This bash script is intended to be run from inside a git repository to:
- Make a checksum of all the tracked files (
- Sign the checksum with
- .tar.xz (very good compression) and .zip (for non-techie) archives with all the files (see below for other formats)
- Output the HTML code to publish the file on the web
By default the script takes the directory name and latest git revision to build the package, though this behaviour can be modified via options.
The program is a basic wrapper around the common git-archive, to insert into the archives one or more signed checksums of all the files.
The supported archive formats are tar.xz (the last is very good and to be preferred over tar.lzma, also supported).
The supported digest algorithms are sha512, to create digest files of all the archive files.
This support relies on programs that should already be present on your system (they are installed by default on an Ubuntu installation).
Along with the package(s), you can choose to generate an HTML file with a table of the generated files (i.e. the one you can see in the above "Download" section).
Put the "gitpack" executable in a directory included in $PATH, reload the shell and cd into a git directory.
To view the complete usage, type gitpack -? at the prompt, which shows the output below:
Verify a package
The package itself contains almost all the information you need to verify its consistency, with the "*ALG*SUMS" and "*ALG*SUMS.gpg" files.
Let's check the consistency for example using the "SHA1SUMS" and "SHA1SUMS.gpg" files.
- Prerequisite: obtain the package author's public key (here's mine, for example), preferably via another channel (e.g. a public key repository).
Open a terminal and move to the unpacked archive directory, where the SHA1SUMS and SHA1SUMS.gpg files are:
As the file is "SHA1"(SUMS), you should check with the
sha1sum --check SHA1SUMS
You should see a list of files confirming that their hash matches the one in the file. Now to check the authenticity of the sum file:
gpg --verify SHA1SUMS.gpg
If you have already imported the package author's public key, just check that the signing key matches the author's.
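
The two checks above leave one gap: `sha1sum --check` only tests the files named in SHA1SUMS, so a file dropped into the unpacked directory afterwards is never reported. The sketch below is an added example, not part of gitpack; the function names are hypothetical, and it assumes the SHA1SUMS and SHA1SUMS.gpg files sit at the top of the unpacked directory as described above.

```shell
#!/bin/sh
# Added example (not gitpack code); all function names are hypothetical.

# signed_by SIGFILE FINGERPRINT
# Runs the same single-argument "gpg --verify" as above, but succeeds only if
# gpg's machine-readable VALIDSIG line carries the expected key fingerprint
# (40 uppercase hex digits, no spaces), instead of relying on reading the name.
signed_by() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null |
        grep -q "^\[GNUPG:\] VALIDSIG .*$2"
}

# unlisted_files DIR [SUMS]
# Prints every regular file under DIR that SUMS (default SHA1SUMS) does not
# name. Sum files for other digests are reported too unless SUMS lists them.
unlisted_files() (
    sums=${2:-SHA1SUMS}
    cd "$1" || exit 2
    listed=$(mktemp) || exit 2
    LC_ALL=C; export LC_ALL
    # Checksum lines look like "<40 hex>  name" or "<40 hex> *name".
    sed -E 's/^\\?[0-9a-f]{40} [ *](\.\/)?//' "$sums" | sort >"$listed"
    find . -type f ! -name "$sums" ! -name "$sums.gpg" |
        sed 's|^\./||' | sort | comm -23 - "$listed"
    rm -f "$listed"
)

# verify_package DIR [SUMS]
# Succeeds only if every listed file matches its hash AND nothing is unlisted.
verify_package() (
    sums=${2:-SHA1SUMS}
    ( cd "$1" && sha1sum -c "$sums" >/dev/null 2>&1 ) || exit 1
    extra=$(unlisted_files "$1" "$sums") || exit 1
    [ -z "$extra" ] && exit 0
    printf 'not covered by %s:\n%s\n' "$sums" "$extra" >&2
    exit 1
)
```

A typical run is `signed_by SHA1SUMS.gpg <author fingerprint> && verify_package .` from inside the unpacked directory, with the fingerprint obtained through the separate channel mentioned in the prerequisite.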