This bash script is intended to be run from inside a git repository to:
- Make a checksum of all the tracked files (SHA-1 by default; other digests via -d)
- Sign the checksum with GPG
- Create .tar.xz (very good compression) and .zip (for non-techies) archives with all the files (see below for other formats)
- Output the HTML code to publish the files on the web
By default the script takes the directory name and latest git revision to build the package, though this behaviour can be modified via options.
The program is a basic wrapper around the common git-archive command: it builds the archives with git-archive and adds to each of them one or more checksum files covering all the archived files, together with a GPG signature of each checksum file.
The supported archive formats are zip, tar.gz, tar.bz2, tar.lzma and tar.xz (the last gives very good compression and is to be preferred over tar.lzma, which is also supported).
The supported digest algorithms are md5, sha1, sha224, sha256, sha384 and sha512, used to create digest files listing every archived file. Only sha1 is enabled by default; for packages you intend to publish, prefer a stronger digest (for example -d "sha256,sha512"), since the GPG signature is over the digest file and a digest a third party can collide is of little use.
All of this relies on helper programs that should already be present on your system (they are installed by default on Ubuntu): git, gpg, the compressors for the chosen formats, and the '(algo)sum' tools from coreutils (sha1sum, sha256sum, ...).
Along with the package(s), you can choose to generate an html file with a table of the generated files (like the one in the "Download" section above).
Put the "gitpack" executable in a directory included in $PATH, reload the shell and cd into a git directory.
To view the complete usage, type gitpack -? at the prompt, which prints the output below:
Usage: gitpack [-#] [-b] [-d "alg1,..,algN"] [-f "fmt1,..,fmtN"] [-g] [-h <base dir>] [-k <gpg signing key>] [-l] [-n "name"] [-o <output path>] [-p <repository path>] [-r "revision"] [-t <git tree-ish>] [-x] [-z] [-q] [-v[v]] [-?]

Operation Options:
  -h <base dir>         Output an HTML table of the created packages, which will be
                        linked inside the HTML code at the URL "<base dir>/archive.ext".
                        The generated code will be put along with the packages, in an
                        html file.
  -q                    Operate quietly, and less interactively.
  -t <git tree-ish>     The tree or commit to produce a package for.
  -v, -vv               Increase gitpack's verbosity.

Filenames and Paths:
  -n "name"             Set a base name for the packages. If missing, the git
                        repository's name will be taken.
  -o <output path>      The package should be put in this dir (if omitted, tries to
                        put files in the 'packages' directory of the git repository,
                        if present).
  -p <repository path>  The git repository path, defaults to "." (current working
                        directory).
  -r "revision"         Set a manual revision for the packages, overriding the
                        default query to git-describe to find it.

Signing Options:
  -k <gpg signing key>  The GPG key that will be used to sign the checksum file. If
                        omitted, the git configuration is searched (either
                        'user.signingkey' or 'user.email') for a key or email to pass
                        to gpg. If there is no such config, no option is passed to
                        gpg and the default key is used.
  -d "alg1,..,algN"     A comma-separated list of digest algorithms, including
                        'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'md5'. Note
                        that for each specified (algo) you need the helper program
                        '(algo)sum' (i.e. 'sha1sum' for 'sha1'). Default is 'sha1'
                        only.

Package Compression Options:
  -# [1-9]              Set the slowness of the compression (-1 for the fastest
                        compression process and -9 for the best but slowest factor).
                        This option will be passed to the programs responsible for
                        the compression itself. If omitted, each compressor is left
                        with its default option.

Package Format Options:
  When no format option is specified, only a tar.xz and a zip package are built.
  -f "fmt1,..,fmtN"     A comma-separated list of the package formats you want to
                        build. Currently accepted formats include 'zip', 'lzma'
                        (lzma compressed tarball) and 'gzip' (gzip compressed
                        tarball). See also -b,-l,-g,-x,-z.
  -b                    Create a bzip2 compressed tarball (tar.bz2).
  -l                    Create a lzma compressed tarball (tar.lzma).
  -g                    Create a gzip compressed tarball (tar.gz).
  -x                    Create a xz compressed tarball (tar.xz).
  -z                    Create a zip archive (zip).
Verify a package
The package itself contains almost all the information you need to verify its consistency: the "*ALG*SUMS" file (the checksums of every archived file) and the "*ALG*SUMS.gpg" file (the GPG signature over that checksum file). The one thing it cannot contain is what makes the check meaningful, the author's public key, which has to come from somewhere other than the package.
Let's check the consistency using, for example, the "SHA1SUMS" and "SHA1SUMS.gpg" files. If the package also ships a SHA256SUMS or SHA512SUMS file, prefer that one and use the matching sha256sum or sha512sum tool; the steps are otherwise identical.
- Prerequisite: obtain the package author's public key (here's mine, for example), preferably via another channel (e.g. a keyserver, the author's website, or in person), and compare its fingerprint with one the author has published. Import it with gpg --import.
Open a terminal and move to the unpacked archive directory, where the SHA1SUMS and SHA1SUMS.gpg files are:
As the file is "SHA1"(SUMS), check it with sha1sum:
sha1sum --check SHA1SUMS
You should see a list of files confirming that their hash matches the one in the file (any "FAILED" line means the package was corrupted or altered). Now to check the authenticity of the sum file:
gpg --verify SHA1SUMS.gpg
If you have already imported the package author's public key, check that the signing key matches the author's: compare the key fingerprint gpg prints with the one you obtained out of band, and treat a "Good signature" from any other key, or a "BAD signature", as a failed check. Keep in mind that the signature travels inside the archive, so whoever can replace the archive can replace the SUMS and .gpg files as well; the checksums alone only protect against accidental corruption, and it is the fingerprint comparison that protects against a substituted package.
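The procedure above, as an added example script (not part of gitpack itself) for an unpacked package directory. It picks the strongest *ALG*SUMS file present, verifies the signature first with the same gpg --verify call as above, refuses any "good" signature whose key fingerprint is not the one obtained out of band, and only then runs the checksum check. The EXPECTED_FPR value is a placeholder you must replace with the author's real fingerprint; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of gitpack: verify an unpacked gitpack package.
# Signature first: the SUMS file alone proves integrity, only the signature
# (from the expected key) ties the package to its author.
set -u

# Fingerprint of the author's key, obtained over a separate channel.
# Placeholder value (assumption): replace it with the real fingerprint.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# Print the path of the strongest *ALG*SUMS file in the directory, or fail.
pick_sums_file() {
  dir="$1"
  for name in SHA512SUMS SHA384SUMS SHA256SUMS SHA224SUMS SHA1SUMS MD5SUMS; do
    if [ -f "$dir/$name" ]; then
      printf '%s\n' "$dir/$name"
      return 0
    fi
  done
  echo "no *SUMS file found in $dir" >&2
  return 1
}

# Verify <SUMS>.gpg next to the SUMS file and require that the signing key's
# fingerprint (gpg's machine-readable VALIDSIG status line) is the expected one.
# A "Good signature" from a different key is still a failure.
verify_signature() {
  sums="$1"
  dir=$(dirname "$sums")
  base=$(basename "$sums")
  status=$( cd "$dir" && gpg --status-fd 1 --verify "$base.gpg" 2>/dev/null ) || return 1
  fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $3 }')
  [ -n "$fpr" ] && [ "$fpr" = "$EXPECTED_FPR" ]
}

# Check every entry of a SUMS file with the matching coreutils tool.
# Non-zero exit if any listed file is missing or altered.
verify_sums() {
  sums="$1"
  base=$(basename "$sums")
  case "$base" in
    MD5SUMS)    tool=md5sum ;;
    SHA1SUMS)   tool=sha1sum ;;
    SHA224SUMS) tool=sha224sum ;;
    SHA256SUMS) tool=sha256sum ;;
    SHA384SUMS) tool=sha384sum ;;
    SHA512SUMS) tool=sha512sum ;;
    *) echo "unsupported sums file: $base" >&2; return 2 ;;
  esac
  ( cd "$(dirname "$sums")" && "$tool" --check "$base" >/dev/null )
}

# Full check of an unpacked package directory: signature, then checksums.
verify_package() {
  sums=$(pick_sums_file "$1") || return 1
  verify_signature "$sums" || { echo "signature check FAILED for $sums" >&2; return 1; }
  verify_sums "$sums"      || { echo "checksum mismatch in $sums" >&2; return 1; }
  echo "OK: $sums is signed by $EXPECTED_FPR and all listed files match"
}

# Usage: sh verify_package.sh <unpacked package directory>
if [ $# -gt 0 ]; then
  verify_package "$1"
fi
```

Running verify_package on a directory whose SHA1SUMS.gpg was made with an unexpected key, or where any file was modified after signing, exits non-zero; the fingerprint comparison is what turns "gpg says the signature is good" into "this is the author's package".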