frederickding · February 13, 2020 17:49
diff --git a/gpg2-vmimage.sh b/gpg2-vmimage.sh
 #!/bin/bash
 ## Usage: gpg2-vmimage.sh FILENAME
 ## 
 ## FILENAME can be:
 ##   - a tar archive (in which case this script will apply zstd 
 ##     compression before encrypting & signing with GnuPG)
 ##   - an already-compressed OVA file (in which case this script 
 ##     will not further compress)
 ##
 ## The output will be a .zstd.gpg or .gpg of the input file and 
 ## a signed SHA256 checksum file (containing the hashes of the input file, 
 ## the intermediate .zstd archive, if any, and the encrypted output file).

 # hardcode the PGP recipients here before using
 RECIPIENTS="-r [email protected] -r 0x12345678"

 input_filename=$1
 if [ ! -f "$input_filename" ]; then
    echo "$input_filename does not exist!"
    exit 128
 fi

 # check if is a tar by stripping off any .tar extension
 test_basename=${input_filename%.tar}
 if [ "$test_basename" == "$input_filename" ]; then
    # not a tar
    input_basename=${input_filename%.*}
 else
    # is a tar, so zstd compress first
    sha256sum "$input_filename" | tee -a "$test_basename.sha256sum"
    printf "First, going to compress this tar: %s\n" $input_filename
    # you may want to tweak this line for performance/compression settings
    zstd --long -T4 -19 "$input_filename"
    input_basename=$test_basename
    input_filename="$input_filename.zst"
 fi

 printf "About to hash, encrypt, and sign %s\n" $input_filename
 sha256sum "$input_filename" | tee -a "$input_basename.sha256sum"
 printf "Invoking GPG to encrypt and sign...\n"
 gpg2 --encrypt --sign --compress-algo none \
    $RECIPIENTS \
    -o "$input_filename.gpg" "$input_filename"
 sha256sum "$input_filename.gpg" | tee -a "$input_basename.sha256sum"
 gpg2 --clearsign -o "$input_basename.asc" "$input_basename.sha256sum"

 # can comment out if you want to see how it works and keep the intermediate file
 if [ $? -eq 0 ]; then
    rm "$input_basename.sha256sum"
 fi
	#!/bin/bash
	## Usage: gpg2-vmimage.sh FILENAME
	##
	## FILENAME can be:
	## - a tar archive (in which case this script will apply zstd
	## compression before encrypting & signing with GnuPG)
	## - an already-compressed OVA file (in which case this script
	## will not further compress)
	##
	## The output will be a .zstd.gpg or .gpg of the input file and
	## a signed SHA256 checksum file (containing the hashes of the input file,
	## the intermediate .zstd archive, if any, and the encrypted output file).

	# hardcode the PGP recipients here before using
	RECIPIENTS="-r [email protected] -r 0x12345678"

	input_filename=$1
	if [ ! -f "$input_filename" ]; then
	echo "$input_filename does not exist!"
	exit 128
	fi

	# check if is a tar by stripping off any .tar extension
	test_basename=${input_filename%.tar}
	if [ "$test_basename" == "$input_filename" ]; then
	# not a tar
	input_basename=${input_filename%.*}
	else
	# is a tar, so zstd compress first
	sha256sum "$input_filename" \| tee -a "$test_basename.sha256sum"
	printf "First, going to compress this tar: %s\n" $input_filename
	# you may want to tweak this line for performance/compression settings
	zstd --long -T4 -19 "$input_filename"
	input_basename=$test_basename
	input_filename="$input_filename.zst"
	fi

	printf "About to hash, encrypt, and sign %s\n" $input_filename
	sha256sum "$input_filename" \| tee -a "$input_basename.sha256sum"
	printf "Invoking GPG to encrypt and sign...\n"
	gpg2 --encrypt --sign --compress-algo none \
	$RECIPIENTS \
	-o "$input_filename.gpg" "$input_filename"
	sha256sum "$input_filename.gpg" \| tee -a "$input_basename.sha256sum"
	gpg2 --clearsign -o "$input_basename.asc" "$input_basename.sha256sum"

	# can comment out if you want to see how it works and keep the intermediate file
	if [ $? -eq 0 ]; then
	rm "$input_basename.sha256sum"
	fi