fix: sign top-level Release files instead of non-existent component files

igorpecovnik · igorpecovnik · commit 0b76c99e278e · 2026-01-10T22:18:25.000+01:00
The signing function was looking for component-level Release files
(dists/{release}/{component}/Release) which aptly doesn't create.
Aptly only creates:
- Top-level: dists/{release}/Release
- Binary subdir: dists/{release}/{component}/binary-{arch}/Release

Changed the signing function to:
- Use find -maxdepth 2 to limit search depth
- Sign files with slash_count=1 (top-level Release files)
- This creates InRelease and Release.gpg for each distribution

Verified:
- All 4 distributions (bookworm, jammy, noble, trixie) now have signed Release files
- gpg --verify confirms signatures are valid
- Both InRelease (clearsigned) and Release.gpg (detached) created

Signed-off-by: Igor Pecovnik &lt;igor@armbian.com&gt;
diff --git a/tools/repository/repo.sh b/tools/repository/repo.sh
@@ -666,23 +666,17 @@ signing() {
         echo "Using GPG key: $actual_key (requested: $key)" >&2
     done
 
-    # Only sign Release files at component level, NOT binary subdirs
-    # Sign: dists/{release}/{component}/Release
-    # Skip: dists/{release}/Release (top-level, not needed)
-    # Skip: dists/{release}/*/binary-*/Release (subdirs, not needed)
-    find "$output_folder/public/dists" -type f -name Release | while read -r release_file; do
-        # Skip if file is in a binary-* subdirectory
-        if [[ "$release_file" =~ /binary-[^/]+/Release$ ]]; then
-            continue
-        fi
-
-        # Skip top-level Release files (dists/{release}/Release)
-        # Only sign component-level Release files (dists/{release}/{component}/Release)
+    # Sign top-level Release files for each distribution
+    # Sign: dists/{release}/Release
+    # Skip: dists/{release}/{component}/binary-*/Release (subdirs, not needed)
+    find "$output_folder/public/dists" -maxdepth 2 -type f -name Release | while read -r release_file; do
+        # Skip if file is in a subdirectory (component or binary subdir)
+        # Only sign top-level dists/{release}/Release files
         local rel_path="${release_file#$output_folder/public/dists/}"
-        # Count slashes - should have exactly 2 for component level: {release}/{component}/Release
+        # Count slashes - should have exactly 1 for top-level: {release}/Release
         local slash_count=$(echo "$rel_path" | tr -cd '/' | wc -c)
 
-        if [[ $slash_count -eq 2 ]]; then
+        if [[ $slash_count -eq 1 ]]; then
             local distro_path
             distro_path="$(dirname "$release_file")"
             echo "Signing release at: $distro_path" | logger -t repo-management
