This bash script is intended to be run from inside a git repository to:

  • Make a checksum of all the tracked files (sha1sum and md5sum by default)
  • Sign the checksum with gpg (using git's user.signingkey or
  • Create a .tar.xz (very good compression) and .zip (for non-techie) archives with all the files (see below for other formats)
  • Output the HTML code to publish the file on the web

By default the script takes the directory name and latest git revision to build the package, though this behaviour can be modified via options.


Version Format Download Size
0.2 zip 20.46k
tar.xz gitpack-0.2.tar.xz 18.17k
0.1.3 zip 16.54k
tar.xz gitpack-0.1.3.tar.xz 14.66k
0.1.2 zip 15.92k
tar.xz gitpack-0.1.2.tar.xz 13.94k

This program is released under the terms of the GPLv3 or any later version. See the details.


The program is a basic wrapper around the common git-archive, to insert into the archives one or more signed checksums of all the files.

The supported archive formats are zip, tar.bz2, tar.gz and tar.xz (the last is very good and to be preferred over tar.lzma, also supported).
The supported digest algorithms are md5, sha1, sha224, sha256, sha384, sha512, to create digest files of all the archive files.
These compatibilities are achieved via the programs that should already be present on your system (installed by default on a Ubuntu installation).

Along with the package(s), you can choose to generate an html file with a table of the generated files (i.e. the one you can see in the above "Download" section).


Put the "gitpack" executable in a directory included in $PATH, reload the shell and cd into a git directory.

To view the complete usage, type gitpack -? at the prompt, which shows the output below:

     gitpack    [-#] [-b] [-d "alg1,..,algN"] [-f "fmt1,..,fmtN"] [-g] [-h]
                [-k <gpg signing key>] [-l] [-n "name"] [-o <output path>]
                [-p <repository path>] [-r "revision"] [-t <git tree-ish>]
                [-x] [-q] [-v[v]] [-?]

Operation Options:
    -h <base dir>           Output an HTML table of the created packages, which
                            will be linked inside the HTML code at the URL 
                            "<base dir>/archive.ext". The generated code will be
                            put along with the packages, in an html file.
    -q                      Operate quietly, and less interactively.
    -t <git tree-ish>       The tree or commit to produce a package for.
    -v, -vv                 Increase gitpack's verbosity.

Filenames and Paths:
    -n "name"               Set a base name for the packages. If missing, the
                            git repository's name will be taken.
    -o <output path>        The package should be put in this dir (if omitted
                            tries to put files in the 'packages' directory of
                            the git repository, if present).
    -p <repository path>    The git repository path, defaults to "." (current
                            working directory).
    -r "revision"           Set a manual revision for the packages, overriding
                            the default query to git-describe to find it.

Signing Options:
    -k <gpg signing key>    The GPG key that will be used to sign the checksum
                            file. If omitted the git configuration is searched
                            (either 'user.signingkey' or '') for a key
                            or email to pass to gpg. If there is no such config,
                            no option is passed to gpg and the default key is
    -d "alg1,..,algN"       A comma-separated list of digest algorithms,
                            including 'sha1', 'sha224', 'sha256', 'sha384', 
                            'sha512', 'md5'. Note that for each specified (algo)
                            you need the helper program '(algo)sum'
                            (i.e. 'sha1sum' for 'sha1'). Default is 'sha1' only.

Package Compression Options:
    -# [1-9]                Set the slowness of the compression (-1 the fastest
                            compression process and -9 for the best but slowest
                            factor). This option will be passed to the programs
                            responsible of the compression itself. If omitted,
                            each compressor is left with its default option.

Package Format Options:
    When no format option is specified, only a tar.xz and zip package are built.

    -f "fmt1,..,fmtN"       A comma-separated list of packages format you want
                            to be build. Currently accepted formats include
                            'zip', 'lzma' (lzma compressed tarball) and 'gzip' 
                            (gzip compressed tarball). See also -b,-l,-g,-x,-z.
    -b                      Create a bzip2 compressed tarball (tar.bz2).
    -l                      Create a lzma compressed tarball (tar.lzma).
    -g                      Create a gzip compressed tarball (tar.gz).
    -x                      Create a xz compressed tarball (tar.xz).
    -z                      Create a zip archive (zip).

Verify a package

The package itself contains almost all the information you need to verify its consistency, with the "*ALG*SUMS" and "*ALG*SUMS.gpg" files.
Let's check the consistency for example using the "SHA1SUMS" and "SHA1SUMS.gpg" files.

  • Prerequisite: obtaining the package author's public key (here's mine, for example), preferably via another channel (i.e. a public key repository).
  • Open a terminal and move to the unpacked archive directory, where the SHA1SUMS and SHA1SUMS.gpg files are:
    cd /home/foo/unpacked/
  • As the file is "SHA1"(SUMS), you should check with the sha1sum program:
    sha1sum --check SHA1SUMS
  • You should see a list of files confirming that their hash matches the one in the file. Now to check the authenticy of the sum file:
    gpg --verify SHA1SUMS.gpg
    If you have already imported the package author's public key, just check that the signing key match the author's.