 @@ def main():
# Process any apks that are waiting to be signed...
for apkfile in sorted(glob.glob(os.path.join(output_dir, '*.apk'))):
apkfilename = os.path.basename(apkfile)
sigfilename = apkfilename + ".asc"
for f in sorted(glob.glob(os.path.join(output_dir, '*.*'))):
if common.get_file_extension(f) == 'asc':
if not common.is_repo_file(f):
filename = os.path.basename(f)
sigfilename = filename + ".asc"
sigpath = os.path.join(output_dir, sigfilename)
if not os.path.exists(sigpath):
......@@ -64,13 +67,13 @@ def main():
gpgargs.extend(['--homedir', config['gpghome']])
if 'gpgkey' in config:
gpgargs.extend(['--local-user', config['gpgkey']])
gpgargs.append(os.path.join(output_dir, apkfilename))
gpgargs.append(os.path.join(output_dir, filename))
p = FDroidPopen(gpgargs)
if p.returncode != 0:
logging.error("Signing failed.")
sys.exit(1)'Signed ' + apkfilename)'Signed ' + filename)
if __name__ == "__main__":
......@@ -517,13 +517,11 @@ def scan_repo_files(apkcache, repodir, knownapks, use_date_from_file=False):
cachechanged = False
repo_files = []
for name in os.listdir(repodir):
if name in ['index.jar', 'index.xml', 'index.html', 'categories.txt', ]:
file_extension = common.get_file_extension(name)
if file_extension == 'apk' or file_extension == 'obb':
filename = os.path.join(repodir, name)
if not os.path.isfile(filename):
if not common.is_repo_file(name):
stat = os.stat(filename)
if stat.st_size == 0:
......@@ -139,21 +139,33 @@ $fdroid update
echo_header "copy tests/repo, generate a keystore, and update"
echo_header "copy tests/repo, generate java/gpg keys, update, and gpgsign"
$fdroid init
cp -a $WORKSPACE/tests/metadata $WORKSPACE/tests/repo $REPOROOT/
cp -a $WORKSPACE/tests/gnupghome $GNUPGHOME
chmod 0700 $GNUPGHOME
echo "accepted_formats = ['json', 'txt', 'xml', 'yml']" >>
echo "install_list = 'org.adaway'" >>
echo "uninstall_list = {'', 'com.facebook.orca',}" >>
echo "gpghome = '$GNUPGHOME'" >>
echo "gpgkey = 'CE71F7FB'" >>
$fdroid update --verbose
test -e repo/index.xml
test -e repo/index.jar
grep -F '<application id=' repo/index.xml > /dev/null
grep -F '<install packageName=' repo/index.xml > /dev/null
grep -F '<uninstall packageName=' repo/index.xml > /dev/null
$fdroid gpgsign --verbose
$fdroid gpgsign --verbose
test -e repo/obb.mainpatch.current_1619.apk.asc
test -e repo/obb.main.twoversions_1101617_src.tar.gz.asc
! test -e repo/obb.mainpatch.current_1619.apk.asc.asc
! test -e repo/obb.main.twoversions_1101617_src.tar.gz.asc.asc
! test -e repo/index.xml.asc
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment